                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3f, Phile #0x02 of 0x0f

|=-------------------------=[ L O O P B A C K ]=------------------------=|
|=----------------------------------------------------------------------=|
|=---------------------------=[ phrackstaff ]=--------------------------=|


|=[ 0x01 ]=---------------------------------------------------------------=|

Ode to a Dtorz Haqr - b0f's pilfered shell histories

b0f@srv1:~$ cat .bash_history
    3  rm .bash_history
    4  ls -alF          /* alf is my favorite tv show! */
    5  BitchX irc.dtors.net #dtors
    6  BitchX 127.0.0.1
    7  netstat -anp |grep LISTEN
    8  ls
    9  w
   10  cat d.c
   11  rm d d.c
   12  ls
   13  rm core
   14  ls
   15  ls /usr/bin
   16  LD_PRELOAD=/bin/su
   17  passwd
   18  su
   19  export LD_PRELOAD=/bin/su
   20  su
   21  su
   22  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
   23  w

/* Ahhh..... the common mistake of confusing
       export LD_PRELOAD=AAAAAAAAAAAAA.... /bin/suid
   WITH
       export LD_PRELOAD=/bin/suid AAAAAAAAAAAAAAAAAAAAA....

   don't worry b0f! it's a mistake that even the best of us make frequently!
   no, seriously!!!!!!
*/

   24  w
   25  w
   26  w
   27  w
   28  w
   29  w
   30  export LD_PRELOAD=/usr/bin/passwd
   31  w
   32  w
   33  export LD_PRELOAD=/usr/bin/useradd
   34  w
   35  su
   36  ps aux
   37  sh
   38  export LD_PRELOAD=
   39  sh
   40  history
b0f@srv1:~$
bof@srv1:~$ w
b0f  pts/1     82-40-58-105.cab  Tue Dec 9 16:47 - 19:21  (02:33)
b0f  pts/1     82-40-58-105.cab  Tue Dec 9 16:44 - 16:47  (00:03)
b0f  pts/1     82-40-58-105.cab  Tue Dec 9 07:12 - 07:32  (00:19)
b0f  ftpd6088  localhost         Mon Dec 8 16:12 - 16:17  (00:05)
b0f  ftpd5864  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5863  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5862  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5861  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5860  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5859  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5858  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5857  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5856  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5855  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5854  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5853  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5852  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5851  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5850  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5849  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5848  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5847  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5846  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5845  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5844  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5843  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5842  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5841  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5840  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5839  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5838  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5837  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5836  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5835  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5834  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5833  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5832  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5831  localhost         Mon Dec 8 14:16 - 14:16  (00:00)
b0f  ftpd5830  localhost         Mon Dec 8 14:16 - down   (08:59)
b0f  ftpd5829  localhost         Mon Dec 8 14:15 - 14:16  (00:00)
b0f  ftpd5828  localhost         Mon Dec 8 14:15 - down   (08:59)
b0f  ftpd5827  localhost         Mon Dec 8 14:15 - 14:15  (00:00)

/* Editor: You get the fucking hint..... +2500 lines */
/* We literally cut out 2500+ lines, No Joke!! */

b0f  ftpd3347  localhost         Mon Dec 8 13:25 - down   (09:50)
b0f  ftpd2876  localhost         Mon Dec 8 13:22 - 13:22  (00:00)
b0f  ftpd2875  localhost         Mon Dec 8 13:22 - down   (09:53)
b0f  ftpd2873  localhost         Mon Dec 8 13:22 - 13:22  (00:00)
b0f  ftpd2871  localhost         Mon Dec 8 13:22 - down   (09:53)
b0f  ftpd2870  localhost         Mon Dec 8 13:22 - 13:22  (00:00)
b0f  ftpd2869  localhost         Mon Dec 8 13:22 - down   (09:53)
b0f  ftpd2868  localhost         Mon Dec 8 13:22 - 13:22  (00:00)
b0f  ftpd2867  localhost         Mon Dec 8 13:22 - 13:22  (00:00)
b0f  pts/0     82-40-58-105.cab  Mon Dec 8 13:11 - 13:39  (00:28)
b0f  ftpd1384  localhost         Mon Dec 8 13:10 - down   (10:05)
b0f  ftpd1383  localhost         Mon Dec 8 13:10 - 13:10  (00:00)
b0f  ftpd1380  localhost         Mon Dec 8 13:10 - down   (10:05)
b0f  ftpd1379  localhost         Mon Dec 8 13:10 - 13:10  (00:00)
b0f  pts/0     82-40-58-105.cab  Mon Dec 8 11:42 - 13:10  (01:28)
b0f  pts/0     82-40-58-105.cab  Mon Dec 8 11:10 - 11:41  (00:31)
b0f  pts/1     82-40-58-105.cab  Sun Dec 7 22:04 - 23:01  (00:57)


|=[ 0x02 ]=---------------------------------------------------------------=|

Robin of Loxley IRC Logs - rap1st

dude unban this could look bad for you im trying to let you make it clear your side oh please ven had NOTHING to do with condemned i would never let him ok, well you cant say nothing because obviously, he asked to help the site, provided technical support and was an op in #hackphreak thats a pretty big link that is
moronic he provided no tech support hackphreak is not condemned say what you want, and if you lible me, i will sue you my lawyers live for this shit I understand that, but do you not hold your ops to your same set of ethics? notice he isnt an op any more? when i saw what he was doing, i removed him look man, ever since I took this job as an investigative reporter, I have been nothing but fair and balanced I need to ask you something fine, give me the phone number of your boss did you visit the site? let me check you out as if you dont give it to me, we are finished here wait a minute you wotn answer that? I am my own boss i trust, but verify of course i went to look at it who do you submit to? mike hennigan? ok, so you went to a site, knowing you would be looking at underage girls in the nude? mike wallce? i went to see if the story was true, and then took action im independant then you are full of crap i have more media contacts than you have friends ok, but.. now look.. im not trying to start anything here.. but you knowingly went to an underage porn site is that ethical you ALWAYS Have a contact ? you are an idiot, good bye yes, but my contact is not my boxx you are now perm banned my articles can go where ever I want good do what you feel is right well, I would like to think you are a good guy my lawyers are a bit bored now anyway but I have to get Bill Oreilly on you here for a minute ok? you know i am who is bill orielly? have you or have you not looked at hundreds maybe thousands of underage pictures of girls while defending your cause? i havent i am not on that committie, as i have young children then how do you know they are underage? verification is handled by others but you looked at venemous's site? how many times will you ask that? what made his any different? 
I want confirmation, I want to be fair good bye convince me you are a good guy -ignored- and the article will reflect that this will look bad for you if you dont answer you really dont know who i am do you? go for it, i will call my attorneys now who should i direct them to? listen man we are friends, are we not? I know who you are no you listen, you wanna fuck with me, i will fucking bury you but jesus, im doing a job no, you are trying to create a scenario I need to get this information out to the masses and i will NOT fall into that bullshit look, I have a few more questions for you I will write my article when i found out what he was doing, i distanced myself and my channel from him and then hand it to you ok? you have no more questions i will answer you wanna play ? i am game was that the first time you downloaded child pornography? but i will bury you, remember i said that we are through, forever I need to ask this you are perm banned in hackphreak dont ever come back did you touch yourself ever while you did "verification" ? I didnt do anything to deserve this have I ever published anything about you that was wrong or misleading? (rap1st): did you touch yourself ever while you did "verification" ? < oh no? i think this is more than enough as a reporter, I have to ask that a simple "no" would have sufficed oh please you continue, and i you will incur my wrath i suggest you just go away you are a sick fuck look man, the last thing I need is your wrath Ill just forget about this article ok? its not worth it we are done forever can I come back to #hackphreak if I drop the article? nope why are you so defensive? is there something I should know? 
if you want to come clean right now, Ill publish it yes, that is you dont stop bothering me, you will be very sorry you publish whatever you want man whatever makes you happy, and when you are paying me 100 million in damages, and spending 15-20 in jail, i will smile at you through your bars im not going to make shit up I provide facts not bullshit (rap1st): did you touch yourself ever while you did "verification" ? < oh no? i think this is more than enough to qualify as bullshit now go away, before i get angry look, you didnt even answer that im nto going to speculate Ill just say you refused to answer i wouldnt dignify that bullshit with a fucking response now i am warning you man get lost holy shit, im not sure what got you so riled up Ill drop the article.. cool? I wont do it. you do whatever you want man I dont appreciate the threats but you do anything that affects me, my family or my business, i will bury you we are old friends fuck that not any more we arent i have NEVER had any one speak to me like that we have always been tight i have NEVER had any one speak to me like that did i touch myself, if you were here, i would fucking mangle you I didnt mean to upset you haha calm down too late i dont take that shit from anyone ok, look, I tried to be friendly Im going to sue you excellent, bring it on i am quite sure my resources will last far longer than yours so bring it, PLEASE |=[ 0x03 ]=---------------------------------------------------------------=| Let's Start a Honeypot - Javaman (respected "scene" person in a 'private' chat session) hahaha lets just run a honeypot that would be badass very innovative. like a honeypot with all our projects all over the place. yeah but we'd back it up of course definitly we would restore it from a fixed image every night. if anyone fucked it up, we'd just restore there's a network'd camera/webcam that you access via vnc prety slick idea the honeypot or the camera? the camera I'd love to do honeypot stuff. 
we'd get MAD 0hday ;) a vnc server that has vmware and every imaginable OS what's the "h" in 0hday stand for again? * nullboy mulls. OH! hour I remembered. it doesn't hahaha no, it's OH! day its oh. oh -day 0h! as in zero. hehehe dude a honeypot with all of our projects in our home directories would be just so very cool yeah and maybe do something like every couple of commands a chunk of text, like philosophy is spit out to the user's terminal. but the best would be we could make our own frontend, to it nono, no front end. just a unix machine telnet in, guest/guest. I see but you can't run shit right from it that way it would be like a haunted machine. hmmm, this could be a lot of fun, especially around halloween time yeah but just in general ian imagine back in the day you rooting a machine and it starts dumping chunks of text out at you seriously, we need to push the envelope like a story this could end up being really innovative. bryce, im still all for the community VPN/IPSec network idea that'd be ill well, just running some obscure software is cool enough yeah it could run like xenix with adventure you telnet in and get adventure AIX 2.0! or zork dude telnet in and you get a shell. yeah but as you start to explore you get a zork like game but you are still in unix right thank god I log this channel haha this would be sweet. we'll all forget this idea in an hour "Navigate the directory structure to find the princess!" nono booo tim, think of it as a haunted unix machine maybe the amulet of yendor some directories will contain odd files we have to hack bash and stuff will change when you're not looking it could shift around in odd ways random conole resets it could be like a flashback to nostalgia ascii graphics. yeah dude simulated bbs dialups all kinds of fake prompts it's all about Doors bbs's yeah little toy hacking challenges. that would be badass. man that would be SO FUCKING INNOVATIVE. 
yeah ghost prompts that appear in the center of the screen let's see if we can build a web-site first ahhaha good idea, bryce then we'll branch out into some other interesting services. sad thing is we can achieve the honeypot befor ethe website since it requires no graphics. we need some infrastructure for the honeypot it needs to be in a sandbox of sorts yeah otherwise it won;'t be a honeypot bbl and we need the backup/restore mechanism. that's easy not really once we build the box how we like it...make an ISO um, right but it should be able to change you don't just want it RO so you need a way to track legitimate changes and separate them from bogus changes well ya. I mean an ISO in the sense of once itr's been rm'd, we just reinstall from ISO cuz it will get rm'd after burning to a CD? I don't get it burn the cd and just store it somewhere not boot off it Disk image backup. right what about stuff that changed recently? * bda dances. CVS the Install nullboy: Incremental disk images. and then burn an ISO from the current CVS Via CVS or rsync or whatever. ok, sounds like we've got it figured out yay 650 anytime minutes thing with that is that you gotta rely on rsync services on the machine not getting fsck'd Free Nights and weekends starting at 8pm best is some kind of shared filesystem and a new ph0ne so you can access it externally to make backups and not rely on the host to make it available there's always *gasp* NFS no, cause nfs can be messed up on the machine well, a nice mirroring raid array would be easy if one disk fets fucked, we'd have a backup and it can be done w/ IDE now no nullboy: wtf are you talking about? afs, then. cause you can't tell the diff between a legitimate change and a change that comes about from malice Whatever. We should just keep this machine unplugged from the network. Hell, I wasn't even paying attention to the conversation. :P everyone shut up My Vagina has two sets of lips no one understands me. explain it then CHUT UP! 
who's at all interested in actually doing anythihg with this idea? aye ok aye What? "Doing something"? Huh? side note: problem 1: prevent anyone from using the machine as a staging ground for network abuse I can't wait to shoot my current cell phone battery with my bbgun nullboy: solved, prohibit outbound tcp nullboy: nosuid, noexec haha err tcp/udp/icmp problem 2: how to do version control on the system reliably nullboy: md5sums against admin-changed list. bda: I was thinking more along the lines of an external firewall Isn't this called LIDS? iverson: we need to go shopping for pellet guns (speaking of BB) people should be able to make persistent changes to the system . . . . . but you need to be able to back them off when something goes wrong version control: We have an offsite mirror of the system that we develop on. We commit changes to a CVS style system and build ISOs of the latest system. Goto the live box and update. changes come from within the box no one's sitting there typing cvs commit all the time cron diff / hahah you can't rely on anything the host does. we're assuming it's going to get hacked. bryce, hold on a second So. You can't trust the host. You can't trust the users. What's the point of this, exactly? to keep the system running Except maybe as an exercise in frustration? honeypot Oh. Jesus. that's why im saying, developement changes take place offsite on a mirror box you have to keep it running with some minimum functionality the only way to track changes is if you can access the storage externally, afaik question: you can't trust file service running on the honeypot when you say track changes, do you mean track changes the users make? YES! oh, lal i r dum yes u r anyhoo I goeth home k I'm logging this stuff so we can reference later but I think that you could do something using vmware that would work well. 1: prevent them from abusing external resources from the box. 
find / | diff find-xx-xx-xx.txt > diff-xx-xx-xx.txt | scp diff-xx-xx-xx.txt blah@blah.com 2: track changes externally for files being added, atleast um, no remember, you can't trust the services running on that host they're all backdoored and shit Going to have to drop the machine and boot it off CD. Do the diffs to dead/ro system disks. right Fucked otherwise. What a pain in the ass. OR, have physical sharing of the devices What? as in with vmware, or shared scsi, or any number of things Well. nfs even. to some extent With vms, you can still get fucked. And the host itself will get owned. So can't do that. ah you're right though it's FAIRLY safe. <@javaman> that's bullshit yeah, you're right :D pita. if your vm gets owned, you get owned. I wonder . . . . virtual machine is the best way. then use tripwire or something to make sure the host doesn't get compromised. When it does, shut everything down and restore from backup what about making the Honey pot in a fully functional jail? You can break out of jails. I just named a machine "despair" yeah, you have to watch the jail carefully seriously, without physical measures, there's no assurance that you will detect getting owned. dont you think that would be easy to automate? if it sees conditions get violated it sends out an email and shuts itself down it'd work in most cases. it's just not a "perfect" solution You guys are nuts. You just can't make a machine secure. :P heh yeah, why bother so . . . .the web site |=[ 0x04 ]=---------------------------------------------------------------=| Rafa's Resume - his webpage Rafael Nuñez /* In case you're wondering what kind of name this is, it's supposed to read like 'Rafael Nunez' except he has one of those non ASCII compliant spic letters in his name */ Contact Los Palos Grandes. 4ta. Avenida con 3ra. transversal Cypress Garden Building, 91 Apartment, Caracas, Venezuela, 1070 zip code. 
Email: rafa@box.sk / rafa@cpiu.us Office: 5812 - 9524266 Mobile: 58414-2633236 ICQ # 10318 Venezuelan, Age 24 Languages: Spanish, English and Italian Objective Summary Senior position within penetration testing, intrusion detection system analysis, forensic analysis and incident response, research and development of new exploits and architecting the security infrastructure of an organization. Willing to relocate. Over 5 years of experience in the information security field with core progress in Penetration Testing, Intrusion Detection System analysis, packet analysis and incident handling, , and firewall deployment and stress testing. Have assisted federal authorities in incident response and forensic analysis to track down and investigate system compromises. Project Manager of Intelligence Department from Scientech de Venezuela. C.A. www.scientech.com.ve Experience Ethical Hacking Strong understanding of penetration tests and risk assessments, bypassing firewalls, etc. Computer Forensic Experience using EnCase Forensic Software, AccessData Forensic Tools, Fire Dmz, etc. VPNs/Cryptography Experience using StoneGate, Laplink Software, BorderWare software. PGP, GnuPG, etc. Operating Systems OpenBSD 2.x, 3.x, Windows NT/2K/XP, Linux Redhat 7-9, Sun Solaris, X86 Solaris, X Windows OE. Unix Services OpenSSH, OpenSSL, Apache, ApacheSSL, WuFTPD, NcFTPD, SFTP, Stunnel, Sendmail, MySQL, and. Sun DiskSuite Intrusion Detection Systems (IDS) 1. Remote help to create custom attack signatures for AppliedWatch.com 2. Research in tactical IDS evasion techniques and tools (Fragroute) Helped the worlds first OS-native Snort management/monitoring console. (http://www.appliedwatch.com) 3. Versed in analyzing packets through Protocol Header Anomaly Detection (PHAD) and analyzing hex dumps of malicious traffic without ASCII representation. Firewalls 1. Checkpoint FW-1 Cisco Pix Firewall - OpenBSD Packet Filter, IPF, and Linux IPChains 2. 
Windows based, Agnitum Outpost, Zonealarm and Blackice Penetration Testing/Risk Assessment Advanced knowledge in penetration testing of security software and appliances. Have discovered numerous vulnerabilities in systems, exploits and released the Webdav exploit for the vulnerability of Windows 2000 Internet Information Server 5. Knowledge in the use of the following security tools. Also have homegrown, custom attack tools, WoH, Adm, Teso, Gobbles, w00w00, el8, etc. exploits, and scanners that have not been released to the general public. 1. Tripwire 2. NESSUS 3. SSCAN 4. Nmap 5. Nemesis, Packit (Packet Injection) 6. NAI CyberCop 7. ISS RealSecure 8. Shadow Security Scanner 9. Retina Scanner from eEye 10. GFI LANguard Network Security Scanner 11. Dame Ware Remote Control 12. Cisco Scanner from Ian Tessier 13. Symantec NetRecon 14. Nikko (old whisker) 15. Xforce Scanner Work History Scientech de Venezuela,C.A. 2002-Present Project Manager of Intelligence Department Helped bring company to full profitability within penetration tests and risk assessments. Personally acquired the team to improve and manage for the goal of a perfect work. http://www.scientech.com.ve Counter Pedophilia Investigative Unit : 2002-Present Deputy Director CPIU is a great organization which has been working on tracking down the root of pedophile and child pornography rings on the internet. http://www.cpiu.us Fatelabs, Inc 2000 - June 2002 Internet Warfare and Intelligence Consultant Provided successful remote penetration test of Walt Disney, San Jose State University, and the University of Pittsburgh (multiple Class A networks). Past penetration tests included war dialing modem pools, MITM-based attacks of SSL and SSH sessions, and session hijacking. Reason for leaving: Needed to move to the USA http://www.fatelabs.com The Hackademy School Paris 1 - 2001 villa du clos de Malevart Metro Goncourt 75011 Paris. France. 0140210120 hackademy@dmpfrance.com. 
3 levels approved, Director of Hackadamey: Spinelli Olivier http://www.dmpfrance.com Universidad Católica Andrés Bello 2001 - Computer Engineering 3th trimester approved. Reason for leaving: Approached by Fatelabs to work on remote Homeland Defense Notoriety, Awards and Publications 2002-2003 The New York Times New York City, New York Technology Consultant § Advise journalists of technology facts and opinions for upcoming stories. www.nytimes.com 2001-2003 News.com & Zdnet Technology Consultant § Advise journalists of technology facts and opinions for upcoming stories. www.news.com 2002-2003 IDG.net and ComputerWorld Technology Consultant § Advise journalists of technology facts and opinions for upcoming stories. www.idg.net 2003 PC-NEWS Technology Consultant Advise journalists of technology facts and opinions for upcoming stories. www.pc-news.com The Hacker Diaries - Confessions of Teenage hackers - McGrawHill Written about in the book, "The Hacker Diaries" by Dan Verton http://www.amazon.com/exec/obidos/tg/detail/-/0072223642?v=glance White Gray Black Hackers notorious website Listed on the hackers famous list http://www.wbglinks.net/pages/watchmen/ Decoding Computer Intruders http://www.nytimes.com/2003/04/24/technology/circuits/24viru.html?page wanted=3 New IIS exploit could be one of many http://www.computerworld.com/securitytopics/security/holes/story/0,108 01,79701,00.html U.K. police nab Fluffi Bunni hacker http://www.computerworld.com/printthis/2003/0,4814,80811,00.html Supuesta competencia de hackers genera revuelo http://www.pc-news.com/detalle.asp?sid=&id=11&Ida=1150 Vulnerability enables Passport account hijackings http://www.infoworld.com/article/03/06/30/HNpass_1.html Hackers organize vandalism contest http://news.com.com/2100-1002_3-1023172.html?tag=lh A.V. 
man leads anti-pedophile group Jared Zucker, other investigators try to keep children safe while online http://www.vvdailypress.com/cgi-bin/newspro/viewnews.cgi?newsid1056374 491,18869, The International Herald Tribune Cyber Terrorists Sharpening Their Tools The Daily Press A.V. man leads anti-pedophile group. Blackcode Security Cyber Terrorists Sharpening Their Tools Crime Research Blocking a cyber attack. Boiling Springs Sentry Pedophile shake down, Counter Pedophilia Investigative Unit hard at work. Blacksburg Times Pedophile shake down, Counter Pedophilia Investigative Unit hard at work. Chesnee Tribune The Counter Pedophilia Investigative Unit, cracking down on pedophilia. Inman Times The Counter Pedophilia Investigative Unit, cracking down on pedophilia. Middle Tyger Times The Counter Pedophilia Investigative Unit, cracking down on pedophilia. Whitmire News The Counter Pedophilia Investigative Unit, cracking down on pedophilia. Woofruff News The Counter Pedophilia Investigative Unit, cracking down on pedophilia. Spartanburg County News Counter Pedophilia Experts Shutting Down Internet Child Pornography 2600 : The Hackers Quarterly The reality of media coverage on convicted computer criminals. The State Counter Pedophilia agency making a sweep in South East REFERENCES John Schwartz The New York Times 1-888-NY-TIMES jswatz@nytimes.com Robert Lemos News.com & Cnet.com rob.lemos@cnet.com Paul Roberts IDG.net & ComputerWorld Paul_Roberts@idg.com Dan Verton ComputerWorld dan_verton@computerworld.com Eric Hines Fatelabs.com & Appliedwatch eric.hines@fatelabs.com M. Seth Pack Counter Pedophilia Investigative Unit PO BOX 400 Cowpens, SC 29330 home - 1-864-463-4296 mobile - 1-864-515-1183 mpack@cpiu.us Gloria Suarez Totalfina Elf Phone. (58212) 9096082 Mobile. (58) 412.2110971 gloria.suarez@totalcom José Torres Scientech de Venezuela Phone (58212) 9524266 Mobile. 
(58)414.250618 jtorres@scientech.com.ve


|=[ 0x05 ]=---------------------------------------------------------------=|

Great IRC Quotes - dvdman & friends

i try not to idle in chans with kids ***SCENE WHORE ALERT*** dont make me use the race condition in the TCP ISN generation to predict the sequence number of an irc session and hijack the session by injecting a QUIT :w00t hey nolife remember the off by one heap on sshd in the key exchange algorithm (where u can free and get unlink to overwrite the return addr on the stack) or did you not remember unlink is vuln WTF SAID I WAS A TRADER?!?

********************************************************************
WAIT A MOMENT!!!

Phrack Staff would like to remind our readers, not all of which are
accredited scene historians, of Knight420's many attempts at fame.

Don't forget, chemtrailX.c, the /sbin/iwconfig local exploit, written by
Knight420 on 11/13/03
http://www.packetstormsecurity.nl/0311-exploits/chemtrailX.c

We are quite confident Knight420 couldn't even buy a bag of weed in his
middle class white neighborhood and go home without his bicycle and
clothes stolen, let alone understand something as esoteric as a heap
overflow.
********************************************************************

^ 101010101010 the y0g1 b3rr4z of efnet


|=[ 0x06 ]=---------------------------------------------------------------=|

The Unofficial Phrack's Response to the Real Phrack - #phrack@EFNET

03:02 ## Join #phrack: skyper (~skyper@aziza.team-teso.net)
03:03 good morning.
03:03 aloha
03:04 hello skyper
03:04 skyper, why aint u put p62 on phrack.org ?
03:06 seriously, what kind of spinner doesnt put p62 on phrack.org
03:06 maybe coz he is not starring in p62
03:06 i think he's waiting for us to put it there :(
03:06 ouch :)
03:08 i read p62. would have release two articles myself. the honneynet article was cool. kind of stuff phrack.org needs.
03:08 the rest was jsut crap. boring & endless irc logs
03:08 moin skyper
03:08 that are of no interest in 3-5 years.
...
03:21 2 the_uT, what really made me laught is that u guys could spot my german asent.
03:21 2 acsent.


|=[ 0x07 ]=---------------------------------------------------------------=|

3APA3A's Pathetic Rebuttal - 3APA3A
(http://lists.netsys.com/pipermail/full-disclosure/2003-September/010747.html)

Dear phrackstaff@ziplip.com,

--Tuesday, September 23, 2003, 3:51:59 AM, you wrote to full-disclosure@lists.netsys.com:

pzc> 16. REAL authentic information regarding iDEFENSE contractor
pzc> purchases.

Not exactly. I really did some work for iDefense (as I always ready to do legal management/training/coding/administration/research work for any company and iDefense offer was really good). My real name is correct (and it can be found in any programming work I do, for example in FreeRADIUS sources and 3proxy license). The problem is:

1. I never signed contract or received any money for "Sambar Remote File Retrieval Vulnerability".
2. I never received payment of $300 for any work I did for iDefense.

I can't disclosure advisories or payments details (well... since I don't smoke and I hate vodka, smallest of payments I received from iDefense was spent to buy new Panasonic DLC5 digital camera... I hope this information doesn't violate any contract).

It makes me think rest of your information is also bogus or incomplete.

--
~/ZARAZA

>>>>>>>> DEAR "3APA3A20030123,"

Perhaps you will not understand me because we are from 2 different worlds, but I'll try to explain anyhow. Here, in the United States of America, we have a "daytime TV talkshow" called "The Ricki Lake Show." On this show, every day, people take lie detector tests to determine if they have cheated on their boyfriends/girlfriends. Every single person swears they didn't, and when the polygraph results show them to be lying, they try to respond with great genuine surprise and outrage.
You, 3APA3A20030123, have been caught in the middle of a lie, and you have failed to take responsibility for the seeds of deceit and dishonesty you have sown. You sound like Marty Roesch claiming he didn't get owned, or like Theo de Raadt, claiming he had an original idea that wasn't implemented 2 year before he "introduced" it into OpenBSD. FUCK YOU, 3APA3A20030123. Contributor(s) Name and/or Handle: Vladimir V. Dubrovin (aka 3APA3A) Country of Citizenship: Russia Date of submission(s): January 23, 2003 IDEFENSE Labs ID#(s) 3APA3A20030123 The Agreement Agreement between iDEFENSE, Inc., a Delaware corporation (the "Company"), and "Contributor" for compensation for information product delivered to and accepted by the Company. Services to be Provided You agree to provide the Company with genuine vulnerability and exploit code research related to information security (the "Information Product"). The Contributor agrees that Information Product being providing is not in the public domain at the time of this contract and that all work and research submitted to the Company is proprietary to the Contributor and has not been stolen or obtained in any unethical or unlawful manner. Fees The Company agrees to compensate the Contributor US$ 600 for Information Product provided. Payment will be sent via Western Union on March 1, 2003, to the following location: ALFA BANK PISKUNOVA, 45 NIZHNY NOVGOROD 603005 RUSSIA Tel: (7 ) (831) 2300957 For Mr. Vladimir V. Dubrovin If the Contributor is a US citizen and earns over US$ from the Company, US law requires the collection of tax information from the Contributor, thereby requiring the completion of a W9 form that is available at http://www.irs.gov/pub/irs-pdf/fw9.pdf. Once complete, please fax to: David Endler Director, Technical Intelligence iDEFENSE, Inc. 
1-703-961-1071 fax Exclusivity The Contributor and the Company may agree herby as to an option for the company to acquire the intellectual property rights to the Information Product or to receive a limited exclusive period of use prior to the Contributor publicly releasing such Information Product. The following option applies: The Contributor relinquishes intellectual ownership of the Information Product relating to iDEFENSE Labs ID# 3APA3A20030123. The Contributor and the Company agree that the Contributor will be paid for the Information Product in exchange for granting and selling to the Company the exclusive right to release the information according to its security disclosure policy. The Contributor further agrees not to disclose the information used by or detailed in iDEFENSE Labs ID# 3APA3A20030123 to any public or private forum until such time that it is made public by the Company. This includes contact with the vendor. The Company will work with the vendor to determine the appropriate disclosure process. Contributors will be referenced in all reports sent to Company clients. If the Company identifies on any forum a vulnerability and/or exploit similar to the one being verified by the Company, no compensation will be provided. The Information Product and all rights will be returned to the Contributor. The Contributor relinquishes intellectual ownership of the Information Product relating to iDEFENSE Labs ID# 3APA3A20030123. The Contributor and the Company agree that the Contributor will be paid for the Information Product in exchange for granting and selling to the Company the exclusive right to release the information according to its security disclosure policy. The Contributor further agrees not to disclose the information used by or detailed in iDEFENSE Labs ID# 3APA3A20030123 to any public or private forum until such time that it is made public by the Company. This includes contact with the vendor. 
The Company will work with the vendor to determine the appropriate disclosure process. Contributors will be referenced in all reports sent to Company clients. If the Company identifies on any forum a vulnerability and/or exploit similar to the one being verified by the Company, no compensation will be provided. The Information Product and all rights will be returned to the Contributor.

Do you agree with this? : __YES_________________________________

Standard Terms and Conditions

By signing this Agreement, you agree to the Company's Standard Terms and Conditions attached as Exhibit A and deemed part of this Agreement.

Miscellaneous

The offer contained in this Agreement is made only on the terms and conditions set forth in this Agreement. By signing this Agreement, you agree to its terms and conditions as originally electronically transmitted to you, and no modification of this Agreement by you which is not specifically agreed to in writing by the Company will be binding on the Company or have any force of effect.

ACCEPTED AND AGREED: 3APA3A (Vladimir V. Dubrovin)
Date: _February, 25 2003___

|=[ 0x08 ]=---------------------------------------------------------------=|

b0f's Equally Pathetic Rebuttal - b0f
(http://lists.netsys.com/pipermail/full-disclosure/2003-September/010755.html)

pzc> 16. REAL authentic information regarding iDEFENSE contractor
pzc> purchases.

Hi would just like to touch on this. Most of the info they have on there about me is untrue. Yes i did get $300 from idefense and yes that is my name. My name can be found by searching google (good google skills boys). The date they have is completely wrong and i am not a member of dtors security and have never been. Any member from dtors would confirm that i didn't 'steal' nuthin from them to sell to idefense. For guessing my paypal account wouldn't be too hard since i always use this email address. I also have a good idea where they got the $300 price tag from.
While i write this i must also congrat them in finding a hole in suexec.

whereis suexec
suexec: /usr/sbin/suexec /usr/share/man/man8/suexec.8.gz
ls -al /usr/sbin/suexec
-r-s--x--- 1 root apache 11732 May 15 06:09 /usr/sbin/suexec
cat << EOF >> suexp.c
/* REMOVED - sorry kids
 * Phrack supports Non-disclosure
 */
EOF
make suexp
cc suexp.c -o suexp
./suexp -t6
id
uid=0(root) gid=0(apache) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

#h3h3h3 Ain't it great that their exploit gives gid=0(apache).

I hope this clears this up and guys for phrack 63 anything you want to know about me just ask at least you will get it right that way ;)

Regards
b0f

=====
www.b0f.net

>>>>>>>>

DEAR b0f,

Please refer to my response to 3APA3A and apply all points accordingly. Oh, and thank your lucky fucking stars that most of the people reading this don't know 1/8 as much about wire fraud/money laundering as they do about owning pathetic bums from the scene land fill. Since your iDEFENSE contract is pretty long, I'll just be pasting the specific part that applies to you.

Contributor(s) Name and/or Handle: b0f
Country of Citizenship: Scotland
Date of submission(s): February 23, 2003
IDEFENSE Labs ID#(s) b0f20030223

Fees

The Company agrees to compensate the Contributor US$ 300 for Information Product provided. Payment will be sent via Paypal (http://www.paypal.com) to the e-mail address b0fnet@yahoo.com.

ACCEPTED AND AGREED: [signature] Alan McCaig
[print your name] ALAN MCCAIG
Date: 03/04/2003_________________________

|=[ 0x09 ]=---------------------------------------------------------------=|

#Phrack Support Runs High - Matsu Kandagawa
(http://lists.netsys.com/pipermail/full-disclosure/2003-September/010785.html)

Thanks to Roesch's magnificent sentence-parsing spin job yesterday, like the rest of you, I'm quite sure that, quote, "there is no trojan in Snort".
But unless I grossly misread the statements from Phrack, the central issue at hand was the introduction of deliberate weaknesses, not trojans. Do any of you have anything to say about that? When you say "look for yourself" surely you don't mean to claim that Average Joe Admin has the requisite skillset and detailed knowledge necessary to spot something potentially that subtle?

And would anyone care to address the "off-by-one's, integer overflows, and logic bugs" m1lt0n alluded to in his or her article about Snort? How do you intend to counter the effects of Sneeze? Any comments on the Sebek piece? How confident are you in people who are doing your code review, anyway?

I honestly hope the PHC does the same to every last one of the components of Project Honeynet: Honeyd, VMWare, the works. Whether you choose to admit it or not, the latest releases from Phrack do more to further the improvement of these technologies than the vast majority of researchers who are scared stiff at the prospect of losing funding. You complain now and tisk-tisk about the PHC's "juvenile" approach and tell yourselves it's all social engineering, but why not ask yourself where you'd be if they chose to sit on the papers they released yesterday instead? Ignoring people because you find them distasteful doesn't make the problem go away.

Hot tip for the initiated: With this bounteous cornucopia of unintended assistance from Phrack, it's better than even money that Major Martin and friends are likely to start asking some serious questions about all the money they've been pouring into substandard and intellectually dishonest research products. And don't think they don't know about who you've been corresponding with and trying to impress with your work, either. You aren't as slick as you think you are.

If these recent embarrassments don't result in SIGNIFICANT improvements in Snort and a top-to-bottom review of honeynet design, I strongly suspect there's going to be some serious consequences.
Just a wee hunch.

I swear to God if I had a hundred thousand dollars in unmarked bills right now, I'd hand it over to the Phrack men this very minute with a heartfelt "thank you".

In sum, "Everybody relax"-- the eternal refrain of the con artist-- might be good enough for people likely to be swayed by such assurances (or those who prefer to stick their heads in the sand to avoid unpleasant truths) but unfortunately for you, some of the people you've been working with demand a hell of a lot more.

By the way, your explanation of how your machines were owned was one of the most disgraceful cop-outs I've seen in a long, long time.

Evolve or die, Matsu.

"who must be just some zit-faced chink PHC kid posting trolls from his mother's basement". (I have no interest in addressing your ad-hominem attacks, so I just thought I'd say it for you and get that out of the way.)

|=[ 0x0a ]=---------------------------------------------------------------=|

Fitness Tips & Suggestions - r1ght s41d phr3d

phc, just thought i might share my workout routine with you - this is how i stay in tip top blackhat condition

day 1 -
flat bench press - 5 sets: 1x12, 1x10, 1x10, 1x8, 1x6
flat bench dumbbell - 4 sets: 1x12, 1x10, 1x10, 1x8
military press - 4 sets: 1x10, 1x10, 1x8, 1x8
decline bench press - 5 sets: 1x12, 1x10, 1x10, 1x8, 1x6

day 2 -
bicep dumbbell curls - 5 sets: 1x10, 1x10, 1x8, 1x6, 1x4
calf press - 4 sets: 1x55, 1x50, 1x30, 1x25
bicep curl preacher - 4 sets: 1x10, 1x10, 1x8, 1x8
forearm curls - 4 sets: 1x10, 1x10, 1x10, 1x10
decline abs - 4 sets: 1x35, 1x30, 1x25, 1x20

day 3 -
tricep push down - 4 sets: 1x10, 1x10, 1x10, 1x8
tricep dumbbell raise - 5 sets: 1x10, 1x10, 1x10, 1x10, 1x8
leg press - 4 sets: 1x12, 1x10, 1x10, 1x8
tricep chord pulldown - 3 sets: 1x10, 1x10, 1x10
squats - 4 sets: 1x12, 1x10, 1x10, 1x8

day 4 - rest

day 5 -
flat bench press - 3 sets: 1x12, 1x10, 1x10
incline bench press - 5 sets: 1x12, 1x10, 1x10, 1x8, 1x6
incline bench machine - 3 sets: 1x10, 1x10, 1x10
incline bench (smith machine) - 3 sets: 1x10, 1x10, 1x10
decline abs - 4 sets: 1x35, 1x30, 1x25, 1x20

day 6 -
lat pulldowns - 5 sets: 1x12, 1x10, 1x10, 1x10, 1x8
seated row - 5 sets: 1x12, 1x10, 1x10, 1x10, 1x8
lateral raises - 4 sets: 1x12, 1x10, 1x10, 1x8
shrugs - 4 sets: 1x12, 1x10, 1x10, 1x10
deadlifts - 4 sets: 1x10, 1x10, 1x10, 1x10

day 7 - rest

>>>>>>>>

DEAR phr3d,

That sounds like a great workout program, with a few possible improvements that could be made.

First off, it sounds by the number of calf presses you are doing, you may be emphasizing power a bit too much. You may want to cut down the huge number of reps (55 is high!) and shoot for slower more controlled raises where you fully extend your Achilles' tendon. You might want to max at 25 reps, rather than end on it for your high weight.

Secondly, you may want to move your military press exercise to day 6, where it seems you're doing the majority of the work with your shoulders.

Finally, since it seems from what you wrote that pectoral development is important to you (2 days of exclusive chest work), you may want to replace your tricep chord pulldowns with something like dips... freeweight dips would give you a great way to test your strength and consistently break down your pectoral muscle fibres with a day of recuperation before and after your day 3 workout.

|=[ 0x0b ]=---------------------------------------------------------------=|

Robin of Loxley IRC Logs Part II - rap1st

you want to meet somewhere and have like some kind of peace treaty? when you are in nyc, let me know ok We actually fight for the same thing I think Im anti child porn I guess my brian got mangled somewhat a lot of efnet people told me you ran kiddie porn servers they filled my head with that and then that Venemous thing happened and that made me believe them they were like look..
his friends are getting busted for kiddie porn plus they said they hacked your home network and your business and said you had hidden dir's with underage boys and girls and you know they hack a lot of people so it sounded all true on phone with fbi, bear with me k vac told me anyway that you werent into kiddie stuff and Neonsurge also they said you only like older women i am very married and do NOT mess around i have children, who are my life see I didnt even know that very uninformed I was for you to make that comment to me, if you were within reach, i would have killed you where you stood dont take that as a threat have you killed anyone before? but when you have kids, remember what you said, and how you feel about it sounded like a threat to me do you want me dead? nah, not in the least if i did, you would be k you are obviously young yeah I am wait, I thought you knew who I was? I got deep traced and forgot that i am a person, who has feelings, and simply wont be spoken to that way I thought? yeah I forgot you arent familiar with figures of speech are you Im confused you can be 70, and still be obviously young will you just clarify everything for me? oh I see, young in mind? when you are more mature, with children of your own, remember what you said to me, and how you would feel if someone said that to you k and see if it sparks a murderous rage I dont want to be murdered or anything like that I got on the internet to chat not get killed good, remember that behind these nicks, are people behind these nicks are killers I guess and some of them, are very capable of doing horrible things, if motivated correctly no, most are quite nice, including me do you have ppl watching me now? but i have been fighting child porn for 12 years If you do, can you call them off? and to hear that, made me insane well what really scares me.. I was gonna msg you the other day.. it was some smart ass remark, something like "hey! hows the kiddie porn verification going?" 
and a window on my screen popped up and said "I wouldnt press enter if I was you" so right then I knew I shouldnt be fucking with you obviously but to be totally honest, I have no idea what I got into wise choice i was and still am scared so whoever you have watching me.. can you call them off? and we can just call a peace treaty one sec, phone again k are you like a secret FBI agent or something? no how do you know everything about me? just contacts? I want to learn you wont learn trade craft from me, sorry k I thought you were a mentor though? i dont have time to do that any more i am running 3 companies holy shit my phones never stop ringing as you can see computer security companies? yes why do you run 3? well, i think they will all become one as my main company, is trying to acquire 2 others but i am on the board of all 3 cool what services do you offer? and they want me to run em, as i am the most qualified, or so they say end to end security services desktop to mainframe and everything in between If people compromised your home network, dont you feel like maybe the security field isnt a great idea? no, it would mean you need to work harder to stay secure and i havent been compromised, yet So, you've worked harder since you've been compromised? i have never been compromised not yet anyway oh, so people were lying then? absolutely ask for proof they dont have any but if they were really good, you wouldnt even know about it, would you? heheheh, no comment they did some directory listings maybe they were fake had me convinced though bunch of !!!!!!!0011yearoldgirl.jpg type stuff show them to me and i will confirm or deny oh, that was awhile ago I didnt log it and i will be honest i run over 100 grand worth of stuff to stay safe let em try so you guys offer security services for anything? 
pretty much, including physical security 2 of my guys are over consulting to the civilian authority of iraq as an example I have a openvms cluster, OS installed out of box, how would I go about making my network here more secure? (hehe obviously I dont have to tell you what my network looks like *cough* deep trace *cough* ;) you want to hire us? then we can discuss this, after completing blanket nda's I think so ok What is your fee? me personally? 400 an hour depends on what you want done so you would work alone on this? but we both know you dont have the financial wherwithal for that well how long will it take to secure my cluster? 2 days, max 6 thousand so like 16 hours? I get a discount? pay pal me 3 grand, i will get started ok, I dont want just anyone on my network will it just be you? or other people? up to you can you do this alone? we all have ts clearances sure ok, you familiar with openvms then? i am familiar with a lot of stuff well thats all I am running dont wanna blow my rep of being lame now do you? are you a vms expert? lol nope, but i have guys who are I know you arent lame they dont need to be on your net to help secure it k how familiar are you with it? familiar enough k I just installed Im a newbie i have been working on HP shit forever uhm.. how the hell do I change directories? hahahah, if you dont know that, you dont need me ask em in the channel, and you will get help i just dont have time, sorry time is money I just need the command you've been talking to me for 30 minutes the least you can do is tell me how to change directories I just installed! try cd k didnt work wtf it shoudl, that is how you change directories this is vms anyway, back to the phones not unix? well, how can I afford to give you 6k, if you dont know how to change directories? hahahhahahahahhahaha, so transparent what? 
you cant afford 6 k p3riod I might be able to anyway, not trying to be rude, but i have to run to the data center ok thanks for your help np Ill ask my dad for a loan big loan

|=[ 0x0c ]=---------------------------------------------------------------=|

To: phrackstaff@phrack.efnet.ru
From: John Draper
Subject: Spammage....
Date: Wed, 14 Jan 2004 14:10:25 -0800
X-Mailer: Apple Mail (2.606)

What is Phrack's stance on spammers? It is well known that large spam gangs are now paying top dollar to hackers who figure out ways to send porn smut and other undesirable Emails to millions of people. Obviously, there is a lot of money in spammage, and because programming jobs have all but left for places like India, an offer to earn $25,000 to write a virus of the likes of Sobig and others, can be a very hard thing to turn down. Especially when they are months behind in their rent and other bills.

Being an Ex-hacker myself, my focus these days are Spam Management, and developing new technologies in managing it. Anyway, I await to learn what Phrack's views are on this important issue, and await to see some kind of a published viewpoint on this important issue.

Regards
JD

>>>>>>>>>>>>>>

Dear Cap'n Crunch,

Thank you for your late-breaking letter that just barely made this wondrous edition of Phrack. This is the first letter ever to phrackstaff@phrack.efnet.ru, as we got this email about 2 minutes after we set up the MX record. You don't win a doorprize, but here is our answer:

Like everybody else, we find spam at times to be fairly annoying, and we're sure everybody will agree that watching the Enzyte commercials on TV is much more entertaining than reading about it in Lance Spitzner's inbox without a controlling tty.
Spam perpetrators have been vilified by the press, and we think that the media should instead focus on the real issues at hand, like Michael Jackson and other celebrities who have chosen to spend their unceremonious years after stardom engaging in sexual relations with young children.

None of us @ Phrackstaff have a lot of money, since apparently none of us have been considered qualified enough to write a major tech publication for O'Reilly or McGraw-Hill. Perhaps it's the lack of technical skill, which would certainly not pass the committee that reviewed 'The Hacker Diaries.' Or perhaps it's our lack of wit and humor that provides for some pretty dry prose. One member of phrackstaff survives by handing out flyers on the street in a major city. Is this any different from physical spam?

We encourage all people to be successful and survive in any way possible. If you don't want to sell out, we suggest you find a feasible way of prospering, like selling drugs to investment bankers, or sending penis-enhancement advertisements en masse so that middle class America can alleviate its insecurities. We can all agree that these are victim-less crimes.

#phrack used to be unique because it housed hackers from the streets, people who had rap sheets longer than the Hacker Cracker manuscript. But now that, as you have pointed out, our wonderful government has traded us for slave labor, middle class America is in the same boat as the welfare class. Guns, drugs, cryogenically frozen human organs, bulk mailing services - all of these should be sold remorselessly if it means the difference between drinking Natty Lite and Dom Perignon.

P.S. Do cheese boxes still work?

|=[ EOF ]=---------------------------------------------------------------=|