
[posted by Joshua on behalf of M.Manciu] need Linux help


John O Comeau

Oct 4, 1997, 3:00:00 AM

This is PROBABLY the way someone did it:
telnet aix.zam.kfa-juelich.de 25 (M. Manciu's IP, the SMPT port)
MAIL FROM:<bogusUser>
RCPT TO:<asi639>
DATA
Hey dude! I hacked into your system! - Bogus User
.

The SMPT protocol is totally trusting and believes everything it is told.
Don't worry about it. Send the guy an email back the same way.

Obhack: wrote a forth-like compiler in 400 lines source, 1K compiled.
Stateless, brainless, very hackish but it works... when I actually do
something USEFUL with it I'll share it with the world... - JC

M.Manciu (asi...@aix.zam.kfa-juelich.de) wrote:
: Here's a post on someone else's behalf:
: --------------------------------
: I am very glad that finally I can read some articles in this NG. I would
: like to ask for some help. I have a Slackware version of Linux on my computer
: which is connected to the internet. It seems that somebody from outside knows
: at least one account on my machine (without knowing its password). From
: time to time I am receiving e-mail from nonexistent users on my machine. Can
: anybody help me with this problem? More precisely, can anybody tell me how
: somebody from outside can hack my machine, and which are the ways to stop this an
: Thank you
: ------------------------------------------------------------------------------

: Well, s/he didn't have an ObHack, so here are some of mine:

: obhack:
: Set up an Internet gateway on my PS/2 mod 80 and 11.25kbit modem which I keep
: connected to my ISP at all times (ibm.net has great availability, or at least
: they did that last time I connected a few months ago =) running webd, mailerd,
: usenetd, etc. (tools of my own)
: This is a 386DX/20mhz, 12mb ram, 120MB and 400MB scsi disks (will use that
: 400megger for t web pages) using OS/2 3.0 connect (much quicker on the 386 than
: OS/2 4). I'm also working on a telnet proxying agent and a ftp caching server.

: YetAnotherObHack:

: well, actually this isn't done. I want to set up my computer to capture all
: IP addresses. So I set up as the default route and then configure lots of
: loopback interfaces (don't ask me how I did this) to get nearly every network
: there is. Then I connected my software (dns+tcp) to a raw socket and monitored
: for traffic. It then functions like SOCKS and also a name server to the outside
: world? Result? I can open a TCP connection from another machine (like my Aptiva)
: via the Model 80 and it seems like I'm on the real Internet. I'm also working on
: extensions for RealAudio/Video, etc. Only problem is a bug in dns+tcp is causing
: a thread to get in a loop, tying up the CPU...

: - jer...@ibm.net, posting on behalf of asi...@aix.zam.kfa-juelich.de
--
jco...@world.std.com aka John Otis Lene Comeau
Home page: http://world.std.com/~jcomeau/
Disclaimer: Don't risk anything of value based on free advice.
"Anybody can do the difficult stuff. Call me when it's impossible."

Andrew Mobbs

Oct 8, 1997, 3:00:00 AM

In article <EHJvx...@world.std.com>,

John O Comeau <jco...@world.std.com> wrote:
>This is PROBABLY the way someone did it:
>telnet aix.zam.kfa-juelich.de 25 (M. Manciu's IP, the SMPT port)
>MAIL FROM:<bogusUser>
>RCPT TO:<asi639>
>DATA
>Hey dude! I hacked into your system! - Bogus User
>.
>
>The SMPT protocol is totally trusting and believes everything it is told.
>Don't worry about it. Send the guy an email back the same way.

s/SMPT/SMTP/g

More usefully, install Wietse Venema's TCP wrappers to monitor the SMTP
port, then compare the logs to the timestamps in the mail headers, find
out where the luser is coming from and deal with them (or their
sysadmin) how you see fit.

<URL:ftp://ftp.win.tue.nl/pub/security/> for the TCP wrappers, see the
tcp_wrapper.txt there for details.

Oh, have a look at comp.security.unix for more of these sort of
questions, and useful help, and consider buying the O'Reilly internet
security book (the "safe" book).

ObHack:
I've been looking at brute-forcing an MD5 hash collision recently, I've
managed to get a program that will check for over 3x10^8 MD5 collisions
per _second_ on a 266MHz Pentium II.

How? I hacked MD5 to not do the final digestification, it just returns
the internal state which is an array of four 32 bit integers. I
precompute a large number of MD5 sums, store the results in two arrays,
one for the first integer of each result, the other for the final
three. I then generate MD5 sums, and compare the first of the integers
to the stored ones. Most of the time this will tell me not to bother
checking any further (i.e. I get about 8 `hits' from 10^11 checks).

The inner loop of this compiles down to just 4 instructions (on the
PII, it's 8 or so on RISC architectures). Yes, this means the CPU is
averaging 5 instructions issued per cycle (it has 7 integer units).

If you're interested, the inner loop is:
for(;y && x^fcmpb[y];y--);
which compiles to:
.L68:
cmpl %ecx,(%ebx,%edx,4)
je .L71
decl %edx
jne .L68

In fact, this is almost certainly suboptimal. Since the PII has a 14
stage pipeline I'm probably causing hideous stalls. I don't know enough
about the architecture to know where the feedbacks are on the pipeline,
or other low-level optimizations that I might be missing. Can anyone
help?

Unfortunately, it'd still take an incredibly unfeasible amount of time
for this one machine to brute-force a collision. (I'm not confident
enough of my maths to post a number for this :-) If I'm vaguely correct
it should be feasible to do if I could be bothered to organise an RSA
style distributed crack, and a reasonable number of people join in.

--
Andrew Mobbs - http://www.chiark.greenend.org.uk/~andrewm/
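
The log comparison suggested in the reply above (TCP wrappers log versus mail header timestamps), as an added example that is not part of either post. The message, host names, addresses and log lines are constructed; the log is assumed to be in the same local time zone as the mail host, since syslog stamps carry no zone or year.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a forged message as stored by the receiving host.
RAW_MESSAGE = """\
Received: from aix (dialup-12.example.net [192.0.2.45])
\tby mailhost.example.org (8.8.5/8.8.5) with SMTP id QAA01234
\tfor <user>; Sat, 4 Oct 1997 16:02:11 +0200
From: bogusUser
To: user

Hey dude! I hacked into your system! - Bogus User
"""

# Constructed sample: syslog lines in the "connect from" style tcpd writes.
TCPD_LOG = """\
Oct  4 15:40:02 mailhost sendmail[1101]: connect from 198.51.100.7
Oct  4 16:02:09 mailhost sendmail[1234]: connect from 192.0.2.45
Oct  4 16:30:51 mailhost sendmail[1290]: connect from 203.0.113.9
"""

LOG_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ \S+: connect from (\S+)$")

def top_received(raw):
    """Return (local wall-clock time, peer IP) from the topmost Received header.
    Only that one is written by our own MTA; any below it came from the sender."""
    hdr = message_from_string(raw).get_all("Received")[0]
    when = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
    return when.replace(tzinfo=None), ip.group(1) if ip else None

def connections_near(log, when, window=timedelta(seconds=60)):
    """List (time, peer) for logged connections within `window` of `when`."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a "connect from" line
        # Syslog omits the year; borrow it from the header timestamp.
        seen = datetime.strptime(f"{when.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if abs(seen - when) <= window:
            hits.append((seen, m.group(2)))
    return hits

if __name__ == "__main__":
    when, claimed = top_received(RAW_MESSAGE)
    for seen, peer in connections_near(TCPD_LOG, when):
        print(seen, peer, "matches header" if peer == claimed else "differs from header")
```

The From: line and the envelope sender play no part in the match; only the connection time and the peer address recorded by the receiving host are used.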
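
The two-array first-word filter from the ObHack above, as an added example in Python; it is not the poster's program. Assumptions: the state is truncated to 24 bits (MASKS) so that a full match is reachable in a short run, the message names are made up, and a dict lookup stands in for the linear scan over the first-word array.

```python
import hashlib
import struct

# Assumption for the demo: keep 12 bits of the first word and 4 bits of each
# of the other three, so a full match turns up after roughly 65,000 candidates.
MASKS = (0xFFF, 0xF, 0xF, 0xF)

def state(msg):
    """Four 32-bit MD5 state words (the digest is these words, little-endian),
    truncated by MASKS."""
    words = struct.unpack("<4I", hashlib.md5(msg).digest())
    return tuple(w & m for w, m in zip(words, MASKS))

def build_table(n):
    """Precompute n sums into two parallel arrays: the first word of each
    result, and the remaining three words."""
    first, rest = [], []
    for i in range(n):
        a, *bcd = state(b"stored-%d" % i)   # hypothetical stored messages
        first.append(a)
        rest.append(tuple(bcd))
    return first, rest

def search(first, rest, limit=2_000_000):
    """Generate candidate sums; compare the first word only, and look at the
    other three words only when the first word matches a stored one."""
    by_first = {}                            # stands in for the linear scan
    for i, a in enumerate(first):
        by_first.setdefault(a, []).append(i)
    first_hits = 0
    for j in range(limit):
        a, *bcd = state(b"candidate-%d" % j)  # hypothetical candidate messages
        for i in by_first.get(a, ()):         # stage 1: one-word compare
            first_hits += 1
            if rest[i] == tuple(bcd):         # stage 2: confirm the other three
                return {"stored": i, "candidate": j,
                        "tried": j + 1, "first_hits": first_hits}
    return None

if __name__ == "__main__":
    first, rest = build_table(256)
    print(search(first, rest))
```

With the masks removed the same loop runs unchanged, but stage 2 effectively never succeeds, which is the infeasibility the post describes.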
