{\rtf1\ansi\deff0{\fonttbl{\f0\fnil\fcharset0 Courier New;}} {\colortbl ;\red0\green128\blue0;} \viewkind4\uc1\pard\cf1\lang9225\b\f0\fs24

THE GUIDE

FOR (mostly) HARMLESS

HACKING


#Contents of Volume 1:

-Hacking tip of this column: how to finger a user via telnet.
-How to forge email
-How finger can be used to crack into an Internet host.
-How to get Usenet spammers kicked off their ISPs
-How to get email spammers kicked off their ISPs.
-How to nuke offensive Web sites.
-How to Forge Email Using Eudora Pro


_______________________________________________

GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 1
Hacking tip of this column: how to finger a user via telnet.
_______________________________________________________


    Hacking. The word conjures up evil computer geniuses plotting the downfall of civilization while squirreling away billions in electronically stolen funds in an Antigua bank. But I define hacking as taking a playful, adventurous approach to computers. Hackers don't go by the book. We fool around and try odd things, and when we stumble across something entertaining we tell our friends about it. Some of us may be crooks, but more often we are good guys, or at least harmless.
    Furthermore, hacking is surprisingly easy. I'll give you a chance to prove it to yourself, today! But regardless of why you want to be a hacker, it is definitely a way to have fun, impress your buddies, and get dates. If you are a female hacker you become totally irresistible to all men. Take my word for it!;^D This column can become your gateway into this world. In fact, after reading just this first Guide to (mostly) Harmless Hacking, you will be able to pull off a stunt that will impress the average guy or gal unlucky^H^H^H^H^H^H^H fortunate enough to get collared by you at a party.
    So what do you need to become a hacker? Before I tell you, however, I am going to subject you to a rant. Have you ever posted a message to a news group or email list devoted to hacking? You said something like "What do I need to become a hacker?" right? Betcha you won't try *that* again! It gives you an education in what "flame" means, right? Yes, some of these 3l1te types like to flame the newbies. They act like they were born clutching a Unix manual in one hand and a TCP/IP specification document in the other and anyone who knows less is scum.

*********************
Newbie note: 3l1t3, 31337, etc. all mean "elite." The idea is to take either the word "elite" or "eleet" and substitute numbers for some or all the letters. We also like zs. Hacker d00dz do this sor7 of th1ng l0tz.
********************

    Now maybe you were making a sincere call for help. But there is a reason many hackers are quick to flame strangers who ask for help.
    What we worry about is the kind of guy who says, "I want to become a hacker. But I *don't* want to learn programming and operating systems. Gimme some passwords, d00dz! Yeah, and credit card numbers!!!"
    Honest, I have seen this sort of post in hacker groups. Post something like this and you are likely to wake up the next morning to discover your email box filled with 3,000 messages from email discussion groups on agricultural irrigation, proctology, collectors of Franklin Mint doo-dads, etc. Etc., etc., etc....arrrgghhhh!
    The reason we worry about wannabe hackers is that it is possible to break into other people's computers and do serious damage even if you are almost totally ignorant.
    How can a clueless newbie trash other people's computers? Easy. There are public FTP and Web sites on the Internet that offer canned hacking programs. Thanks to these canned tools, many of the "hackers" you read about getting busted are in fact clueless newbies.
    This column will teach you how to do real, yet legal and harmless hacking, without resorting to these hacking tools. But I won't teach you how to harm other people's computers. Or even how to break in where you don't belong.

******************************
You can go to jail tip: Even if you do no harm, if you break into a portion of a computer that is not open to the public, you have committed a crime. If you telnet across a state line to break in, you have committed a federal felony.
*************************************

    I will focus on hacking the Internet. The reason is that each computer on the Internet has some sort of public connections with the rest of the Net. What this means is that if you use the right commands, you can *legally* access these computers.
    That, of course, is what you already do when you visit a Web site. But I will show you how to access and use Internet host computers in ways that most people didn't know were possible. Furthermore, these are *fun* hacks. In fact, soon you will be learning hacks that shed light on how other people (Not you, right? Promise?) may crack into the non-public parts of hosts. And these are hacks that anyone can do.
    But, there is one thing you really need to get. It will make hacking infinitely easier: A SHELL ACCOUNT!!!!
    A "shell account" is an Internet account in which your computer becomes a terminal of one of your ISP's host computers. Once you are in the "shell" you can give commands to the Unix operating system just like you were sitting there in front of one of your ISP's hosts.
    Warning: the tech support person at your ISP may tell you that you have a "shell account" when you really don't. Many ISPs don't really like shell accounts, either. Guess why? If you don't have a shell account, you can't hack!
    But you can easily tell if it is a real shell account. First, you should use a "terminal emulation program" to log on. You will need a program that allows you to imitate a VT 100 terminal. If you have Windows 3.1 or Windows 95, a VT 100 terminal program is included as one of your accessory programs. Any good ISP will allow you to try it out for a few days with a guest account. Get one and then try out a few Unix commands to make sure it is really a shell account.
    You don't know Unix? If you are serious about understanding hacking, you'll need some good reference books. No, I don't mean the kind with breathless titles like "Secrets of Super hacker." I've bought too many of that kind of book. They are full of hot air and thin on how-to. Serious hackers study books on:
a) Unix. I like "The Unix Companion" by Harley Hahn.
b) Shells. I like "Learning the Bash Shell" by Cameron Newham and Bill Rosenblatt. A "shell" is the command interface between you and the Unix operating system.
c) TCP/IP, which is the set of protocols that make the Internet work. I like "TCP/IP for Dummies" by Marshall Wilensky and Candace Leiden.
    OK, rant is over. Time to hack!
    How would you like to start your hacking career with one of the simplest, yet potentially hairy, hacks of the Internet? Here it comes: telnet to a finger port.
Have you ever used the finger command before? Finger will sometimes tell you a bunch of stuff about other people on the Internet. Normally you would just enter the command:
finger Joe_Schmoe@Fubar.com
But instead of Joe Schmoe, you put in the email address of someone you would like to check out. For example, my email address is cmeinel@techbroker.com. So to finger me, give the command:
finger cmeinel@techbroker.com
Now this command may tell you something, or it may fail with a message such as "access denied." But there is a more elite way to finger people. You can give the command:
telnet llama.swcp.com 79
What this command has just done is let you get on a computer with an Internet address of llama.swcp.com through its port 79 without giving it a password. But the program that llama and many other Internet hosts are running will usually allow you to give only ONE command before automatically closing the connection. Make that command:
cmeinel
This will tell you a hacker secret about why port 79 and its finger programs are way more significant than you might think. Or, heck, maybe something else if the friendly neighborhood hacker is still planting insulting messages in my files.
Now, for an extra hacking bonus, try telnetting to some other ports. For example:
telnet kitsune.swcp.com 13
That will give you the time and date here in New Mexico, and:
telnet slug.swcp.com 19
Will show you a good time!


_____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 2
In this issue we learn how to forge email and how to spot forgeries.
I promise, this hack is spectacularly easy!
______________________________________________________________


Heroic Hacking in Half an Hour

How would you like to totally blow away your friends? OK, what is the hairiest thing you hear that super hackers do? It's gaining unauthorized access to a computer, right? So how would you like to be able to gain access and run a program on almost any of the millions of computers hooked up to the Internet? How would you like to access these Internet computers in the same way as the most notorious hacker in history: Robert Morris!
It was his "Morris Worm" which took down the Internet in 1990. Of course, the flaw he exploited to fill up 10% of the computers on the Internet with his self-mailing virus has been fixed now on most Internet hosts.
But that same feature of the Internet still has lots of fun and games and bugs left in it. In fact, what we are about to learn is the first step of several of the most common ways that hackers break into private areas of unsuspecting computers.
But I'm not going to teach you to break into private parts of computers. It sounds too sleazy. Besides, I am allergic to jail. So what you are about to learn is legal, harmless, yet still lots of fun. No pulling the blinds and swearing blood oaths among your buddies who will witness you doing this hack.
But to do this hack, you need an on-line service which allows you to telnet to a specific port on an Internet host. Netcom, for example, will let you get away with this. But Compuserve, America Online and many other Internet Service Providers (ISPs) are such good nannies that they will shelter you from this temptation. But your best way to do this stuph is with a SHELL ACCOUNT! If you don't have one yet, get it now!

***********************************
Newbie note: A shell account is an Internet account that lets you give Unix commands. Unix is a lot like DOS. You get a prompt on your screen and type out commands. Unix is the language of the Internet. If you want to be a serious hacker, you have to learn Unix.
****************************

Even if you have never telnetted before, this hack is super simple. In fact, even though what you are about to learn will look like hacking of the most heroic sort, you can master it in half an hour or less. And you only need to memorize *two* commands.
To find out whether your Internet service provider will let you do this stuph, try this command:
telnet callisto.unm.edu 25
This is a computer at the University of New Mexico. My Compuserve account gets the vapors when I try this. It simply crashes out of telnet without so much as a "tsk, tsk." But at least today Netcom will let me do this command. And just about any cheap "shell account" offered by a fly-by-night Internet service provider will let you do this. Many college accounts will let you get away with this, too.

******************************
Newbie note: How to Get Shell Accounts
Try your yellow pages phone book. Look under Internet. Call and ask for a "shell account."
They'll usually say, "Sure, can do." But lots of times they are lying. They think you are too dumb to know what a real shell account is. Or the underpaid person you talk with doesn't have a clue.
The way around this is to ask for a free temporary guest account. Any worthwhile ISP will give you a test drive. Then try out today's hack.
*******************************

OK, let's assume that you have an account that lets you telnet someplace serious. So let's get back to this command:
telnet callisto.unm.edu 25
If you have ever done telnet before, you probably just put in the name of the computer you planned to visit, but didn't add in any numbers afterward. But those numbers afterward are what makes the first distinction between the good, boring Internet citizen and someone slaloming down the slippery slope of hackerdom.
What that 25 means is that you are commanding telnet to take you to a specific port on your intended victim, er, computer.

***********************************
Newbie note: Ports
A computer port is a place where information goes in or out of it. On your home computer, examples of ports are your monitor, which sends information out, your keyboard and mouse, which send information in, and your modem, which sends information both out and in.
But an Internet host computer such as callisto.unm.edu has many more ports than a typical home computer. These ports are identified by numbers. Now these are not all physical ports, like a keyboard or RS232 serial port (for your modem). They are virtual (software) ports.
***********************************

But there is phun in that port 25. Incredible phun. You see, whenever you telnet to a computer's port 25, you will get one of two results: once in awhile, a message saying "access denied" as you hit a firewall. But, more often than not, you get something like this:
Trying 129.24.96.10...
Connected to callisto.unm.edu.
Escape character is '^]'.
220 callisto.unm.edu Smail3.1.28.1 #41 ready at Fri, 12 Jul 96 12:17 MDT
Hey, get a look at this! It didn't ask us to log in. It just says...ready! Notice it is running Smail3.1.28.1, a program used to compose and send email.
Ohmigosh, what do we do now?
Well, if you really want to look sophisticated, the next thing you do is ask callisto.unm.edu to tell you what commands you can use. In general, when you get on a strange computer, at least one of three commands will get you information: "help," "?", or "man." In this case I type in:
help
And this is what I get:
250 The following SMTP commands are recognized:
250
250    HELO hostname        startup and give your hostname
250    MAIL FROM:           start transaction from sender
250    RCPT TO:             name recipient for message
250    VRFY                 verify deliverability of address
250    EXPN                 expand mailing list address
250    DATA                 start text of mail message
250    RSET                 reset state, drop transaction
250    NOOP                 do nothing
250    DEBUG [level]        set debugging level, default 1
250    HELP                 produce this help message
250    QUIT                 close SMTP connection
250
250 The normal sequence of events in sending a message is to state the
250 sender address with a MAIL FROM command, give the recipients with
250 as many RCPT TO commands as are required (one address per command)
250 and then to specify the mail message text after the DATA command.
250 Multiple messages may be specified. End the last one with a QUIT.
Getting this list of commands is pretty nifty. It makes you look really kewl because you know how to get the computer to tell you how to hack it. And it means that all you have to memorize is the "telnet 25" and "help" commands. For the rest, you can simply check up on the commands while on-line. So even if your memory is as bad as mine, you really can learn and memorize this hack in only half an hour. Heck, maybe half a minute.
OK, so what do we do with these commands? Yup, you figured it out, this is a very, very primitive email program. And guess why you can get on it without logging in? Guess why it was the point of vulnerability that allowed Robert Morris to crash the Internet?
Port 25 moves email from one node to the next across the Internet. It automatically takes incoming email and if the email doesn't belong to someone with an email address on that computer, it sends it on to the next computer on the net, eventually to wend its way to the person to whom this email belongs.
Sometimes email will go directly from sender to recipient, but if you email to someone far away, email may go through several computers.
There are millions of computers on the Internet that forward email. And you can get access to almost any one of these computers without a password! Furthermore, as you will soon learn, it is easy to get the Internet addresses of these millions of computers.
Some of these computers have very good security, making it hard to have serious fun with them. But others have very little security. One of the joys of hacking is exploring these computers to find ones that suit one's fancy.
OK, so now that we are in Morris Worm country, what can we do with it?

********************************
Evil Genius note: Morris used the "DEBUG" command. Don't try this at home. Nowadays if you find a program running on port 25 with the DEBUG command, it is probably a trap. Trust me.
********************************

Well, here's what I did. (My commands have no number in front of them, whereas the computer's responses are prefixed by numbers.)
helo santa@north.pole.org
250 callisto.unm.edu Hello santa@north.pole.org
mail from:santa@north.pole.org
250 ... Sender Okay
rcpt to:cmeinel@nmia.com
250 ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
It works!!!
.
250 Mail accepted
What happened here is that I sent some fake email to myself. Now let's take a look at what I got in my mailbox, showing the complete header:
Here's what I saw using the free version of Eudora:
X-POP3-Rcpt: cmeinel@socrates
This line tells us that X-POP3 is the program of my ISP that received my email, and that my incoming email is handled by the computer Socrates.

*****************************
Evil Genius Tip: email which comes into your email reading program is handled by port 110. Try telnetting there someday. But usually POP, the program running on 110, won't give you help with its commands and boots you off the minute you make a misstep.
*****************************

Return-Path:
This line above is my fake email address.
Apparently-From: santa@north.pole.org
Date: Fri, 12 Jul 96 12:18 MDT
But note that the header lines above say "Apparently-From". This is important because it alerts me to the fact that this is fake mail.
Apparently-To: cmeinel@nmia.com
X-Status:
It works!!!
Now here is an interesting fact. Different email reading programs show different headers. So how good your fake email is depends in part on what email program is used to read it. Here's what Pine, an email program that runs on Unix systems, shows with this same email:
Return-Path:
Received: from callisto.unm.edu by nmia.com
    with smtp
    (Linux Smail3.1.28.1 #4)
    id m0uemp4-000LFGC; Fri, 12 Jul 96 12:20 MDT
This identifies the computer on which I ran the smail program. It also tells what version of the smail program was running.
Apparently-From: santa@north.pole.org
And here is the "apparently-from" message again. So both Pine and Eudora show this is fake mail.
Received: from santa@north.pole.org by callisto.unm.edu with smtp
    (Smail3.1.28.1 #41) id m0uemnL-0000HFC; Fri, 12 Jul 96 12:18 MDT
Message-Id:
Oh, oh! Not only does it show that it may be fake mail -- it has a message ID! This means that somewhere on Callisto there will be a log of message IDs telling who has used port 25 and the smail program. You see, every time someone logs on to port 25 on that computer, their email address is left behind on the log along with that message ID.
Date: Fri, 12 Jul 96 12:18 MDT
Apparently-From: santa@north.pole.com
Apparently-To: cmeinel@nmia.com
It works!!!
If someone were to use this email program to do a dastardly deed, that message ID is what will put the narcs on his or her tail.
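The Pine walkthrough above spots the forgery by eye: the "Apparently-From:" line, a Received: hop whose HELO argument was an email address, and a message ID that ties the session to the relay's log. The following is an added example and not code from the Guide: a small Python checker that applies those same tell-tales, plus two that the later sendmail sessions in this issue illustrate (a HELO name that does not match what the relay actually saw on the wire, and a sender domain that appears nowhere in the delivery path). The sample messages are constructed from the headers printed in the article; the callisto Message-Id value is a placeholder, and the "clean" sample is invented.

```python
"""Spot port-25 forgeries from the headers a mail reader shows.

Added example (not from the Guide).  Indicators reported:
  apparently-from          relay had to invent From: from MAIL FROM
  missing-message-id       nothing to correlate with the relay's logs
  helo-is-an-address       HELO argument was a mailbox, not a host name
  helo-mismatch            HELO name differs from what the relay saw
  sender-domain-not-in-path  claimed sender domain never touched the mail
"""
import re

# "from <HELO name> (<what the relay really saw>) by <relay> ..."
HOP_RE = re.compile(r"^from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.I)


def parse_headers(raw):
    """Unfold continuation lines; return (lower-cased name, value) pairs in order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # blank line ends the header block
        if line[0] in " \t" and headers:           # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def forgery_indicators(raw):
    """Return the forgery tell-tales found in one message; [] means nothing obvious."""
    headers = parse_headers(raw)
    names = [n for n, _ in headers]
    hits = []
    if "apparently-from" in names:
        hits.append("apparently-from")
    if "message-id" not in names:
        hits.append("missing-message-id")

    path_hosts = []                                # every host name any relay recorded
    for name, value in headers:
        if name != "received":
            continue
        hop = HOP_RE.match(value)
        if hop is None:
            continue
        helo_name, peer_record, _relay = hop.groups()
        path_hosts.append(helo_name.lower())
        if peer_record:
            path_hosts.append(peer_record.lower())
        if "@" in helo_name:                       # HELO took an address, not a host name
            hits.append("helo-is-an-address:" + helo_name)
        if peer_record and helo_name.lower() not in peer_record.lower():
            hits.append("helo-mismatch:%s vs %s" % (helo_name, peer_record))

    # Heuristic: with direct-to-relay forgery the claimed sender's domain is
    # nowhere in the path.  Legitimate mail sent through a third-party relay
    # can trip this too, so treat it as a prompt to look harder, not as proof.
    sender = next((v for n, v in headers if n in ("from", "apparently-from")), "")
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    if domain and not any(domain in host for host in path_hosts):
        hits.append("sender-domain-not-in-path:" + domain)
    return hits


# Constructed from the headers shown in the article (Message-Id is a placeholder).
CALLISTO_SAMPLE = """\
Return-Path: <santa@north.pole.org>
Received: from callisto.unm.edu by nmia.com with smtp (Linux Smail3.1.28.1 #4)
    id m0uemp4-000LFGC; Fri, 12 Jul 96 12:20 MDT
Apparently-From: santa@north.pole.org
Received: from santa@north.pole.org by callisto.unm.edu with smtp
    (Smail3.1.28.1 #41) id m0uemnL-0000HFC; Fri, 12 Jul 96 12:18 MDT
Message-Id: <placeholder@callisto.unm.edu>
Date: Fri, 12 Jul 96 12:18 MDT
Apparently-To: cmeinel@nmia.com

It works!!!
"""

# Constructed from the atropos.c2.org headers shown later in this issue.
ATROPOS_SAMPLE = """\
Return-Path: <santa@north.pole.com>
Received: from atropos.c2.org by nmia.com with smtp (Linux Smail3.1.28.1 #4)
    id m0ueqxh-000LD9C; Fri, 12 Jul 96 16:45 MDT
Received: from satan.unm.edu (cmeinel@plato.nmia.com [198.59.166.165])
    by atropos.c2.org (8.7.4/CSUA) with SMTP id PAA13437
    for cmeinel@nmia.com; Fri, 12 Jul 1996 15:44:37 -0700 (PDT)
Date: Fri, 12 Jul 1996 15:44:37 -0700 (PDT)
From: santa@north.pole.com
Message-Id: <199607122244.PAA13437@atropos.c2.org>
Apparently-To: cmeinel@nmia.com

Oh, crap!
"""

# Constructed: what an ordinary, un-forged delivery looks like.
CLEAN_SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.net with ESMTP id 4Fq1xK; Mon, 15 Jul 1996 09:00:00 -0600
From: Alice Example <alice@example.org>
To: bob@example.net
Message-Id: <19960715145930.AA01234@mail.example.org>

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in [("callisto", CALLISTO_SAMPLE), ("atropos", ATROPOS_SAMPLE),
                          ("clean", CLEAN_SAMPLE)]:
        print(label, forgery_indicators(sample) or "no indicators")
```

Run it and the callisto message is flagged for the "Apparently-From" line and the address-shaped HELO, the atropos message for the HELO/peer mismatch and the sender domain missing from the path, and the clean message for nothing. The last check is the weakest, which is the article's own point: headers that look perfect are not proof of origin, and only a cryptographic signature on the message settles it.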
So if you want to \par fake email, it is harder to get away with it if you send it to someone using \par Pine than if they use the free version of Eudora. (You can tell what email \par program a person uses by looking at the header of their email.) \par But the email programs on port 25 of many Internet hosts are not as well \par defended as callisto.unm.edu. Some are better defended, and some are not \par defended at all. In fact, it is possible that some may not even keep a log \par of users of port 25, making them perfect for criminal email forgery. \par So just because you get email with perfect-looking headers doesn't mean it \par is genuine. You need some sort of encrypted verification scheme to be almost \par certain email is genuine. \par \par ****************************************** \par You can go to jail note: If you are contemplating using fake email to commit \par a crime, think again. If you are reading this you don't know enough to forge \par email well enough to elude arrest. \par ******************************************* \par \par Here is an example of a different email program, sendmail. This will give \par you an idea of the small variations you'll run into with this hack. \par \par Here's my command: \par telnet ns.Interlink.Net 25 \par The computer answers: \par Trying 198.168.73.8... \par Connected to NS.INTERLINK.NET. \par Escape character is '^]'. \par 220 InterLink.NET Sendmail AIX 3.2/UCB 5.64/4.03 ready at Fri, 12 Jul 1996 \par 15:45 \par Then I tell it: \par helo santa@north.pole.org \par And it responds: \par 250 InterLink.NET Hello santa@north.pole.org (plato.nmia.com) \par Oh, oh! This sendmail version isn't fooled at all! See how it puts \par "(plato.nmia.com)" the computer I was using for this hack in there \par just to let me know it knows from what computer I've telnetted? But what the \par heck, all Internet hosts know that kind of info. I'll just bull ahead and \par send fake mail anyhow. 
Again, my input has no numbers in front, while the \par responses of the computer are prefaced by the number 250: \par mail from:santa@north.pole.com \par 250 santa@north.pole.com... Sender is valid. \par rcpt to:cmeinel@nmia.com \par 250 cmeinel@nmia.com... Recipient is valid. \par data \par 354 Enter mail. End with the . character on a line by itself. \par It works! \par 250 Ok \par quit \par 221 InterLink.NET: closing the connection. \par OK, what kind of email did that computer generate? Here's what I saw using \par Pine: \par Return Path: \par Received: \par From InterLink.NET by nmia.com \par with smtp \par (Linux Smail3.1.28.1 #4) \par id m0ueo7t 000LEKC; Fri, 12 Jul 96 13:43 MDT \par Received: from plato.nmia.com by InterLink.NET (AIX 3.2/UCB 5.64/4.03) \par id AA23900; Fri, 12 Jul 1996 15:43:20 0400 \par Oops. Here the InterLink.NET computer has revealed the computer I was on \par when I telnetted to its port 25. However, many people use that Internet host \par computer. \par Date: Fri, 12 Jul 1996 15:43:20 0400 \par From: santa@north.pole.org \par Message Id: <9607121943.AA23900@InterLink.NET> \par Apparently To: cmeinel@nmia.com \par It worked! \par OK, here it doesn't say "Apparently-From," so now I know the computer \par ns.Interlink.Net is a pretty good one to send fake mail from. An experienced \par email aficionado would know from the Received: line that this is fake mail. \par But its phoniness doesn't just jump out at you. \par I'm going to try another computer. Hmmm, the University of California at \par Berkeley is renowned for its computer sciences research. I wonder what their \par hosts are like? Having first looked up the numerical Internet address of one \par of their machines, I give the command: \par telnet 128.32.152.164 25 \par It responds with: \par Trying 128.32.152.164... \par Connected to 128.32.152.164. \par Escape character is '^]'. 
\par 220 remarque.berkeley.edu ESMTP Sendmail 8.7.3/1.31 ready at Thu, 11 Jul \par 1996 12 \par help \par 214 This is Sendmail version 8.7.3 \par 214 Commands: \par 214 HELOEHLOMAILRCPTDATA \par 214 RSETNOOPQUITHELPVRFY \par 214 EXPNVERB \par 214 For more info use "HELP ". \par 214 To report bugs in the implementation send email to \par 214 sendmail@CS.Berkeley.EDU. \par 214 For local information send email to Postmaster at your site. \par 214 End of HELP info \par Oh, boy, a slightly different sendmail program! I wonder what more it will \par tell me about these commands? \par HELP mail \par 214 MAIL FROM: \par 214 Specifies the sender. \par 214 End of HELP info \par Big f***ing deal! Oh, well, let's see what this computer (which we now know is named remarque) will do to fake mail. \par MAIL FROM:santa@north.pole.org \par 250 santa@north.pole.org... Sender ok \par Heyyy... this is interesting ... I didn't say "helo" and this sendmail \par program didn't slap me on the wrist! Wonder what that means... \par RCPT TO:cmeinel@techbroker.com \par 250 Recipient ok \par DATA \par 354 Enter mail, end with "." on a line by itself \par This is fake mail on a Berkeley computer for which I do not have a \par password. \par 250 MAA23472 Message accepted for delivery \par quit \par 221 remarque.berkeley.edu closing connection \par Now we go to Pine and see what the header looks like: \par Return Path: \par Received: \par from nmia.com by nmia.com \par with smtp \par (Linux Smail3.1.28.1 #4) \par id m0ueRnW 000LGiC; Thu, 11 Jul 96 13:53 MDT \par Received: \par from remarque.berkeley.edu by nmia.com \par with smtp \par (Linux Smail3.1.28.1 #4) \par id m0ueRnV 000LGhC; Thu, 11 Jul 96 13:53 MDT \par Apparently To: \par Received: from merde.dis.org by remarque.berkeley.edu (8.7.3/1.31) \par id MAA23472; Thu, 11 Jul 1996 12:49:56 0700 (PDT) \par Look at the three "received" messages. My ISP's computer received this email not directly from Remarque.berkeley.edu. 
\par but from merde.dis.com, which in \par turn got the email from Remarque. Hey, I know who owns merde.dis.org! So the Berkeley computer forwarded this fake \par mail through famed computer security expert Pete Shipley's Internet host computer! Hint: the name "merde" is a joke. \par So is "dis.org." \par Now let's see what email from remarque looks like. Let's use Pine again: \par Date: Thu, 11 Jul 1996 12:49:56 0700 (PDT) \par From: santa@north.pole.org \par Message Id: <199607111949.MAA23472@remarque.berkeley.edu> \par This is fake mail on a Berkeley computer for which I do not have a \par password. \par Hey, this is pretty kewl. It doesn't warn that the Santa address is phony! \par Even better, it keeps secret the name of the originating computer: \par plato.nmia.com. Thus remarque.berkeley.edu was a really good computer from \par which to send fake mail. (Note: last time I checked, they had fixed \par remarque, so don't bother telnetting there.) \par But not all sendmail programs are so friendly to fake mail. Check out the \par email I created from atropos.c2.org! \par telnet atropos.c2.org 25 \par Trying 140.174.185.14... \par Connected to atropos.c2.org. \par Escape character is '^]'. \par 220 atropos.c2.org ESMTP Sendmail 8.7.4/CSUA ready at Fri, 12 Jul 1996 \par 15:41:33 \par help \par 502 Sendmail 8.7.4HELP not implemented \par Gee, you're pretty snippy today, aren't you... What the heck, let's plow \par ahead anyhow... \par helo santa@north.pole.org \par 501 Invalid domain name \par Hey, what's it to you, buddy? Other sendmail programs don't give a darn what name I use \par with "helo." OK, OK, I'll give you a valid domain name. But not \par a valid user name! \par helo satan@unm.edu \par 250 atropos.c2.org Hello cmeinel@plato.nmia.com [198.59.166.165], pleased \par to meet you \par Verrrry funny, pal. I'll just bet you're pleased to meet me. Why the #%&@ \par did you demand a valid domain name when you knew who I was all along? 
\par mail from:santa@north.pole.com \par 250 santa@north.pole.com... Sender ok \par rcpt to: cmeinel@nmia.com \par 250 Recipient ok \par data \par 354 Enter mail, end with "." on a line by itself \par Oh, crap! \par 250 PAA13437 Message accepted for delivery \par quit \par 221 atropos.c2.org closing connection \par OK, what kind of email did that obnoxious little sendmail program generate? \par I rush over to Pine and take a look: \par Return Path: \par Well, how very nice to allow me to use my fake address. \par Received: \par from atropos.c2.org by nmia.com \par with smtp \par (Linux Smail3.1.28.1 #4) \par id m0ueqxh 000LD9C; Fri, 12 Jul 96 16:45 MDT \par Apparently To: \par Received: from satan.unm.edu (cmeinel@plato.nmia.com [198.59.166.165]) \par Oh, how truly special! Not only did the computer atropos.c2.org blab out my true identity, it also revealed \par that satan.unm.edu thing. Grump... \par that will teach me. by atropos.c2.org (8.7.4/CSUA) with SMTP id PAA13437 for \par cmeinel@nmia.com; Fri, 12 \par Jul 1996 15:44:37 0700 (PDT) \par Date: Fri, 12 Jul 1996 15:44:37 0700 (PDT) \par From: santa@north.pole.com \par Message Id: <199607122244.PAA13437@atropos.c2.org> \par Oh, crap! \par So, the moral of that little hack is that there are lots of different email programs floating around on port 25 of \par Internet hosts. So if you want to \par have fun with them, it's a good idea to check them out first before you use \par them to show off with. \par ______________________________________________________ \par \par GUIDE TO (mostly) HARMLESS HACKING \par Vol. 1 Number 3 \par How finger can be used to crack into an Internet host. \par _______________________________________________________ \par \par \par \par Before you get too excited over learning how finger can be used to crack an Internet host, will \par all you law enforcement folks out there please relax. \par I'm not giving step-by-step instructions. 
I'm certainly not handing out code \par from those publicly available canned cracking tools that any newbie could \par use to gain illegal access to some hosts. \par What you are about to read are some basic principles and techniques behind \par cracking with finger. In fact, some of these techniques are fun and legal as \par long as they aren't taken too far. And they might tell you a thing or two \par about how to make your Internet hosts more secure. \par You could also use this information to become a cracker. Your choice. Just \par keep in mind what it would be like to be the "girlfriend" of a cell mate \par named "Spike." \par \par ********************************* \par Newbie note: Many people assume "hacking" and "cracking" are synonymous. \par But "cracking" is gaining illegal entry into a computer. "Hacking" is the \par entire universe of kewl stuff one can do with computers, often without \par breaking the law or causing harm. \par ********************************* \par \par What is finger? It is a program which runs on port 79 of many Internet host computers. It is \par normally \par used to provide information on people who are \par users of a given computer. \par For review, let's consider the virtuous but boring way to give your host \par computer the finger command: \par finger Joe_Blow@boring.ISP.net \par This causes your computer to telnet to port 79 on the host boring.ISP.net. \par It gets whatever is in the .plan and .project files for Joe Blow and \par displays them on your computer screen. \par But the Happy Hacker way is to first telnet to boring.ISP.net port 79, from which we can then run \par its \par finger program: \par telnet boring.ISP.net 79 \par If you are a good Internet citizen you would then give the command: \par Joe_Blow \par or maybe the command: \par finger Joe_Blow \par This should give you the same results as just staying on your own computer \par and giving the command "finger Joe_Blow@boring.ISP.net." 
But for a cracker, there are lots and lots of other things to try after gaining control of the finger program of boring.ISP.net by telnetting to port 79.

Ah, but I don't teach how to do felonies. So we will just cover general principles of how finger is commonly used to crack into boring.ISP.net. You will also learn some perfectly legal things you can try to get finger to do.

For example, some finger programs will respond to the command:

finger @boring.ISP.net

If you should happen to find a finger program old enough or trusting enough to accept this command, you might get something back like:

[boring.ISP.net]
Login    Name            TTY   Idle   When        Where
happy    Prof. Foobar    co    1d     Wed 08:00   boring.ISP.net

This tells you that only one guy is logged on, and he's doing nothing. This means that if someone should manage to break in, no one is likely to notice, at least not right away.

Another command to which a finger port might respond is simply:

finger

If this command works, it will give you a complete list of the users of this host. These user names then can be used to crack a password or two.

Sometimes a system will have no restrictions on how lame a password can be. Common lame password habits are to use no password at all, the same password as user name, the user's first or last name, and "guest." If these don't work for the cracker, there are widely circulated programs which try out every word of the dictionary and every name in the typical phone book.

********************************
Newbie Note: Is your password easy to crack? If you have a shell account, you may change it with the command:

passwd

Choose a password that isn't in the dictionary or phone book, is at least 6 characters long, and includes some characters that are not letters of the alphabet.
A password that is found in the dictionary but has one extra character is *not* a good password.
********************************

Other commands which may sometimes get a response out of finger include:

finger @
finger 0
finger root
finger bin
finger ftp
finger system
finger guest
finger demo
finger manager

Or, even just hitting the Enter key once you are into port 79 may give you something interesting.

There are plenty of other commands that may or may not work. But most commands on most finger programs will give you nothing, because most system administrators don't want to ladle out lots of information to the casual visitor. In fact, a really cautious sysadmin will disable finger entirely. So you'll never even manage to get into port 79 of some computers.

However, none of these commands I have shown you will give you root access. They provide information only.

************************
Newbie note: Root! It is the Valhalla of the hard-core cracker. "Root" is the account on a multi-user computer which allows you to play god. It is the account from which you can enter and use any other account, read and modify any file, run any program. With root access, you can completely destroy all data on boring.ISP.net. (I am *not* suggesting that you do so!)
*************************

It is legal to ask the finger program of boring.ISP.net just about anything you want. The worst that can happen is that the program will crash.

Crash... what happens if finger crashes?

Let's think about what finger actually does. It's the first program you meet when you telnet to boring.ISP.net's port 79. And once there, you can give it a command that directs it to read files from any user's account you may choose. That means finger runs with enough privilege to look in any account. That means if it crashes, whatever is left running has that privilege too: you may end up in root.
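The Newbie Note's password rules, including the "dictionary word plus one character" trap, can be turned into a check you run on your own password before a cracker's program runs it for you. This is an added example, not code from the guide; the word and name lists are constructed stand-ins for the dictionary and phone book such programs use.

```python
"""Password weakness check following the Newbie Note above.

Added example, not part of the guide. The word and name lists are constructed
stand-ins for the dictionary and phone book a cracking program would use.
"""

DICTIONARY = {"secret", "password", "guest", "welcome", "dragon", "letmein",
              "hacker", "boring", "sunshine"}               # constructed sample
PHONE_BOOK = {"joe", "blow", "smith", "jones", "foobar"}   # constructed sample
MIN_LENGTH = 6                                              # the note's minimum


def off_by_one(word: str, words: set) -> bool:
    """True if removing exactly one character leaves a listed word: the note's
    'dictionary word plus one extra character' trap, in any position."""
    return any(word[:i] + word[i + 1:] in words for i in range(len(word)))


def weak_reasons(password: str, username: str, first: str, last: str) -> list:
    """Return the list of reasons the password is lame; an empty list means
    it passes every rule in the note and the habits listed before it."""
    pw = password.lower()
    reasons = []
    if pw == "":
        return ["empty password"]
    for label, value in (("username", username), ("first name", first),
                         ("last name", last)):
        if value and pw == value.lower():
            reasons.append(f"same as {label}")
    if pw == "guest":
        reasons.append('the classic "guest"')
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha():
        reasons.append("letters only, no digits or punctuation")
    if pw in DICTIONARY or pw in PHONE_BOOK:
        reasons.append("found in the dictionary or phone book")
    elif off_by_one(pw, DICTIONARY | PHONE_BOOK):
        reasons.append("a listed word plus one extra character")
    return reasons


def report(password: str, username: str, first: str, last: str) -> str:
    """Human-readable verdict for one candidate password."""
    reasons = weak_reasons(password, username, first, last)
    if not reasons:
        return "ok"
    return "weak: " + "; ".join(reasons)
```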
Please, if you should happen to gain root access to someone else's host, leave that computer immediately! You'd better also have a good excuse for your systems administrator and the cops if you should get caught!

If you were to make finger crash by giving it some command like ///*^S, you might have a hard time claiming that you were innocently seeking publicly available information.

*****************
You can go to jail tip: Getting into a part of a computer that is not open to the public is illegal. In addition, if you use the phone lines or Internet across a US state line to break into a non-public part of a computer, you have committed a Federal felony. You don't have to cause any harm at all; it's still illegal. Even if you just gain root access and immediately break off your connection, it's still illegal.
***************

Truly elite types will crack into a root account from finger and just leave immediately. They say the real rush of cracking comes from being *able* to do anything to boring.ISP.net but refusing the temptation.

The elite of the elite do more than just refrain from taking advantage of the systems they penetrate. They inform the systems administrator that they have cracked his or her computer, and leave an explanation of how to fix the security hole.

************************************
You can go to jail tip: When you break into a computer, the headers on the packets that carry your commands tell the sysadmin of your target who you are. If you are reading this column you don't know enough to cover your tracks. Tell temptation to take a hike!
************************************

Ah, but what are your chances of gaining root through finger? Haven't zillions of hackers found all the crashable stuph?
Doesn't that suggest that finger programs running on the Internet today are all fixed so you can't get root access through them any more? No.

The bottom line is that any systems administrator that leaves the finger service running on his/her system is taking a major risk. If you are the user of an ISP that allows finger, ask yourself this question: is using it to advertise your existence across the Internet worth the risk?

_______________________________________________________

GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 4
How to get Usenet spammers kicked off their ISPs.
_______________________________________________________

How do you like it when your sober news groups get hit with 900 number sex ads and Make Money Fast pyramid schemes? If no one ever made those guys pay for their effrontery, soon Usenet would be inundated with crud.

It's really tempting, isn't it, to use our hacking knowledge to blow these guys to kingdom come. But many times that's like using an atomic bomb to kill an ant. Why risk going to jail when there are legal ways to keep these vermin of the Internet on the run?

This issue of Happy Hacker will show you some ways to fight Usenet spam.

Spammers rely on forged email and Usenet posts. As we learned in the second Guide to (mostly) Harmless Hacking, it is easy to fake email. Well, it's also easy to fake Usenet posts.

*****************
Newbie Note: Usenet is a part of the Internet consisting of the system of on-line discussion groups called "news groups." Examples of news groups are rec.humor, comp.misc, news.announce.newusers, sci.space.policy, and alt.sex. There are well over 10,000 news groups.
Usenet started out in 1980 as a Unix network linking people who wanted -- you guessed it -- to talk about Unix. Then some of the people wanted to talk about stuff like physics, space flight, barroom humor, and sex. The rest is history.
*****************

Here's a quick summary of how to forge Usenet posts. Once again, we use the technique of telnetting to a specific port. The Usenet port usually is open only to those with accounts on that system. So you will need to telnet from your ISP shell account back into your own ISP as follows:

telnet news.myISP.com nntp

where you substitute the part of your email address that follows the @ for "myISP.com." You also have the choice of using "119" instead of "nntp." With my ISP I get this result:

Trying 198.59.115.25 ...
Connected to sloth.swcp.com.
Escape character is '^]'.
200 sloth.swcp.com InterNetNews NNRP server INN 1.4unoff4 05-Mar-96 ready (posting)

Now when we are suddenly in a program that we don't know too well, we ask for:

help

And we get:

100 Legal commands
authinfo user Name|pass Password|generic
article [MessageID|Number]
body [MessageID|Number]
date
group newsgroup
head [MessageID|Number]
help
ihave
last
list [active|newsgroups|distributions|schema]
listgroup newsgroup
mode reader
newgroups yymmdd hhmmss ["GMT"] []
newnews newsgroups yymmdd hhmmss ["GMT"] []
next
post
slave
stat [MessageID|Number]
xgtitle [group_pattern]
xhdr header [range|MessageID]
xover [range]
xpat header range|MessageID pat [morepat...]
xpath MessageID
Report problems to

Use your imagination with these commands.
Also, if you want to forge posts from an ISP other than your own, keep in mind that some Internet host computers have an nntp port that requires either no password or an easily guessed password such as "post." But it can be quite an effort to find an undefended nntp port. So, because you usually have to do this on your own ISP, this is much harder than email forging.

Just remember when forging Usenet posts that both faked email and Usenet posts can be easily detected if you know what to look for. And it is possible to tell where they were forged. Once you identify where spam really comes from, you can use the message ID to show the sysadmin who to kick out. Normally you won't be able to learn the identity of the culprit yourself. But you can get their ISPs to cancel their accounts!

Sure, these Spam King types often resurface with yet another gullible ISP. But they are always on the run. And, hey, when was the last time you got a Crazy Kevin "Amazing Free Offer?" If it weren't for us Net vigilantes, your email boxes and news groups would be constantly spambombed to kingdom come.

And the spam attack I am about to teach you is perfectly legal! Do it and you are a certifiable Good Guy. Do it at a party and teach your friends to do it, too. We can't get too many spam vigilantes out there!

The first thing we have to do is review how to read headers of Usenet posts and email.

The header is something that shows the route that email or Usenet post took to get into your computer. It gives the names of Internet host computers that have been used in the creation and transmission of a message. When something has been forged, however, the computer names may be fake. Alternatively, the skilled forger may use the names of real hosts. But the skilled hacker can tell whether a host listed in the header was really used.
First we'll try an example of forged Usenet spam. A really good place to spot spam is in alt.personals. It is not nearly as well policed by anti-spam vigilantes as, say, rec.aviation.military. (People spam fighter pilots at their own risk!)

So here is a ripe example of scam spam, as shown with the Unix-based Usenet reader, "tin."

Thu, 22 Aug 1996 23:01:56   alt.personals   Thread 134 of 450
Lines 110   >>>>FREE INSTANT COMPATIBILITY CHECK FOR SEL   No responses
ppgc@ozemail.com.au   glennys e clarke at OzEmail Pty Ltd - Australia

CLICK HERE FOR YOUR FREE INSTANT COMPATIBILITY CHECK!
http://www.perfect-partners.com.au

WHY SELECTIVE SINGLES CHOOSE US

At Perfect Partners (Newcastle) International we are private and confidential. We introduce ladies and gentlemen for friendship and marriage. With over 15 years experience, Perfect Partners is one of the Internet's largest, most successful relationship consultants.

Of course the first thing that jumps out is their return email address. We net vigilantes used to always send a copy back to the spammer's email address.

On a well-read group like alt.personals, if only one in a hundred readers throws the spam back into the poster's face, that's an avalanche of mail bombing. This avalanche immediately alerts the sysadmins of the ISP to the presence of a spammer, and good-bye spam account.

So in order to delay the inevitable vigilante response, today most spammers use fake email addresses. But just to be sure the email address is phony, I exit tin and at the Unix prompt give the command:

whois ozemail.com.au

We get the answer:

No match for "OZEMAIL.COM.AU"

That doesn't prove anything, however, because the "au" at the end of the email address means it is an Australian address. Unfortunately "whois" does not work in much of the Internet outside the US.
The next step is to email something annoying to this address. A copy of the offending spam is usually annoying enough. But of course it bounces back with a "no such address" message.

Next I go to the advertised Web page. Lo and behold, it has an email address for this outfit, perfect.partners@hunterlink.net.au. Why am I not surprised that it is different from the address in the alt.personals spam?

We could stop right here and spend an hour or two emailing stuff with 5 MB attachments to perfect.partners@hunterlink.net.au. Hmmm, maybe gifs of mating hippopotami?

***************************
You can go to jail note: Mailbombing is a way to get into big trouble. According to computer security expert Ira Winkler, "It is illegal to mail bomb a spam. If it can be shown that you maliciously caused a financial loss, which would include causing hours of work to recover from a spamming, you are criminally liable. If a system is not configured properly, and has the mail directory on the system drive, you can take out the whole system. That makes it even more criminal."
***************************

Since intentional mailbombing is illegal, I can't send that gif of mating hippopotami. So what I did was email one copy of that spam back to perfect.partners. Now this might seem like a wimpy retaliation. And we will shortly learn how to do much more. But even just sending one email message to these guys may become part of a tidal wave of protest that knocks them off the Internet. If only one in a thousand people who see their spam go to their Web site and email a protest, they still may get thousands of protests from every post. This high volume of email may be enough to alert their ISP's sysadmin to spamming, and good-bye spam account.
Look at what ISP owner/operator Dale Amon has to say about the power of email protest:

"One doesn't have to call for a 'mail bomb.' It just happens. Whenever I see spam, I automatically send one copy of their message back to them. I figure that thousands of others are doing the same. If they (the spammers) hide their return address, I find it and post it if I have time. I have no compunctions and no guilt over it."

Now Dale is also the owner and technical director of the largest and oldest ISP in Northern Ireland, so he knows some good ways to ferret out what ISP is harboring a spammer. And we are about to learn one of them. Our objective is to find out who connects this outfit to the Internet, and take out that connection! Believe me, when the people who run an ISP find out one of their customers is a spammer, they usually waste no time kicking him or her out.

Our first step will be to dissect the header of this post to see how it was forged and where. Since my newsreader (tin) doesn't have a way to show headers, I use the "m" command to email a copy of this post to my shell account.

It arrives a few minutes later. I open it in the email program "Pine" and get a richly detailed header:

Path: sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!vixen.cso.uiuc.edu!news.stealth.net!nntp04.primenet.com!nntp.primenet.com!gatech!nntp0.mindspring.com!news.mindspring.com!uunet!in2.uu.net!OzEmail!OzEmail-In!news
From: glennys e clarke
NNTP-Posting-Host: 203.15.166.46
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)

The first item in this header is definitely genuine: sloth.swcp.com. It's the computer my ISP uses to host the news groups. It was the last link in the chain of computers that have passed this spam around the world.
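The dissection that follows in the text can be done mechanically for the Path: line. This is an added example, not code from the guide: it splits the bang path above into hops, separates the fully qualified hosts you can probe from the bare site names you cannot, checks that the NNTP-Posting-Host is at least well formed, and builds the postmaster@ list for the valid links. The registrable-domain rule is a constructed approximation of the "last two parts" Newbie Note, widened for two-letter country codes such as ozemail.com.au.

```python
"""Dissecting the Path: header of a Usenet post, as the text does by hand.

Added example, not code from the guide. PATH and HEADERS are the values from
the alt.personals spam quoted above. The registrable-domain rule is a
constructed approximation: last two labels, or three under a two-letter
country code (ozemail.com.au), which the 'last two parts' rule would miss.
"""
import re

PATH = ("sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!vixen.cso.uiuc.edu!"
        "news.stealth.net!nntp04.primenet.com!nntp.primenet.com!gatech!"
        "nntp0.mindspring.com!news.mindspring.com!uunet!in2.uu.net!"
        "OzEmail!OzEmail-In!news")
HEADERS = {"NNTP-Posting-Host": "203.15.166.46",
           "X-Mailer": "Mozilla 1.22 (Windows; I; 16bit)"}

FQDN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
LABEL = re.compile(r"^[A-Za-z0-9-]+$")
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
COUNTRY_SECOND_LEVEL = {"com", "co", "net", "org", "edu", "ac", "gov"}


def path_hops(path: str) -> list:
    """Split the bang path. Index 0 is the server that handed the post to you;
    the last entry is where the poster (or forger) injected it."""
    return path.strip().split("!")


def classify_hops(path: str) -> list:
    """Tag each hop: 'fqdn' can be probed (nntp port, whois), 'bare' is an
    unqualified site name that cannot be checked, anything else is malformed."""
    tagged = []
    for hop in path_hops(path):
        if FQDN.match(hop):
            kind = "fqdn"
        elif LABEL.match(hop):
            kind = "bare"
        else:
            kind = "malformed"
        tagged.append((hop, kind))
    return tagged


def probe_list(path: str) -> list:
    """Hosts worth a 'telnet host nntp' and whois check, in the order the text
    works them: from your own server outward toward the claimed origin."""
    return [hop for hop, kind in classify_hops(path) if kind == "fqdn"]


def registrable_domain(host: str) -> str:
    """The part of a host name that whois knows about (constructed rule)."""
    labels = host.lower().split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in COUNTRY_SECOND_LEVEL):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def complaint_addresses(path: str) -> list:
    """postmaster@ for every distinct domain among the checkable hops, which is
    where the text says to send the post with its headers intact."""
    domains = []
    for host in probe_list(path):
        domain = registrable_domain(host)
        if domain not in domains:
            domains.append(domain)
    return [f"postmaster@{d}" for d in domains]


def posting_host_plausible(headers: dict) -> bool:
    """NNTP-Posting-Host must be a dotted quad with in-range octets or a FQDN.
    The text's value passes this test, which is why the next step there is to
    actually connect to it; a syntactically good value can still be forged."""
    value = headers.get("NNTP-Posting-Host", "")
    m = IPV4.match(value)
    if m:
        return all(0 <= int(octet) <= 255 for octet in m.groups())
    return bool(FQDN.match(value))
```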
*******************
Newbie Note: Internet host computers all have names which double as their Net addresses. "Sloth" is the name of one of the computers owned by the company which has the "domain name" swcp.com. So "sloth" is kind of like the news server computer's first name, and "swcp.com" the second name. "Sloth" is also kind of like the street address, and "swcp.com" kind of like the city, state and zip code. "Swcp.com" is the domain name owned by Southwest Cyberport. All host computers also have numerical versions of their names, e.g. 203.15.166.46.
*******************

Let's next do the obvious. The header says this post was composed on the host 203.15.166.46. So we telnet to its nntp server (port 119):

telnet 203.15.166.46 119

We get back:

Trying 203.15.166.46 ...
telnet: connect: Connection refused

This looks a lot like a phony item in the header. If this really was a computer that handles news groups, it should have an nntp port that accepts visitors. It might only accept a visitor for the split second it takes to see that I am not authorized to use it. But in this case it refuses any connection whatever.

There is another explanation: there is a firewall on this computer that filters out packets from anyone but authorized users. But this is not common in an ISP that would be serving a spammer dating service. This kind of firewall is more commonly used to connect an internal company computer network with the Internet.

Next I try to email postmaster@203.15.166.46 with a copy of the spam.
But I get back:

Date: Wed, 28 Aug 1996 21:58:13 -0600
From: Mail Delivery Subsystem
To: cmeinel@techbroker.com
Subject: Returned mail: Host unknown (Name server: 203.15.166.46: host not found)

The original message was received at Wed, 28 Aug 1996 21:58:06 -0600
from cmeinel@localhost

----- The following addresses had delivery problems -----
postmaster@203.15.166.46 (unrecoverable error)

----- Transcript of session follows -----
501 postmaster@203.15.166.46... 550 Host unknown (Name server: 203.15.166.46: host not found)

----- Original message follows -----
Return-Path: cmeinel
Received: (from cmeinel@localhost) by kitsune.swcp.com (8.6.9/8.6.9) id

OK, it looks like the nntp server info was forged, too.

Next we check the second from the top item on the header. Because it starts with the word "news," I figure it must be a computer that hosts news groups, too. So I check out its nntp port:

telnet news.ironhorse.com nntp

And the result is:

Trying 204.145.167.4 ...
Connected to boxcar.ironhorse.com.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host.

OK, we now know that this part of the header references a real news server. Oh, yes, we have also just learned the name/address of the computer ironhorse.com uses to handle the news groups: "boxcar."

I try the next item in the path:

telnet news.uoregon.edu nntp

And get:

Trying 128.223.220.25 ...
Connected to pith.uoregon.edu.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host.

OK, this one is a valid news server, too. Now let's jump to the last item in the header: in2.uu.net:

telnet in2.uu.net nntp

We get the answer:

in2.uu.net: unknown host

There is something fishy here.
This host computer in the header isn't currently connected to the Internet. It probably is forged. Let's check the domain name next:

whois uu.net

The result is:

UUNET Technologies, Inc. (UU-DOM)
3060 Williams Drive Ste 601
Fairfax, VA 22031
USA

Domain Name: UU.NET

Administrative Contact, Technical Contact, Zone Contact:
UUNET, AlterNet [Technical Support] (OA12) help@UUNET.UU.NET
+1 (800) 900-0241
Billing Contact:
Payable, Accounts (PA10-ORG) ap@UU.NET
(703) 206-5600
Fax: (703) 641-7702

Record last updated on 23-Jul-96.
Record created on 20-May-87.

Domain servers in listed order:
NS.UU.NET 137.39.1.3
UUCP-GW-1.PA.DEC.COM 16.1.0.18 204.123.2.18
UUCP-GW-2.PA.DEC.COM 16.1.0.19
NS.EU.NET 192.16.202.11

The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

So uu.net is a real domain. But since the host computer in2.uu.net listed in the header isn't currently connected to the Internet, this part of the header may be forged. (However, there may be other explanations for this, too.)

Working back up the header, then, we next try:

telnet news.mindspring.com nntp

I get:

Trying 204.180.128.185 ...
Connected to news.mindspring.com.
Escape character is '^]'.
502 You are not in my access file. Goodbye.
Connection closed by foreign host.

Interesting. I don't get a specific host name for the nntp port. What does this mean? Well, there's a way to try. Let's telnet to the port that gives the login sequence. That's port 23, but telnet automatically goes to 23 unless we tell it otherwise:

telnet news.mindspring.com

Now this is phun!

Trying 204.180.128.166 ...
telnet: connect to address 204.180.128.166: Connection refused
Trying 204.180.128.167 ...
telnet: connect to address 204.180.128.167: Connection refused
Trying 204.180.128.168 ...
telnet: connect to address 204.180.128.168: Connection refused
Trying 204.180.128.182 ...
telnet: connect to address 204.180.128.182: Connection refused
Trying 204.180.128.185 ...
telnet: connect: Connection refused

Notice how many host computers are tried out by telnet on this command! They must all specialize in being news servers, since none of them handles logins. This looks like a good candidate for the origin of the spam. There are 5 news server hosts. Let's do a whois command on the domain name next:

whois mindspring.com

We get:

MindSpring Enterprises, Inc. (MINDSPRING-DOM)
1430 West Peachtree Street NE
Suite 400
Atlanta, GA 30309
USA

Domain Name: MINDSPRING.COM

Administrative Contact:
Nixon, J. Fred (JFN) jnixon@MINDSPRING.COM
404-815-0770
Technical Contact, Zone Contact:
Ahola, Esa (EA55) hostmaster@MINDSPRING.COM
(404)815-0770
Billing Contact:
Peavler, K. Anne (KAP4) peavler@MINDSPRING.COM
404-815-0770 (FAX) 404-815-8805

Record last updated on 27-Mar-96.
Record created on 21-Apr-94.

Domain servers in listed order:

CARNAC.MINDSPRING.COM 204.180.128.95
HENRI.MINDSPRING.COM 204.180.128.3

*********************
Newbie Note: The whois command can tell you who owns a domain name. The domain name is the last two parts separated by a period that comes after the "@" in an email address, or the last two parts separated by a period in a computer's name.
*********************

I'd say that Mindspring is the ISP from which this post was most likely forged.
The reason is that this part of the header looks genuine, and offers lots of computers on which to forge a post. A letter to the technical contact at hostmaster@mindspring.com with a copy of this post may get a result.

But personally, I would simply go to their Web site and email them a protest from there. Hmmm, maybe a 5 MB gif of mating hippos? Even if it is illegal? But systems administrator Terry McIntyre cautions me:

"One needn't toss megabyte files back (unless, of course, one is helpfully mailing a copy of the offending piece back, just so that the poster knows what the trouble was). The Law of Large Numbers of Offendees works to your advantage. Spammer sends one post to 'reach out and touch' thousands of potential customers. Thousands of Spammees send back oh-so-polite notes about the improper behavior of the Spammer. Most Spammers get the point fairly quickly.

One note - one _wrong_ thing to do is to post to the newsgroup or list about the inappropriateness of any previous post. Always, always, use private email to make such complaints. Otherwise, the newbie inadvertently amplifies the noise level for the readers of the newsgroup or email list."

Well, the bottom line is that if I really want to pull the plug on this spammer, I would send a polite note including the Usenet post with headers intact to the technical contact and/or postmaster at each of the valid links I found in this spam header. Chances are that they will thank you for your sleuthing.

Here's an example of an email I got from Netcom about a spammer I helped them to track down.

From: Netcom Abuse Department
Reply-To:
Subject: Thank you for your report

Thank you for your report. We have informed this user of our policies, and have taken appropriate action, up to, and including cancellation of the account, depending on the particular incident.
If they continue to break Netcom policies we will take further action.

The following issues have been dealt with:

Sorry for the length of the list.

Spencer
Abuse Investigator
___________________________________________________________________
NETCOM Online Communication Services Abuse Issues
24-hour Support Line: 408-983-5970 abuse@netcom.com

_______________________________________________________

GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 5
How to get email spammers kicked off their ISPs.
_______________________________________________________

So, have you been out on Usenet blasting spammers? It's phun, right?
But if you have ever done much posting to Usenet news groups, you will notice that soon after you post, you will often get spam email. This is mostly thanks to Lightning Bolt, a program written by Jeff Slayton to strip huge volumes of email addresses from Usenet posts. Here's one I recently got:

Received: from mail.gnn.com (70.los-angeles-3.ca.dial-access.att.net [165.238.38.70]) by mail-e2b-service.gnn.com (8.7.1/8.6.9) with SMTP id BAA14636; Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Date: Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Message-Id: <199608170555.BAA14636@mail-e2b-service.gnn.com>
To:
Subject: Forever
From: FREE@Heaven.com

"FREE" House and lot in "HEAVEN"
Reserve yours now, do it today, do not wait. It is FREE just for the asking. You receive a Personalized Deed and detailed Map to your home in HEAVEN. Send your name and address along with a one time minimum donation of $1.98 cash, check, or money order to help cover s/h cost
TO: Saint Peter's Estates
P.O. Box 9864
Bakersfield, CA 93389-9864
This is a gated community and it is "FREE".
Total satisfaction for 2 thousand years to date.

From the Gate Keeper. (PS. See you at the Pearly Gates)
GOD will Bless you.

Now it is a pretty good guess that this spam has a forged header. To identify the culprit, we employ the same command that we used with Usenet spam:

whois heaven.com

We get the answer:

Time Warner Cable Broadband Applications (HEAVEN-DOM)
2210 W. Olive Avenue
Burbank, CA 91506

Domain Name: HEAVEN.COM

Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
Melo, Michael (MM428) michael@HEAVEN.COM
(818) 295-6671

Record last updated on 02-Apr-96.
Record created on 17-Jun-93.
Domain servers in listed order:

CHEX.HEAVEN.COM 206.17.180.2
NOC.CERF.NET 192.153.156.22

From this we conclude that this is either genuine (fat chance) or a better forgery than most. So let's try to finger FREE@heaven.com.

First, let's check out the return email address:

finger FREE@heaven.com

We get:

[heaven.com]
finger: heaven.com: Connection timed out

There are several possible reasons for this. One is that the systems administrator for heaven.com has disabled the finger port. Another is that heaven.com is inactive. It could be on a host computer that is turned off, or maybe just an orphan.

*********************
Newbie note: You can register domain names without setting them up on a computer anywhere. You just pay your money and Internic, which registers domain names, will put it aside for your use. However, if you don't get it hosted by a computer on the Internet within a few weeks, you may lose your registration.
*********************

We can test these hypotheses with the ping command. This command tells you whether a computer is currently hooked up to the Internet and how good its connection is.

Now ping, like most kewl hacker tools, can be used for either information or as a means of attack. But I am going to make you wait in dire suspense for a later Guide to (mostly) Harmless Hacking to tell you how some people use ping. Besides, yes, it would be *illegal* to use ping as a weapon.

Because of ping's potential for mayhem, your shell account may have disabled the use of ping for the casual user. For example, with my ISP I have to go to the right directory to use it.
So I give the command: \par /usr/etc/ping heaven.com \par The result is: \par heaven.com is alive \par \par *********************** \par Technical Tip: On some versions of Unix, giving the command "ping" will start \par your computer pinging the target over and over again without stopping. To \par get out of the ping command, hold down the control key and type "c". And be \par patient, next Guide to (mostly) Harmless Hacking will tell you more about \par the serious hacking uses of ping. \par *********************** \par \par Well, this answer means heaven.com is hooked up to the Internet right now. \par Does it allow logins? We test this with: \par telnet heaven.com \par This should get us to a screen that would ask us to give user name and \par password. The result is: \par Trying 198.182.200.1 ... \par telnet: connect: Connection timed out \par OK, now we know that people can't remotely log in to heaven.com. So it sure looks as if it was an unlikely place for the author of this spam to have \par really sent this email. \par How about chex.heaven.com? Maybe it is the place where spam originated? I \par type in: \par telnet chex.heaven.com 79 \par This is the finger port. I get: \par Trying 206.17.180.2 ... \par telnet: connect: Connection timed out \par I then try to get a screen that would ask me to login with user name, but \par once again get "Connection timed out." \par This suggests strongly that neither heaven.com nor chex.heaven.com is being used by people to send email. So this is probably a forged link in the \par header. 
\par Let's look at another link on the header: \par whois gnn.com \par The answer is: \par America Online (GNN2-DOM) \par 8619 Westwood Center Drive \par Vienna, VA 22182 \par USA \par \par Domain Name: GNN.COM \par \par Administrative Contact: \par Colella, Richard (RC1504) colella@AOL.NET \par 703-453-4427 \par Technical Contact, Zone Contact: \par Runge, Michael (MR1268) runge@AOL.NET \par 703-453-4420 \par Billing Contact: \par Lyons, Marty (ML45) marty@AOL.COM \par 703-453-4411 \par \par Record last updated on 07-May-96. \par Record created on 22-Jun-93. \par \par Domain servers in listed order: \par \par DNS-01.GNN.COM 204.148.98.241 \par DNS-AOL.ANS.NET 198.83.210.28 \par Whoa! GNN.com is owned by America Online. Now America Online, like \par Compuserve, is a computer network of its own that has gateways into the \par Internet. So it isn't real likely that heaven.com would be routing email \par through AOL, is it? It would be almost like finding a header that claims its \par email was routed through the wide area network of some Fortune 500 \par corporation. So this gives yet more evidence that the first link in the \par header, heaven.com, was forged. \par In fact, it's starting to look like a good bet that our spammer is some \par newbie who just graduated from AOL training wheels. Having decided there is \par money in forging spam, he or she may have gotten a shell account offered by \par the AOL subsidiary, GNN. Then with a shell account he or she could get \par seriously into forging email. \par Sounds logical, huh? Ah, but let's not jump to conclusions. This is just a \par hypothesis and it may be wrong. 
So let's check out the remaining link in \par this header: \par whois att.net \par The answer is: \par AT&T EasyLink Services (ATT2-DOM) \par 400 Interpace Pkwy \par Room B3C25 \par Parsippany, NJ 07054-1113 \par US \par \par Domain Name: ATT.NET \par \par Administrative Contact, Technical Contact, Zone Contact: \par DNS Technical Support (DTS-ORG) hostmaster@ATTMAIL.COM \par 314-519-5708 \par Billing Contact: \par Gardner, Pat (PG756) pegardner@ATTMAIL.COM \par 201-331-4453 \par \par Record last updated on 27-Jun-96. \par Record created on 13-Dec-93. \par \par Domain servers in listed order: \par \par ORCU.OR.BR.NP.ELS-GMS.ATT.NET 199.191.129.139 \par WYCU.WY.BR.NP.ELS-GMS.ATT.NET 199.191.128.43 \par OHCU.OH.MT.NP.ELS-GMS.ATT.NET 199.191.144.75 \par MACU.MA.MT.NP.ELS-GMS.ATT.NET 199.191.145.136 \par Another valid domain! So this is a reasonably ingenious forgery. The culprit could have sent email from any of heaven.com, gnn.com or att.net. We know heaven.com is highly unlikely because we can't get even the login port to \par work. But we still have gnn.com and att.net as suspected homes for this \par spammer. \par The next step is to email a copy of this spam *including headers* to both \par postmaster@gnn.com (usually a good guess for the email address of the person \par who takes complaints) and runge@AOL.NET, who is listed by whois as the \par technical contact. We should also email either postmaster@att.net (the good \par guess) or hostmaster@ATTMAIL.COM (technical contact). Also email \par postmaster@heaven.com, abuse@heaven.com and root@heaven.com to let them know \par how their domain name is being used. \par Presumably one of the people reading email sent to these addresses will use the email message id number to look up who forged this email. Once the \par culprit is discovered, he or she usually is kicked out of the ISP. \par But here is a shortcut. If you have been spammed by this guy, lots of other people probably have been, too. 
There's a news group on the Usenet where \par people can exchange information on both email and Usenet spammers, \par news.admin.net-abuse.misc. Let's pay it a visit and see what people may have \par dug up on FREE@heaven.com. Sure enough, I find a post on this heaven scam: \par From: bartleym@helium.iecorp.com (Matt Bartley) \par Newsgroups: news.admin.net-abuse.misc \par Subject: junk email - Free B 4 U - FREE@Heaven.com \par Supersedes: <4uvq4a$3ju@helium.iecorp.com> \par Date: 15 Aug 1996 14:08:47 -0700 \par Organization: Interstate Electronics Corporation \par Lines: 87 \par Message-ID: <4v03kv$73@helium.iecorp.com> \par NNTP-Posting-Host: helium.iecorp.com \par (snip) \par No doubt a made-up From: header which happened to hit a real domain \par name. \par Postmasters at att.net, gnn.com and heaven.com notified. gnn.com has \par already stated that it came from att.net, forged to look like it came from \par gnn. Clearly the first Received: header is inconsistent. \par Now we know that if you want to complain about this spam, the best place to send a complaint is postmaster@att.net. \par But how well does writing a letter of complaint actually work? I asked ISP \par owner Dale Amon. He replied, "From the small number of spam messages I have \par been seeing - given the number of generations of exponential net growth I \par have seen in 20 years - the system appears to be *strongly* self regulating. \par Government and legal systems don't work nearly so well. \par "I applaud Carolyn's efforts in this area. She is absolutely right. Spammers are controlled by the market. If enough people are annoyed, they respond. If that action causes problems for an ISP it puts it in their economic interest to drop customers who cause such harm, ie the spammers. Economic interest is often a far stronger and much more effective incentive than legal \par requirement. \par "And remember that I say this as the Technical Director of the largest ISP \par in Northern Ireland." 
\par How about suing spammers? Perhaps a bunch of us could get together a class \par action suit and drive these guys into bankruptcy? \par Systems administrator Terry McIntyre argues, "I am opposed to attempts to \par sue spammers. We already have a fairly decent self-policing mechanism in \par place. \par "Considering that half of everybody on the internet are newbies (due to the 100% growth rate), I'd say that self-policing is marvelously effective. \par "Invite the gov't to do our work for us, and some damn bureaucrats will \par write up Rules and Regulations and Penalties and all of that nonsense. We \par have enough of that in the world outside the 'net; let's not invite any of \par it to follow us onto the 'net." \par So it looks like Internet professionals prefer to control spam by having net vigilantes like us track down spammers and report them to their ISPs. Sounds \par like phun to me! In fact, it would be fair to say that without us net \par vigilantes, the Internet would probably grind to a halt from the load these \par spammers would place on it. \par \par \par \par _______________________________________________________ \par \par GUIDE TO (mostly) HARMLESS HACKING \par Vol. 1 Number 6 \par How to nuke offensive Web sites. \par _______________________________________________________ \par \par \par \par How do we deal with offensive Web sites? \par \par Remember that the Internet is voluntary. There is no law that forces an ISP to serve people they don't like. As the spam kings Jeff Slayton, Crazy \par Kevin, and, oh, yes, the original spam artists Cantor and Siegal have \par learned, life as a spammer is life on the run. The same holds for Web sites \par that go over the edge. 
\par The reason I bring this up is that a Happy Hacker list member has told me he would like to vandalize kiddie porn sites. I think that is a really, really \par kewl idea except for one problem. You can get thrown in jail! I don't \par want the hacker tools you can pick up from public Web and ftp sites to lure \par anyone into getting busted. It is easy to use them to vandalize Web sites. \par But it is hard to use them without getting caught! \par \par ***************** \par You can go to jail note: Getting into a part of a computer that is not open \par to the public is illegal. In addition, if you use the phone lines or \par Internet across a US state line to break into a non-public part of a \par computer, you have committed a Federal felony. You don't have to cause any \par harm at all; it's still illegal. Even if you just gain root access and \par immediately break off your connection, it's still illegal. Even if you are \par doing what you see as your civic duty by vandalizing kiddie porn, it's \par still illegal. \par *************** \par \par Here's another problem. It took just two grouchy hacker guys to get the \par DC-stuff list turned off. Yes, it *will* be back, eventually. But what if \par the Internet were limited to carrying only stuff that was totally \par inoffensive to everyone? That's why it is against the law to just nuke ISPs \par and Web servers you don't like. Believe me, as you will soon find out, it is \par really easy to blow an Internet host off the Internet. It is *so* easy that \par doing this kind of stuph is NOT elite! \par So what's the legal alternative to fighting kiddie porn? Trying to throw Web kiddie porn guys in jail doesn't always work. While there are laws against \par it in the US, the problem is that the Internet is global. Many countries \par have no laws against kiddie porn on the Internet. 
Even if it were illegal \par everywhere, in lots of countries the police only bust people in exchange for \par you paying a bigger bribe than the criminal pays. \par \par ******************* \par They can go to jail note: In the US and many other countries, kiddie porn is \par illegal. If the imagery is hosted on a physical storage device within the \par jurisdiction of a country with laws against it, the person who puts this \par imagery on the storage device can go to jail. So if you know enough to help \par the authorities get a search warrant, by all means contact them. In the US, \par this would be the FBI. \par ******************* \par \par But the kind of mass outrage that keeps spammers on the run can also drive \par kiddie porn off the Web. *We* have the power. \par The key is that no one can force an ISP to carry kiddie porn or anything \par else. In fact, most human beings are so disgusted at kiddie porn that they \par will jump at the chance to shut it down. If the ISP is run by some pervert \par who wants to make money by offering kiddie porn, then you go to the next \par level up, to the ISP that provides connectivity for the kiddie porn ISP. \par There someone will be delighted to cut off the b*****ds. \par So, how do you find the people who can put a Web site on the run? We start \par with the URL. \par I am going to use a real URL. But please keep in mind that I am not saying \par this actually is a web address with kiddie porn. This is being used for \par purposes of illustration only because this URL is carried by a host with so \par many hackable features. It also, by at least some standards, carries X-rated \par material. So visit it at your own risk. \par http://www.phreak.org \par Now let's say someone just told you this was a kiddie porn site. Do you just launch an attack? No. \par This is how hacker wars start. What if phreak.org is actually a nice guy \par place? Even if they did once display kiddie porn, perhaps they have \par repented. 
Not wanting to get caught acting on a stupid rumor, I go to the \par Web and find the message "no DNS entry." So this Web site doesn't look like \par it's there just now. \par But it could just be that the machine that runs the disk that holds this Web site is temporarily down. \par There is a way to tell if the computer that \par serves a domain name is running: the ping command: \par /usr/etc/ping phreak.org \par The answer is: \par /usr/etc/ping: unknown host phreak.org \par Now if this Web site had been up, it would have responded like my Web site \par does: \par /usr/etc/ping techbroker.com \par This gives the answer: \par techbroker.com is alive \par \par ************************* \par Evil Genius Note: Ping is a powerful network diagnostic tool. This example \par is from BSD Unix. Quarterdeck Internet Suite and many other software \par packages also offer this wimpy version of the ping command. But in its most \par powerful form, which you can get by installing Linux on your computer, \par the ping -f command will send out packets as fast as the target host can \par respond for an indefinite length of time. This can keep the target extremely \par busy and may be enough to put the computer out of action. If several people \par do this simultaneously, the target host will almost certainly be unable to \par maintain its network connection. So *now* do you want to install Linux? \par ************************* \par \par ************************* \par Netiquette warning: "Pinging down" a host is incredibly easy. It's way too \par easy to be regarded as elite, so don't do it to impress your friends. If you \par do it anyhow, be ready to be sued by the owner of your target and kicked off \par your ISP or much worse! If you should accidentally get the ping command \par running in assault mode, you can quickly turn it off by holding down the \par control key while pressing the "c" key. 
\par ************************* \par \par ************************* \par You can go to jail warning: If it can be shown that you ran the ping -f \par command on purpose to take out the host computer you targeted, this is a \par denial of service attack and hence illegal. \par ************************ \par \par OK, now we have established that at least right now, http://phreak.org \par either does not exist, or else that the computer hosting it is not connected \par to the Internet. \par But is this temporary or is it gone, gone, gone? We can get some idea \par whether it has been up and around and widely read from the search engine at \par http://altavista.digital.com. It is able to search for links embedded in Web \par pages. Are there many Web sites with links to phreak.org? I put in the \par search commands: \par link: http://www.phreak.org \par host: http://www.phreak.org \par But they turn up nothing. So it looks like the phreak.org site is not real \par popular. \par Well, does phreak.org have a record at Internic? Let's try whois: \par whois phreak.org \par Phreaks, Inc. (PHREAK-DOM) \par Phreaks, Inc. \par 1313 Mockingbird Lane \par San Jose, CA 95132 US \par \par Domain Name: PHREAK.ORG \par \par Administrative Contact, Billing Contact: \par Connor, Patrick (PC61) pc@PHREAK.ORG \par (408) 262-4142 \par Technical Contact, Zone Contact: \par Hall, Barbara (BH340) rain@PHREAK.ORG \par 408.262.4142 \par \par Record last updated on 06-Feb-96. \par Record created on 30-Apr-95. \par \par Domain servers in listed order: \par \par PC.PPP.ABLECOM.NET 204.75.33.33 \par ASYLUM.ASYLUM.ORG 205.217.4.17 \par NS.NEXCHI.NET 204.95.8.2 \par Next I wait a few hours and ping phreak.org again. I discover it is now \par alive. So now we have learned that the computer hosting phreak.org is \par sometimes connected to the Internet and sometimes not. (In fact, later \par probing shows that it is often down.) 
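\par The ping -f discussion above describes the flood from the sender's side. What the owner of the target sees is a burst of ICMP echo requests from one source, and that is easy to pick out of a packet capture. The following Python script is an added example, not part of this Guide: it reads a simplified tcpdump-style log (the log lines are constructed here, with RFC 5737 documentation addresses, and the 100-per-second threshold is a placeholder to tune for your own network), counts echo requests per source and per second, and names any source whose peak rate looks like a flood rather than the one-request-per-second of an ordinary ping. \par

```python
"""Detect ICMP echo-request floods ("ping -f" style) in a packet log.

Added example, not part of the Guide. The log format is a simplified
tcpdump-like line, constructed here; the threshold is a placeholder.
"""
import re
from collections import defaultdict

# Simplified tcpdump-style line: "<time> IP <src> > <dst>: ICMP echo request, ..."
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request"
)


def parse_echo_requests(log_text):
    """Yield (second, src, dst) for every ICMP echo-request line; replies are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("time"), m.group("src"), m.group("dst")


def find_ping_floods(log_text, per_second_threshold=100):
    """Return {src: peak_requests_per_second} for every source over the threshold.

    A normal ping sends about one request per second; ping -f sends as many
    as the target will answer. Counting per (source, second) and keeping the
    peak separates a flood from a host that merely pings for a long time.
    """
    counts = defaultdict(int)                     # (src, second) -> echo requests
    for second, src, _dst in parse_echo_requests(log_text):
        counts[(src, second)] += 1
    peaks = defaultdict(int)                      # src -> busiest second
    for (src, _second), n in counts.items():
        peaks[src] = max(peaks[src], n)
    return {src: n for src, n in peaks.items() if n > per_second_threshold}


def _constructed_log():
    """Constructed sample: one well-behaved pinger and one flooder."""
    lines = []
    # 198.51.100.7 pings normally: one request (and one reply) per second for 5 seconds.
    for s in range(5):
        lines.append(f"12:00:0{s}.000100 IP 198.51.100.7 > 192.0.2.10: "
                     f"ICMP echo request, id 1, seq {s}, length 64")
        lines.append(f"12:00:0{s}.000900 IP 192.0.2.10 > 198.51.100.7: "
                     f"ICMP echo reply, id 1, seq {s}, length 64")
    # 203.0.113.9 floods: 250 requests inside the single second 12:00:02.
    for i in range(250):
        lines.append(f"12:00:02.{i:06d} IP 203.0.113.9 > 192.0.2.10: "
                     f"ICMP echo request, id 2, seq {i}, length 64")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    print(find_ping_floods(SAMPLE_LOG))   # {'203.0.113.9': 250}
```

\par On a real capture the same per-source, per-second count is what a rate limit or an IDS rule keys on; the threshold is the only site-specific part. \par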
\par I try telnetting to their login sequence: \par telnet phreak.org \par Trying 204.75.33.33 ... \par Connected to phreak.org. \par Escape character is '^]'. \par \par \par \par ______________ _______________________________ __ \par ___ __ \\__ / / /__ __ \\__ ____/__|__ //_/____________________ _ \par __ /_/ /_ /_/ /__ /_/ /_ __/ __ /| |_ ,< _ __ \\_ ___/_ __ `/ \par _ ____/_ __ / _ _, _/_ /___ _ ___ | /| |__/ /_/ / / _ /_/ / \par /_/ /_/ /_/ /_/ |_| /_____/ /_/ |_/_/ |_|(_)____//_/_\\__, / \par /____/ \par \par \par ; \par Connection closed by foreign host. \par Aha! Someone has connected the computer hosting phreak.org to the Internet! \par The fact that this gives just ASCII art and no login prompt suggests that \par this host computer does not exactly welcome the casual visitor. It may well \par have a firewall that rejects attempted logins from anyone who telnets in \par from a host that is not on its approved list. \par Next I finger their technical contact: \par finger rain@phreak.org \par Its response is: \par [phreak.org] \par It then scrolled out some embarrassing ASCII art. Finger it yourself if you really want to see it. \par I'd only rate it PG-13, however. \par The fact that phreak.org runs a finger service is interesting. Since finger is one of the best ways \par to crack into a system, we can conclude that either: \par 1) The phreak.org sysadmin is not very security-conscious, or \par 2) It is so important to phreak.org to send out insulting messages that the \par sysadmin doesn't care about the security risk of running finger. \par Since we have seen evidence of a fire wall, case 2 is probably true. \par One of the Happy Hacker list members who helped me by reviewing this Guide, \par William Ryan, decided to further probe phreak.org's finger port: \par "I have been paying close attention to all of the "happy hacker" things that \par you have posted. 
When I tried using the port 79 method on phreak.org, it \par connects and then displays a hand with its middle finger raised and the \par comment "UP YOURS." When I tried using finger, I get logged on and a \par message is displayed shortly thereafter "In real life???"" \par Oh, this is just *too* tempting...ah, but let's keep out of trouble and just leave that port 79 alone, OK? \par Now how about their HTML port, which would provide access to any Web sites \par hosted by phreak.org? We could just bring up a Web surfing program and take \par a look. But we are hackers and hackers never do stuph the ordinary way. \par Besides, I don't want to view dirty pictures and naughty words. So we check \par to see if it is active with, you guessed it, a little port surfing: \par telnet phreak.org 80 \par Here's what I get: \par Trying 204.75.33.33 ... \par Connected to phreak.org. \par Escape character is '^]'. \par HTTP/1.0 400 Bad Request \par Server: thttpd/1.00 \par Content-type: text/html \par Last-modified: Thu, 22-Aug-96 18:54:20 GMT \par 400 Bad Request \par

400 Bad Request

\par Your request '' has bad syntax or is inherently impossible to satisfy. \par
\par
thttpd/1.00
\par Connection closed by foreign host. \par Now we know that phreak.org does have a web server on its host computer. \par This server is called thttpd, version 1.0. We also may suspect that it is a \par bit buggy! \par What makes me think it is buggy? Look at the version number: 1.0. Also, \par that's a pretty weird error message. \par If I were the technical administrator for phreak.org, I would get a better \par program running on port 80 before someone figures out how to break into root \par with it. The problem is that buggy code is often a symptom of code that \par takes the lazy approach of using calls to root. In the case of a Web server, \par you want to give read-only access to remote users in any user's directories \par of html files. So there is a huge temptation to use calls to root. \par And a program with calls to root just might crash and dump you out into \par root. \par \par ************************ \par Newbie note: Root! It is the Valhalla of the hard-core cracker. "Root" is \par the account on a multi-user computer which allows you to play god. You \par become the "superuser"! It is the account from which you can enter and use \par any other account, read and modify any file, run any program. With root \par access, you can completely destroy all data on boring.ISP.net or any other \par host on which you gain root. (I am *not* suggesting that you do so!) \par ************************* \par \par Oh, this is just too tempting. I do one little experiment: \par telnet phreak.org 80 \par This gives: \par Trying 204.75.33.33 ... \par Connected to phreak.org. \par Escape character is '^]'. \par Because the program on port 80 times out on commands in a second or less, I was set up ready to do a paste to host \par command, which quickly inserted the \par following command: \par
thttpd/1.00 \par This gives information on phreak.org's port 80 program: \par HTTP/1.0 501 Not Implemented \par Server: thttpd/1.00 \par Content-type: text/html \par Last-modified: Thu, 22-Aug-96 19:45:15 GMT \par 501 Not Implemented \par

501 Not Implemented

\par The requested method '
\par
thttpd/1.00
\par Connection closed by foreign host. \par All right, what is thttpd? I do a quick search on Altavista and get the \par answer: \par A small, portable, fast, and secure HTTP server. The tiny/turbo/throttling \par HTTP server does not fork and is very careful about memory... \par But did the programmer figure out how to do all this without calls to root? Just for kicks I try to access the \par acme.org URL and get the message "does \par not have a DNS entry." So it's off-line, too. But whois tells me it is \par registered with Internic. Hmm, this sounds even more like brand X software. \par And it's running on a port. Break-in city! What a temptation...arghhh... \par Also, once again we see an interesting split personality. The phreak.org \par sysadmin cares enough about security to get a Web server advertised as \par "secure." But that software shows major symptoms of being a security risk! \par So what may we conclude? It looks like phreak.org does have a Web site. But \par it is only sporadically connected to the Internet. \par Now suppose that we did find some seriously bad news at phreak.org. \par Suppose someone wanted to shut it down. Ah-ah-ah, don't touch that buggy \par port 80! Or that tempting port 79! Ping in moderation, only! \par \par ******************************** \par You can go to jail note: Are you as tempted as I am? These guys have \par notorious cracker highway port 79 open, AND a buggy port 80! But, once \par again, I'm telling you, it is against the law to break into non-public parts \par of a computer. If you telnet over US state lines, it is a federal felony. \par Even if you think there is something illegal on that thttpd server, only \par someone armed with a search warrant has the right to look it over from the \par root account. 
\par ******************************** \par \par First, if in fact there were a problem with phreak.org (remember, this is \par just being used as an illustration) I would email a complaint to the \par technical and administrative contacts of the ISPs that provide phreak.org's \par connection to the Internet. So I look to see who they are: \par whois PC.PPP.ABLECOM.NET \par I get the response: \par [No name] (PC12-HST) \par Hostname: PC.PPP.ABLECOM.NET \par Address: 204.75.33.33 \par System: Sun 4/110 running SunOS 4.1.3 \par Record last updated on 30-Apr-95 \par In this case, since there are no listed contacts, I would email \par postmaster@ABLECOM.NET. \par I check out the next ISP: \par whois ASYLUM.ASYLUM.ORG \par And get: \par [No name] (ASYLUM4-HST) \par Hostname: ASYLUM.ASYLUM.ORG \par Address: 205.217.4.17 \par System: ? running ? \par Record last updated on 30-Apr-96. \par Again, I would email postmaster@ASYLUM.ORG. \par I check out the last ISP: \par whois NS.NEXCHI.NET \par And get: \par NEXUS-Chicago (BUDDH-HST) \par 1223 W North Shore, Suite 1E \par Chicago, IL 60626 \par Hostname: NS.NEXCHI.NET \par Address: 204.95.8.2 \par System: Sun running Unix \par Coordinator: \par Torres, Walter (WT51) walter-t@MSN.COM \par 312-352-1200 \par Record last updated on 31-Dec-95. \par So in this case I would email walter-t@MSN.COM with evidence of the \par offending material. I would also email complaints to \par postmaster@PC.PPP.ABLECOM.NET and postmaster@ASYLUM.ASYLUM.ORG. \par That's it. Instead of waging escalating hacker wars that can end up getting \par people thrown in jail, document your problem with a Web site and ask those who \par have the power to cut these guys off to do something. Remember, you can help fight the \par bad guys of cyberspace much better from your computer than \par you can from a jail cell. 
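\par The three whois lookups above follow one rule: write to every contact the record lists, and when it lists none, write to postmaster@ at the host's domain. The Python below is an added example, not code from this Guide, that applies that rule to the two host records quoted above (copied here as sample input). It also adds abuse@, which RFC 2142 reserves for exactly this kind of complaint; that is the one addition beyond the Guide's procedure, and the "last two labels" domain rule is an assumption that fits .com/.net/.org names like these but not two-level suffixes such as .co.uk. \par

```python
"""Work out whom to notify about a host, from its whois record.

Added example, not from the Guide. Contacts listed in the record come
first; postmaster@ and abuse@ (RFC 2142 role mailboxes) at the host's
registered domain are always included, so a record with no contacts still
yields somewhere to send the complaint.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOSTNAME_RE = re.compile(r"^\s*Hostname:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def registered_domain(hostname):
    """Last two labels, lower-cased: NS.NEXCHI.NET -> nexchi.net.

    Assumption: good enough for the .com/.net/.org names in the Guide;
    names under two-level suffixes (example.co.uk) would need a suffix list.
    """
    labels = hostname.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def notification_addresses(whois_text, hostname=None):
    """Return a sorted list of addresses to send evidence to.

    hostname: the name that was looked up; if omitted it is read from the
    record's own 'Hostname:' line.
    """
    if hostname is None:
        m = HOSTNAME_RE.search(whois_text)
        if not m:
            raise ValueError("no hostname given and none found in the record")
        hostname = m.group(1)
    domain = registered_domain(hostname)
    # Every listed contact (administrative, technical, coordinator, ...).
    addresses = {e.lower() for e in EMAIL_RE.findall(whois_text)}
    # Role mailboxes RFC 2142 says a mail-handling domain should answer.
    addresses.add(f"postmaster@{domain}")
    addresses.add(f"abuse@{domain}")
    return sorted(addresses)


# Sample input: the two host records quoted in the Guide (1996-era Internic output).
ABLECOM_RECORD = """\
[No name] (PC12-HST)
Hostname: PC.PPP.ABLECOM.NET
Address: 204.75.33.33
System: Sun 4/110 running SunOS 4.1.3
Record last updated on 30-Apr-95
"""

NEXCHI_RECORD = """\
NEXUS-Chicago (BUDDH-HST)
1223 W North Shore, Suite 1E
Chicago, IL 60626
Hostname: NS.NEXCHI.NET
Address: 204.95.8.2
System: Sun running Unix
Coordinator:
Torres, Walter (WT51) walter-t@MSN.COM
312-352-1200
Record last updated on 31-Dec-95.
"""

if __name__ == "__main__":
    print(notification_addresses(ABLECOM_RECORD))   # no contacts: role mailboxes only
    print(notification_addresses(NEXCHI_RECORD))    # coordinator plus role mailboxes
```

\par Send the same evidence (full headers, URLs, timestamps) to every address returned; the listed contact may be stale, which is why the role mailboxes are always included. \par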
\par \par ************************* \par Netiquette alert: If you are just burning with curiosity about whether \par thttpd can be made to crash to root, *DON'T* run experiments on phreak.org's \par computer. The sysadmin will probably notice all those weird accesses to port \par 80 on the shell log file. He or she will presume you are trying to break in, \par and will complain to your ISP. You will probably lose your account. \par ************************* \par \par ************************* \par Evil Genius note: The symptoms of being hackable that we see in thttpd are \par the kind of intellectual challenge that calls for installing Linux on your \par PC. Once you get Linux up you could install thttpd. Then you may experiment \par with total impunity. \par If you should find a bug in thttpd that seriously compromises the security \par of any computer running it, then what do you do? Wipe the html files of \par phreak.org? NO! You contact the Computer Emergency Response Team (CERT) at \par http://cert.org with this information. They will send out an alert. You will \par become a hero and be able to charge big bucks as a computer security \par consultant. This is much more phun than going to jail. Trust me. \par ************************ \par _________________________________________________________ \par \par Guide to (mostly) Harmless Hacking \par Vol. 1 No. 7 \par How to Forge Email Using Eudora Pro \par _________________________________________________________ \par \par \par \par In this Guide you will learn how to use Eudora Pro to fake email. This will include how to forge: \par -Who sent the mail \par -Extra headers to fake the route it took through the Internet \par -Even the message ID! \par -And anything else you can imagine \par -Plus, how to use Eudora for sending your email from other people's \par computers whether they like it or not. \par -Plus, is it possible to use Eudora for mail bombing? 
\par \par One of the most popular hacking tricks is forging email. People love to \par fake out their friends by sending them email that looks like it is from \par Bill_Gates@microsoft.com, santa@north.pole.org, or beelzebub@heck.mil. \par Unfortunately, spammers and other undesirables also love to fake email so \par it's easy for them to get away with flooding our email accounts with junk. \par Thanks to these problems, most email programs are good Internet citizens. \par Pegasus, which runs on Windows, and Pine, which runs on Unix, are fastidious \par in keeping the people from misusing them. Have you ever tried to forge email \par using Compuserve or AOL? I'm afraid to ever say something is impossible to \par hack, but those email programs have all resisted my attempts. \par I will admit that the screen name feature of America OnLine allows one to \par hide behind all sorts of handles. But for industrial strength email forging \par there is Eudora Pro for Windows 95, Qualcomm's gift to the Internet and the \par meanest, baddest email program around. \par Some Super Duper haxors will see this chapter and immediately start making \par fun of it. They will assume I am just going to teach the obvious stuff, like \par how to put a fake sender on your email. \par No way. This is serious stuff. 
For example, check out the full headers of \par this email: \par Return-Path: \par Received: from kizmiaz.fu.org (root@kizmiaz.fu.org [206.14.78.160]) \par by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915 \par for ; Sat, 13 Sep 1997 21:54:34 -0600 (MDT) \par Received: from Anteros (pmd08.foo66.com [198.59.176.41]) \par by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704 \par for ; Sat, 13 Sep 1997 20:54:20 -0700 (PDT) \par Date: Sat, 13 Sep 1997 20:54:20 -0700 (PDT) \par Message-Id: <2.2.16.19970913214737.530f0502@ayatollah.ir> \par received: from emout09.mail.ayatollah.ir (emout09.mx.aol.com \par [198.81.11.24])by Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for \par ; Mon, 8 Sep 1997 12:06:09 -0600 (MDT) \par Favorite-color:turquoise \par X-Sender: meinel@ayatollah.ir (Unverified) \par X-Mailer: Windows Eudora Pro Version 2.2 (16) \par Mime-Version: 1.0 \par Content-Type: text/plain; charset="us-ascii" \par To: cpm@foo66.com \par From: Carolyn Meinel \par Subject: Test of forged everything \par I actually sent this email through a PPP connection with my account \par cpm@foo66.com to myself at that same address. Yes, this email began and \par ended up at the same computer. However, if you read the headers, this email \par looks like it was sent by a computer named Anteros, then went to \par kizmiaz.fu.org, then ayatollah.ir. Sender, it reports, is unverified but \par appears to be meinel@ayatollah.ir. \par What is of particular interest is the message ID. Many people, even \par experienced sysadmins and hackers, assume that even with forged email, the \par computer name at the end of the message ID is the computer on which the \par email was written, and the computer that holds the record of who the guy was \par who forged it. \par But you can quickly prove with Eudora Pro that you can forge a message ID \par that references almost any computer, including nonexistent computers. \par Some of this Guide is clearly amateurish. 
For hundreds of dollars you can \par buy an email program from a spammer company that will forge email better and \par pump it out faster. Still, learning to forge email on Eudora \par illustrates many basic principles of email forgery. \par Let's start with the sender's email address. I managed to give myself three \par different fake addresses in this email: \par meinel@ayatollah.ir \par cmeinel@techbroker.com \par cpm@foo66.com \par Only the last of these, cpm@foo66.com, was "real." The other two I inserted myself. \par There is a legitimate use for this power. In my case, I have several ISPs \par but like to have everything returned to my email address at my own domain, \par techbroker.com. But that ayatollah address is purely a joke. Here's how I \par put in those names: \par 1) In Eudora, click "tools" then "options." This will pull down a menu. \par 2) Click "Personal Information." For forging email, you can make every one \par of these entries fake. \par 3) The address you put under "Pop account" is where you tell Eudora where to \par look to pick up your email. But guess what? When you send email you can put \par a phony host in there. I put "ayatollah.ir." This generated the line in the \par header, "Message-Id: <2.2.16.19970913214737.530f0502@ayatollah.ir>." Some \par people think the message ID is the best way to track down forged email. Just \par mail the sysadmin at ayatollah.ir, right? Wrong! \par 4) "Real name" and "Return address" are what showed up in the header lines \par "From: Carolyn Meinel " and "Return-Path: \par ." I could have made them fake. If they are fake, \par people can't reply to you by giving the "reply" command in their email \par program. \par 5) Next, while still on the options pulldown, scroll down to "sending mail." \par Guess what, under "SMTP Server," you don't have to put in the one your ISP \par offers you to send your email out on. 
With a little experimentation you can find hundreds -- thousands -- millions -- of other computers that you can use to send email on. However, this must be a real computer that will really send out your email. I picked kizmiaz.fu.org for this one. That accounts for the header lines: \par
Received: from kizmiaz.fu.org (root@kizmiaz.fu.org [206.14.78.160]) \par
by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915 \par
for ; Sat, 13 Sep 1997 21:54:34 -0600 (MDT) \par
Received: from Anteros (pmd08.foo66.com [198.59.176.41]) \par
by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704 \par
for ; Sat, 13 Sep 1997 20:54:20 -0700 (PDT) \par
\par
How to Make Extra Headers and Fake the Path through the Internet \par
\par
But maybe this doesn't make a weird enough header for you. Want to make your email even phonier? Even really experienced Eudora users rarely know how to make extra headers, so it's a great way to show off. \par
1) Open Windows Explorer by clicking "start," then "programs," then "Windows Explorer." \par
2) On the left hand side is a list of directories. Click on Eudora. \par
3) On the right hand side will be all the directories and files in Eudora. Scroll down them to the files. Click on "eudora.ini." \par
4) Eudora.ini is now in Notepad and ready to edit. \par
5) Fix it up by going to the line entitled "extra headers=" under [Dialup]. After the "=" type in something like this: \par
extraheaders=received:from emout09.mail.ayatollah.ir (emout09.mx.aol.com \par
[198.81.11.24])by Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for \par
; Mon, 8 Sep 1997 12:06:09 -0600 (MDT) \par
With this set up, all your email going out from Eudora will include that line in the headers. You can add as many extra headers to your email as you want by adding new lines that also start with "extra headers=". For example, in this case I also added "Favorite-color:turquoise." 
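A defender's counterpart to the Message-Id and extra-header tricks above, added here as an example and not code from the Guide: it parses the trace headers and flags a Received line that sits below the mailer's own Date/Message-Id headers (where a line pasted in through eudora.ini ends up), a HELO name whose domain disagrees with the reverse DNS the receiving MTA recorded, a break in the from/by chain between hops, and a Message-Id domain that no MTA-written hostname supports. The sample headers are constructed from the ones quoted above, with the stripped recipient address assumed to be cpm@foo66.com. \par

```python
import re
from email import message_from_string
# Constructed sample modelled on the headers quoted above (recipient assumed to be
# cpm@foo66.com); the "received:" line and ayatollah.ir Message-Id are the forged parts.
SAMPLE = """\
Received: from kizmiaz.fu.org (root@kizmiaz.fu.org [206.14.78.160])
 by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915
 for <cpm@foo66.com>; Sat, 13 Sep 1997 21:54:34 -0600 (MDT)
Received: from Anteros (pmd08.foo66.com [198.59.176.41])
 by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704
 for <cpm@foo66.com>; Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Date: Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Message-Id: <2.2.16.19970913214737.530f0502@ayatollah.ir>
received: from emout09.mail.ayatollah.ir (emout09.mx.aol.com
 [198.81.11.24]) by Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for
 <cpm@foo66.com>; Mon, 8 Sep 1997 12:06:09 -0600 (MDT)
"""

# "from HELO (user@rdns [ip]) by HOST": the parenthesised part is what the
# receiving MTA saw on the socket; the HELO name is whatever the client claimed.
HOP_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+@)?(\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def domain(host):  # registrable-domain approximation: last two labels
    return ".".join(host.lower().split(".")[-2:])

def audit_headers(raw):
    msg = message_from_string(raw)
    findings, hops, seen_originator = [], [], False
    for i, (name, value) in enumerate(msg.items()):
        if name.lower() == "received":
            # Genuine trace headers are prepended by MTAs, so they all sit above Date/Message-Id.
            if seen_originator:
                findings.append(f"header {i + 1}: Received below originator headers")
            m = HOP_RE.search(" ".join(value.split()))
            if m:
                hops.append(m.groups())
        elif name.lower() != "return-path":
            seen_originator = True
    for n, (helo, rdns, ip, by) in enumerate(hops):
        if "." in helo and domain(helo) != domain(rdns):
            findings.append(f"hop {n + 1}: HELO {helo} != reverse DNS {rdns} [{ip}]")
        if n and by.lower() not in (hops[n - 1][0].lower(), hops[n - 1][1].lower()):
            findings.append(f"hop {n + 1}: 'by {by}' does not follow hop {n}")
    # Trust only names the MTAs wrote (rDNS and 'by' hosts), never the client's HELO.
    mid_dom = msg.get("Message-Id", "").rsplit("@", 1)[-1].strip("<> ").lower()
    trusted = {h[1].lower() for h in hops} | {h[3].lower() for h in hops}
    if "@" in msg.get("Message-Id", "") and not any(t.endswith(mid_dom) for t in trusted):
        findings.append(f"Message-Id domain {mid_dom} appears in no Received hop")
    return findings
```

Anything the client itself supplied (the HELO string, and every field of a header it pasted in) is untrusted input, so the ordering and chain checks carry more weight than the Message-Id lookup alone. \par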
\par
\par
****************************************************** \par
You can go to jail warning: There still are ways for experts to tell where you sent this email from. So if someone were to use forged email to defraud, threaten or mail bomb people, watch out for that cellmate named Spike. \par
***************************************************************** \par
\par
Is it Possible to Mail Bomb Using Eudora? \par
\par
The obvious way to mail bomb with Eudora doesn't work. The obvious way is to put the address of your victim into the address list a few thousand times and then attach a really big file. But the result will be only one message going to that address. This is no thanks to Eudora itself. The mail daemons in common use on the Internet such as sendmail, smail and qmail only allow one message to be sent to each address per email. \par
Of course there are better ways to forge email with Eudora. Also, there is a totally trivial way to use Eudora to send hundreds of gigantic attached files to one recipient, crashing the mail server of the victim's ISP. But I'm not telling you how because this is, after all, a Guide to (mostly) Harmless Hacking. \par
But next time those Global kOS dudes try to snooker you into using one of their mail bomber programs (they claim these programs will keep you safely anonymous but in fact you will get caught) just remember all they are doing is packaging up stuff that anyone who knows two simple tricks could do much better with Eudora. (If you are a legitimate computer security professional, and you want to join us at Infowar in solving the problem, contact me for details and we'll think about whether to trust you.) \par
\par
************************************************ \par
Evil Genius Tip: This deadly mailbomber thingy is a feature, yes, honest-to-gosh intended FEATURE, of sendmail. Get out your manuals and study. 
\par
************************************************ \par
\par
The ease with which one may forge perfect mail and commit mail bombings which crash entire ISP mail servers, and even shut down Internet backbone providers as recently happened to AGIS, may well be the greatest threat the Internet faces today. I'm not happy about revealing this much. Unfortunately, the mail forgery problem is a deeply ingrained flaw in the Internet's basic structure. So it is almost impossible to explain the basics of hacking without revealing the pieces to the puzzle of the perfect forgery and perfect mailbombing. \par
If you figure it out, be a good guy and don't abuse it, OK? Become one of us insiders who see the problem and want to fix it rather than exploit it for greed or hatred. \par
The Guide for (mostly) Harmless Hacking Volume 1\par
\par
"Sa\'efmo" 1/1\par
\par
\par
}