|---------------------------------------------------------------------------|
|         -=[ United Hackers Association 1 - Magazine, Issue IV ]=-         |
|                             November 01, 1998                             |
|  E-Mail             : uha1@gmx.net                                        |
|  Homepage           : http://come.to/UHA                                  |
|  Editor of Magazine : br0therX ----> br0therX@gmx.net                     |
|---------------------------------------------------------------------------|

--->>> THIS IS ISSUE FOUR (4) !!!

                        Best viewed with the DOS-Editor

|------------------------------------------------------------|
| Get the United Hackers Association Magazine for            |
| FREE into your E-MailBox! Go to our Homepage and select    |
| "Subscribe UHA Newsletter" or subscribe direct:            |
| http://uha1.listbot.com                                    |
|------------------------------------------------------------|

If you want, post this text on Homepages/BBS/Ftp/Newsgroups etc. It's free,
but please don't change anything without our permission!!

WE ARE NOT RESPONSIBLE FOR ANYTHING YOU DO WITH THIS TEXT FILE OR ANY TROUBLE
YOU GET INTO, OUR ISP OR ANYWHERE ELSE THIS TEXT FILE IS HOSTED WILL NOT BE
RESPONSIBLE EITHER.

---====|DO VOTE FOR US ON OUR PAGE TO KEEP OUR MAGAZINE GOING ON!|=====---

Index :
=======
 1. Back Orifice Clones - The Alternative Way             (by VENOMOUS)
 2. An Introduction to IRC Colliding                      (by B|uSmurf)
 3. Getting the real host address in IRC                  (by br0therX)
 4. 13 tiny bytes to show the huge sillyness              (by bt398)
 5. Basic TCP/IP Components                               (by br0therX)
 6. What is a T-1 ?                                       (by br0therX)
 7. Cracking WebPages for the whole family -or-
    Webmaster change your Permissions!                    (by br0therX)
 8. Back Orifice Remove/Detect                            (by Rob|nsonLaw)
 9. ICQ-EXPLOIT                                           (by ÉÅZ¥ MÖÑÉ¥)
10. How to crack Winamp Registry                          (by -=[Trashman]=-)
11. HOW TO MAKE A RED BOX                                 (by -=ÉÅZ¥ MÖÑÉ¥=-)
12. Hacking & Security Holes in conseal Pc Firewalls-#1   (by the ÉÅZ¥ MÖÑÉ¥)
13. KILLING PHONE LINE$                                   (by the ÉÅZ¥ MÖÑÉ¥)
14. Connecting to SprintNet/...etc from Canada            (by KungFu Monkey)
15. Tracing Someone                                       (by Zer0 Baud)
16. Rootshell Defaced
17. Shout out's

Founder of UHA       : the file ripper
Editor of Issue (IV) : br0therX
Vice of UHA          : [-=RobinsonLaw=-]

==============================================================
| If you want to publish one of your texts in our Magazine,  |
| just mail us your text to : br0therX@gmx.net               |
|                                                            |
| All texts are welcome!                                     |
==============================================================

!!IMPORTANT!!
--> If you have any QUESTIONS, please don't mail the authors,
--> just go to our Homepage and post a message in our BBS!!!
--> If you have any COMMENTS on this Magazine,
--> please MAIL them to br0therX@gmx.net -thanx-
!!IMPORTANT!!

We can manipulate you however we want. We can read and change your personal
data. We can take your identity. Kill your existence. We can come near to you
from everywhere in the world. You can't escape!
                                -by the file ripper [Prezident/Founder of UHA]

------------------------------------------------------------------------------
|                                                                            |
| "Click, hum, click, hum, click, hum.                                       |
| A low level supervising program woke up a slightly higher level            |
| supervising program deep in the ship's semi-somnolent cyberbrain and       |
| reported to it that whenever it went click all it got was a hum. The       |
| higher level supervising program asked it what it was supposed to get,     |
| and the low level supervising program said that it couldn't remember       |
| exactly, but thought it was probably more of a sort of distant satisfied   |
| sigh, wasn't it? That it was all it was getting. The higher supervising    |
| program considered this and didn't like it.                                |
| It asked the low level                                                     |
| supervising program what exactly it was supervising and the low level      |
| supervising program said it couldn't remember that either, just that it    |
| was something that was meant to go click, sigh every ten years or so,      |
| which usually happened without fail. It had tried to consult its error     |
| look-up table but couldn't find it, which was why it had alerted the       |
| higher level supervising program to the problem. The higher level          |
| supervising program went to consult one of its own look-up tables to find  |
| out what the low level supervising program was meant to be supervising.    |
| It couldn't find the look-up table. Odd."                                  |
| taken out of:                                                              |
| "Douglas Adams, Hitch Hiker's guide to the galaxy: Mostly Harmless"        |
|                                                                            |
------------------------------------------------------------------------------

===================================EOT========================================

1. Back Orifice Clones - The Alternative Way
============================================
by VENOMOUS
October 1998
[The Alliances Group]

Clones are essential tools for channel takeovers on IRC. As IRC bots get
Making clones on the same server is quite hard these days. One of the popular
ways of making clones is using wingates or socks. Scanning for an available
socks or wingate can be frustrating. When you find one, someone might be using
it. There is another way to do it. Use Back Orifice.

First you have to get some tools. I would suggest getting the Back Orifice
pack and WakoFloodBots. (Don't ask me how to get them)

Now the steps.
==============
Sweep for a list of BO infected or join #bo_owned. Open another BOGUI side by
side of the first one to redirect the infected IPs. Insert the infected IP
(e.g. 192.168.0.3) into the target host text box and, using the redir function
in BOGUI, redirect the connection to the IRC server and port you want. You need
to have the IP, not the hostname.
To do that just type /dns irc.webbernet.net. Put 6666 (or anything you desire)
in the "in port" text box on BOGUI and the IP of the IRC server and port number
in the "out IP:(port)" text box and hit OK. Now with WakoFloodBots set the
server port to 6666 and the server to the IP of the target host you've just
redirected and click connect. Once connected, your clone is ready. To make more
just repeat the steps with different IPs. You may of course use other clone
loaders. I know this is very troublesome so you will have to wait for a tool
which automates all that. But you have quite stable clones and they r0xx
'cause bots that scan for socks cannot detect them and anyone who uses
wingates will know that they can't connect to irc.webbernet.net.

===================================EOT========================================

2. An Introduction to IRC Colliding
===================================
by B|uSmurf
[The Alliances Group]

Alright kiddies, ever wonder what the hell happened when out of the blue you
received this error on your status and have been disconnected from your IRC?

"*** You were killed by irc.ncal.verio.net (irc.ncal.verio.net!irc.ncal.verio.net
((ident@myisp.com)irc.anet.com <- (lamor@hisisp.com)
*.webbernet.net[root@ircd.webbernet.net]))"

This is probably due to a netsplit which occurred just minutes/hours ago, or
even a lag on a certain server. In one network there can only be one original
nick, and should there be two nicks of the same spelling both will be killed
immediately. This is known as a nick collision. This text is especially for
kiddies who seek the knowledge of colliding, but unfortunately the concept is
written for IRCNET; it can be implemented on other networks also.
Colliding
=========
You can observe the network by joining a channel known as &servers; in there
you'll be able to monitor all the servers at once:

•¯¯¯¯¯¯¯[ &servers ]
[ modes..+mtnaq o..0 v..0 total..1
[ topic..SERVER MESSAGES: servers joining and leaving
•_______[ chanstats ]

Should a server split off from the rest of the network, you'll see something
like this:

-irc.webbernet.net:&SERVERS- *** Notice -- Received SQUIT *.unipi.it from *.DE (Connection timed out)
-irc.webbernet.net:&SERVERS- *** Notice -- Received SERVER *.hu from Uni-Stuttgart.DE (7 [irc.bme.hu] Technical University of Budapest)
-irc.webbernet.net:&SERVERS- *** Notice -- Received SERVER *.unipi.it from irc.ludd.luth.se (8 [irc.ccii.unipi.it] University of Pisa, Italy)
-irc.webbernet.net:&SERVERS- *** Notice -- Received SQUIT irc.msu.ru from ircd.portal.ru (Ping timeout)

You are currently sitting on irc.webbernet.net and in the channel &servers,
and suddenly you see lines like this:

"-irc.webbernet.net:&SERVERS- *** Notice -- Received SQUIT *.unipi.it from *.DE (Connection timed out)"
----- This means *.unipi.it has split off from the rest of the network.

"-irc.webbernet.net:&SERVERS- *** Notice -- Received SERVER *.unipi.it from irc.ludd.luth.se (8 [irc.ccii.unipi.it] University of Pisa, Italy)"
----- This means *.unipi.it has merged back with the network.

Another nice command to get the list of the rest of the servers is typing
/links in your status window. Or if you want an easier way, get the Link
Looker add-on for mIRC from Xcalibre.com or any other mIRC related site.

Ok, so now you know when a server has split off or merged back, but how do you
exploit it? The best way is to join that particular server which split by
using proxies/wingates.
In IRCNET we have different country servers and to name a few there are:

*.dti.ne.jp (6) [irc.dti.ne.jp] Akasaka Tokyo, Japan
*.lv (2) [ircd.lvnet.lv] LvNet-Teleport, Riga, Latvia
*.fr (5) [sil.polytechnique.fr] Ecole Polytechnique, France
*.at (4) [irc.wu-wien.ac.at] [137.208.127.3 6667] Vienna, A

If you're from *.ru, how do you enter a server from *.jp? Simple, book a plane
ticket to Japan and pray hard the split doesn't merge during your journey.
Ok, here's the way.. scan for proxy/wingate by using a scanner like Domscan or
WGateScan which can be obtained from warforge.com. Using these proggies, scan
for *.jp proxy/wingate... and after you've found one open another mIRC and
join in the fun. Many of you might not know how to use a proxy/wingate, so to
save you some precious time searching high and low for an instruction manual,
below are the short commands:

/server (proxy/wingate) 23
/quote (server which has split off) (port)
/quote nick (nickname)
/quote user X X X X

And presto! You are in! Collide any nicks you like or regain any channels you
want which have been opless before the split. BUT wait, there's another
problem, you might encounter something like "nick/channel temporarily not
available" or "channel is juped". This can be overcome when the server has
been split for quite some time, like maybe 30 minutes or 1 hour.

Another good way to collide is using the lag of the server which has recently
merged back. You can collide multiple nicks by just using one clone, by
changing your nick constantly to your victim's nicks. A good mIRC script which
has a built-in lag collide proggy is Mindfield which can be obtained from
Tribe's homepage at: www.tribe.roxx.ircnet.mcmails.com

Tribe and Mindfield mIRC Scripts have a built-in proxy scanner in them which
saves you the time of going around looking for proxies/wingates.

That's all kiddies, enjoy and have fun.

Written by B|uSmurf
.: [-TAG-] Lord of the Smurfs :.
===================================EOT========================================

------------------------------------------------------------------------------
| "It looked again. All it got was an error message. It tried to look up the |
| error message in its error message look-up table and couldn't find that    |
| either. It allowed a couple of nanoseconds to go by while it went through  |
| all this again. Then it woke up its sector function supervisor. The sector |
| function supervisor hit immediate problems. It called its                  |
| supervising agent which hit problems too."                                 |
|                                                              Douglas Adams |
------------------------------------------------------------------------------

===================================EOT========================================

3. Getting the real host address in IRC
=======================================
by br0therX@gmx.net
October 1998

You are again and again the victim of a Denial of Service (DoS) attack in IRC.
You are probably interested in who this attacker is, so you do a /whois on the
nick who is attacking you.

/whois attacker ----------------------------> attacker@hereisthehost.com
(that shows the user's address)

Now you have the hostmask but you don't know yet if it is a spoofed one. The
next thing you have to do is a /dns on the attacker's hostmask.

/dns hereisthehost.com ------------------------> couldn't be resolved
(usually gives you the IP)

The IP couldn't be resolved so it's probably a spoofed one. But what can we
do? Hey, no problem! There is a real nice command for IRC (doesn't work on
IRC-net servers).

/quote userip attacker ---------------> attacker=specialagent@195.111.112.123

Wow - and the last thing you have to do now is:

/dns 195.111.112.123 -----------------> Resolved to luba-pc.de

Gotcha! You have the real host address. Time to let the attacker dance.
===================================EOT========================================

---------------------------------------------------
| "Not everything that is counted counts,         |
| and not everything that counts can be counted." |
|                                 Albert Einstein |
---------------------------------------------------

===================================EOT========================================

4. 13 tiny bytes to show the huge sillyness of our great common
===============================================================
bt398 (bt398#@SOTON.AC.UK)
Wed, 21 Oct 1998 23:07:44 +0100

Lately, I've been playing a bit with the net.exe program (\windows\net.exe).
With this program, a user can set up the network drivers (Windows For
Workgroup protocol); moreover, a user can log in (open a WFW session) and also
change his password.

As this program runs on DOS, I've been wondering how net.exe was retrieving
the password of the user; as no DLL calls to undocumented functions are
possible, only a call to a special interrupt/function should be used. Then,
tracing through the code, I've found a rather interesting feature. When a user
changes his password, net.exe accesses the old password using the multiplex
interrupt 2fh (or so-called software interrupt) with function 11h (sub
function 84h). I suppose that function 11XX, int 2fh is installed by the
Windows kernel so that it can exchange data (WFW infos) with a DOS program.

Well, so you would say that this function requires as input the password and
returns an error if the password is bad.. but, no... Microsoft did it the
other way. The function returns the unencrypted password to a buffer (... no
comment). Indeed, this is not a _big_ deal but if a user has access to your
computer after you logged in then he can easily retrieve your password.. And
I am sure that a lot of people use the same password for their mail and their
Windows password (so it is somewhat a security problem).
I attached a small program that prompts the password of the user (you must
have logged in first); this only works on Windows for Workgroups 3.11 and
Windows 95 (Windows 98 and Windows NT are not affected -hopefully-). But I
wouldn't be surprised if Win98 has an undocumented function that returns the
password of the user (I wouldn't bet on that about NT though.)

fix: well, I didn't find anything .. except that this code:

    mov ax, 1184h    ; int 2fh multiplex: function 11h, subfunction 84h (see above)
    mov bx, 0dh      ; BX = 0Dh, as given in the original post
    xor cx, cx       ; CX = 0
    int 2fh          ; call the multiplex interrupt

seems to disable the password caching feature.

===================================EOT========================================

5. Basic TCP/IP Components
==========================
by br0therX@gmx.net
October 1998
credits to J.P.

Before moving forward to discussions of deeper knowledge, it is important that
you have a base understanding of some of the more common TCP/IP concepts.

The IP Address
==============
Every computer connected to the Internet or another network needs a unique
TCP/IP Address. A single TCP/IP Address is comprised of two components that
combine to provide a single resolvable address: the Network Identification and
the Host Identification.

Network and Host Identification and the InterNIC
================================================
The Network Identification portion of a TCP/IP address identifies what portion
of your network a device resides on, while the Host address portion of the
address identifies a device as unique. Because there are varying sizes of
networks, and a limited number of IP addresses, TCP/IP address schemes have
been categorized into three address classes. These three classes are
administered by an organization called InterNIC. The InterNIC maintains a list
of available IP address schemes and assigns them to organizations in an effort
to ensure that no two networks have the same network ID. This is done to
prevent conflicts if a network decides to become part of the Internet.
To effectively distribute these IP addresses, the InterNIC has defined three
address classes based on the number of octets that are used to make up a
Network ID. These address classes are known as Class A, B, and C.

Which Classes and Host Numbers are Available?
=============================================
---------------------------------------------------------------------------
IP Address   Octets used for   Octets used for   Octet A    Available
Class        Network ID        Host ID           Values     Host Add.
---------------------------------------------------------------------------
Class A      A                 B,C,D             1-126      16.777.214
Class B      A,B               C,D               128-191    65.534
Class C      A,B,C             D                 192-233    254
---------------------------------------------------------------------------

An IP address is made up of four octets, represented as A,B,C,D in the
previous table. In all cases a single IP address is made up of a Host ID and
a Network ID. For instance, if a machine had the Class C address of
199.23.232.17, the machine would have a Network ID of 199.23.232 and a Host ID
of 17. On the other hand, if a machine had a Class B address of 142.55.39.121
it would have a Network ID of 142.55 and a Host ID of 39.121.

What is a Subnet Mask?
======================
Even though your TCP/IP stack is inherently aware of the three TCP/IP
classifications and therefore will automatically break down the Host ID and
Network ID of any given address, it is necessary to assign each logical
network a Subnet Mask. This Subnet Mask assists each client in determining the
Host and Network IDs of any packets coming in and any packets going out. A
Subnet Mask assigns 1s to the Network ID bits and 0s to the Host ID bits of an
IP address, providing for quick translation of an IP address.
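The classful split and the mask operation described above, worked through in
code. This is an added example and not part of the article: it decides the
class from the first octet, derives Network ID and Host ID the way the text
does (by whole octets), and then applies an arbitrary mask with a bitwise AND,
which is the general form the default masks are one instance of. The Class C
upper bound in the code is 223, the value the classful scheme actually uses
(the table above prints 233); 0, 127 and anything from 224 up are rejected
because they are reserved or belong to the D/E ranges the article does not
cover.

```python
"""Classful IP decomposition and subnet-mask application (added example)."""
import ipaddress

# Default classful masks, matching the article's "Default Subnet Mask" table.
DEFAULT_MASKS = {
    "A": "255.0.0.0",
    "B": "255.255.0.0",
    "C": "255.255.255.0",
}


def ip_class(address: str) -> str:
    """Return 'A', 'B' or 'C' from the first octet using the classful ranges."""
    first = int(address.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    raise ValueError(
        f"{address}: not a Class A, B or C address (0, 127 and >=224 are reserved)"
    )


def split_classful(address: str) -> dict:
    """Network ID / Host ID by whole octets, as the article's examples do it."""
    cls = ip_class(address)
    octets = address.split(".")
    network_octets = {"A": 1, "B": 2, "C": 3}[cls]
    return {
        "class": cls,
        "network_id": ".".join(octets[:network_octets]),
        "host_id": ".".join(octets[network_octets:]),
        "default_mask": DEFAULT_MASKS[cls],
    }


def apply_mask(address: str, mask: str) -> dict:
    """AND the address with the mask to get the network part; AND it with the
    inverted mask to get the host part.  Works for any mask, so it also covers
    the "further segment the network" case the article mentions."""
    addr = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    network = addr & m
    host = addr & (~m & 0xFFFFFFFF)
    prefix = bin(m).count("1")
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "host_bits": host,
        "prefix_length": prefix,
        # All-zeros and all-ones host parts are not assignable.
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),
    }


def mask_to_binary(mask: str) -> str:
    """Dotted-binary form, like the article's "Binary Translation" column."""
    return ".".join(f"{int(o):08b}" for o in mask.split("."))


if __name__ == "__main__":
    for addr in ("199.23.232.17", "142.55.39.121", "10.1.2.3"):
        print(addr, split_classful(addr))
    # A Class B address carved up further with a Class-C-sized mask:
    print(apply_mask("142.55.39.121", "255.255.255.0"))
    print(mask_to_binary("255.255.0.0"))
```

Note that `split_classful` and `apply_mask` agree only for the default masks;
once a non-default mask is in use the classful answer is wrong and the AND is
what the stack actually does, which is the point the next section makes.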
Default Subnet Mask for Each Address Class
==========================================
---------------------------------------------------------------------------
IP Address   Network ID   Subnet Mask     Binary Translation
Class
---------------------------------------------------------------------------
Class A      A.X.X.X      255.0.0.0       11111111.00000000.00000000.00000000
Class B      A.B.X.X      255.255.0.0     11111111.11111111.00000000.00000000
Class C      A.B.C.X      255.255.255.0   11111111.11111111.11111111.00000000
---------------------------------------------------------------------------

While it might seem redundant to assign a Subnet Mask to a computer when the
TCP/IP stack is inherently aware of the network classifications, it can
actually be used to further segment the network. Subnet Masks can be an
extremely complicated subject.

The Default Gateway
===================
The Default Gateway, often simply called the Router, is a device that has
knowledge of other Gateways on the network and is used as first contact by
devices that need to communicate outside their own network. In other words,
any time a host sends a packet to a device with a different Network ID, the
packet is first sent to the Default Gateway. The Default Gateway then forwards
the packet to the next logical gateway until the packet reaches the final
gateway. The Default Gateway is in most cases associated with either a
physical router port or a logical router port.

The Domain Name Servers - DNS
=============================
The Domain Name Server provides a user-friendly interface to your TCP/IP
network by providing a method for resolving IP Addresses to easy-to-remember
Host Names. The Domain Name Server is used to eliminate the need for every
user to know not only your network addressing scheme, but also the Host ID of
every server or host. The first step in alleviating the situation is to
provide a Domain Name to act as an alias for the Network ID.
For instance, using a Domain Name Server, 131.135.132.100 can be translated to
DRESSMAN.COM.

WINS/NetBIOS Name
=================
Microsoft clients (as do OS/2) require the NetBIOS interface for client to
server / client to client communication. The TCP/IP protocol does not
inherently provide for this interface. As a result, when a NetBIOS-dependent
machine attempts to communicate across a subnet with another NetBIOS-dependent
machine using only IP, it will fail miserably. Even though Machine A can ping
Machine B and vice versa, unless the NetBIOS interface is available, there
will be no communication.

To resolve this issue, the Internet community at large defined RFCs 1001/1002
(Request for Comment) providing a design for an IP-friendly NetBIOS interface.
This interface, commonly known as a NetBIOS Name Server, acts very much like a
standard Domain Server; however, instead of providing a flat Host Name to IP
address resolution, it provides NetBIOS name to IP address resolution,
allowing for standard NetBIOS-dependent communication.

At this time, there are only three known NetBIOS Name Servers. The first is
Microsoft WINS, which provides complete NetBIOS-dependent services for all
Windows clients - but is not completely RFC-compliant. The second is SAMBA, a
shareware based UNIX service that not only acts as a NetBIOS Name Server, but
also allows UNIX hosts to act like Windows for Workgroups workstations and
share files with Microsoft clients. The last known NetBIOS Name Server is
provided by Network TeleSystems.

Note: So be aware if your computer tries to communicate via port 137 to the
Internet, telling anyone that you are sharing printers and files.

===================================EOT========================================

6. What is a T-1 ?
==================
by br0therX@gmx.net
October 1998

Ever wondered what a T1 is? T1 is a very fast and expensive permanent Digital
Carrier System with Point to Point Connection.
---------------------------------------------------------------------------
Signal     Carrier   T-1-Channel   SP-Channel   Transfer (Mbps)
System
---------------------------------------------------------------------------
DS-0       None      None          1            0.0064
DS-1       T1        1             24           1.544
DS-1C      T-1C      2             48           3.152
DS-2       T2        4             96           6.312
DS-3       T3        28            672          44.736
DS-4       T4        168           4032         274.760
---------------------------------------------------------------------------

Some countries are providing E1 with a Transfer of 2.048 Mbps.

===================================EOT========================================

7. Cracking WebPages for the whole family -or- Webmaster change your Permissions!
================================================================================
by br0therX
October 1998

This should not be a how-to-crack but should show how easy it is to obtain
misconfigured FrontPage passwords!

------------------------------------------------------------------------------
| There is an often quoted axiom in computing publishing circles and it goes |
| like this "80 percent of the people use only 20 percent of a program's     |
| capabilities"                                                              |
------------------------------------------------------------------------------

FrontPage VTI-BIN and VTI_PVT Vulnerabilities
=============================================
FrontPage Version: 1.0
Impact: Remote users can view passwords or other sensitive files
Class: Severe to critical
Fix: None yet.
Additional Info: http://rhino9.ml.org ; bugtraq@netspace.org ;
                 http://www.geek-girl.com/bugtraq/search.html

This is a well known bug in the security world but it still exists! And so I
think that it is worth discussing. You can find those FrontPage servers via
search engines like Altavista [http://www.altavista.com] or with FTP search
engines like FTPSearch [http://ftpsearch.ntnu.no/]. Just look for files like:

administrator.pwd
administrators.pwd
authors.pwd
service.pwd
users.pwd

If you found such a file try to access it. Probably you have no problem
reading it.
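The fix the article keeps coming back to is file permissions: the *.pwd files
and the _vti_pvt / _vti_bin directories must not be world-readable, let alone
world-writable. The audit below is an added example, not the article's own
code: it walks a web root, checks the POSIX "other" mode bits on exactly those
entries, and reports what a remote user would be able to list or fetch. The
directory layout it builds in a temporary directory mirrors the listing in the
article and is constructed sample data, with the credential files deliberately
left world-readable and -writable so the audit has something to find.

```python
"""Audit a FrontPage web root for world-accessible _vti_pvt/_vti_bin contents
and *.pwd files (added example, constructed sample layout)."""
import os
import stat
import tempfile

SENSITIVE_DIRS = {"_vti_pvt", "_vti_bin"}
SENSITIVE_SUFFIXES = (".pwd",)


def _world_bits(mode: int) -> list:
    """Names of the 'other' permission bits set in a st_mode value."""
    flags = []
    if mode & stat.S_IROTH:
        flags.append("world-readable")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def audit_webroot(root: str) -> list:
    """Return sorted (relative path, [findings]) for every sensitive entry.

    An entry is sensitive if it is a *.pwd file, one of the _vti_* directories
    themselves, or anything inside them.  Directories are checked too: a
    world-readable _vti_pvt is what lets its index be listed in the first place.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        inside_sensitive = any(p in SENSITIVE_DIRS for p in rel_dir.split(os.sep))
        for name in dirnames + filenames:
            sensitive = (
                name in SENSITIVE_DIRS
                or inside_sensitive
                or name.endswith(SENSITIVE_SUFFIXES)
            )
            if not sensitive:
                continue
            full = os.path.join(dirpath, name)
            bits = _world_bits(os.lstat(full).st_mode)
            if bits:
                findings.append((os.path.relpath(full, root), bits))
    return sorted(findings)


def build_demo_webroot() -> str:
    """Constructed sample web root: a misconfigured _vti_pvt next to a correctly
    locked-down _vti_bin.  Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="fp_audit_")
    pvt = os.path.join(root, "_vti_pvt")
    vbin = os.path.join(root, "_vti_bin")
    os.makedirs(pvt)
    os.makedirs(vbin)
    # Misconfigured: directory and credential files are world r/w (the bug).
    os.chmod(pvt, 0o777)
    for fname in ("administrators.pwd", "authors.pwd", "users.pwd"):
        path = os.path.join(pvt, fname)
        with open(path, "w") as fh:
            fh.write("# -FrontPage-\n")  # header only; constructed sample file
        os.chmod(path, 0o666)
    # Correct: owner-only access, which is what the article asks webmasters for.
    os.chmod(vbin, 0o700)
    cnf = os.path.join(pvt, "service.cnf")
    with open(cnf, "w") as fh:
        fh.write("# constructed sample config\n")
    os.chmod(cnf, 0o600)
    # Ordinary page content: world-readable is expected and not reported.
    with open(os.path.join(root, "index.htm"), "w") as fh:
        fh.write("<html></html>\n")
    return root


if __name__ == "__main__":
    for path, bits in audit_webroot(build_demo_webroot()):
        print(f"{path}: {', '.join(bits)}")
```

Run against a real document root the same function reports the entries to fix
with `chmod o-rw`; on a server where FrontPage runs under the web server's
account, owner-only (0600 for files, 0700 for the directories) is the setting
the article's advice amounts to.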
There are no world-read restrictions. And by default this directory is also
world writeable!! That's really a huge security hole! [maybe you want to use
the Anonymizer [http://www.anonymizer.com/surf_free.shtml] for accessing such
files, or even use another way of Proxy-Chaining.]

Those *.pwd files are stored in the /_vti_pvt/ directory. A typical
/_vti_pvt/ directory looks like this:

Index of /br0therX/PC/_vti_pvt/

Name                   Last modified     Size  Description
-----------------------------------------------------------------------------
Parent Directory
_vti_cnf/              01-Sep-97 11:21     1K
_x_todo.htm            21-May-97 16:31     1K
_x_todoh.htm           21-May-97 16:31     1K
access.cnf             19-May-97 19:07     1K
administrators.pwd     19-May-97 19:06     1K
authors.pwd            19-May-97 19:06     1K
botinfs.cnf            01-Sep-97 11:21     1K
bots.cnf               01-Sep-97 11:21     1K
deptodoc.btr           01-Sep-97 11:21     1K
doctodep.btr           01-Sep-97 11:21     5K
frontpg.lck            19-May-97 19:06     0K
service.cnf            01-Sep-97 11:21     1K
service.lck            01-Sep-97 11:21     0K
services.cnf           19-May-97 19:06     1K
svcacl.cnf             19-May-97 19:06     1K
users.pwd              19-May-97 19:06     1K

Your *.pwd file which you accessed via http or ftp will apparently look like:

# -FrontPage-
br0therX:RIeUwTw2eYj56     ------> note: that's not the password, but the
                                   encrypted hash.

WOW - that's it! Now you have the FrontPage login and also the encrypted
password. Add :0:0:comments:/:/bin/bash to your password file and drop it into
your cracker [br0therX:RIeUwTw2eYj56:0:0:comments:/:/bin/bash] like: Cracker
Jack by Jackal; PaceCrack95; Hades by Remote and Zabkar (pooh...that's fast)
or John the Ripper by Solar Designer. FrontPage server extensions use DES
encryption.

"One would think that DES is entirely infallible. It isn't. Although the
information cannot be reverse encoded, passwords encrypted via DES can be
revealed through a comparative process. The process works as follows:
1. You obtain a dictionary file, which is really no more than a flat file
   (plain text) list of words [commonly referred to as wordlists].
2. These words are encrypted using DES.
3. Each encrypted word is compared to the target password. If a match occurs,
   there is a 98 percent chance that the password was cracked."

Wow, again - that's it! Now you have the password in plaintext! A lot of
people also use this password for their UNIX shell. So you can take a home run
directly to ROOT.

Shit, this was damn easy and all I can say is: Check your FrontPage *.pwd
file permissions and the permission to view /_vti_pvt/ and /_vti_bin/. Or
maybe some day you will find your site cracked.

The next problem is that anyone could connect to the /_vti_bin/ directory,
place command files and execute them.

Index of /br0therX/PC/_vti_bin/

Name                   Last modified     Size  Description
-----------------------------------------------------------------------------
Parent Directory
_vti_adm/              19-May-97 19:06     1K
_vti_aut/              19-May-97 19:06     1K
shtml.exe              19-May-97 19:06     3M

===================================EOT========================================

8. BackOrifice Remove/Detect
============================
by the RobinsonLaw
kelvinla@yahoo.com
September 27, 1998

Since more and more newbies have become the victim of BO (a popular trojan),
I'll write an article on how to detect whether a user has been infected by the
trojan and how to remove it.

Back Orifice (BO) Description
=============================
REMEMBER - Never receive a file from a stranger even if they said they have a
good hacker program unless u know what u're doing!!!

Many newbies have been affected because they have initialised a server trojan
file, whose real name is BOSERVE.exe. It can be renamed by the intruder. Once
it is installed, it'll open up a backdoor for the intruder to get in through
the victim's ip address and create havoc in it. For instance, delete the
victim's files, copy them, reboot the victim's machine etc.
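The Basic level section below boils down to three indicators: a RunServices
value with a blank name whose data is " .exe", a program of 124,928 bytes, and
a UDP socket on port 31337 in netstat. The functions here are an added example,
not the article's own tool: they apply those three checks to data you would
collect from the machine, so the decision logic can be exercised offline. The
registry entries, file sizes and netstat lines in the block are constructed
sample data; on a real Windows 9x host they would come from an export of the
RunServices key, a directory listing of c:\windows\system, and `netstat -an`.

```python
"""Offline checks for the Back Orifice indicators described in the article
(added example; all sample data below is constructed)."""
import re

BO_DEFAULT_PORT = 31337
BO_SERVER_SIZE = 124928  # bytes, the size the article gives for the server


def suspicious_run_entries(entries, file_sizes):
    """entries: list of (value_name, value_data) from the RunServices key.
    file_sizes: {lower-cased program name or path: size in bytes}.
    Returns [(name, data, [reasons])] for entries matching the indicators."""
    hits = []
    for name, data in entries:
        reasons = []
        if name.strip() == "":
            reasons.append("blank value name")
        if data.strip().lower() == ".exe":
            reasons.append("program named ' .exe'")
        if file_sizes.get(data.lower()) == BO_SERVER_SIZE:
            reasons.append(f"file size {BO_SERVER_SIZE} bytes matches BO server")
        if reasons:
            hits.append((name, data, reasons))
    return hits


def bo_udp_listeners(netstat_output, port=BO_DEFAULT_PORT):
    """Local addresses from `netstat -an` lines showing a UDP socket on `port`.
    Matches lines of the form 'UDP  <addr>:<port>  *:*'."""
    pattern = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+(\S+)", re.IGNORECASE)
    found = []
    for line in netstat_output.splitlines():
        m = pattern.match(line)
        if m and int(m.group(2)) == port:
            found.append(m.group(1))
    return found


# Constructed sample of a RunServices key: one normal entry, one BO-style
# entry (blank name, data " .exe"), one antivirus entry.
SAMPLE_RUNSERVICES = [
    ("SystemTray", "SysTray.Exe"),
    ("", " .exe"),
    ("vshwin32", "C:\\PROGRA~1\\AV\\vshwin32.exe"),
]

# Constructed file sizes for the programs above (only " .exe" has BO's size).
SAMPLE_SIZES = {
    "systray.exe": 30208,
    " .exe": 124928,
    "c:\\progra~1\\av\\vshwin32.exe": 412160,
}

# Constructed `netstat -an` output with the default BO port open on UDP.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.5:1042       10.0.0.9:6667          ESTABLISHED
  UDP    192.168.0.5:137        *:*
  UDP    192.168.0.5:31337      *:*
"""

if __name__ == "__main__":
    for name, data, reasons in suspicious_run_entries(SAMPLE_RUNSERVICES, SAMPLE_SIZES):
        print(f"RunServices {name!r} -> {data!r}: {'; '.join(reasons)}")
    for addr in bo_udp_listeners(SAMPLE_NETSTAT):
        print(f"UDP {BO_DEFAULT_PORT} open on {addr}")
```

The port check takes a parameter because the Advanced level section notes the
server can be reconfigured to another port; the registry and size checks are
independent of each other so a renamed server still trips the size match.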
Some infected victims thought that the intruder is a real hacker but actually
even a 9 yrs old boy can do that just by clicking the program. The creation of
this program shows how insecure win95/98 is.

To determine whether BO has been installed on your machine:

Basic level
===========
Basic level means that the trojan installed on the victim's machine needs no
password and is using the default port which came with the downloaded Back
Orifice program. In this case i will only teach how to detect and remove it, i
won't teach u how to use it cuz more and more ppl have been the victim of it
and i don't want them to suffer again. If you don't agree with what i said
just ignore it and continue ur LAME ACTIVITIES.

1] Go to the c:\windows\system directory and check whether there is a blank
   program ( .exe) <-- spacebar.exe. If u found it u couldn't delete it now
   cuz it's running whenever u startup ur machine.
   SOLUTION - There are plenty of ways to remove it so i only teach one. That
   is: don't startup ur windows, go to the DOS prompt when u startup ur
   machine, goto c:\windows\system and delete the program.

2] Well, after u successfully delete it, it does not mean that u are free from
   the trojan, u still have to delete the registry key, if not windows will
   startup with an annoying message saying that this file couldn't execute.
   Solution - Start the regedit program (c:\windows\regedit.exe) and access
   the key
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   Look for files of 124,928 bytes and remove it. In the default situation,
   the data will be set to the value " .exe"; when u see it just click delete.

3] If someone tells you that he is going to delete your favourite program or
   ur screen pops up a message such as "YOU ARE NOW BEEN HACKED" u will
   probably think that some hacker had hacked into ur machine and u couldn't
   do much about it except become nervous and seek for help, right?
   Solution-1] Disconnect from the net and he will not get into ur machine
   anymore; follow the instructions above and remove the trojan. Simple and
   easy.
   Solution-2] In case you want some fun and to see who is accessing ur
   harddisk: first run c:\windows\netstat.exe and you will see some ip
   addresses; look for UDP port 31337 or 90, that means the intruder is
   connected to u. You can copy his ip address and do wateva u want :>.

Advanced Level
==============
Advanced level means the trojan has been reconfigured. When u follow the
instructions above and still could not cure it then maybe the intruder has
renamed it or changed the port.

1] In case i don't want to waste your time on how to remove it just go to our
   club and download an antigen for it.
2] Well, if the situation could not be cured just backup ur important files
   and reformat your harddisk :>.

Copyright (C) by Robinsonlaw

===================================EOT========================================

9. ICQ-EXPLOIT
==============
by the ÉÅZ¥ MÖÑÉ¥
eazy_money@hcvorg.com
October 17, 1998

Annoying People and Shortcuts
=============================
ICQ won't let you on? Well, instead of just connecting, try going into chat
mode; when you connect you'll be in chat. Just click Available/Connect and
it'll disappear. You're on.

If you're in a large chat room or just have "IRC Style", if someone has the
same text color as your background you can't see it, right? Go to Display
then click Override Format.

Ok, I'm sure some of you live with your parents (not 18 yet) or maybe you have
a sibling or friend who likes to watch you when you're in ICQ, right? Yeah,
me too. Well, say you're in a chat with someone teaching you something or
you're there with some girl/guy (no discrimination here) getting off. You
don't want them to read it but you want to save it, right? Well, click File
and then Save Buffer. But then you need to get rid of it; well, click File and
then Clear Buffer.

You're in a chat and no one knows each other, right?
Well, there's this one person leaving logs all over in your firewall (it
happens). This guy/girl isn't on your ICQ list but he/she's cussing you out in
chat. So he can't get past your firewall but you wanna talk to these people;
well, KICK HIM/HER. Click File then Kick User then double-click the nick of
this person. It brings up a voting dialog. If the person doesn't get kicked
they're liable to do the same to you.

Someone wants you to teach them to hack? They keep trying to send you a chat
too? Well, of course you're going to decline but you want to slow him down
some? Well, Decline with a reason. Put your reason. Then hold enter until the
dialog holds no more. Then click ok. The person sees a reason and they can't
click ok because it's too big for the window. They can click on the dialog
and hit enter or space and it'll disappear, but are they thinking about it?

In the old ICQ when you double-clicked the person's name the message dialog
popped up, right? Well, in ICQ 98 you can double-click their name and it
opens up the message box.

You hate when someone sends a message to anyone? You want to do it but you're
not sure how? Well, open up a message box to anyone then click More then
Multiple Recipients then send it to whoever you want.

You wanna send more than one file on ICQ? Well, go to the directory where the
files are, then click the first file, then hold CTRL and click all the other
files you want, then send it.

You wanna get someone to leave you alone? Get them to add themselves to their
own contact list. When they connect to ICQ next time, everyone on their list
will be gone when they restart ICQ.

Proof ICQ has a few mistakes
============================
When you send an Internet Phone/Game, "Do not Accept" is spelled wrong.

Click on the ICQ button then move your mouse to the right over the flower then
let go; the button sticks.

After you get over 200 users on your list you'll start losing some you don't
talk to.
When you use a ' in your Information or in a message it comes out as ".

Supposed Secrets
================

Put a - next to your name then look at your info. You don't see what it does, do you? It's right there! 'Nick Name, First Name and Last Name' ARE NOW 'Category, Company and Department'.

Put a & next to your name and, like the tip above....it changes your info. Check it.

UINs like 7000000 (Administrator Ð) work for ICQ; also try 8000000 and so on. I have not tried all these.

Security
========

Say you've been message bombed on ICQ? Me too. Well, you can stop that. Click ICQ, then go into Security & Privacy, then go to the Ignore List tab. Then click "Do not accept messages from users not on my list". That's it. Mess with the Security & Privacy.

Spoofing
========

Yes, I know this is why you got this document in the first place. So here it is. Well, click ICQ, then go to Preferences, then click on the Connection tab. Click "I'm using a permanent internet connection (LAN)". Then click "I am behind a firewall or proxy". Now click Firewall settings. "I am using a SOCKS4 proxy server". Next. Now put in the IP you want in SOCKS4 Host. Click Next. Click Done. Click OK. Now restart ICQ and you're spoofed.

You wanna know the drawbacks to this? Well, here they are. First off, you can't get a direct connection to anyone. It'll ask you to send through the server. No one else can get a direct connection to you. If they keep hitting Retry they'll never get through, so they have to be smart enough to send through the server. Also you can't send or receive chat requests. That's about it.
Written: August 20th, 1998 by ÉÅZ¥ MÖÑÉ¥
e-mail: eazy_money@hcvorg.com

===================================EOT========================================

10.How to crack Winamp Registry
===============================
Written by -=[Trashman]=-
Trashman@Post.tele.dk
October 18, 1998

[ASCII-art logo ("ascii by Trashman") lost in extraction]

Heya! So I'm finally back ;)

Since i've in the last couple of weeks noticed people keep asking about a serial for Winamp, i decided to write this tutorial. I know there are several keygens out there, but wouldn't it be nicer to get the serial on your own? Sure it would, and that's why, in this tutorial, i'm gonna teach you how to "crack" Winamp 2.0. So read on and have your very own serial within a minute ;)

First of all you need to install the program (Winamp 2.0 - www.winamp.com). Then i suppose you have already installed SoftIce and are now ready to crack.

So you probably already noticed (using SoftIce) that WinAmp 2.0 (WA2 from now on) uses the breakpoint getdlgitemtexta (=BPX GETDLGITEMTEXTA).

So you launch WA2 and go to the Registration menu. Now you're ready to type your name and (fake) serial. So you type your name, except for the last letter, cause WA2 checks for the correct serial by every single letter you type. EX: BuLLe (without the last letter).

Then you press CTRL+D and type BPX GETDLGITEMTEXTA. Press F5 and type in the last letter (in my case T). *BOOM* and you're back in SoftIce. There you press F11 to return from the CALLer. Then you press F10 10 times until you're at this line:

0177:0040373B CMP EAX,ESI

Hmm..two registers compared..sounds interesting, so let's type ? EAX to get a closer look at it. In my case this is what showed up:

024F541D 0038753309 "OT"

Now what, you think.
Well, if you don't see anything interesting here you might as well reboot your system and never turn the power back on ;) Guess what you're looking at, DUMBASS!! Yeah, you're damn right! The serial!!!!

So clear all breakpoints by typing BC* and return to WA2. Enter your name and serial and guess what shows up in the About box!!

-----
LICENSED TO: (your serial)
-----

Is this cool or what?? Yes it is. Even though you could have d/l'ed a keygen, you must feel better doing it yourself. At least I do ;)

All for now..till next time!

To get the fun stuff with Winamp -> open Winamp and press, in order:
N, U, L, Escape, L, Escape, S, O, F, T

Written by -=[Trashman]=-

===================================EOT========================================

11.HOW TO MAKE A RED BOX
========================
by -=ÉÅZ¥ MÖÑÉ¥=-
eazy_money@hcvorg.com
October 8, 1998

I write thi$ for educational u$e only!! If you get bu$ted it i$ not my fault, it i$ your$. $oo you can not take me to trial or $ue me. Here we go you phone addict$ :-)

This will show you how to make a red box. It i$ ea$y a$ 1,2,3.

$tep 1.. what you will need
===========================
You will need a "33 Number Memory Pocket Tone Dialer"; you can pick one up at Radio Shack. And you will need to order a "6.5536 MHz frequency crystal" from Mouser; you can pick one up at http://www.mouser.com. Last but not least you will have to have a Phillips head screwdriver.

$tep 2..
========
Once you get every thang, take the cover off and remove the crystal that is in there and solder the 6.5536 MHz frequency crystal in there. Then program the 33 Number Memory Pocket Tone Dialer to play the nickel, dime, and quarter tones.

$tep 3..
========
Now you go to a payphone and play the tones and never again pay for a service.
HAVE FUN MY PHONE FREAK$ :-)

made by, ÉÅZ¥ MÖÑÉ¥
e-mail: eazy_money@hcvorg.com

===================================EOT========================================

12.Hacking & Security Holes in conseal Pc Firewalls-#1
======================================================
by the ÉÅZ¥ MÖÑÉ¥
eazy_money@hcvorg.com
September 19, 1998

Another $ecurity hole in the Con$eal PC Firewall a.k.a. $ignal9. Ju$t think of all the wanna be 31337 hacker$ that are going to cra$h cuz of thi$. The lamer$ $hould learn not to u$e $hit from the www board but make their own $hit.

Thi$ text wa$ made by, ÉÅZ¥ MÖÑÉ¥. Do not edit thi$ in any way!!! Leave it a$ it i$ or you will be sent to Hackers Hell=)

Thi$ trick work$ be$t with ICQ and IRC.

I write thi$ for educational u$e only!! If you get bu$ted it i$ not my fault, it i$ your$. $oo you can not and will not take me to trial, $ue, and or blame me in any way for your action$. Here we go you hacking addict$ :-)

Here we go, 1st off get the victim's ip# off ICQ or on IRC; they could be spoofed. Type this to get the real ip# on IRC: /quote userip eazymoney. Which gives: eazymoney=+user@194.134.10.162. This is his true ip #4. Now once again you /dns 194.134.10.162. This time, there is a response: Resolved to "source from Antionline".

If he/she has you on their ignore list on ICQ then make another account and readd that uin#, or try to find some one there talking to that is on the victim's list and is on your list too; either way you'll get their ip#.

What you got to do now is open a exploit (nestea or boink, newtear etc for Linux) (the best to use is Exploit Generator v0.85 for Windows). Run a netstat, "dns their ip#", get the port open from that host. You should now have the victim's ip# and port, then send a packet, just 1, from a recognized host they talk to seldomly. "note" 79% of firewall users have such fucked up rulesets or so many incoming hosts that they let 1 packet through. That packet is let through on their ruleset, so it registers =) ding!
It may take a while for the packet to send the whole fragment, but within a matter of seconds... Boom, watch the lamer go offline. :-)

There are other ways of forcing backdoors open on Conseal PC Firewall "considering it has 2 flaws". As has been said by many firewall analysts, "conseal pc firewall" is the most secure firewall to prevent attacks against hackers. Well, you analyzers, check twice next time:)

Thi$ ha$ been te$ted by me; it work$ on a lot of people. I would like to $ay about not quite 99%, considering you have some firewall warriors out amongst us. Thi$ i$ good to prove to people that think they're really secure that they ain't $hit, basically. Even lamer$ can prove them wrong.

H-A-P-P-Y C-R-A-$-H-I-N-G

written by, ÉÅZ¥ MÖÑÉ¥ & The KuNg FU HcV SqUaD
e-mail: eazy_money@hcvorg.com
Copyrighted 1997-1998 HcV Organization : Trademark of Evilwood Enterprise

===================================EOT========================================

13.KILLING PHONE LINE$
======================
by the ÉÅZ¥ MÖÑÉ¥
eazy_money@hcvorg.com
September 19, 1998

Thi$ i$ one of the be$t thang$ i ever figured out and it i$ ea$y a$ 1,2,3.

I write thi$ for educational u$e only!! If you fuck up and get bu$ted it i$ not my a$$, it i$ your$. Here we go you phone addict$.

$tep 1.
=======
Go to a COCOT (Customer Owned Coin Operated Telephone).

$tep 2.
=======
Call the operator and tell them you would like to cancel your account with the service. Here is how it will probably go:

(operator) Operator, how may i help you?
(you) I would like to cancel my account with your service.
(operator) What is your name sir/madam?
(you) blah blah (the lamer$ name that i$ li$ted in the phone book)
(operator) Thank you sir/madam, what is the full phone number with the area code?
(you) blah blah blah (the lamer$ phone #)
(operator) Your phone number has now been cancelled, thank you for using our service.

$tep 3.
=======
Hang the phone up and get the fuck out of the area.

HAVE FUN

made by, ÉÅZ¥ MÖÑÉ¥
e-mail: eazy_money@hcvorg.com

===================================EOT========================================

14.Connecting to SprintNet/...etc from Canada
=============================================
by KungFu Monkey
shitall@yahoo.com
October 12, 1998

Alright, in case you hadn't noticed, there is nothing written by me. Well, nothing with my name on it, RIGHT? It's cause my name used to be Varicose Virus and that got old really fast, so I decided to write a text on connecting to SprintNet/Telnet/SprintMail/GlobeNet from Canada.

As you may know, SprintNet is almost impossible to connect to via Canada. You can't call SprintNet up with your modem cause it doesn't work like that; well, if you're in the States it does work like that, but you're out of the calling area. But when you try through Datapac you get error messages like this:

CALL CLEARED- INCOMPATIBLE CALL OPTIONS (XXY).

So how the hell does someone connect to the elusive SprintNet from North of the border?? So far there is only one way to connect to this over-protective American network from Canada. It takes a little skill and knowledge, but after that you're in.

Connecting to SprintNet/Telnet:
===============================

First you'll need a telnet account with a BBS or your ISP or something. You then need to find a dialout. I tend to use dialout.XXXX.edu (XXXX is actually letters but I ain't tellin' y'all cause overuse causes many a shutdown, RIGHT?). Once connected to the dialout you need to make sure it's working, so type AT; it should reply with OK. If not, you're fuct.

Then you're gonna find a SprintNet public access dialup. [I use 18005463000] If this number is still available while you read this, go ahead and use it.

So you've telneted to your dialout. You've typed AT and received OK, so next is dialing the number you want to dial.
The system I use is ATDT8[then #] (it could be different with the system you use), so then you type ATDT818005463000 ....you wait...and you wait...and wait some more...but then you receive:

CONNECT 1200 BUFFER 38400

So now what?? Well, do what any good hacker would do. Hit or ENTER twice. If the dialout disconnects you, keep trying; the dialout I use only connects every once in a while.

So you hit ENTER twice, you then see TERMINAL= Now I've tried D2 and and they do the same thing, so go for it.

So now you're connected to SprintNet, felicitations. So what now? It's just like Datapac 'cept you don't have to enter the zeros, so for example 31200061 can be re-written as 31261. Don't ask...it just does. That's about it. Also this is VERY fun to play on. And now you can go to IRC and show how you are an 31337 HAX0R DUDE! and you can say, HEY I CAN GET TO SPRINTNET BUT CAN YOU GET TO DATAPAC?? although they probably can, so don't ask.

Conclusion:
===========

Be very CAREFUL when using dialouts on the internet, cause they can very easily trace your number (of course they can, they're a freakin' Telecom Company) and it's SIMPLE as hell to trace telnet sessions! Unless you're an EREET BITCH, but if you're such an EREET BITCH why are you reading this?!?

===================================EOT========================================

15.Tracing-Someone
===================
by Zer0 Baud
eazy_money@hcvorg.com
September 22, 1998

Tracing
=======

This is really easy but some people don't know this .. Get WSPING and get the ip and trace it .. the 2nd to last domain is normally the ISP.. that should tell you, and if it doesn't, try the domain as if it were a webpage ..
(Ex.--)
IP Address: 209.30.70.6

TraceRoute 209.30.70.6 (209.30.70.6)
58 bytes from 209.30.70.6: time=286 ms

Hop   ms    delta  IP address       Hostname
1-8   250   0      13243252344432   I ripped my info out
9     250   0      146.188.240.25   195.ATM11-0-0.CR2.DFW1.ALTER.NET
10    270   20     137.39.21.182    412.atm6-0-0.sr1.dfw1.alter.net
11    250   -20    206.181.125.153  dfw2-core2-pt4-1-0.atlas.digex.net
12    245   -5     165.117.52.101   dfw2-core1-fa9-1-0.atlas.digex.net
13    270   25     165.117.50.30    iah1-core2-s5-0-0.atlas.digex.net
14    250   -20    165.117.56.78    iah1-core1-fa5-1-0.atlas.digex.net
15    270   20     206.181.103.42
16    262   -8     209.30.70.6      amax30.dialup.hou1.flash.net
host reached

This person is in Houston, TX {hou1}... and if you didn't know, you could try www.flash.XXX, XXX = com, net, org .. etc.

===================================EOT========================================

16.Rootshell Defaced
=====================
taken from http://www.rootshell.com
28 October 1998

10/28/98 8:44AM PDT

On Wed Oct 28th at 5:12AM PST the main Rootshell page was defaced by a group of crackers. Entry to the machine was made via SSH (secure shell), which is an encrypted interface to the machine, at 04:57AM PST this morning. Rootshell was first informed of this incident at 6:00 AM PST and the site was immediately brought offline. The site was back up and operational by 8:00AM PST. We are still in the process of investigating the exact methods that were used. The paranoid MAY want to disable ssh 1.2.26. Rootshell runs Linux 2.0.35, ssh 1.2.26, qmail 1.03, Apache 1.3.3 and nothing else. The attackers used further filesystem corruption to make it harder to remove the damaged HTML files.

Here is the hacked site:
========================

y0y0y0, u all m4y b w0nd3r1ng wh3r3 th3 k-sp1ff r00tsh3ll sYt3 w3nt. w3ll. 1t'z 4 l0ng st0rY.. s3v3r4l nYt3z ag0, eY3 l4y 1n b3d p0nd3r1ng. and wh4t wUz ey3 p0nd3r1ng, u a$k? eYe wUz th1nk1ng ab0Ut h0w kUt3 mY n3xt d0or n31ghb0r'z sm4ll m4l3 ch1ld l00k3d n4k3d. bUt m0$tly, eYe b3g4n t0 h4v3 d0UbtZ 4s t0 th3 r34s0n ph()r mY 3x1st3nc3...
eYe wUz th1nking t0 mY$3lf.. k1t, eY3 s3z t0 mY 0h-s0-v3ry-g4y s3lf, y 1z it that eY3 h4v3 b33n pUt 0n th1s 34rth? 1z lYph3 r1lly 4ll ab0Ut pr0v1d1ng bUgtr4q skr1Ptz ph0r k-l4m3 t4rdZ sUch 4z th3 HFG g1mpZ, kn0wn ph0r th31r ph34r$0m3 HTML t4GZ & ab1l1ty t0 c0nsUm3 sm4ll h3rdz 0f k0Wz 1n a s1ngl3 s1tt1ng? 1n sh0rt, n0. 1'm g01ng t0 r3t1r3 4nd b3c0m3 a sc0Utm4zt3r,m4yb3 a m4l3 b4bys1tt3r.

-k1t kn0x out

p.s. 0h y4h, phr33 m1tn1ck.
p.p.s. h3y u ant10nl1n3 f4gg0t w1th th3 fUnnY l4zt n4m3.. u'r3 n3xt.

sh0ut 0uTz t0:

MOD - Masters of Dropstat - 1m n0t sUr3 1ph 3y3 m34n th3 0ld M0D 0r th3 gNu 0n3. 1m n0t sUr3 th3r3'z a d1ff3r3nc3.
BoW - Brotherhood of Webmasters - w3 lUv y0u. err n0, w3 h8 y0u. h3lp, 1m b1-p0l4r.
TNo - The Newbie Order - v0yl4m3r 4nd d1s k4n sh4r3 c3llZ w1th m3rc ph0r th31r 1nd3x.htMl krYm3z
HFG - Heavy Frightened Girliemen - sUr3ly th3 sUpr3m3 HTML j0ck3yZ 0f th3.. m0nth. l34rn1ng h0w t0 h1d3 str1nGz 1n '98!@#
LOD - Legion of DOS - dir --help? fUk th1s shYt, l3tz n4rk 34ch 0th3r!@#
r00t - 1ph y0u'r3 n0t 0wn3d bY r00t, 1nst4ll slAkw4r3 3.o 4nd lYk3, g1v3 uZ th3 r00t p4zZw3rd, n shYt. 0r 3lz3 w3'll b4n y00!@$
CDC - Cult 0f the Dum asCii - mUdg3 r1t3z w4r3z 4nd th3 r3zt 0f uZ w3rk 0n "h0w t0 bl0w Up th3 t01l3t p4rt ][ - app34r1ng 0n g3r4ld0."

0ur l1ghts1d3 h0M3b0yZ:

Secure Networks Inc. - wh1t3 p0w3r r3j3kt g3tz r1ch 0ff 0f p4th3t1c n3rd w1th 1nf3r10r1ty k0mpl3x wh1l3 uZ1ng h1z skr1ptz t0 h4q .edUz 1n .ca. st0ry @ 11.
ISS - wh3r3 th3 m41l sp00lZ & w4r3z r a m4tt3r 0f pUbl1k r3k0rd
Tsutomu Shimomura - th4nx ph0r th3 C3ll K0d3zZ d00d!@#
D.J. Bernstein - th4nx ph0r 8.9.1.
Eric Allman - th4nx ph0r 8.9.1.

w3'd g1v3 sUm r34l sh0Ut 0utz, bUt 3v3ry0n3 1n th3 sc3n3 1z fUqn g4y c0mp4r3d t0 uZ, 4nd 1t'd b s0mewh4t p01ntl3Zz t0 sh0Ut t0 0urs3lv3z. sm00ch.

h3y. u d1dnt th1nk w3'd l34v3 y0U w1t n0 w4r3z, d1d y0u!?@ w3'r3 n0t l1k3 th4t..
h3r3'z th3 0-dAy:

===================================EOT========================================

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--=Issue 5 coming up soon! Check it out!=--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

If you want to join UHA, please take a look into our join-section on our Homepage! We are also interested in alliances with other Hacking Groups.

Greetings to gHF, iNsAnE iNc, NuKeM, IHA, DnD, DDs, contribution writers and all members of UHA.

17.Shout-Out's!
===============
Easy money : Thanx for contributing ur text to us
br0therX : Daniel u r so damn [...] Go on!; B.K. time will come [...]; Thx to TAG
B|uSmurf : Prescilla !!!
Venomous : Greets All [TAG] Members .. B|uSmurf, Grimmie, Stormz, cKguy, KeYgEn, FBI, brOtherX, Jason^_X, raz, Gred, CuMeoHob, ZeRoE, KiDz, |D|A|R|K, Prescilla (our sweet TAG mascot) and whoever you are that I forgot!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Proudly presented by,
-=[ United Hackers Association 1 ]=-
Email : uha1@gmx.net or kelvinla@yahoo.com
Homepage : http://www.uha1.com -or- http://come.to/UHA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

===================================EOF========================================
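Section 8 (Back Orifice Remove/Detect) tells the reader to run netstat and look for UDP port 31337, the Back Orifice default. The script below is an added example that does that check over the text output of `netstat -an`; it is not part of the magazine or of Rob|nsonLaw's text. The netstat output it reads is constructed, not captured from a real machine, and port 90 is included in the suspect set only because the section names it.

```python
"""Scan `netstat -an` output for the Back Orifice control port.

Added example for section 8 (Back Orifice Remove/Detect); not from the
magazine or its authors.  The section says to run netstat and look for
UDP port 31337 (the Back Orifice default; the text also names port 90).
This does that check over the text output so hits do not have to be
found by eye.  The sample output is constructed, not a real capture."""

import re
from typing import Dict, List, Tuple

# Ports the section tells the reader to look for.  31337 is the well-known
# Back Orifice default; 90 is included only because the text names it.
SUSPECT_PORTS = {31337, 90}

# Constructed sample in the layout of Windows `netstat -an`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1025       203.0.113.9:80         ESTABLISHED
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  UDP    192.168.1.5:137        *:*
  UDP    0.0.0.0:31337          *:*
  TCP    192.168.1.5:1031       198.51.100.23:31337    ESTABLISHED
"""

_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); a '*' port becomes -1."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else -1)


def parse_netstat(text: str) -> List[Dict]:
    """Turn `netstat -an` text into connection records; banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        rhost, rport = split_endpoint(m["remote"])
        records.append({
            "proto": m["proto"], "lhost": lhost, "lport": lport,
            "rhost": rhost, "rport": rport, "state": m["state"] or "",
        })
    return records


def find_suspect(records: List[Dict], ports=SUSPECT_PORTS) -> List[Tuple[Dict, str]]:
    """Return (record, reason) pairs for sockets that touch a suspect port.

    A local socket bound to the port is the server half of the trojan,
    i.e. this machine is the one being controlled.  A connection whose
    remote end is the port is the client half: this machine is talking
    to a trojaned host somewhere else.  Both deserve a look."""
    hits = []
    for r in records:
        if r["lport"] in ports:
            hits.append((r, "local port: trojan server may be running here"))
        elif r["rport"] in ports:
            hits.append((r, "remote port: client talking to a trojaned host"))
    return hits


if __name__ == "__main__":
    for rec, why in find_suspect(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{rec['proto']} {rec['lhost']}:{rec['lport']} -> "
              f"{rec['rhost']}:{rec['rport']} {rec['state']}  [{why}]")
```

On a live machine, feed the output of `netstat -an` to `parse_netstat` instead of the constructed sample. The limit the section itself points out under "Advanced Level" applies here too: a server reconfigured to another port will not match, so a port-based check is only a first pass, not proof that the machine is clean.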
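Section 12 (the Conseal PC Firewall text) names nestea, boink and newtear. Those tools are teardrop variants: they send fragments of one IP datagram whose payloads overlap, so that a reassembler which trusts the offsets computes a bad length and crashes. The check below is an added example of what a packet filter or IDS that reassembles fragments itself can do to refuse such a datagram before it reaches the host; it is not from the magazine or any of its authors, and the fragment sets it tests are constructed, not captures of those tools.

```python
"""Reject IP fragment sets with the overlaps teardrop-family tools produce.

Added example for section 12; not from the magazine or its authors.
nestea, boink and newtear are teardrop variants: fragments of one
datagram overlap, and a reassembler that trusts the offsets computes a
bad length.  The fragment sets below are constructed."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload length in bytes
    more: bool    # the IP "more fragments" flag (set on all but the last piece)

    @property
    def end(self) -> int:
        return self.offset + self.length


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return a reason to drop the datagram, or None if the set is sane.

    Fragments are sorted by offset and each must start exactly where the
    data seen so far ends: starting earlier is an overlap (the teardrop
    shape), starting later is a gap.  Offsets must be multiples of 8
    because the IP header stores them in 8-byte units, and every fragment
    but the last must carry a multiple of 8 bytes.  A set whose last
    fragment still has the more flag set is incomplete."""
    if not frags:
        return "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    covered_end = 0
    for f in ordered:
        if f.length <= 0:
            return f"fragment at offset {f.offset} has non-positive length"
        if f.offset < covered_end:
            return (f"fragment at offset {f.offset} overlaps data already "
                    f"covered up to byte {covered_end}")
        if f.offset > covered_end:
            return f"gap between byte {covered_end} and offset {f.offset}: datagram incomplete"
        if f.offset % 8 != 0:
            return f"offset {f.offset} is not a multiple of 8"
        if f.more and f.length % 8 != 0:
            return (f"non-final fragment at offset {f.offset} has length "
                    f"{f.length}, not a multiple of 8")
        covered_end = f.end
    if ordered[-1].more:
        return f"no final fragment: datagram incomplete after {covered_end} bytes"
    return None


# Constructed fragment sets.
BENIGN = [Fragment(0, 1480, True), Fragment(1480, 520, False)]
# Out-of-order arrival is fine; the check sorts by offset.
OUT_OF_ORDER = [Fragment(1480, 520, False), Fragment(0, 1480, True)]
# Second fragment starts inside the first and ends before it: the classic
# teardrop shape.  The original tool uses 36 and 4 bytes; those sizes are
# rounded to multiples of 8 here so the overlap branch is the one that fires.
TEARDROP_SHAPE = [Fragment(0, 40, True), Fragment(24, 8, False)]
# Second fragment starts inside the first but runs past its end.
TAIL_OVERLAP = [Fragment(0, 1480, True), Fragment(1472, 16, False)]
# A missing piece is reported as incomplete, not as an attack.
MISSING_TAIL = [Fragment(0, 1480, True)]


if __name__ == "__main__":
    for name, frags in [("benign", BENIGN), ("out of order", OUT_OF_ORDER),
                        ("teardrop shape", TEARDROP_SHAPE),
                        ("tail overlap", TAIL_OVERLAP),
                        ("missing tail", MISSING_TAIL)]:
        print(f"{name:15s}: {check_fragments(frags) or 'ok'}")
```

A filter that applies this check drops the whole datagram on the first overlap it sees rather than trying to pick a "winning" fragment; since the section's point is that one stray packet can get through a loose ruleset, reassembling and validating before forwarding is what closes that path, not more host entries in the ruleset.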