--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

                  ..[Forbidden Knowledge Issue Six]..
              ..[Smells like chicken, Tastes like borg]..

Forbidden Knowledge is an independent project brought to you by the
following team of imbeciles with nothing better to do...

--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
 [ Wyzewun   ]   [ Chief Loser     ]   [ wyze1@g0v.za.org       ]

 [ Pneuma    ]   [ Assistant Loser ]   [ satur9@beer.com        ]
 [ Vortexia  ]   [ Assistant Loser ]   [ vortexia@psyche.za.org ]

 [ Moe1      ]   [ General Slut    ]   [ moe1@codiez.za.org     ]
 [ Cyberphrk ]   [ Ascii Wh0re     ]   [ phuman@icon.co.za      ]

 [ Sniper    ]   [ Webpimp         ]   [ sniper@h4x0rz.za.org   ]
--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--

Guest Contributors: Cyberware, Corrupt SYN, Terabyte and jus

Group Greetz: b4b0, cDc, Darkcyde, EHAP, HNN, L0pht, LoU, Rhino9
Individual Greetz: Badspirit, Corrupt SYN, Cache, Crazyguy, Cyberware,
                   Cyclotron, icesk, jus, kM, kokey, Lothos, m0f0,
                   Mnemonic, optiklenz, Terabyte, Tattooman, Ultima

Disses to: FAT PE0PLE!#@#$ j00 aRe aLL gR0sS!%@#
Disgustingly Obese: JP from AntiOnline, Carolyn Meinel, Roseanne Barr

Oh: And Greets to the SAPS Computer Crime Unit. Since you've been kind
enough not to laugh while listening to my personal phone calls, I
thought I'd be kind enough to send you sh0ut 0utz. You guyz 0wn.

It's a Fact: The head of the CCU's daughter has been raped by Pneuma at
least nine times, and is finally beginning to enjoy it.

Pimp Phat Tunez: NIN, Marilyn Manson, White Zombie, RATM, Korn, Prodigy,
                 Chemical Brothers, Garbage, Eminem, Bloodhound Gang,
                 Placebo, Offspring, Beastie Boys

Pimp Wack Tunez: Spice Girls, B-Witched, Steps, Faithless, 2Pac, Puff
                 Daddy, Any South African band

Question: How long are you going to take before you realise that *BSD
          0wnz Linux's pathetic ass?

No sense of humour: Sektorgrl - I recall her kicking me at least 9 times
                    for saying I was going to sacrifice the puppy her
                    parents brought her to Satan. What a weirdo. ;)

Other stuff in dis Issue: Uuuh, I can't remember coz it sucks so much.
                          Just look around at stuff, or something ;P

--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
                    .ooO Contents of This Issue Ooo.
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

 -/- Introduction by The Editor
 -/- Pathetic mail of the month

 -/- Memory and Addressing Protection Part Two
 -/- Silly PGPDisk Bug
 -/- Playing with Nokia and Ericsson Cellphones
 -/- Securing RedHat Linux 6.0
 -/- RedHat 6.0 LILO PAM Filter workaround
 -/- Java Personal Webserver 0.9 DoS
 -/- Ripping off Arcade Machines
 -/- A guide to Linux/FreeBSD IP Firewalling
 -/- Windows backdoor Stupidity
 -/- A Study of the CyberTrade Extranet
 -/- Telkom Identicall Glitches
 -/- Making free calls from Blue Payphones

 -/- Laterz and udder Bullsh!t

--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
                   .ooO Introduction by The Editor Ooo.
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

FK are back in action with even more drugs in their bloodstream than
ever before and although FK *still* sucks - we've got this leet new
layout for the zine! Werd! Mail all women, vodka and article submissions
to wyze1@g0v.za.org - sorry about the website being down for so long,
the 12GB SCSI that Apache was on died and Vort chose to just lament over
the loss of all of his lame warez instead of reinstalling. Sheesh. ;)
I will get Sniper to put it up on his box soon. It kinda pisses me off
that they have been too lazy to put the domain up in two months. :(

Enjoy the e-zine - it's still getting better - but it's developing quite
nicely over time. Just pretend that this is the first issue and then it
will seem less lame. ;P

Seriously though, past issues have been pretty damned awful, and things
always went wrong - like me writing an article on trojaning su only to
find out that some-one had already thought of the same idea... about 20
years ago! (Guess it's my fault for not reading all doze uber-ereet
old-skool texts, huh?) ;P But I still feel that FK will slowly get
better over time and perhaps eventually grow to be quite good. Maybe.
I wouldn't put money on it - I know how dumb I am. ;)

Thanks to all the people who have supported us from the beginning even
though we suck - we couldn't have gotten this far without you. Although
you still suck for thinking it was cool in the first place. ;P

Cheers,
Wyzewun

PS. I asked Cyberphrk to draw neato ascii of a goat, which I was going
    to put here, but he told me that his "g0at r3m3mb3r1ng sk1LLz"
    aren't what they used to be and asked me to send him a pic of one...

    That's when I decided I didn't want a goat that much.

--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
             .ooO Completely Pathetic Mail of the Month Ooo.
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

Well, originally I decided not to publish any mail I receive in FK, but
since I have recently gotten a large influx of immensely lame e-mail, I
decided to set up this section, where I will publish the most idiotic
mail I get every month in a vain effort to cut down on the stupid mail
I get. *Ahem* Please note that I am *more* than happy to help with
anything vaguely intelligent, and I really like the stuff that many
readers have mailed me, just not stuff like... this...
From: the_extremist@iname.com
To: wyze1@g0v.za.org
Date: Fri, 23 Jul 1999 10:34:55 -0400 (EDT)
Subject: Unspecified

Hi!

I'm working on 194.225.24.65, [as well as wyze1's nerves] and it's my
first case of cracking. It's the IP address of "Shahid Beheshti
University" in Iran. [sounds like a really secure system, sure you will
be able to cut it?]

I've tried the PHF technique [elite] but I got no results and I also
tried to FTP to their site but that way wasn't possible either. Now I
don't know what to do, [hmmm. me neither. phf didn't work? ftp'ing in
and trying to get /etc/passwd didn't work? fuckit, this system must be
sewper dewper locked down. i suggest you just give up and get better at
tekken] so I decided to write a mail and request help from you.

If it's possible for you then please tell me how I can hack that page,
and if it's not possible for you then tell me that too, so that
I don't wait too much for your reply, Thanx! ;) [if it's possible that
you have an IQ above that of my left nipple then i would reply within
a few days, but you may have trouble qualifying for this. perhaps you
should try for an armpit hair. good luck.]

John.

[end fantastically dumb e-mail. let's get on with the zine already]

--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
       .ooO Memory and Addressing Protection Part Two by wyze1 Ooo.
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

In Part One I covered the use of Fence and Bounds Registers, as well as
Tagged architecture. In this Issue, I will be covering Segmentation,
Paging, and successfully combining the two schemes.
Segmentation is simply the idea of dividing a program into separate
pieces in memory. Each piece has a logical unity, a relationship among
all of its data or code values and a completely unique name. They are
also all different sizes. So our program would be divided into pieces
that look something like this...

          ._______________.
          |     MAIN      |
          |---------------|
          |               |
          |  SUB_ROUTN_A  |
          |               |
          |---------------|
          |  DATA_SEG_B   |
          |               |
          `---------------'

The Operating System maintains a table of segment names and their true
addresses in memory. A program that is trying to access a piece of its
data, a code segment, or whatever it's accessing, will look it up not
as a real memory address, but as a <Name, Offset> pair. Name, of course,
being the name of the segment, and Offset being how many bytes whatever
we want is from the beginning of the segment. (Eg. <SUB_ROUTN_A, 150>).
For efficiency's sake, there is often one address table for each user
process in execution.

And so, a user's program does not know where it *really* is in memory.
It is impossible for it to change a <Name, Offset> pair into a real
memory address. There are three advantages of this for the OS...

1. A Segment can be removed from main memory and stored somewhere else
   if it is not currently in use.

2. The OS can place any segment in any location, and can move it around
   as it pleases, even during execution, because all it needs to do is
   modify the address table after it has moved the memory.

3. Every address reference passes through the Operating System, so we
   can check for protection. (Eg. Read Only Segment etc)

Let's look a bit at this last point. Because everything goes through the
OS, it is easy for us to store values of what users may or may not do to
specific pieces of memory.
One user could be able to access a certain
segment of another user's memory if deemed necessary, but still not be
able to touch anything else of theirs. There is a much greater potential
for versatile protection using this method than any we have looked at
in Part One.

BUT... This system has a gaping security flaw (which can be fixed with
a bit of extra work) which you may have seen by now. What happens if our
segment is 200 bytes long and we give a 400 byte offset? Oops. Quick and
easy access to other people's memory - Not good.

This system also causes memory fragmentation, because segments are of
varying sizes and after a while, unused fragments of space can lead to
really shit memory utilization. Ugh. That just about kills it for me,
let's move on to Paging.

Paging is fairly similar to Segmentation, in that each address is still
a two part object, this time consisting of <Page, Offset>. Programs are
divided into EQUAL-sized pieces called Pages and memory is divided into
units of the same size, called Page Frames. So our program, once divided
will look like this...

          ._______________.
          |    PAGE 0     |
          |---------------|
          |    PAGE 1     |
          |---------------|
          |    PAGE 2     |
          |---------------|
          |    PAGE 3     |
          `---------------'

Because Pages are the same size, we don't have memory fragmentation
problems like we have with Segmentation. Also, we don't have to worry
about users setting huge offsets. For example, let's say we have a page
size of 1024 bytes. 10 bits are allocated for the offset portion of each
address. A program cannot generate an offset value larger than 1023 in
ten bits! ;)

Moving to the next location after <Page, 1023> causes a carry into the
page portion, thereby moving translation to the next page.
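Both schemes can be exercised in code. The simulator below is an added example, not code from the article: a <Name, Offset> reference first passes the segment's length and permission checks, then the offset is split into a 10-bit page offset and a page number and mapped through that segment's own page table, so it shows the two schemes working together rather than either one alone. The segment names are taken from the diagrams above; the segment lengths, permission bits and frame numbers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BITS   10u                   /* 1024-byte pages, as in the text   */
#define PAGE_SIZE   (1u << PAGE_BITS)
#define OFFSET_MASK (PAGE_SIZE - 1u)      /* low 10 bits can only hold 0..1023 */
#define MAX_PAGES   8
#define MAX_SEGS    4

enum perm { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

typedef struct {
    const char *name;              /* logical segment name               */
    uint32_t    limit;             /* segment length in bytes            */
    uint8_t     perms;             /* allowed access kinds (OR of perm)  */
    uint32_t    npages;            /* pages assigned to this segment     */
    uint32_t    frames[MAX_PAGES]; /* page frame number for each page    */
} segment_t;

typedef struct { segment_t segs[MAX_SEGS]; uint32_t nsegs; } seg_table_t;

/* Result of a reference: OK, or the check that rejected it. */
typedef enum { XLATE_OK = 0, FAULT_NO_SEGMENT, FAULT_OFFSET_TOO_LARGE,
               FAULT_PROTECTION, FAULT_PAGE_RANGE } xlate_result_t;

/* Translate <name, offset> for one access kind into a physical address.
 * Every check runs before any memory is touched; *phys is only written
 * on success. */
xlate_result_t translate(const seg_table_t *t, const char *name,
                         uint32_t offset, uint8_t access, uint32_t *phys)
{
    const segment_t *s = NULL;
    for (uint32_t i = 0; i < t->nsegs; i++)
        if (strcmp(t->segs[i].name, name) == 0) { s = &t->segs[i]; break; }
    if (s == NULL)
        return FAULT_NO_SEGMENT;       /* name not in this process's table */

    /* Segmentation's bounds check: without it a 400-byte offset into a
     * 200-byte segment would reach whatever follows the segment. */
    if (offset >= s->limit)
        return FAULT_OFFSET_TOO_LARGE;

    /* Segmentation's protection check: every requested bit must be allowed. */
    if ((access & s->perms) != access)
        return FAULT_PROTECTION;       /* e.g. a write to read-only data */

    /* Paging: high bits select the page, the low 10 bits the byte in it, so
     * moving from offset 1023 to 1024 carries into the page number. */
    uint32_t page     = offset >> PAGE_BITS;
    uint32_t page_off = offset & OFFSET_MASK;
    if (page >= s->npages)             /* defence in depth behind the limit */
        return FAULT_PAGE_RANGE;

    *phys = s->frames[page] * PAGE_SIZE + page_off;
    return XLATE_OK;
}

/* Constructed per-process table using the segment names from the text. */
void build_example_table(seg_table_t *t)
{
    static const segment_t segs[] = {
        /* name           limit  perms            npages  frames      */
        { "MAIN",         1500,  PERM_R | PERM_X, 2,      { 7, 3 }    },
        { "SUB_ROUTN_A",  200,   PERM_R | PERM_X, 1,      { 5 }       },
        { "DATA_SEG_B",   3000,  PERM_R,          3,      { 2, 9, 4 } },
    };
    memcpy(t->segs, segs, sizeof segs);
    t->nsegs = sizeof segs / sizeof segs[0];
}

/* Wrappers over the example table: the result code, and the physical
 * address (UINT32_MAX when the reference faults). */
xlate_result_t example_result(const char *n, uint32_t off, uint8_t acc)
{
    seg_table_t t; uint32_t phys;
    build_example_table(&t);
    return translate(&t, n, off, acc, &phys);
}

uint32_t example_phys(const char *n, uint32_t off, uint8_t acc)
{
    seg_table_t t; uint32_t phys = UINT32_MAX;
    build_example_table(&t);
    translate(&t, n, off, acc, &phys);
    return phys;
}

int main(void)
{
    /* The text's <SUB_ROUTN_A, 150>, the 400-byte offset into the 200-byte
     * segment, the 1023 -> 1024 carry into page 1, a write to read-only data. */
    const struct { const char *n; uint32_t off; uint8_t acc; } refs[] = {
        { "SUB_ROUTN_A", 150, PERM_X }, { "SUB_ROUTN_A", 400, PERM_R },
        { "MAIN", 1023, PERM_R },       { "MAIN", 1024, PERM_R },
        { "DATA_SEG_B", 10, PERM_W },   { "NO_SUCH_SEG", 0, PERM_R },
    };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++)
        printf("<%s, %u> -> result %d, physical %u\n", refs[i].n,
               (unsigned)refs[i].off,
               (int)example_result(refs[i].n, refs[i].off, refs[i].acc),
               (unsigned)example_phys(refs[i].n, refs[i].off, refs[i].acc));
    return 0;
}
```

A physical address of 4294967295 in the output is the UINT32_MAX marker for a faulted reference, paired with the non-zero result code that names the check which rejected it.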
During the
translation, there is a check to make sure that this program has not
gone over the number of pages it has been assigned.

BUT... because there is no unity to the items on a page, there is no way
to flag all values on a page as execute-only or read-only, or whatever
we are trying to do. We don't have the sharing and restricting
capabilities segmentation offered us. :(

So, what do we do? We combine the two! The program is divided into
logical segments, like in Segmentation, and then each segment is broken
down into pages of equal size. Easy as that! And the flaws of each
scheme are fixed! This is in fact the exact memory scheme that they used
in Multics.

Well, that's all for now. If anyone found this interesting and bugs me
enough I will continue giving more modern examples of memory protection.
But until then - Adios!

--=====--
* Bambi (sdfg@ndf53-02-p61.gt.saix.net) has joined #hack
* Bambi was kicked by ugh (Run home - I think some-one shot your mother)
--=====--

--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
               .ooO Creating Trojan PGPDisks by wyze1 Ooo.
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

Well, Network Associates have gone out and added PGP to their list of
products to ruin and commercialize and they made their debut with PGP 6
for Windows some time ago - the first PGP made by NAI.

A friend of mine's PC had the new PGP on it (PGP 6.0.2i) and I was very
impressed with the PGPDisk utility distributed with it... until I found
out just how evil it was. Basically, PGPDisk creates a filesystem within
a filesystem within a file on your HardDrive, then encrypts it with a
pretty damn secure algorithm.
When you open the file, it decrypts it
with the password specified and if it was right, makes the PGPDisk a
Virtual Drive on E: or F: or wherever you want to put it.

Sounds simple enough, so where's the problem? The problem is not in the
creation or encryption of the volumes, it's in the driver that they use
to create the virtual drive. It looks like what they're using is a
ripped version of Microsoft's own CD drivers, and what do we know about
CDs under Windows? They Autorun! Stupid! Stupid! Stupid! Stupid!

So, we just create a PGPDisk with some loser's public key, containing
some or other fake information which we want to pretend to be sending
along with Evil.Exe, which let's say is a backdoor of some sort that will
delete itself and Autorun.inf as soon as it is run on the target machine.
We then put an Autorun.inf file on the PGPDisk that looks something like

  [autorun]
  OPEN=EVIL.EXE

And there we have it - A Nice Trojan PGPDisk just waiting for your local
Windoze kidlet. Have fun with this one - And be good. ;)

--=====--
* KewtAngel was kicked by wyze1
  (Why are all chiqz that come to #hack so DUMB?!)
--=====--

--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
         .ooO Playing with the Nokia and the Ericsson by Moe1 Ooo.
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

The following are useful codes for the Nokia 6110 (and in some cases,
other versions as well).

*#0000# - This gives you the Software Version. The display is
          something like:

            V 4.73
            22-04-98
            NSE-3

          The top line is the software version.
(Check the Nokia Software Version Info section.)

*#war0anty# - Gives a menu which has the following options:

  1: Displays the serial number.
  2: Displays the date of manufacture.
  3: Displays the date the phone was purchased (MMYY); here you can
     also set the purchasing date.
  4: Displays the date of the last repair - if found (0000).
  5: Displays the Transfer User Data option.


----------------------------------------
Nokia Software Version Info
----------------------------------------

Version 3.14
28-11-1997
First shipping version of the software.

Version 4.33
11-03-1998
Improved reception quality
Renamed 'Long and Loud' SMS alert to 'Ascending'
Renamed 'Warning Tones' to 'Warning and Game Tones'
SMS message alert volume now linked to ringing volume
Time taken to log onto new cell reduced
Desktop charger now works correctly when the phone is inserted with the
battery connected
Minor changes in the profiles menu

Version 4.73
22-04-1998
Half Rate settings can no longer be changed via the keypad
Reception of CCH blocks after cell reselection in weak field has been
improved
Corrected the problem of the battery indicator bar flickering between
one and two bars when using a Li-ion battery
Improved the maintenance charging when using the ACP-7 charger
More frequent battery low warning beeps added during a call made with a
Li-ion battery
Improved SMS storage time handling. If the user has not selected a storage
time, the phone uses the maximum storage time set by the network the
phone is connected to.
Improved audio quality when using the EFR (Enhanced Full Rate) Speech
Codec
Improved recovery of SIM card in error situations
Fixed bug in SMS editing screen where the cursor is one character too far
right

Version 5.24
14-09-1998
Implemented code *#746025625# which shows whether the SIM card inserted
supports SIM-clock-stop-mode

---------------------------------------
Nokia Phone Quality Rates
---------------------------------------

Enhanced Full Rate Codec (EFR):
  On:  Enter *3370# and EFR will be activated after a reboot of the phone
       (consumes more power)
  Off: Enter #3370# and EFR will be switched off after a reboot of the
       phone.

Half Rate Codec:
  On:  Enter *4720# and the Half Rate codec will be activated after a
       reboot of the phone (better standby time)
  Off: Enter #4720# and the Half Rate codec will be de-activated after a
       reboot of the phone

Enhanced Full Rate will give you much better sound quality when you
enable it. The new Enhanced Full Rate CODEC adopted by GSM uses the
ACELP (Algebraic Code Excitation Linear Prediction) compression
technology. This technology allows for much greater voice quality in the
same number of bits as the older Full Rate CODEC. The older technology
was called LPC-RPE (Linear Prediction Coding with Regular Pulse
Excitation). Both operate at 13 kilobits. (But you take up more space on
the network, so they can charge you more.) - Talk-time is reduced by
about 5%.

Half Rate will give you bad sound quality, which gives the service
provider the opportunity to have more calls on the network, and you
might get a lower charge from them.
- Will give you 30% longer talk-time.

-------------------------------------------------
Nokia GSM Codes (Most will work on any GSM phone)
-------------------------------------------------

Call Diverting

ALL CALLS
  To Activate: * * 21 * NUMBER # [SEND]
  To Cancel:   # # 21 # [SEND]
  To Check:    * # 21 # [SEND]

Time Delay
  To Activate: * * 002 * NUMBER * * (Wait 5 to 30 Secs) # [SEND]
  To Cancel:   # # 002 # [SEND]
  To Check:    * # 002 # [SEND]

Conditional
  To Activate: * * 004 * NUMBER * * (Time 5 to 30 Seconds) # [SEND]
  To Cancel:   # # 004 # [SEND]
  To Check:    * # 004 # [SEND]

NO ANSWER
  To Activate: * * 61 * NUMBER * * (Time 5 to 30 Seconds) # [SEND]
  To Cancel:   # # 61 # [SEND]
  To Check:    * # 61 # [SEND]

UNREACHABLE
  To Activate: * * 62 * NUMBER # [SEND]
  To Cancel:   # # 62 # [SEND]
  To Check:    * # 62 # [SEND]

ENGAGED
  To Activate: * * 67 * NUMBER # [SEND]
  To Cancel:   # # 67 # [SEND]
  To Check:    * # 67 # [SEND]

TO CANCEL ALL CALL FORWARDING
  # # 002 # [SEND]


Call Barring

BARRING ALL OUTGOING CALLS
  To Activate: * 33 * BARRING CODE # [SEND]
  To Cancel:   # 33 * BARRING CODE # [SEND]
  To Check:    * # 33 # [SEND]

BARRING ALL OUTGOING INTERNATIONAL CALLS
  To Activate: * 331 * BARRING CODE # [SEND]
  To Cancel:   # 331 * BARRING CODE # [SEND]
  To Check:    * # 331 # [SEND]

BARRING ALL OUTGOING INTERNATIONAL (except to home country) CALLS
  To Activate: * 332 * BARRING CODE # [SEND]
  To Cancel:   # 332 * BARRING CODE # [SEND]
  To Check:    * # 332 # [SEND]

BARRING ALL INCOMING CALLS
  To Activate: * 35 * BARRING CODE # [SEND]
  To Cancel:   # 35 * BARRING CODE # [SEND]
  To Check:    * # 35 # [SEND]

BARRING ALL INCOMING CALLS WHILST OUTSIDE HOME COUNTRY
  To Activate: * 351 * BARRING CODE # [SEND]
  To Cancel:   # 351 * BARRING CODE # [SEND]
  To Check:    * # 351 # [SEND]

BARRING ALL CALLS
  To Activate: * 330 * BARRING CODE # [SEND]
  To Cancel:   # 330 * BARRING CODE # [SEND]
  To Check:    * # 330 # [SEND]

BARRING ALL OUTGOING CALLS
  To Activate: * 333 * BARRING CODE # [SEND]
  To Cancel:   # 333 * BARRING CODE # [SEND]
  To Check:    * # 333 # [SEND]

BARRING ALL INCOMING CALLS
  To Activate: * 353 * BARRING CODE # [SEND]
  To Cancel:   # 353 * BARRING CODE # [SEND]
  To Check:    * # 353 # [SEND]

CANCELLING ALL CALL BARRING
  # 330 * BARRING CODE # [SEND]

Call wait/hold
  To Activate:   * 43 # [SEND]
  To Deactivate: # 43 # [SEND]
  To Check:      * # 43 # [SEND]

Call Line Identity (CLI)

OUTGOING
  To Activate:   * 31 # [SEND]
  To Deactivate: # 31 # [SEND]
  To Check:      * # 31 # [SEND]

INCOMING
  To Activate:   * 30 # [SEND]
  To Deactivate: # 30 # [SEND]
  To Check:      * # 30 # [SEND]

Diverting fax/data calls

Data Calls

No Reply
  To Activate:     * * 61 * NUMBER * 25 # [SEND]
  To Cancel:       # # 61 * 25 # [SEND]
  To Check Status: * # 61 # * 25 # [SEND]

Time Delay
  To Activate:     * * 61 * NUMBER * 25 * (Time 5 to 30 seconds) # [SEND]
  To Cancel:       # # 61 # * 25 # [SEND]
  To Check Status: * # 61 # * 25 # [SEND]

Unreachable
  To Activate:     * * 62 * NUMBER * 25 # [SEND]
  To Cancel:       # # 62 # * 25 # [SEND]
  To Check Status: * # 62 # * 25 # [SEND]

BUSY
  To Activate:     * * 67 * NUMBER * 25 # [SEND]
  To Cancel:       # # 67 # * 25 # [SEND]
  To Check Status: * # 67 # * 24 # [SEND]

Unconditional
  To Activate:     * * 21 * NUMBER * 25 # [SEND]
  To Cancel:       # # 21 # * 25 [SEND]
  To Check Status: * # 21 # * 25 # [SEND]


FAX

No Reply
  To Activate:     * * 61 * NUMBER * 13 # [SEND]
  To Cancel:       # # 61 * 13 # [SEND]
  To Check Status: * # 61 # * 13 # [SEND]

Time Delay
  To Activate:     * * 61 * NUMBER * 13 * (5 to 30 seconds) # [SEND]
  To Cancel:       # # 61 # * 13 # [SEND]
  To Check Status: * # 61 # * 13 # [SEND]

Unreachable
  To Activate:     * * 62 * NUMBER * 13 # [SEND]
  To Cancel:       # # 62 # * 13 # [SEND]
  To Check Status: * # 62 # * 13 # [SEND]

Busy
  To Activate:     * * 67 * NUMBER * 13 # [SEND]
  To Cancel:       # # 67 # * 13 # [SEND]
  To Check Status: * # 67 # * 13 # [SEND]

Unconditional
  To Activate:     * * 21 * NUMBER * 13 # [SEND]
  To Cancel:       # # 21 # * 13 # [SEND]
  To Check Status: * # 21 # * 13 # [SEND]

Retrieve IMEI:
  *#06#

-------------------------------------------------
Nokia Service Provider Fone Lock
-------------------------------------------------
SP Lock is used by Service Providers who want to lock the cellular phone
to a specific network. The reason for doing this is so that the phone
will only be used on their network and hence they make more money out of
you.

How to check for SP Lock and remove it if you know your master code:
--------------------------------------------------------------------
All Nokia phones (2110 and newer) have four different SIM locks which can
be used to lock the phone for up to 4 different providers. But most phones
with restriction only have one lock activated (lock 1).

Note: To get the "p" and "w" symbols, simply push the "*" key 3 and 4
times respectively.
  #pw+(master code)+Y#

  #pw+1234567890+1# for Provider-Lock status
  #pw+1234567890+2# for Network-Lock status
  #pw+1234567890+3# for Provider(???)-Lock status
  #pw+1234567890+4# for SimCard-Lock status

(master code) is a 10 digit code, based on the phone's IMEI and the
service provider number.

Warning: If you use a code other than the master code "1234567890"
the phone will report an error. If you do this more than 10 times you
will get a display reading "Not Allowed". If you get this there appears
to be no way to get rid of it, and you must take your phone to a Nokia
repair centre. Your phone will still work, it just cannot be unlocked
from that network provider.

Allrighty then. That's enough of the Nokia...

Ericsson 337/388
----------------
Press Right then * then Left Left * and Left * one more time. (This lets
you view the software version, date etc.)

Ericsson 628
------------
*#0000# (Resets Menu Language to English)
Press Right * Left Left * Left * (This lets you view the Software Ver)
Press Right * Left Left * Left * Right (This lets you read all the
programmed texts)
Press Left * * Left then wait for 3 seconds (This lets you view the
phone network lock status)

Ericsson 688
------------
Press Right * Left Left * Left * CLR (This views the Software Ver)
Press Right * Left Left * Left * Right
(This lets you check the phone's 1-row text programming)
Press Right * Left Left * Left * Right Right (This lets you check the
phone's n-row text programming)

Ericsson 788
------------
Press * Right * Left Left * Left * (This views the Software Version)
Press * Left Left * (This gives you the Service Provider Lock)

Ericsson 888
------------
*#06# (This gives you the IMEI)
Press * Right * Left Left * Left * (This views the Software Version)
Note: This code also shows the version of the Infrared driver software
and text labels.

--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
          .ooO A Guide to Securing RedHat Linux 6.0 by wyze1 Ooo.
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

A lot of people out there are raving about RH6, why exactly, I don't
know, but they seem to think it's just great. ;P So, for lack of any
hope of getting these people to start using *BSD or Solaris, I have
designed a guide to securing Red Hat Linux 6.0 which covers all known
problems up to date, although it doesn't really tackle other issues.

Now, go to ftp://update.redhat.com and download the source for the new
kernel supplied by RedHat for RH6 systems (2.2.5-22).
Then, go and
download the information on the Linux 2.2.x ICMP DoS that causes Kernel
Panic - search Geek-Girl's BugTraq archive for it.
Apply the patch to fix this vulnerability. Now, recompile the Kernel,
look in /usr/doc/HOWTO/Kernel-HOWTO if you don't know how.

Now there haven't been any SUID vulnerabilities discovered in RH6 yet,
but you probably don't want any just in case. You can nuke the lot of
them simply by typing "chmod a-s -R / &". You may find some you want
to re-SUID, like mount, but you probably won't need that many.

Now, let's play with the Alt+SysRq Kernel hack, one of the nicest things
about the new 2.2.x Kernel series. This hack allows you to press Alt,
SysRq (Print Screen) and a Hotkey to perform various different tasks
even when the system is not responding. You can press Alt+SysRq+K to
kill all processes on the vterm you are using, or Alt+SysRq+M to dump
memory information onto the screen and a whole bunch of other really
neat things - none of which we are looking at in detail now, except for
the one that makes the difference for security - Alt+SysRq+1-9. This
hack determines how much of the kernel mumblings are logged. Having a
lot of mumblings logged is generally quite nice, or, you can keep it at
1 or something and just jack it up when you need to. ;)

Ugh. RedHat 6.0 has a stupid PAM'erized su. If you give the correct
password to it, you become superuser immediately, and if you give the
wrong password, there is a full one second delay before it tells you the
attempt failed and logs the attempt. During this period, you can press
Ctrl+Break to stop su and nothing will be logged, making it easy for
some-one to brute-force the root password. Nuke su. It's a dumb program
and I don't like it anywayz. ;)

I hope you're not running X-Windows, but if you are, be sure to fix a
few critical permissions in the UNIX 98 PTYs which could give you
trouble by typing chmod 600 /dev/pts/*

RedHat 6.0 also fucks up the permissions on the CD-ROM drive. A minor
problem, but worth fixing anyway - Think of backups. Cat your /etc/fstab
to see where your cdrom drive is and then chmod 600 /dev/whatever

If you use KDE, and more specifically if you use K-Mail, then you are
vulnerable to a silly symlink problem. Nuke K-Mail, Don't use K-Mail, or
if you are a COMPLETE loser and you *really* want it, d/l the fix from
ftp.kde.org/pub/kde/security_patches/kmail-security-patch.diff

I think the ipop2d on RH6 is vulnerable to a remote buffer overflow
exploit that produces a shell as user "nobody". I'm not sure, but if yer
running an ipop2d yer a loser anyway, so who cares. ;)

Now you should have a quasi-secure lame Linux box that is hopefully a
bit less lame than when you started. This text only really covers what
silly security problems need to be fixed, not common sense stuff. If
you are new to *nix then you should get the Linux Administrators
Security Guide from www.seifried.org/lasg - but not even that can
completely teach you common sense. Make sure to close unwanted ports by
checking your /etc/inetd.conf and preparing users' home directories
properly, ie. like this...

  cd /home/redneck                # Go to the home directory
  chattr +a .bash_history         # Make history append only
  chown root.root .bash_profile   # Make profile unmodifiable
  chown root.root .bash_logout    # Make logout unmodifiable
  chown root.root .bashrc         # Make bashrc unmodifiable

There is a wealth of stuff you can do to make your system much more
secure, but I'm not going to go into any of that right now.
There are already too many lame guides to generic Linux security, and I don't feel like making another one. Later.

--=====--
* Kat (guy@inside.thematrix.za.net) has joined #hack
Guy... do you want to know... what... the matrix is?
WELL I WONT TELL YOU, YA DUMB LITTLE FUCK!#%!$^%! THEY SAID I COULD HAVE A TALK SHOW, BUT NOOOOOOOOO, I HAVE TO BE IN A SCI-FI AND WEAR THIS G00FY TRENCHCOAT!^%$#^$!#%$ I HATE YOU ALL DAMNIT!#%@%^$#
*sigh*
* wyze1 sets mode: +o Kat
--=====--

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
               .ooO RedHat 6.0 LILO PAM Filter Workaround Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

OK well I suppose I've put off writing this for long enough.

Background:
===========

The most commonly known hack on the planet has just gotten interesting. It seems that Redhat 6.0 has become uncommon in the stability of previous versions. Please note that this is not a hack in the script kiddy sense of the word. It will not gain you access to your best friend's porn files, it will not let you read some girl you like's e-mail, and it will not let you pass school (Thank God, I think you guys should stay off the streets, it's safer for you.)

Technical Background:
=====================

Linux uses a boot loader called Lilo. Lilo, if you read the man page you will notice this, actually has many other options over the regular "boot dos/linux" option. An easy hack on the system could be accomplished by having hands-on access to the machine you want to break. Reboot the machine and at the lilo prompt type "$linux s" where $linux is your kernel name.
This logs you in as a single user; from here you can edit the /etc/passwd file at will, and then log in properly.

PAM Workaround in RH 6.0:
=========================

It seems that there is some instability in PAM in RH6, either intentionally or totally stupidly. All attempts to simply remove the root password will fail. To get around this:

1) Adduser r00t
2) Change pid and gid of r00t to 0:0
3) Change passwd

Exit single user mode, and login as r00t.

Note: You must do it like this, because if you just try to get rid of the root passwd, PAM GOES WILD. It's so easy it scares me.

Bitches and gripes:
===================

I finally understand the exponential growth in scripties. It struck me the other day. The Old Skool of hacker grew up on DOS/UNIX/etc.... playing around with demos etc... They learnt the hack. Now we have this front end Win hanging around 90% of households, and stagnating education. The front-end will be the death of real hackers.... Beware, the next generation will be the HaX0r........ I am not a scripty, I just wanted others to understand them.

--=====--
sektorgrl, no one likes you
leave.
no.
jsbach likes me :(
brb.
SEE
that's one person
so nyah
--=====--

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
        .ooO Java Personal Webserver 0.9 Denial of Service by wyze1 Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

The Java Personal Webserver 0.9 by Clay Lenhart (available from Tucows) is a freeware webserver written entirely in Java. It features on-screen logging and implements only the GET and HEAD functions.
(HTTP 0.9)

This bug was tested on a Windows 98 box with JDK 1.1.1 and it worked fine. I was going to test it on another Win98 box with JDK 1.2.1, but the fucking program decided to break (the author hasn't ported it to Java 1.2 yet). It has not been tested on a Unix box because we refuse to run Japan's Secret Weapon, aka. XFree86, on any box we wouldn't want Satan to possess. If some-one else wants to test it and tell us what happens, feel free.

Okay, so what's the problem? By connecting and typing GET followed by a couple of thousand characters (3000 for every 32mb of RAM on the system sounds about right) the system will become low on memory and the Java Virtual Machine will start whining about stuff like..

    java.lang.OutOfMemoryError:                           <== Type of error that occurs when
            at ConnectionThread.readCommands(wyze1.java:521)  <== Reading GET
            at ConnectionThread.run(wyze1.java:344)           <== And Executing GET

Right, so the VM has decided the system is low on memory. Thus the VM Garbage Collector will run on a thread with full priority. Okay, a bit of background for non-Java coders is required: unlike other languages, you don't have to kill objects once you are finished with them; the Garbage Collector does it for you when there are no further references to the object. The GC can be called manually, and will also run automatically when it feels like it, and with full priority if the system is low on memory - like it is now. ;)

So, the Garbage Collector looks around for threads to kill, and alas, it can't find any, so it just stops anything more being written to the editable textbox in the centre of the window, regardless of the fact that that's where our logging would be if it still worked. =P
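An added example, in Python rather than the webserver's Java and not the author's code: the request line read two ways, an unbounded reader that behaves like the server described above beside a capped one that refuses the flood. The cap, the 3000-character sample flood and the verdict strings are constructed here.

```python
"""Added example (Python, not the Java webserver's code): the request line
read two ways.  The unbounded reader behaves like the server above and keeps
growing its buffer for as long as the client sends; the bounded one stops at
a cap and the handler answers with an error instead of running out of memory.
The cap, the sample flood and the verdict strings are constructed here."""
import io

MAX_REQUEST_LINE = 1024   # bytes; an HTTP/0.9 "GET /path" is far shorter


class RequestTooLong(Exception):
    pass


def read_line_unbounded(stream):
    """Append until newline or end of input.  A flood of thousands of bytes
    with no newline is stored in full; enough of it (or enough connections)
    is what drove the JVM to OutOfMemoryError."""
    buf = bytearray()
    while True:
        ch = stream.read(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf)


def read_line_bounded(stream, limit=MAX_REQUEST_LINE):
    """Same loop, but give up as soon as the buffer reaches the cap; the rest
    of the flood is never read, let alone stored."""
    buf = bytearray()
    while True:
        ch = stream.read(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            break
        if len(buf) >= limit:
            raise RequestTooLong("request line exceeds %d bytes" % limit)
    return bytes(buf)


def parse_simple_request(line):
    """HTTP/0.9 simple request, 'GET /path' (HEAD too, as this server takes
    it).  Returns (method, path) or None."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] not in (b"GET", b"HEAD"):
        return None
    return parts[0].decode("ascii"), parts[1].decode("ascii", "replace")


def handle(stream, limit=MAX_REQUEST_LINE):
    """One connection with the fix the article asks for: cap the input and
    catch the error.  Returns (verdict, path) for the caller to log."""
    try:
        line = read_line_bounded(stream, limit)
    except RequestTooLong:
        return ("too_long", None)
    req = parse_simple_request(line)
    if req is None:
        return ("bad_request", None)
    return ("ok", req[1])


def demo():
    """Constructed inputs: a normal request, a non-GET, and the flood the
    article describes (GET plus 3000 characters and no newline)."""
    flood = b"GET " + b"A" * 3000
    stream = io.BytesIO(flood)
    try:
        read_line_bounded(stream)
    except RequestTooLong:
        pass
    return {
        "normal": handle(io.BytesIO(b"GET /index.html\r\n")),
        "post": handle(io.BytesIO(b"POST /x\r\n")),
        "flood": handle(io.BytesIO(flood)),
        "unbounded_buffered": len(read_line_unbounded(io.BytesIO(flood))),
        "bounded_left_unread": len(flood) - stream.tell(),
    }
```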
Fixing the error should be fairly simple - the only reason I didn't do it myself is because that would require porting the app to Java 1.2 and that is just TOO much work. ;) However, should the app be ported to Java 1.2, the bug could be fixed by using JFC/Swing instead of AWT and making the textbox a Label. Then, the user input should be limited to a certain number of characters, and errors caused by too many chars in the user input should be caught.

You will find the exploit for this vulnerability in the lame-java-c0de directory of this issue if you want. Have fun!

--=====--
g1bb0r mE s1bb0rs3ckz
Okay. *uNf*
ta
--=====--

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
              .ooO Ripping off your local Arcade by Terabyte Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

Ever wondered why arcades try and rip you off? Cause they suck, that's why. Well, if you're lucky enough to have a few pinball machines at the next arcade, try this and yer sure to have loads of fun.

On the right hand side under the pinball machine, there should be a little switch (scratch around for it). Next, flick the switch - don't be alarmed, the machine will turn off - but turn it back on again (by flicking the switch again) holding both the flickers, and voila, a test credit. hehe, enjoy!

Another bug which came up with some machines is: you remember that ball game where u throw the balls into certain hoop-like places and got tickets? weeeelllll, here is how you can get those wooden balls without dishing out that cash.
First check if any cameras or guards are nearby; if there are any, don't do it, this is way too risky. On the right hand side, if you put your hand underneath the machine you should feel some wires, then not long after you should feel a hook-like thingy; pull it and keep it down and voila, 'bout 6 balls will come down like magic!!

One more trick that might come in handy when u have none of those precious tokenz left. First of all find a Ridge Racer type game, hence it must be a 1 player only; second, a gun type game like Time Crisis. Under each of these machines lies at least 5-10 tokenz per machine, as there is sumthing wrong with the design and Magic Company tokenz tend to fall out when it gets full, so scratch around and hopefully be lucky today.

Till next time,
TeRaByTe

Tera Sends Greetz to: Hen-i, Depach and Ukj

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
                .ooO Linux/FreeBSD IP Firewalling by jus Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

In FK3 Vortexia described "the poor man's firewall", that is tcp wrappers, and how to set them up and use them as basic protection against unwanted connections. The next step is to make use of Linux's ipfwadm or fBSD's ipfw to set up a proper firewall to automatically block out potential attackers and keep certain services only available to your LAN (i.e. SQUID).

Most generic or standard *nix kernels should have firewalling compiled in; if not, you will get errors when trying to use ipfw/ipfwadm. Just rebuild your kernel to include firewalling.

OK, to set up firewall rules under linux "ipfwadm" is used.
"man ipfwadm" :: :: will give some further insight as to what can be done with this tool, :: :: we're gunna focus on just keeping incoming connections where we want em :: :: :: :: Typing ipfwadm -I -l will give you a list of current firewall rules in :: :: their order, you will most likely have nothing there. Lets try something :: :: simple first, like block off your ftpd to all but yourself :) :: :: :: :: ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 21 will disallow all :: :: connections from anywhere to port 21. Even from 127.0.0.1, so if you :: :: want to be able to connect to your own ftpd you need to add a rule to :: :: allow 127.0.0.1 though. If you are on dialup and get a dynamic IP, fill :: :: in 0.0.0.0/0 in place of "yourip". :: :: :: :: Note, if you are working on a machine remotely and firewalling it, you :: :: could lock yourself out accidently. Then your screwed, so place a rule :: :: in your firewall to allow connections from a trusted host at all times, :: :: ie ipfwadm -I -i accept -P ip -S 196.23.2.14 -D yourip. That will allow :: :: all types of connection to all ports from host 196.23.2.14. Note that it :: :: is not always good security practice for your firewall to explicity trust:: :: any box! :: :: :: :: Remember that the firewall runs down the list of rules until it meets a :: :: match with any connection attempt, so rule 1 will have preference over :: :: rule 2, etc. Place your rules accordingly. Lets say you wanted to allow :: :: access to SQUID on 3128 to only your LAN (which owns 196.34.23.*) but :: :: not to any else out there. :: :: :: :: ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 3128 :: :: ipfwadm -I -i accept -P tcp -S 196.34.23.0/24 -D yourip 3128 :: :: :: :: Easy huh? Use -a instead of -i to add a rule at the end of the rules :: :: chain instead of at the front. :: :: :: :: Under fBSD its even simpler using ipfw. "ipfw list" will give you a list :: :: of currently existing rules. 
More than likely there is nothing except the last rule, which allows all traffic through. ipfw allows us to specify a number for each rule that's created, making it easier to work with rules' order of preference. To add a rule like above for the ftpd, type ipfw add 1000 deny tcp from any to youripgoeshere 21. That will disallow any connections to your ftpd. The "1000" is the rule number; use ipfw list to decide an appropriate number, but remember you have all the numbers available down to approx 65k :)

Similarly, the SQUID setup as above is done by using a rule to block all access to port 3128, and then a rule before that to allow access from our subnet. ipfw add 500 deny tcp from any to youripgoeshere 3128 disallows all connections, and ipfw add 450 allow tcp from 196.34.23.0/24 to youripgoeshere 3128 will allow connections from our subnet 196.34.23.0/24.

RTFM for more. -jus

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
               .ooO Windows Backdoor Stupidity by wyze1 Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

In this issue, for humour's sake if nothing else, I thought I'd look at some of the hardk0re things we have to do to detect a new wave of ereet Windoze backdoors. Yes, inspired by 'doze kiddie backdoor mentality and fueled by the urge to spread the stupidity even further, there are now a whole bunch of really phjeerphull new tr0janZ available! w00p!

Let us start by looking at Masters Paradise Trojan by Overlord. As always, like gewd kiddies we view the README first.
Comments in <>

----------------------------- shnip ------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MASTERS PARADISE TROJAN v.1.2
(WIN 95/98)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(c) Overlord 7/18/1998

OVERVIEW: This is an add on for Masters Paradise (MP). MP lets you control someone elses computer when they're on line: see whats on their screen, download their files, get their passwords all secretly. But therez a catch....

You gotta know their IP (easy enuf, thru ICQ, IRC, recent emails, etc.). You also gotta have them running a TSR ('the agent') on their computer (more difficult).

This is where Masters Paradise Trojan comes in. This is what it does:

WHAT THE TROJAN DOES: Helps you get the agent to their computa, while lookin real innocent.

WHAT THEY SEE: You just send them the icqcrk.zip (the trojan) file, saying its a cool ICQ utility. They run it - but it just comes up with a heap of errors and drops out. Dang! Isn't it always the way with good games.

WHAT REALLY HAPPENZ: Unknowingly to them, there were no real error - just looked like that. The trojan has copied the agent over to their /windows/system directory. Executed itself, so it is running. Set its attributes so it can't be found. Set up stealth protections so it can't be deleted. And last and most importantly, modified win.ini so that it loads whenever they turn on their computa any time in the future. Now, whenever they are on the net, they are YOURS!

STEALTHINESS: The trojan will not show up anywhere as loading, not in the in box, not the startup menu, not anywhere! The only way you can see if it is running is if you go CNTRL-ALT-DEL, you will see two copies of 'Explorer' running. One of these is the backdoor to their computer.
The only other way they could find it is by checking through their win.ini file, and seeing 'explorer' getting auto loaded. But that looks innocent enuff, i bet????

KNOWN PROBLEMS:

1/ If you got the trojan on your computa, it is VERY hard to get it out. You would have to edit win.ini and remove any refs to explorer.exe, then reboot and then delete explorer from windows/system.

2/ This will only work if they have set up Windows in the default directory (/Windows).

3/ Will not work in Win 3.1, etc. Only Win 95 and greater.

4/ I notice sometimez the trojan works real slow (about 10 seconds to do its job). But still probably believable enough.

VERSIONS
v.1.2 Now pretends to be an ICQ utility. Works even from floppy drive now, and wipes itself out after installing.

v.1.1.1
- Now installs to c:\windows\system rather than \windows in drive where go.exe is located.

v.1.1
- More Stealthy. Does not just send the agent to startup menu, but modifies win.ini to load itself real invisibly.

- No longer pretends to be a Tic Tac Toe program. Now, you can send it to someone saying it is anything (you can change the name from gamer.exe to hackutil.exe if you want). Just comes up with a fake error anyway.

- Have changed the Pascal compiler so Thunderbyte doesn't give warnings any more.

OVERLORD - www.cyberarmy.com
----------------------------- shnip ------------------------------------

Cool! I want a leet ICQ utility too! So, I unzipped icqcrk.zip, and saw icqcrk.exe, verchk.dat, icqcrk.gif and pc.nfo - let me just extract the EXE and run it.

---snip---
3l33t Haxors Suber-Duber-Patcher 1.6
Copyright (c) Haxor, Inc 1995
ICQ ANTI-INVISIBLE Patch 1.01
By Captain America, 7/13/1998.

Please Wait for version verify .....
File not found - verchk.dat                        <== That error shouldn't be there
File not found - icqcrk.gif                        <== Gee, nor should that one
File not found - c:\windows\system\explorer.exe    <== *AHEM*
Bad command or file name                           <== This is the Stealth in Action. Ph34r.
File not found
File not found
File not found
File not found
File not found

ICQ version verified OK
Patching ICQ...
Patch was successful...                            <== Patching WHAT? I don't *have* ICQ. ;)
---snip---

Ummmm... Ummm... I'm confused. This Trojan is too Hardk0re for me. I think it's best that we move onto the next trojan - Frenzy! The uberelite new backdoor available from The Trojans Lair

WoAH! DiS GuY DCC'd mE xXx-WaReZ.eXe, bUt eYe hAvE mAd RiGhT-CliCK SkiLLz dAt hE wILL Ph34r!@#@#@$#$

Company Name:
Internal Name: Server
Product Name: Server
Original Name: Server.exe

Nope. Nothing that looks at all suspicious there. Damn. This guy is damn good. But wait! I know! I will run it through strings!

-= drew@kung-fusion =- strings xXx-WaReZ.eXe

Hmmm... still nothing suspicious. Only twenty-something stamps that say "Server", but that sounds normal enough. Then there was that other one that was stamped in there about 15 times that said...

C : \ W I N D O W S \ D E S K T O P \ M Y F O L D ~ 1 \ P R O J E C T S
\ T R O J A N \ T R O J A N . V B P

But there is nothing suspicious about that either. Fuckit. This guy is too good for me. I give up.

*SiGH* I weep for the lost generation of VB Backdoor Coders.

--=====--
sektie: word has it, you give good head.
Was I informed incorrectly?
ph1x: word has it, youre a homo :\
du0d
<_ad> HEH
DO NOT SEXUALLY HARASS ME
yah no sexual harassment in here
ok?
--=====--

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
            .ooO A Study of the CyberTrade Extranet by wyze1 Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

Beltel, a place very much alive with hacker activity, has been shut down by Telkom because of supposed Y2K compliance problems. Banking info is now sent through a system dubbed "CyberTrade", which two of the four major banks in ZA have joined. CyberTrade is simply an Extranet, which gives banks facilities to do electronic money transfers etc., should they be too lazy (or stupid) to create their own.

The fact that only 50% of the major South African banks have joined shows that there will be a great deal of fragmentation in the online banking scene from now on, and that not everyone is about to fork out the cash to CyberTrade for something they can do themselves. By taking a closer look into the architecture of the CyberTrade Extranet, I concluded that it appears that the banks who aren't joining have the right idea.

Beltel, despite being commonly exploited, had the advantage that a third party could not retrieve any information by sniffing a legit. user in any way other than physically tapping their phone. Because CT is just a simple extranet, a minor security flaw in one host could lead to a compromise of the entire South African banking industry, due to CT's feeble-at-best attempts at encryption.

The moral of the story: Online banking thru CyberTrade == Stupid

--=====--
Woah! It says that L0phtcrack will let me Sniff Crack Faster
I wonder how much crack I can sniff with that?
--=====--

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
               .ooO Telkom Identicall Glitches by wyze1 Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

Telkom's new Identicall system has been the bane of hackers and fone phreaks everywhere since its release, and has been a huge leap in terms of new developments for Telkom and its subsidiaries. Last issue, we covered a system which allows partial anonymity through dialing *31* before the number you want to call, but after the release of Issue Six, Telkom decided to make this a pay-for service. =(

This for me was the final straw in a chain of events between our good friends at Telkom and the members of Posthuman. It started with them importing six TEMPESTs for monitoring the Jhb 2600/Posthuman meets as well as the editors of Forbidden Knowledge, and now has moved on to things like making Caller-ID restriction a pay-for service just because it was published in a HPA e-zine. So, here it is - how one can completely work around not only Identicall, but all conventional tracing methods implemented by Telkom. Oh, and get this, it's for FREE! And to our friends at Telkom and the SAPS CCU - get a life! We are just writing a fucking E-ZINE for god's sake!

Telkom bought their IdentiCall technology from some or other German telecommunications giant, I'm not sure exactly which one - perhaps a few of our German readers will be able to find out - but nevertheless, this system had only been tested on the newer exchanges supplied by this company, and the South African telephone network is largely a hybrid of old and new exchanges.
As a result, unknown to Telkom (relatively speaking of course; if you are reading this anything after 3 days after its release, they will be aware of this), Identicall on all Pulse (non-DTMF) exchanges does not function properly. It works to an extent, in that if your number is +27116848012 it will show as +2711684 - but that is it. Furthermore, dialing 101999 on these telephones will not produce any results, proving that ALL conventional tracing methods are shot to hell. For Telskum to trace you, some-one physically has to go through pages and pages of information trying to manually find you, and this method is both too expensive and tiresome for Telkom to actually pursue it lest they have a *really* good reason to do so.

So, if you've been complaining about being on a pulse exchange for your entire life, whining about how slow data transfers are, and begging Telkom to upgrade you to a digital exchange - now is the time to stop. It may just be a resource worth keeping. ;)

--=====--
how do you telnet to a ssh?
--=====--

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
        .ooO Making Free Calls from Blue Payphones by Cyberware Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

Well, I got this article in BMP format from Cyberware, and I was too lazy/dumb to report this in something resembling English, so I just chucked it in this issue as phreak.jpg - apologies for the slight image deterioration, but as a BMP it was just too damn huge. Oh yeh, not to mention apologies for not fixing Cyberware's spelling and grammar - he's Afrikaans and all. ;) Regardless, it's quite a neat trick, and hopefully it will be useful to you -- Enjoy!

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
                           .ooO Next Issue Ooo.
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

The next issue will be released approximately whenever-I-feel-like-it. That should be some time in October - just watch HNN for details. The official Forbidden Knowledge mirrors are listed below.

    Posthuman Systems cc   -=- www.posthuman.za.net
    PacketStorm Security   -=- Down - Thanks JP you Fucking Idiot
    The E-Text Archives    -=- ftp.etext.org/pub/Zines
    The HackerZ Hideout    -=- www.hackersclub.com/km

Well, thanks to all of the people who helped make this issue better by contributing articles or otherwise showing their support - and to the people who could write stuff for us but haven't - WHY NOT?! Hurry the fsck up already! ;-P

How Now Brown Cow /-=-/ Now Brown How Cow /-=-/ Who Then Now Bitchez

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::