*Hobbit* wrote:
>
> Funny, I just pulled virtually the same script out of a packet dump
> last week and was going to send it in. In this case they called it
> "rd.s" and most of the comments were gone except for one at the top
> claiming it had been written by "Yo Man!" ...
>
> The gracious providers of this script, once having used it, were apprehended
> in the process of scanning several places with "rpcinfo" looking for X.25
> links [or whatever the x25.inr RPC service is].
>
> _H*
>

"historical" note

this script was used to break in to an Ultrix machine here in aug 92
the guy opened an account for himself with a username of "yo"
so he probably was the genius who originated it ....
(yo is short for yonatan - which is the hebrew version of Jonathan - his name)
at the time he was a student at Ben-Gurion Uni (bgu.ac.il in Beer-Sheva, Israel)
and part of a (then) quite active cracking group there
he went up for a disciplinary hearing at BGU and got off quite lightly
(the police said there wasn't enough evidence to prosecute ...)

Rafi

P.S.
I still have a .tar.Z file of his dir with cracking tools
there was the rdist script + crack-4.1 + the usual assortment of utmp/wtmp
editing tools + a c prog for capturing passwds with the following comment in
the header -

/* when run from a shell-escape in /bin/mail, this program is able to
   read any password given to su, telnet, rsh by any user.
   Works on Ultrix 4.0-4.2 with no mods */

- the whole bundle was sent off to CERT of course...
I didn't notice any announcements about a fix for this one - although it
didn't seem to work trivially under Ultrix 4.2A(rev 47) and I don't have
too much time to play with it (it reads /dev/{k,}mem)

--
+-------------------------------+---------------------------------------+
| Rafi Sadowsky                 | rafi@tavor.openu.ac.il                |
| Comp.Sci. dept                |-[also postmaster@openu.ac.il]---------+
| Open University of Israel     | Voice: +972-3-6460592                 |
| Tel-Aviv, Israel              | Fax: +972-3-6460483                   |
+-------------------------------+---------------------------------------+