July 14, 1999
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
URL of the day: http://www.securityfocus.com
- Bugtraq's new home!
_______________________________________________________________________
Editor's Comments
URLs
Nuggets of Info
Reader Questions
Reader Submissions
Future Issues
***********************************************************************
*** Editor's Comments
***********************************************************************
Well, it seems that my comments got *ahem* chopped out of the last digest. Here's what I said:

For those of you fairly new to the digest: If you want to submit something to the digest, but don't want your name and/or email address used, just say so in the message and I will remove it before adding it (assuming I add it). Oh, and my comments and articles are copyright ©1999 by me, and can't be used _anywhere_ commercially without my express consent. This includes books, for-profit websites, or other for-profit entities. Violators will be forced to use AOL with Windows 3.1 and might be prosecuted, too. ;) (This applies to my older comments and articles in digests, too)

Ok, I'm a little paranoid. Some of you email me stuff that could get you put on a 'bad guy' list somewhere. Keep in mind that your mail goes through antionline.com before it comes to me. It is entirely possible that JP or somebody else from AO could make copies of what comes into the unixeditor@cmeinel.com account. If you don't want this, I offer two alternatives: PGP-encode your messages to me with the key at http://www.hobbiton.org/~unixed/unixed.asc OR just mail me at unixed@hobbiton.org - all this second option will do is keep your mail out of JP's hands. I won't even _GET_ into Packetstorm's story. Read for yourself in the URLs section. I am quite aware that Carolyn, JP and I have differing opinions on the subject.

On a happier note, I'd like to say that I had a great time at Summercon 99, and I'd like to thank the following people: BinaryZero, Alaric, Jaeger, Breaker, Jen from CNN (thanks for the tour!), clovis and the other people that set it all up, as well as all those various people I hung out with and talked to and have forgotten your names. Go to Summercon next year! Wargame director Vince Larsen definitely knows what he's talking about (and managed to keep a cool head even through all the bashing). I'm definitely in awe...changing the whole security scheme of an operating system is not exactly the easiest thing to do.
***********************************************************************
*** URLs
***********************************************************************
HNN's account of what happened to one of the biggest security archives
http://www.hackernews.com/arch.html?070299
Linux ipchains
http://www.rustcorp.com/linux/ipchains/
BeOS - Not UNIX in my mind, but whatever
http://www.be.com/
More good stuff from Lance Spitzner:
Armoring Solaris
http://www.enteract.com/~lspitz/armoring.html
Armoring Linux
http://www.enteract.com/~lspitz/linux.html
Small Linux distro that runs on top of Windows/DOS
http://www.dragonlinux.nu/
***********************************************************************
*** Nuggets of Info
***********************************************************************
1) Unsubscribe as follows: Send an email to with the message "unsubscribe happyhacker" and you're off.
2) It's generally not a good idea to tell people you just met at a hacker convention what your account passwords are. (right bz?)
3) You can consider me the Linux editor too, since Linux is, after all, a flavor of UNIX. There will be no separate Linux editor.
4) Yes, you can use a modem to dial up your ISP, just like in Windows. Anything you do in Windows can be done in Linux, and much more. Try http://howto.linuxberg.com/LDP/HOWTO/PPP-HOWTO.html
5) Please, PLEASE read through older issues of the digest before asking a question that was probably already covered. There are 3 digests that have a section called UNIX commands. Don't ask me to repost them.
6) Want to rename a file? Renaming is the same as moving. Use mv.
***********************************************************************
*** Reader Questions
***********************************************************************
Aseem Asthana <asthana@bom4.vsnl.net.in> wrote:
Sir,
I have a question. I know that a .forward file can forward your mail to another acct. What are the other capabilities of a .forward file? Is there a URL for that?
Thanks,
Aseem.
[Ed- First thing to do - "man forward". Second thing to do, search on yahoo. Here's a link: http://www.emailman.com/forward/ ]
-----------------------------------------------------------------------
Magnus Kristiansen <makris@online.no> wrote:
If you could be so kind as to help me with this I would be ever so grateful! :
If you send a mail with pico, which doesn't reach anyone, like Bjarnebull@nowhere.org, does the mail get written into /var/tmp/dead.letter then?! You see my friends and I are playing with the ln command! =) Is there some other method which may be used? I'm not sure that you get my drift here, but let's try anyway! (The exploit for Sendmail 8.8.4)
Thanx
Excuse the spelling/grammar - I'm from Norway, the land of the snow, home of the Vikings...
[Ed- Well, as far as I've seen, the dead.letter gets written to your home directory (possibly your current directory) when you abort a message using _pine_ -- I don't know about pico. Symlink attacks are actually pretty effective with programs that don't check whether a file already exists. Maybe I'll write something up. If anybody has more information about what Magnus is asking, by all means let us know :)]
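The "check whether a file already exists" point the editor makes, as an added example that is not part of the digest or of any program mentioned in it: a program that writes to a fixed filename (dead.letter is the case discussed) should create it with O_EXCL so that a link planted at that name in advance cannot redirect the write. The unsafe open() is shown beside it for contrast. Every path and file content below is constructed in a scratch directory; nothing here touches real mail files.

```python
import errno
import os
import shutil
import tempfile


def naive_write(path, data):
    """The unsafe pattern: open(..., "wb") follows whatever already sits at `path`.

    If someone has planted a symlink there, the write lands on the link's target
    with the writing program's privileges.
    """
    with open(path, "wb") as f:
        f.write(data)


def create_private_file(path, data):
    """Create `path` only if nothing occupies it yet, and never through a link.

    O_CREAT|O_EXCL makes open() fail with EEXIST when any directory entry, a
    symlink included, already exists at `path`, so a pre-planted link cannot
    redirect the write. O_NOFOLLOW (where the platform has it) additionally
    refuses a symlink in the final component. Mode 0600 keeps the file private.
    Returns True if the file was created, False if the open was refused.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo():
    """Constructed scenario: two files an attacker wants overwritten, and two
    planted symlinks where a mail program would write its dead.letter."""
    workdir = tempfile.mkdtemp()
    try:
        victim_a = os.path.join(workdir, "victim_a.txt")
        victim_b = os.path.join(workdir, "victim_b.txt")
        for victim in (victim_a, victim_b):
            with open(victim, "w") as f:
                f.write("original contents\n")

        link_a = os.path.join(workdir, "dead.letter.naive")
        link_b = os.path.join(workdir, "dead.letter.safe")
        os.symlink(victim_a, link_a)  # planted links (constructed for the demo)
        os.symlink(victim_b, link_b)

        # Unsafe open: the write goes through the link and clobbers victim_a.
        naive_write(link_a, b"new message\n")
        with open(victim_a) as f:
            naive_clobbered = f.read() == "new message\n"

        # Safe open: refused, and victim_b is untouched.
        safe_refused = not create_private_file(link_b, b"new message\n")
        with open(victim_b) as f:
            victim_intact = f.read() == "original contents\n"

        # With nothing planted, the safe open creates the file normally.
        clean_created = create_private_file(os.path.join(workdir, "fresh.letter"), b"new message\n")

        return {
            "naive_clobbered": naive_clobbered,
            "safe_refused": safe_refused,
            "victim_intact": victim_intact,
            "clean_created": clean_created,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The check has to be the open call itself, not a separate "does it exist" test followed by open(); a link planted between the test and the open would win that race. Writing into a private directory (mode 0700) rather than a shared one such as /var/tmp removes the opportunity to plant anything at all.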
-----------------------------------------------------------------------
Ganglion <Ganglion@bigfoot.com> wrote:
Hello
How can I make a program keep running after I exit my shell account?
I have tried these commands:
nice -n 20 myprog &
exit
...but the system terminates my program after I leave.
Note: there was no "logout" command.
thanks
[Ed- You may not have the privileges to run a background process. What you've written there should work, provided the system's admin will allow you. Here's a question for all of you: What are some good ways to enforce the 'no background processes while you're not logged in' rule? I'd think you could run a cron job that automatically kills unattended processes, but if anybody else has different (weird, creative) solutions to this, I'd love to hear them.]
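The cron-job approach the editor suggests, as an added example that is not part of the digest: compare who is logged in (the output of who) against who owns processes (the output of ps) and report processes belonging to ordinary users who have no session behind them. The who and ps text below is constructed, not captured from a real host; the ps column layout (user,pid,tty,comm) and the exempt account set are assumptions for the demo.

```python
# Constructed sample output of `who`: one line per login session.
WHO_OUTPUT = """\
alice    pts/0        Jul 14 10:02 (dialup-12.example.net)
carol    pts/2        Jul 14 10:15 (10.0.0.7)
"""

# Constructed sample output in the layout of `ps -eo user,pid,tty,comm`.
PS_OUTPUT = """\
USER       PID TT       COMMAND
root         1 ?        init
alice      842 pts/0    bash
alice      901 pts/0    vi
bob       1107 ?        myprog
bob       1108 ?        sleep
carol     1200 pts/2    bash
root      1301 ?        sshd
daemon    1302 ?        portmap
"""

# System accounts run daemons without a login and are never candidates.
EXEMPT_USERS = {"root", "daemon", "bin", "sys", "nobody"}


def logged_in_users(who_text):
    """The first column of `who` is the username."""
    return {line.split()[0] for line in who_text.splitlines() if line.strip()}


def parse_ps(ps_text):
    """Return (user, pid, tty, command) tuples, skipping the header line."""
    procs = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, tty, comm = parts
        procs.append((user, int(pid), tty, comm.strip()))
    return procs


def unattended_processes(who_text, ps_text, exempt=EXEMPT_USERS):
    """Processes owned by ordinary users who currently have no login session.

    Returns a list of (user, pid, command) sorted by pid. A process of a
    logged-in user, or of an exempt account, is never reported.
    """
    active = logged_in_users(who_text)
    hits = [
        (user, pid, comm)
        for user, pid, tty, comm in parse_ps(ps_text)
        if user not in active and user not in exempt
    ]
    return sorted(hits, key=lambda h: h[1])


def kill_commands(hits, signal="TERM"):
    """Render the kill commands the cron job would run for the reported processes."""
    return ["kill -%s %d" % (signal, pid) for _, pid, _ in hits]


if __name__ == "__main__":
    found = unattended_processes(WHO_OUTPUT, PS_OUTPUT)
    for user, pid, comm in found:
        print("%-8s %6d %s" % (user, pid, comm))
    print("\n".join(kill_commands(found)))
```

Run from cron every few minutes, this catches exactly the case in the question (bob has logged out, myprog and sleep are still his). The exempt set is where an administrator lists accounts that are allowed to leave work running; without it, a legitimate batch job is indistinguishable from an abandoned one.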
-----------------------------------------------------------------------
iris <irisgarden@iname.com> wrote:
Hello there
I have a problem. Our system administrator has disabled the finger command in our unix (SunOS 5.6); each time I type finger it says (EXCUCUTION PERMTION DENIED), so I need this command. How can I enable it again, or is there C code that I can compile under my account directory that gives me the same results as the finger command does???
Please HELP!!
thanx
[Ed- 1) To enable it again, you need to set the permissions on the finger executable such that you can execute it. 2) Feel free to grab some finger client source code and compile it on your system. It shouldn't be too hard to find. 3) Telnet to port 79 of the computer you're trying to finger, and type in the name of the person you're trying to finger, and press return. Same thing as fingering.]
-----------------------------------------------------------------------
Phyberglass <phyberglass@hotmail.com> wrote:
Hi,
I was doing some port surfing on a University computer and I came across what I thought to be a very open box. (My knowledge is really limited so I can't say if it really was that "open" or not.) Anyway, after looking around there were a couple of ports open that I couldn't find the name for. These ports are port 57 and 111. Is there somewhere you could direct me to to get a complete listing of port assignments?
Yours sincerely,
Oblivious
[Ed- Assuming you didn't find it in /etc/services, take a look at RFC 1700 "Internet Assigned Numbers" at http://www.pmg.lcs.mit.edu/cgi-bin/rfc/view?1700
Port 57 seems to be some sort of terminal access, and 111 (which is very common, I might add) is Sun's Remote Procedure Call. Try
rpcinfo -p target.host.com
for more RPC-related info on that computer. Enjoy.]
-----------------------------------------------------------------------
Outbreak <crashs4@mindspring.com> wrote:
Ok, I was on mIRC the other day talking to this hacker. He was gonna show me how he got passwords and stuff.. he asked for the hostname of my shell account, so I said... nether.net.... Then he asked my login name there so I gave it to him..
About ten seconds later he told me my password and it was right! How did he do that, Please tell me... I would love to show my friend this neat little trick he pulled off.
Thanks!!!!
[Ed- Well, I think you're on the right track by calling it a 'trick'. I don't have quite enough information to be able to say how he got it. Two things come to mind, though. Maybe you are infected with Back Orifice or something similar and he got it by snooping on your computer. Another possibility is that somehow he had nether.net's password file, and had cracked it. There's no easy way of doing this in ten seconds that I can see. If anybody else wants to shed some light on the subject, by all means do.]
-----------------------------------------------------------------------
archmage@en.com wrote:
I am trying to set up a linux box to play around on. I am installing Redhat Linux 5.1 (bought it a while ago). In the manual it recommends that you make several partitions. Is this really necessary? Especially if it is for home use to play around on? Thanks.
[Ed- It's not really that big of a deal if you're just going to be toying around with it at home. If you're paranoid about security, it's generally a good idea to isolate certain parts of your file system. Most notable is the /var directory. If you have the /var directory mounted on the same partition as /tmp, for example, and your logs get insanely large, you could run into problems when trying to run programs that need to use temporary files. I'm sure you all can think of some other evil possibilities and DoS attacks that could take place by someone log flooding you with improperly mounted partitions. You might also want to separate the /home directory (or whatever appropriate directory) so that users can't fill up your whole disk. (Quotas might be good, too) Of course you'll generally want a separate swap partition as well. How much you want to subdivide your filesystem is mostly up to you, though.]
-----------------------------------------------------------------------
pubies@juno.com wrote:
I have somewhat of a complex question to ask, and who better to ask than the experts. Anywayz here's my question: Me and a friend are going to try to set up a linux o/s (most likely Red Hat or some sort, I am trying to get him an easy to use version since he is somewhat of a newbie when it comes to unix) on his computer. Also he wants to get some sort of a Linux server that can provide a shell account to me and a few of our friends. Now my question is what do you suggest we use to do this (software etc.) and if you happen to have some URLs of information sites regarding this and some how-to's it would be greatly appreciated.
In closing I would like to thank anyone who is bothering reading this e-mail, and congratulate HHD on what a great job they are doing for us all.
Thank you for any information you can provide me with.
[Ed- Provided you can get your computer on the internet, you pretty much have all of the tools you need to offer shell accounts in a plain install. Just give your friends their own usernames and the IP address every time you dial up (assuming you're dialing up). They can telnet to your box and have access to your system. Hardly complex :)]
-----------------------------------------------------------------------
Arnout Engelen <arnout.engelen@beer.com> wrote:
Hi,
I recently got myself Debian Linux, and because I learned Perl and some socket programming, I decided to try to customize the finger daemon on my box. I wrote the daemon (and client) mainly based on the scripts in the HHD/Win - Perl Corner. Now they work fine on, say, port 31337, but I can't get the daemon to listen at port 79. I commented out the original finger daemon in /etc/inetd.conf, and when I portscan localhost, port 79 seems to be free (i.e. not open). But when I try to run the finger daemon on port 79, it'll tell me 'Socket Error: Bad file Descriptor'. Again, it works fine listening at port 31337... any thoughts?
Lyca0n
lyca0n@iname.com
[Ed- What's happening here is you're trying to bind to one of the reserved ports (1-1023). A program must run as root to listen on one of these ports. So you'll need to setuid it to 0. Make damn sure, however, that there are no holes in your implementation, or you may find someone breaking in that way. I encourage you to post it up somewhere where others can pick at it and check to make sure it's tight. Then send us the URL :)]
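The editor's caveat about holes in a daemon that runs as root has a standard mitigation, shown here as an added example that is not the questioner's Perl code and not from the digest: do the one thing that needs root (binding the reserved port) first, then drop to an unprivileged account before reading a single byte from a client, so a bug in the request handler runs with that account's rights rather than root's. The account name "nobody" and the bind address are assumptions for the demo; the finger protocol handling itself is not shown.

```python
import os
import pwd
import socket

PRIVILEGED_MAX = 1023  # ports 1..1023 may only be bound by root


def is_privileged_port(port):
    return 1 <= port <= PRIVILEGED_MAX


def bind_listener(port, host="0.0.0.0", backlog=5):
    """Create the listening socket.

    For a privileged port this has to run as root. As an ordinary user the
    bind() raises PermissionError (EACCES); checking every socket call's result
    is what turns a confusing later failure into a clear message here.
    """
    if is_privileged_port(port) and os.geteuid() != 0:
        raise PermissionError("port %d is reserved; binding it requires root" % port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def drop_privileges(username="nobody"):
    """Become `username` permanently.

    Returns True if privileges were dropped, False if the process was not root
    to begin with (nothing to drop). Order matters: supplementary groups, then
    gid, then uid; dropping the uid first would leave the others unchangeable.
    Finally confirm the drop cannot be undone.
    """
    if os.geteuid() != 0:
        return False
    entry = pwd.getpwnam(username)  # assumed to exist on the host
    os.setgroups([])
    os.setgid(entry.pw_gid)
    os.setuid(entry.pw_uid)
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not take effect")


def start_daemon(port=79, run_as="nobody", host="0.0.0.0"):
    """Bind while privileged, then shed root before any client is accepted.

    Returns (listening_socket, privileges_were_dropped).
    """
    sock = bind_listener(port, host=host)
    dropped = drop_privileges(run_as)
    return sock, dropped


if __name__ == "__main__":
    # Stand-alone run: an ephemeral port so it works without root.
    sock, dropped = start_daemon(port=0, host="127.0.0.1")
    print("listening on port", sock.getsockname()[1], "dropped root:", dropped)
    sock.close()
```

Everything after start_daemon() returns (accept, read the requested username, look it up, reply) runs as the unprivileged account, which is the part reviewers should pick at. If the daemon must later write files or logs, create them before the drop or make them writable by that account; it cannot regain root to do so.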
-----------------------------------------------------------------------
Ryan Rhea <ryan_rhea@hotmail.com> wrote:
I read some of your digests on the web, I realized I needed some extra security for my linux box. I have scanned my own machine and I realized that several were open by default. After looking at the RFC for port numbers and /etc/services I can see that I need to turn most of the ports off. I looked at tcpd for logging port access, but I can't figure out how to turn off certain ports. Also, I have several ports that don't match /etc/services or the RFC, is there any other way to determine what daemon an open port is running?
Any help is appreciated!
Sincerely,
Ryan T. Rhea
ryan_rhea@hotmail.com
[Ed- Turning off ports is as easy (in most cases) as commenting out the appropriate line in inetd.conf and kill -HUP <inetd's process id> - Anything that's not in inetd.conf must be investigated by you. I don't know what's running on your system, much less how to turn it off. Check the rc files that get called at startup, and possibly comment out some lines in there. Also try telnetting (or netcatting) to the ports and see what they yield. Further suggestions for Ryan are welcome.]
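The sorting the editor describes for Ryan, as an added example that is not part of the digest: given the contents of inetd.conf and /etc/services, classify each open port as an inetd-managed service (turned off by commenting the line and sending inetd a HUP), a known service started from somewhere else (trace it through the rc scripts), or an unknown port (connect to it and see what it says, then trace the process). The configuration text and the open-port list are constructed for the demo.

```python
# Constructed inetd.conf: ftp and telnet are live, finger is commented out.
INETD_CONF = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Constructed excerpt of /etc/services.
SERVICES = """\
ftp     21/tcp
telnet  23/tcp
finger  79/tcp
sunrpc  111/tcp
sunrpc  111/udp
"""

# Constructed result of scanning the local host.
OPEN_PORTS = [21, 23, 79, 111, 31337]


def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


def parse_inetd(text):
    """Map enabled service name -> (user, server program and args).

    A line starting with '#' is a disabled service, exactly what commenting
    it out achieves.
    """
    enabled = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        name, _socktype, _proto, _wait, user = fields[:5]
        enabled[name] = (user, " ".join(fields[5:]))
    return enabled


def audit_ports(open_ports, inetd_text, services_text, proto="tcp"):
    """For each open port return (port, service name or None, inetd entry or None, advice)."""
    services = parse_services(services_text)
    inetd = parse_inetd(inetd_text)
    report = []
    for port in open_ports:
        name = services.get((port, proto))
        entry = inetd.get(name) if name else None
        if entry:
            advice = "inetd: comment out the %s line and kill -HUP inetd to turn it off" % name
        elif name:
            advice = "not in inetd.conf: find what starts %s in the rc scripts" % name
        else:
            advice = "unknown service: connect to it for a banner, then trace the process"
        report.append((port, name, entry, advice))
    return report


if __name__ == "__main__":
    for port, name, entry, advice in audit_ports(OPEN_PORTS, INETD_CONF, SERVICES):
        print("%5d %-8s %s" % (port, name or "?", advice))
```

In the constructed data, port 79 is open even though its inetd line is commented out, which is the editor's "anything not in inetd.conf" case: something else is listening there and has to be found in the rc scripts.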
***********************************************************************
*** Reader Submissions
***********************************************************************
Anonymous wrote:
> 2) To my knowledge, the stock partition managers in most Linux distros do not support FAT32.
Most stock partition managers now do support FAT32. Even fips, a DOS program (now fips20), supports FAT32. *fips is a good free repartitioner instead of having to buy Partition Magic. You can d/l fips from
http://www.igd.fhg.de/~aschaefe/fips/
and from my last memory of doing a CD install it should also be on most CDs. Warning: be very careful when playing with fips or any repartitioning tools; one mess up and bye-bye partitions.
> You need a third-party utility to modify these.
A distribution is almost entirely third party to begin with. Linux is only the kernel. Then other people port programs over to work with the kernel. Then linux distributors take the kernel and the programs, call them packages and bundle it all together. Granted some distros do some development work but the majority of the packages are not developed by them.
[Ed- I stand corrected on the partitioner issue. And I was using the term 'third party' to indicate software that's not included on the stock distributions. You are, however, correct.]
-----------------------------------------------------------------------
RavenBlack <raven@ravenblack.net> wrote:
From a recent issue (perhaps the most recent)....
> u_long get_sp(void)
> {
>     return ( (u_long)_asm_(mov %sp,%i0) );
> }
> All I've done is add the return command and cast the return from the line
>     _asm_(mov %sp,%i0)
> as a long int. (ie (u_long))
Unfortunately, as well as possibly making it work, that has other effects. Some C compilers won't let you put other things on the same line with _asm_ because they don't consider _asm_ a function. The other potential flaw is merely a tiny insignificant one of performance - 'return' usually copies the value to be returned into the output register (or equivalent return-value location, dependent upon the system in question). In this case, the value is already there, so you could end up with a wasted 'mov'. Which probably wouldn't bother you a bit.
--RavenBlack
-----------------------------------------------------------------------
Jonas <G.Paterson@scm.brad.ac.uk> wrote:
> Alex Harrington <fastkeys@btinternet.com> wrote:
>
> > Marc Childress <marc.childress@lownotes.org> wrote:
> >
> > unixed.,
> >
> > As I understand it, RedHat's default installation is rather "insecure".
> [SNIP]
>
> Redhat put on all the latest libs 'n' apps before they have had long enough to iron out any bugs. If you need a secure distro, use Slackware. It uses older libs and versions of apps which have very few bugs. The only thing we do on the webservers at work is to edit /etc/securetty to ban root telnets. Other than that, it seems to be pretty secure out of the box.
As a user of RedHat for some time, I have been aware that it isn't as secure as some distros "out of the box", but I've always done my best to keep up with bugs and applying the fixes. However, I've been wondering (after a discussion with some friends) about just how secure RedHat is. Is it drastically insecure or is it just a case of RedHat going for the latest version of everything and the end-user being left to apply fixes?
[Ed- I don't think it's so insecure you really have to ditch it in favor of something else. I don't know redhat all that well, so don't take my word as gospel. (As you all know, I'm a Debian guy) The security flaws seem to be pretty well distributed among the various Linux flavors.]
> Jeff <mgardinr@execulink.com> wrote:
<SNIP>
> The second thing I wanted to do is share for your readership a neat little xwindows trick. If you want your local machine to display a window from a remote computer do this:
>
> in a shell on your local computer (with xwindows running) type
>
> xhost +
> Be warned (this reduces the security of your computer)
>
> [Ed- So do this only if you know what you're doing.]
>
> in a shell on the remote computer (with xwindows running) type
>
> setenv DISPLAY my.computer.com:0.0 (for csh or tsh)
> export DISPLAY=my.computer.com:0.0 (for bash?!)
> Then when you execute a command on the remote machine the window pops up on your local display. I may not have the bash command just right but in principle you must set the DISPLAY var to have either the name of your local machine:0.0 or the ip_address of your local machine:0.0. The xhost + line reduces the security of your computer by making your computer accept signals from remote sources.
>
> It's cool, try it.
>
> [Ed- Again, try it if you know what you're doing...or are willing to open a security hole.]
This feature of xwindows to display information from other servers is a useful, if insecure feature. However, there is no need to make it as insecure as Jeff did in his example. xhost can be used to allow access to only one host by invoking it in the form xhost +other.host This way, only connections from other.host will be accepted, and not the entire world as Jeff had it.
[Ed- Thanks for clarifying that!]
-----------------------------------------------------------------------
Roger Maalouf <maalouf@intracom.net.lb> wrote:
Hello,
As I was reading some stuff lately I found these two interesting acronyms:
DIG: Domain Internet Groper
PING: Packet INternet Groper
Nothing much but I'm sure lots of you didn't know that, or that I'm just plain stup!d. I always thought that PING was used to reflect the bouncing that it does; say like ping-pong! Also DIG; I thought it to represent the digging deep for information!
Well, like they say: nothing is what it seems to be.
Regards,
Roger :)
[Ed- Not really security related, but I thought I'd explain it anyway. I'm pretty sure that this is a case of utilities being named first and turned into acronyms later. Some bands have done this too. Bonus points to the person who can name 3 bands that had acronyms applied to their names. KMFDM doesn't count.]
-----------------------------------------------------------------------
Jacob Ratkiewicz <jratkie1@iusb.edu> wrote:
Regarding <makris@online.no>'s question on the password file format, I quote Sam's "Unix Unleashed" (Robin Burk, et al) pg 955:
"The 'pswd' field contains either the 13 character encrypted password; null, indicating that no password is needed for login; or a string containing a character not from the following set - {./0-9a-zA-Z}. If the 'pswd' field contains a character not from the encryption set, the username cannot be logged into. Normally, system administrators would use '*' or '*LK*' for the entry."
But they could also use '!!'. Therefore, the presence of '!!' in the pswd field of the /etc/passwd file most probably means that the account has been disabled.
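The rule Jacob quotes, applied as a check over a password file, as an added example that is not from the digest or the quoted book: each second field is classified as a 13-character crypt hash, an empty field (login with no password, the finding an audit most wants to surface), the shadow placeholder 'x', or a lock marker such as '*', '*LK*' or '!!'. The sample lines are constructed; the handling of '$'-prefixed hashes goes beyond the 1999 text, since those contain a character outside the quoted set yet are valid passwords on newer systems.

```python
import string

# The characters a traditional 13-character crypt(3) hash is drawn from: {./0-9a-zA-Z}.
CRYPT_ALPHABET = set("./" + string.digits + string.ascii_letters)

# Constructed /etc/passwd lines, not from a real host. The MD5-crypt hash for
# "dave" is a made-up string in the right shape, not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:abJnggxhB/yWI:1000:1000:Alice:/home/alice:/bin/bash
bob:!!:1001:1001:Bob:/home/bob:/bin/bash
carol:*LK*:1002:1002:Carol:/home/carol:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
dave:$1$saltsalt$0123456789abcdefghijkl:1004:1004:Dave:/home/dave:/bin/sh
broken:abc:1005:1005
"""


def classify_pswd(field):
    """Apply the quoted rule to one password field."""
    if field == "":
        return "NO PASSWORD"          # login succeeds with no password: audit finding
    if field == "x":
        return "shadowed"             # placeholder; the real hash lives in /etc/shadow
    if field.startswith("$"):
        return "modular crypt hash"   # $1$ (MD5), $6$ (SHA-512), ...: newer than the quoted text
    if set(field) <= CRYPT_ALPHABET:
        if len(field) == 13:
            return "DES crypt hash"
        return "odd-length hash"      # right alphabet, wrong length: worth a look
    return "locked"                   # a char outside the alphabet: '*', '*LK*', '!!', ...


def audit_passwd(text):
    """Return [(username, classification)] for every non-comment line."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            results.append((fields[0], "malformed entry"))
            continue
        results.append((fields[0], classify_pswd(fields[1])))
    return results


def accounts_without_password(text):
    """The names an administrator should act on first."""
    return [user for user, kind in audit_passwd(text) if kind == "NO PASSWORD"]


if __name__ == "__main__":
    for user, kind in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (user, kind))
```

On a shadowed system the same classifier is meant for the second field of /etc/shadow, where the hash actually sits; on /etc/passwd it will report every account as "shadowed", which is itself the confirmation that shadowing is in use.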
***********************************************************************
*** Future Issues
***********************************************************************
Onion Routing
How Private is It?
How Far is Too Far?
***********************************************************************
_______________________________________________________________________
This is a list devoted to *legal* hacking! If you plan to use any information in this Digest or at our Web site to commit crime, go away! Foo on you! Don't email us bragging about any crimes you may have committed. We mean it.
For Unix questions, contact unixeditor@cmeinel.com.
Happy Hacker staff: Unix editor, <unixeditor@cmeinel.com>;
Windows editor, <editor@cmeinel.com>;
Hacker Wargame Director, Vincent Larsen <vincent@sage-inc.com>;
Clown Princess: Carolyn Meinel <>
Happy Hacker is a 501 (c) (3) tax deductible organization
in the United States operating under Shepherd's Fold Ministries.