BO DLL FTP99CMP
Psyber Streaming Server Shivka-Burka Spy-Sender Shockrave
BackDoor 2.00 - 2.03 TransScout TransScout Trojan Cow 1.0
TransScout Transmission Scout v1.1 - 1.2 Der Spaeher 3 Der Spaeher v3.0
TransScout
TransScout
TransScout
TransScout
Ripper
Netscape/Corba exploit Bugs
Deep Throat v1.3 serve Deep Throat 1.3 KeyLogger
The Invasor, Deep Throat v2.0
Illusion Mailer
HVL Rat 5.30
port 2400: PortD
port 2565 (TCP): Striker
port 2567 (TCP): Lamer Killer
port 2568 (TCP): Lamer Killer
port 2569 (TCP): Lamer Killer
port 2583 (TCP): WinCrash2
port 2600: Digital RootBeer
port 2801 (TCP): Phineas Phucker
port 2989 (UDP): RAT
port 3024 (UDP): WinCrash 1.03
port 3128: RingZero
port 3129: Masters Paradise 9.x
port 3150 (UDP): Deep Throat, The Invasor
port 3459: Eclipse 2000
port 3700 (UDP): Portal of Doom
port 3791 (TCP): Total Eclypse
port 3801 (UDP): Eclypse 1.0
port 4092 (UDP): WinCrash-alt
port 4321: BoBo 1.0 - 2.0
port 4567 (TCP): File Nail
port 4590 (TCP): ICQ-Trojan
port 5000 (UDP): Bubbel, Back Door Setup, Sockets de Troie/socket23
port 5001 (UDP): Back Door Setup, Sockets de Troie/socket23
port 5011 (TCP): One of the Last Trojans (OOTLT)
port 5031 (TCP): Net Metropolitan
port 5321 (UDP): Firehotker
port 5400 (UDP): Blade Runner, Back Construction
port 5401 (UDP): Blade Runner, Back Construction
port 5402 (UDP): Blade Runner, Back Construction
port 5521 (TCP): Illusion Mailer
port 5550 (TCP): Xtcp 2.0 - 2.1
port 5550 (TCP): X-TCP Trojan
port 5555 (TCP): ServeMe
port 5556 (TCP): BO Facil
port 5557 (TCP): BO Facil
port 5569 (TCP): Robo-Hack
port 5571 (TCP): Lamer variation
port 5742 (UDP): WinCrash
port 6400 (TCP): The Thing
port 6669 (TCP): Vampire 1.0 - 1.2
port 6670 (TCP): DeepThroat
port 6683 (UDP): DeltaSource v0.5 - 0.7
port 6771 (TCP): DeepThroat
port 6776 (TCP): BackDoor-G, SubSeven
port 6838 (UDP): Mstream (Attacker to handler)
port 6912: Shit Heep
port 6939 (TCP): Indoctrination 0.1 - 0.11
port 6969: GateCrasher, Priority, IRC 3
port 6970: GateCrasher 1.0 - 1.2
port 7000 (UDP): Remote Grab, Kazimas
port 7300 (UDP): NetMonitor
port 7301 (UDP): NetMonitor
port 7302 (UDP): NetMonitor
port 7303 (UDP): NetMonitor
port 7304 (UDP): NetMonitor
port 7305 (UDP): NetMonitor
port 7306 (UDP): NetMonitor
port 7307 (UDP): NetMonitor
port 7308 (UDP): NetMonitor
port 7789 (UDP): Back Door Setup, ICKiller
port 8080: RingZero
port 8989: Recon, recon2, xcon
port 9090: Tst2, telnet server
port 9400: InCommand 1.0 - 1.4
port 9872 (TCP): Portal of Doom
port 9873: Portal of Doom
port 9874: Portal of Doom
port 9875: Portal of Doom
port 9876: Cyber Attacker
port 9878: TransScout
port 9989 (TCP): iNi-Killer 2.0 - 3.0
port 9999 (TCP): theprayer1
port 10067 (UDP): Portal of Doom
port 10101: BrainSpy Vbeta
port 10167 (UDP): Portal of Doom
port 10520: Acid Shivers + LMacid
port 10607 (TCP): Coma 1.09
port 10666 (TCP): Ambush
port 11000 (TCP): Senna Spy
port 11223 (TCP): Progenic trojan 1.0 - 1.3
port 12076 (TCP): Gjammer
port 12223 (UDP): Hack 99 KeyLogger
port 12223 (TCP): Hack 99
port 12345 (UDP): GabanBus, NetBus, Pie Bill Gates, X-bill
GabanBus, NetBus, X-bill
Whack-a-mole
Whack-a-mole
WhackJob
Senna Spy Lamer
stacheldraht
Priority (Beta)
Kuang2 The Virus
Millennium 1.0 - 2.0
Millennium
NetBus 2 Pro Logged, chupacabra
GirlFriend 1.3x (Including Patch 1 and 2) Prosiak
Evil FTP, Ugly FTP, Whack Job
Donald Dick 1.52 - 1.55
Donald Dick
Delta Source
trinoo
trinoo
The Unexplained
AOL Trojan
NetSphere 1.0 - 1.31337
NetSphere
NetSphere
NetSphere final
Sockets de Troi = socket23
Kuang2
port 31335 (UDP) port 31336 port 31337 (TCP) port 31337 (UDP) port 31338 (UDP) port 31339 (TCP) port 31339 (UDP) port 31554 (TCP) port 31666 (UDP) port 31785 (TCP) port 31787 (TCP) port 31788 (TCP) port 31789 (UDP)
port 31791 (UDP)
port 31792 (UDP)
port 32418
port 33333 port 33577
port 33777 port 33911 (TCP) port 34324 (TCP) port 40412 (TCP) port 40421 (UDP) port
trinoo
Bo Whack
Baron Night, BO client, BO2, Bo Facil
BackFire, Back Orifice, DeepBO Back Orifice, DeepBO Netspy
NetSpy DK
Schwindler is from portugal
BOWhack
Hack 'a' Tack 1.0 - 2000
Hack 'a' Tack
Hack 'a' Tack
Hack 'a' Tack
Hack 'a' Tack
Hack 'a' Tack
Acid Battery v1.0
Blakharaz, Prosiak
PsychWard
PsychWard
Spirit 2001a
BigGluck, TN
The Spy
Agent 40421, Masters Paradise Masters Paradise Masters Paradise Masters Paradise Delta Source
Sockets de Troie = socket23
port 50766 (UDP): Schwindler 1.82
port 53001 (TCP): Remote Windows Shutdown
port 54320: Back Orifice 2000
port 54321 (TCP): School Bus
port 54321 (UDP): Back Orifice 2000
port 54329 (TCP): lamer
port 57341 (TCP): netraider 0.0
port 58339: ButtFunnel
port 60000: Deep Throat
port 60068: Xzip 6000068
port 61348 (TCP): Bunker-Hill Trojan
port 61466 (TCP): Telecommando
port 61603 (TCP): Bunker-Hill Trojan
port 63485 (TCP): Bunker-Hill Trojan
port 65000 (UDP): Devil v1.3
port 65000 (TCP): Devil
stacheldraht
lamer variation
port 65432: The Traitor
port 65432 (UDP): The Traitor
port 65535: RC, ICE
Another problem with remote-access or password-stealing Trojans is that there are ever-emerging groundbreaking mutations—7 written in 1997, 81 the following year, 178 in 1999, and double that amount in 2000 and 2001. No software antiviral or antiTrojan programs exist today to detect the many unknown Trojan horses. The programs claiming to be able to defend your system typically are able to find only a fraction of all the Trojans out there. More alarming is that the Trojan source code floating around the Internet can be easily modified to form an even greater number of mutations.
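The port table above is only useful to a defender if it is turned into a check. The following is an added example (not code from the book): it reads netstat-style output, matches each socket against a small subset of the table, honours the protocol where the table states one, and downgrades hits on ports that also carry everyday services (3128 and 8080 are common HTTP proxy ports) to "review" instead of "alert". The netstat lines are constructed sample input.

```python
"""Check netstat-style output against a watchlist of known Trojan ports.

Added example, not code from the book. The watchlist is a small subset of
the port table above; the netstat lines are constructed sample input.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line port proto direction trojan severity")

# (port, protocol) -> Trojan name(s) from the table. Where the table gives no
# protocol, "any" is used so that both TCP and UDP sockets match.
TROJAN_PORTS = {
    (2565, "tcp"): "Striker",
    (3128, "any"): "RingZero",
    (6670, "tcp"): "DeepThroat",
    (6776, "tcp"): "BackDoor-G, SubSeven",
    (8080, "any"): "RingZero",
    (9989, "tcp"): "iNi-Killer 2.0 - 3.0",
    (12345, "udp"): "GabanBus, NetBus, Pie Bill Gates, X-bill",
    (54320, "any"): "Back Orifice 2000",
    (54321, "tcp"): "School Bus",
    (54321, "udp"): "Back Orifice 2000",
    (65000, "tcp"): "Devil",
    (65000, "udp"): "Devil v1.3",
}

# Ports that also carry everyday services (HTTP proxies on 3128 and 8080):
# a hit there needs a human look, not an automatic alert.
SHARED_PORTS = {3128, 8080}

# Matches lines such as "TCP  0.0.0.0:6776  0.0.0.0:0  LISTENING" and
# "UDP  0.0.0.0:54321  *:*" (Windows "netstat -an" layout, header excluded).
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>\S+))?\s*$",
    re.IGNORECASE,
)


def lookup(port, proto):
    """Return the Trojan name(s) for a port/protocol pair, or None."""
    return TROJAN_PORTS.get((port, proto)) or TROJAN_PORTS.get((port, "any"))


def scan_netstat(lines):
    """Return one Finding per socket that touches a watchlisted port."""
    findings = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header or unparsable line
        proto = m.group("proto").lower()
        state = (m.group("state") or "").upper()
        lport = int(m.group("lport"))
        # Local side: a bound UDP socket or a TCP listener is a backdoor
        # waiting for its client; an ESTABLISHED local port means the client
        # is already connected. Other states (e.g. TIME_WAIT on an ephemeral
        # port that collides with the list) are ignored to limit noise.
        listening = proto == "udp" or state in ("LISTENING", "LISTEN")
        trojan = lookup(lport, proto)
        if trojan and (listening or state == "ESTABLISHED"):
            severity = "review" if lport in SHARED_PORTS else "alert"
            findings.append(Finding(line.strip(), lport, proto,
                                    "listener" if listening else "local",
                                    trojan, severity))
        # Remote side: an established connection to a watchlisted port on
        # another host (this machine may be the controlling client).
        if state == "ESTABLISHED" and m.group("fport") != "*":
            fport = int(m.group("fport"))
            trojan = lookup(fport, proto)
            if trojan:
                severity = "review" if fport in SHARED_PORTS else "alert"
                findings.append(Finding(line.strip(), fport, proto,
                                        "remote", trojan, severity))
    return findings


# Constructed sample in Windows "netstat -an" layout.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6776           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:6776      10.0.0.5:3321          ESTABLISHED
  TCP    192.168.1.10:1044      192.168.1.20:65000     ESTABLISHED
  TCP    192.168.1.10:54321     10.0.0.5:80            TIME_WAIT
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:54321          *:*
""".splitlines()

if __name__ == "__main__":
    for f in scan_netstat(SAMPLE_NETSTAT):
        print(f"[{f.severity}] {f.direction} {f.proto}/{f.port} -> {f.trojan}: {f.line}")
```

On the sample the check raises alerts for the SubSeven listener, its established client connection, the outbound connection to a Devil port and the Back Orifice 2000 UDP socket, while the 8080 listener is only marked for review and the TIME_WAIT socket on 54321 is ignored. A port match alone is never proof; the next step is to identify the process owning the socket.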
Viral Infection
In this context, a virus is a computer program that makes copies of itself by using a host program. This means the virus requires a host program; thus, along with executable files, the code that controls your hard disk can, and in many cases will, be infected. When a virus copies its code into one or more host programs, the viral code executes, then replicates.
Typically, the computer viruses that hackers spread carry a payload, that is, the damage that will result after a specified period of time. The damage can range from file corruption to data loss or even hard disk obliteration. Viruses are most often distributed through email attachments, pirate software distribution, and infected floppy disk dissemination.
The damage to your system caused by a virus depends on what kind of virus it is. Popular renditions include active code that can trigger an event upon opening an email (such as in the infamous I Love You and Donald Duck "bugs"). Traditionally, there are three distinct stages in the life of a virus: activation, replication, and manipulation:
Activation. The point at which the computer initially "catches" the virus, commonly from a trusted source.
Replication. The stage during which the virus infects as many sources as it can reach.
Manipulation. The point at which the payload of the virus begins to take effect, such as a certain date (e.g., Friday 13 or January 1), or an event (e.g., the third reboot, or scheduled disk maintenance procedure).
A virus is classified according to its specific form of malicious operation: Partition Sector Virus, Boot Sector Virus, File Infecting Virus, Polymorphic Virus, Multi-Partite Virus, Trojan Horse Virus, Worm Virus, or Macro Virus. Appendix F contains a listing of the most common viruses from the more than 69,000 known today. These names can be compared to the ASCII found in data fields of sniffer captures for virus signature assessments.
[Figure 8.19: The Nuke Randomic Life Generator screenshot]
One of the main problems with antivirus programs is that they are generally reactive in nature. Hackers use various "creation kits" (e.g., The Nuke Randomic Life Generator and Virus Creation Lab) to design their own unique metamorphosis of viruses with concomitantly unique traces. Consequently, virus protection software has to be constantly updated and revised to accommodate the necessary tracing mechanisms for these fresh infectors.
The Nuke Randomic Life Generator (shown in Figure 8.19) offers a unique generation of virus tools. This program formulates a resident virus to be vested in random routines, the idea being to create different mutations.
Using the Virus Creation Lab (Figure 8.20), which is menu-driven, hackers create and compile their own custom virus transmutations, complete with most of the destruction options, which enable them to harm files, consume disk space, and congest systems. This software is reportedly responsible for over 60 percent of the plethora of virus variations found today.
[Figure 8.20: Virus Creation Lab screenshot ("Enter Virus Name:" prompt)]
Hacker's Note: These construction kits are available on the CD bundled with this book.
Wardialing
Port scanning for exploitable security holes—the idea being to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular purpose—is not new. Analogous to this activity is phone system code scanning, called wardialing: hackers use wardialing to scan phone numbers, keeping track of those that answer with a carrier.
Excellent programs such as Toneloc, THCScan and PhoneSweep were developed to facilitate the probing of entire exchanges and more. The basic idea is simple: if you dial a number and your modem gives you a potential CONNECT status, it is recorded; otherwise, the computer hangs up and dials the next one, endlessly. This method is classically used to attempt a remote penetration attack on a system and/or a network.
More recently, however, many of the computers hackers want to communicate with are connected through networks such as the Internet rather than analog phone dial-ups. Scanning these machines involves the same brute-force technique, sending a blizzard of packets for various protocols, to deduce which services are listening from the responses received (or not received).
Wardialers take advantage of the explosion of inexpensive modems available for remote dial-in network access. Basically, the tool dials a list of telephone numbers, in a specified order, looking for the proverbial modem carrier tone. Once the tool exports a list of discovered modems, the attacker can dial those systems to seek security breaches. Current software, with self-programmed module plug-ins, will actually search for "unpassworded" PC remote-control software or send known vulnerability exploit scripts.
THC-Scan is one of the most feature-rich dialing tools available today, hence is in widespread use among wardialers. The software is really a successor to Toneloc, and is referred to as the Hacker's Choice (THC) scanner, developed by the infamous van Hauser (president of the hacker's choice). THC-Scan brought new and useful functionality to the wardialing arena (it automatically detects speed, data bits, parity, and stop bits of discovered modems). The tool can also determine the OS type of the discovered machine, and has the capability to recognize when a subsequent dial tone is discovered, making it possible for the attacker to make free telephone calls through the victim's PBX.
Web Page Hacking
Recently, Web page hackers have been making headlines around the globe for their "achievements," which include defacing or replacing home pages of such sites as NASA, the White House, Greenpeace, Six Flags, the U.S. Air Force, The U.S. Department of Commerce, and the Church of Christ (four of which are shown in Figure 8.21). (The renowned hacker Web site [www.2600.com/hacked_pages/] contains current and archived listings of hacked sites.)
The following article written by an anonymous hacker (submitted to www.TigerTools.net on February 6, 1999) offers an insider's look at the hacker's world.
I've been part of the "hacking scene" for around four years now, and I'm disgusted by what some so-called hackers are doing these days. Groups with names like "milw0rm" and "Dist0rt" think that hacking is about defacing Web pages and destroying Web sites. These childish little punks start stupid little "cyber wars" between their groups of crackers. They brag about their hacking skills on the pages that they crack, and all for what? For fame, of course.
Back when I was into hacking servers, I never once left my name/handle or any other evidence of who I was on the server. I rarely ever changed Web pages (I did change a site run by a person I know was committing mail fraud with the aid of his site), and I always made sure I "had root" if I were going to modify anything. I always made sure the logs were wiped clean of my presence; and when I was certain I couldn't be caught, I informed the system administrator of the security hole that I used to get in through.
I know that four years is not a very long time, but in my four years, I've seen a lot change. Yes, there are still newbies, those who want to learn, but are possibly on the wrong track; maybe they're using tools like Back Orifice—just as many used e-mail bombers when I was new to the scene. Groups like milw0rm seem to be made up of a bunch of immature kids who are having fun with the exploits they found at rootshell.com, and are making idiots of themselves to the real hacking community.
Nobody is perfect, but it seems that many of today's newbies are headed down a path to nowhere. Hacking is not about defacing a Web page, nor about making a name for yourself. Hacking is about many different things: learning about new operating systems, learning programming languages, learning as much as you can about as many things as you can. [To do that you have to] immerse yourself in a pool of technical data, get some good books; install Linux or *BSD. Learn; learn everything you can. Life is short; don't waste your time fighting petty little wars and searching for fame. As someone who's had a Web site with over a quarter-million hits, I can tell you, fame isn't all it's cracked up to be.
Go out and do what makes you happy. Don't worry about what anybody thinks. Go create something that will be useful for people; don't destroy the hard work of others. If you find a security hole in a server, notify the system administrator, and point them in the direction of how to fix the hole. It's much more rewarding to help people than it is to destroy their work.
In closing, I hope this article has helped to open the eyes of people who are defacing Web sites. I hope you think about what I've said, and take it to heart. The craze over hacking Web pages has gone on far too long. Too much work has been destroyed. How would you feel if it were your hard work that was destroyed?
The initial goal of any hacker when targeting a Web page hack is to steal passwords. If a hacker cannot successfully install a remote-control daemon to gain access to modify Web pages, he or she will typically attempt to obtain login passwords using one of the following methods:
FTP hacking
Telnet hacking
Password-stealing Trojans
Social engineering (swindling)
Breach of HTTP administration front ends
Exploitation of Web-authoring service daemons, such as MS FrontPage
Anonymous FTP login and password file search (e.g., /etc folder)
Search of popular Internet spiders for published exploitable pwd files
The following scenario of an actual successful Web page hack should help to clarify the material in this section. For the purposes of this discussion, the hack has been broken into five simple steps.
Hacker's Note: The target company in this real-world scenario signed an agreement waiver as part of the requirements for a Web site integrity security assessment.
Step 1: Conduct a Little Research
The purpose of this step is to obtain some target discovery information. The hacking analysis begins with only a company name, in this case, WebHackVictim, Inc. As described previously, this step entails locating the target company's network domain name on the Internet. Again, the domain name is the address of a device connected to the Internet or any other TCP/IP network in a system that uses words to identify servers, organizations, and types of organizations, in this form: www.companyname.com.
[Figure 8.22: Whois lookup screenshot ("Look up another domain name using WHOIS")]
As noted earlier, finding a specific network on the Internet can be like finding the proverbial needle in a haystack: it's difficult, but possible. As you know by now, Whois is an Internet service that enables a user to find information, such as a URL for a given company or a user who has an account at that domain. Figure 8.22 shows a Whois verification example.
Now that the target company has been located as a valid Internet domain, the next part of this step is to click on the domain link within the Whois search result to verify the target company. Address verification will substantiate the correct target company URL; in short, it is confirmation of success.
Step 2: Detail Discovery Information
The purpose of this step is to obtain more detailed target discovery information before beginning the attack attempt. This involves executing a simple host ICMP echo request (PING) to reveal the IP address for www.webhackvictim.com. PING can be executed from an MS-DOS window (in Microsoft Windows) or a Terminal Console Session (in UNIX). In a nutshell, the process by which the PING command reveals the IP address can be broken down into five steps:
A station executes a PING request.
The request queries your own DNS or your ISP's registered DNS for name resolution.
The URL—for example www.xyzinc.com—is foreign to your network, so the query is sent to an InterNIC DNS.
From the InterNIC DNS, the domain xyzinc.com is matched with an IP address of XYZ's own DNS or ISP DNS (207.237.2.2), using the same discovery techniques from Chapter 5 and forwarded.
XYZ Inc.'s ISP, hosting the DNS services, matches and resolves the domain www.xyzinc.com to an IP address, and forwards the packet to XYZ's Web server, ultimately returning with a response (see Figure 8.23).
The target domain IP address is revealed with an ICMP echo (PING) request in Figure 8.24.
Pinging www.webhackvictim.com [207.155.248.7] with 32 bytes of data:
Reply from 207.155.248.7: bytes=32 time=143ms TTL=247
Reply from 207.155.248.7: bytes=32 time=147ms TTL=247
Reply from 207.155.248.7: bytes=32 time=152ms TTL=247
Reply from 207.155.248.7: bytes=32 time=143ms TTL=247
Figure 8.24 ICMP echo request.
C:\>ping ftp.webhackvictim.com
Unknown host ftp.webhackvictim.com
Figure 8.25 Extended ping query.
Standard DNS entries for domains usually include name-to-IP address records for WWW (Internet Web Server), FTP (FTP Server), and so on. Extended PING queries may reveal these hosts on our target network 207.155.248.0 as shown in Figure 8.25.
Unfortunately, in this case, the target either doesn't maintain a standard DNS entry pool or the FTP service is bound by a different name-to-IP address, so we'll have to perform a standard IP port scan to unveil any potential vulnerable services. Normally, we would only scan to discover active addresses and their open ports on the entire network (remember, hackers would not spend a lot of time scanning with penetration and vulnerability testing, as that could lead to their own detection). A standard target site scan would begin with the assumption that the network is a full Class C (refer to Chapter 1). With these parameters, we would set the scanner for an address range of 207.155.248.1 through 207.155.248.254, and 24 bits in the mask, or 255.255.255.0, to accommodate our earlier DNS discovery findings:
www www.webhackvictim.com 207.155.248.7
However, at this time, we're interested in only the Web server at 207.155.248.7, so let's get right down to it and run the scan with the time-out set to 2 seconds. This should be enough time to discover open ports on this system:
207.155.248.7: 11, 15, 19, 21, 23, 25, 80
Bingo! We hit the jackpot! Note the following:
Port 11: Systat. The systat service is a UNIX server function that provides the capability to remotely list running processes. From this information, a hacker can pick and choose which attacks are most successful.
Port 15: Netstat. The netstat command allows the display of the status of active network connections, MTU size, and so on. From this information, a hacker can make a hypothesis about trust relationships to infiltrate outside the current domain.
Port 19: Chargen. The chargen service is designed to generate a stream of characters for testing purposes. Remote attackers can abuse this service by forming a loop from the system's echo service with the chargen service. The attacker does not need to be on the current subnet to cause heavy network degradation with this spoofed network session.
Port 21: FTP. An open FTP service banner can assist a hacker by listing the service daemon version. The attacker, depending on the operating system and daemon version, may be able to gain anonymous access to the system.
Port 23: Telnet. This is a daemon that provides access and administration of a remote computer over the network or Internet. To more efficiently attack the system, a hacker can use information given by the telnet service.
Port 25: SMTP. With SMTP and Port 110: POP3, an attacker can abuse mail services by sending mail bombs, spoofing mail, or simply by stealing gateway services for Internet mail transmissions.
Port 80: HTTP. The HTTP daemon indicates an active Web server service. This port is simply an open door for several service attacks, including remote command execution, file and directory listing, searches, file exploitation, file system access, script exploitation, mail service abuse, secure data exploitation, and Web page altering.
Port 110: POP3. With POP3 and Port 25: SMTP, an attacker can abuse mail services by sending mail bombs, spoofing mail, or simply stealing gateway services for Internet mail transmissions.
If this pattern seems familiar, it's because this system is most definitely a UNIX server, probably configured by a novice administrator. That said, keep in mind that current statistics claim that over 89 percent of all networks connected to the Internet are vulnerable to some type of serious penetration attack, especially those powered by UNIX.
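The Port 19 note above describes the echo/chargen loop: a single spoofed UDP datagram with source port 7 or 19 aimed at the other service makes the two daemons answer each other until the link saturates. The following is an added example (not code from the book) of the flow-level rule a defender would run against exported connection records to catch both the trigger packet and a loop already running. The records are constructed; the outside hosts use RFC 5737 documentation addresses and the inside hosts use the target address from the scan above.

```python
"""Flag UDP traffic that pairs the echo (7) and chargen (19) services.

Added example, not code from the book. The flow records below are
constructed sample input in a simple CSV export format.
"""
import csv
import io
from collections import Counter

SMALL_SERVICES = {7: "echo", 19: "chargen"}

# Constructed flow records: rows 1 and 2 are trigger packets from outside,
# row 5 is a loop already running between two inside hosts, row 6 is a
# chargen-to-chargen variant; rows 3 and 4 are ordinary traffic.
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,packets
1,udp,203.0.113.9,19,207.155.248.7,7,1
2,udp,203.0.113.9,7,207.155.248.7,19,1
3,udp,198.51.100.4,40123,207.155.248.7,53,3
4,tcp,198.51.100.4,40124,207.155.248.7,80,12
5,udp,207.155.248.7,19,207.155.248.9,7,900
6,udp,192.0.2.77,19,207.155.248.7,19,1
"""


def loop_alerts(flow_csv):
    """Return (src_ip, src_service, dst_ip, dst_service, packets) for every
    UDP flow whose two ends are both small services. A real client never
    sends from port 7 or 19, so such a source port is spoofed by construction
    or is one of our own daemons answering a loop."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue
        sp, dp = int(row["src_port"]), int(row["dst_port"])
        if sp in SMALL_SERVICES and dp in SMALL_SERVICES:
            alerts.append((row["src_ip"], SMALL_SERVICES[sp],
                           row["dst_ip"], SMALL_SERVICES[dp],
                           int(row["packets"])))
    return alerts


def running_loops(alerts, threshold=100):
    """Alerts with a large packet count are loops already in progress (the
    two services answering each other), not just a trigger packet."""
    return [a for a in alerts if a[4] >= threshold]


def victims(alerts):
    """Count how many loop-related flows each destination host received."""
    return Counter(a[2] for a in alerts)


if __name__ == "__main__":
    alerts = loop_alerts(SAMPLE_FLOWS)
    for src, ssvc, dst, dsvc, pkts in alerts:
        print(f"{src}:{ssvc} -> {dst}:{dsvc} ({pkts} packets)")
    print("running loops:", running_loops(alerts))
    print("victims:", dict(victims(alerts)))
```

The rule is cheap because it needs no payload inspection, only the port pair. The fix is cheaper still: comment the echo and chargen lines out of /etc/inetd.conf on the server and drop UDP ports 7 and 19 at the border, after which the rule only fires on the trigger packets and shows who is sending them.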
Step 3: Launch the Initial Attack
The objective of this step is to attempt anonymous login and seek any potential security breaches. Let's start with the service that appears to be gaping right at us: the FTP daemon. One of the easiest ways of getting superuser access on UNIX Web servers is through anonymous FTP access. We'll also spoof our address to help cover our tracks.
This is an example of a regular encrypted password file similar to the one we found; the superuser (root) entry is the one that grants root, or admin, access, and is the main target in the file:
root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp
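Steps 3 and 4 work because the password file is readable through the anonymous FTP tree and, if it still carries hashes, can be cracked offline. The following is an added example (not code from the book) of the audit a defender would run over an /etc/passwd-style file before an assessment does it for them: it flags extra UID 0 accounts, hashes that are not shadowed, empty password fields, an anonymous FTP account with a usable shell, and home directories placed inside the anonymous FTP tree (as the ftpadmin entry above is). The sample file reuses the three entries above, with the ftpadmin line completed with a shell field so that it parses, plus constructed entries; the hash value is constructed.

```python
"""Audit an /etc/passwd-style file for the conditions that made the password
file in Step 3 worth stealing.

Added example, not code from the book. The sample file reuses the book's
three entries (ftpadmin completed with a shell field) plus constructed ones.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "name passwd uid gid gecos home shell")

# Password-field values that mean "no hash here": shadowed ("x") or locked.
NO_HASH = {"x", "*", "!", "!!"}
# Shell values that cannot be used for an interactive login. An empty shell
# field is NOT in this set: classic UNIX treats it as the default /bin/sh.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Split passwd text into Entry objects; report malformed lines."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((n, f"malformed entry ({len(fields)} fields)"))
            continue
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(Entry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries, problems


def _under(path, root):
    """True if path is root itself or lies below it (no prefix false positives)."""
    path, root = path.rstrip("/") or "/", root.rstrip("/")
    return path == root or path.startswith(root + "/")


def audit(entries, anon_ftp_root="/u1/ftp"):
    """Return (account, problem) pairs worth fixing."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account other than root"))
        if e.passwd == "":
            findings.append((e.name, "empty password field: no password required"))
        elif e.passwd not in NO_HASH:
            findings.append((e.name, "hash stored in passwd, not shadow: crackable offline once the file is read"))
        if e.name == "ftp" and e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, "anonymous FTP account has a usable login shell"))
        if e.name != "ftp" and _under(e.home, anon_ftp_root):
            findings.append((e.name, "home directory inside the anonymous FTP tree"))
    return findings


# Constructed sample: the book's entries first, then added ones.
SAMPLE_PASSWD = """\
root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp:
toor:x:0:0:backup root:/root:/bin/sh
web:Ab9Z5kq2fL1sE:501:100:Web content:/var/www:/bin/sh
guest::502:100:Guest:/home/guest:/bin/sh
broken:x:503:100:missing shell field:/home/broken
"""

if __name__ == "__main__":
    entries, problems = parse_passwd(SAMPLE_PASSWD)
    for n, p in problems:
        print(f"line {n}: {p}")
    for name, problem in audit(entries):
        print(f"{name}: {problem}")
```

The parser is strict about the seven-field layout on purpose: a line with the wrong field count is reported rather than silently skipped, because a malformed entry is exactly the kind of thing a novice-built server carries. The anonymous FTP root is a parameter because it differs per system; /u1/ftp is the value shown in the file above.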
Step 4: Widen the Crack
The first part of this step necessitates downloading or copying the password file using techniques detailed in previous sections. Then we'll locate a password cracker and dictionary maker, and begin cracking the target file. In this case, recommended crackers include Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper.
Step 5: Perform the Web Hack
After we log in via FTP with admin rights and locate the target Web page file (in this case, index.html), we'll download the file, make our changes with any standard Web-authoring tool, and upload the new hacked version (see Figure 8.26).
To conclude this section as it began, from the hacker's point of view, the following is a Web hack prediction from Underground hacker team H4G1S members, after hacking NASA.
THE COMMERCIALIZATION OF THE INTERNET STOPS HERE
Gr33t1ngs fr0m th3 m3mb3rs 0f H4G1S
Our mission is to continue where our colleagues the ILF left off. During the next month, we the members of H4G1S will be launching an attack on corporate America. All who profit from the misuse of the Internet will fall victim to our upcoming reign of digital terrorism. Our privileged and highly skilled members will stop at nothing until our presence is felt nationwide. Even your most sophisticated firewalls are useless. We will demonstrate this in the upcoming weeks.
You can blame us
Make every attempt to detain us
You can make laws for us to break
And "secure" your data for us to take
A hacker, not by trade, but by BIRTHRIGHT.
Some are born White, Some are born Black
But the chaos chooses no color
The chaos that encompasses our lives, all of our lives
Driving us to HACK
Deep inside, past the media, past the government, past ALL THE BULLSHIT: WE ARE ALL HACKERS
Once it has you it never lets go.
The conspiracy that saps our freedom, our humanity, our stability and security
The self-propagating fruitless cycle that can only end by force
If we must end this ourselves, we will stop at nothing
Figure 8.26 Original versus hacked Web page.
Take a step back and look around
How much longer must my brothers suffer, for crimes subjectively declared ILLEGAL.
All these fucking inbreds in office
Stealing money from the country
Writing bills to reduce your rights
As the country just overlooks it
PEOPLE OF AMERICA: IT'S TIME TO FIGHT.
And FIGHT we WILL
In the streets and from our homes
In cyberspace and through the phones
They are winning, by crushing our will
Through this farce we call the media
Through this farce we call capitalism
Through this farce we call the JUSTICE SYSTEM
Tell Bernie S (http://www.2600.com/law/bernie.html) and Kevin Mitnick (http://www.kevinmitnick.com/) about Justice
This is one strike, in what will soon become *MANY*
For those of you at home, now, reading this, we ask you
Please, not for Hagis, Not for your country, but for YOURSELF