ALL THE EFFORTS SEEMS FINALLY TO GET THE TENTACLE LD ATTENTION... KEEP IT UP CYPHERPUNKS!!!... ANARCHY IS WINNING... LOVE MEDUSA P.S. TO LD... THE FOLLOWING SHOULD REALLY TURN YOU ON... finger ld231782@longs.lance.colostate.edu [longs.lance.colostate.edu] Login name: ld231782 In real life: L. Detweiler Office: Home phone: 498-8278 Directory: /users/UNGRAD/ES/ld231782 Shell: /bin/tcsh Most recent logins: dolores Fri Jan 21 16:16 keller Sat Jan 22 16:09 Never logged in. No Plan. JUST DOING SOME RESEARCH VIA NIC WE FIND THAT THE MACHINE Non-authoritative answer: Name: longs.lance.colostate.edu Address: 129.82.109.16
set type=mx longs.lance.colostate.edu
longs.lance.colostate.edu preference = 0, mail exchanger = longs.lance.col ostate.edu longs.lance.colostate.edu preference = 10, mail exchanger = yuma.acns.colo state.edu longs.lance.colostate.edu internet address = 129.82.109.16 yuma.acns.colostate.edu internet address = 129.82.100.64 acns.colostate.EDU nameserver = yuma.acns.ColoState.EDU acns.colostate.EDU nameserver = lamar.ColoState.EDU yuma.ACNS.ColoState.EDU internet address = 129.82.100.64 lamar.ColoState.EDU internet address = 129.82.103.75 lamar.ColoState.EDU preference = 10, mail exchanger = lamar.ColoState.EDU lamar.ColoState.EDU preference = 20, mail exchanger = yuma.ACNS.ColoState.ED U lamar.ColoState.EDU internet address = 129.82.103.75 yuma.ACNS.ColoState.EDU internet address = 129.82.100.64 and a traceroute to LDs favorite posting machine the return times indicate that my end is a 9.6 ppp connection 2 hops away from 4. Note also I didnt query intervening routers and hosts for information. Upstream hosts and/or routers may also be compromisable... 4 cix-west2.cix.net (149.20.3.3) 310 ms 260 ms 290 ms 5 ans.cix.net (149.20.5.2) 280 ms 280 ms 280 ms 6 en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5) 270 ms 290 ms 270 ms 7 mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222) 280 ms 320 ms 290 ms 8 t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2) 300 ms 290 ms 300 ms 9 t3-0.Denver-cnss96.t3.ans.net (140.222.96.1) 310 ms 300 ms 310 ms 10 mf-0.Denver-cnss97.t3.ans.net (140.222.96.193) 310 ms 290 ms 310 ms 11 t3-0.enss141.t3.ans.net (140.222.141.1) 300 ms 300 ms 310 ms 12 cu-gw.ucar.edu (192.52.106.4) 300 ms 410 ms 310 ms 13 ucb-ncar.CO.westnet.net (129.19.254.46) 310 ms 129.19.248.62 (129.19.248.62 ) 320 ms 330 ms 14 csu-ucb.CO.westnet.net (129.19.254.102) 340 ms 320 ms 340 ms 15 csu-gw-2.UCC.ColoState.EDU (129.82.103.2) 310 ms 450 ms 310 ms 16 longs.lance.colostate.edu (129.82.109.16) 350 ms 330 ms 320 ms WELL WHAT DOES THIS TELL US TECHNICALLY SO FAR... THERE IS MOST LIKELY NO EFFECTIVE FIREWALL PROTECTION BETWEEN LD'S FAVORITE MACHINE AND THE OUTSIDE WORLD AS TRACEROUTE USES UDP PROBES ON RANDOM PORTS. NO INCOMING UDP BLOCKAGE GENERALLY INDICATES THE SECURITY OF THAT MACHINE IS NOT DEPENDENT ON PROXY/PACKET FILTERING TYPE ROUTERS AND FIREWALLED DOMAINS ADDITIONALLY A ISS LOG RUN VIA iss -p 129.82.109.16 SHOWED THE FOLLOWING RESULTS : --> Inet Sec Scanner Log By Christopher Klaus (C) 1993 <-- Email: cklaus@hotsun.nersc.gov coup@gnu.ai.mit.edu ================================================================ Host 129.82.109.16, Port 11 opened. systat udp/tcp users Host 129.82.109.16, Port 13 opened. daytime udp/tcp Host 129.82.109.16, Port 17 opened. qotd tcp quote Host 129.82.109.16, Port 21 opened. ftp tcp Host 129.82.109.16, Port 23 opened. telnet tcp Host 129.82.109.16, Port 25 opened. smtp tcp Host 129.82.109.16, Port 37 opened. time udp/tcp Host 129.82.109.16, Port 53 opened. domain udp/tcp Host 129.82.109.16, Port 79 opened. finger tcp Host 129.82.109.16, Port 109 opened. pop-2 tcp Post Office Protocol Host 129.82.109.16, Port 110 opened. pop-3 Host 129.82.109.16, Port 111 opened. sunrpc udp/tcp JACKPOT!!!!!! Host 129.82.109.16, Port 119 opened. nntp tcp Host 129.82.109.16, Port 210 opened. THIS ONE IS UNUSUAL? i shows closed by foreign host Host 129.82.109.16, Port 512 opened. biff/exec udp/tcpf Host 129.82.109.16, Port 513 opened. who/login udp/ tcp Host 129.82.109.16, Port 514 ("shell" service) opened. syslog/shell udp/tcp Host 129.82.109.16, Port 515 opened. syslog/printer udp/tcp Host 129.82.109.16, Port 593 opened. refuses telnet(udp connection) research... Host 129.82.109.16, Port 704 opened. accepts telnet connection(tcp) echos... Host 129.82.109.16, Port 1024 opened. accepts telnet connection(tcp) Host 129.82.109.16, Port 1025 opened. listener RFS remote_file_sharing Host 129.82.109.16, Port 1031 opened. Host 129.82.109.16, Port 1032 opened. tcp Host 129.82.109.16, Port 1033 opened. not checked Host 129.82.109.16, Port 1034 opened. not checked Host 129.82.109.16, Port 1035 opened. not checked Host 129.82.109.16, Port 1036 opened. not checked Host 129.82.109.16, Port 5599 opened. not checked Host 129.82.109.16, Port 6667 opened. not checked THE SCAN WAS TERMINATED AT THIS POINT. IN THE ABOVE LIST WE FIND SEVERAL GEMS THE BEST OF WHICH IS SUNRPC :)... so next of course rpcinfo -p longs.lance.colostate.edu program vers proto port 100004 2 udp 1029 ypserv 100004 2 tcp 1024 ypserv 100004 1 udp 1029 ypserv 100004 1 tcp 1024 ypserv 100007 2 tcp 1025 ypbind 100007 2 udp 1038 ypbind 100007 1 tcp 1025 ypbind 100007 1 udp 1038 ypbind 100005 1 udp 1071 mountd 100005 1 tcp 1031 mountd 100003 2 udp 2049 nfs 100024 1 udp 1081 status 100024 1 tcp 1032 status 100008 1 udp 1087 walld 100021 1 tcp 1033 nlockmgr 100021 1 udp 1092 nlockmgr 100021 3 tcp 1034 nlockmgr 100021 3 udp 1096 nlockmgr 100020 1 udp 1099 llockmgr 100020 1 tcp 1035 llockmgr 100021 2 tcp 1036 nlockmgr 150001 1 udp 1127 pcnfsd 300019 1 udp 1022 200002 1 udp 1956 whether running regular or secure RPC(the latter requires nfscrack to crack the secret exponent) this machine is most likely a sparc or compatible running a given version of SUNOS 4.1.X?(check HINFO if available.) a check should be made to see which network security patchs have been applied to this host. A probe of longs.lance.colostate.edu smtp port : longs.lance.colostate.edu Sendmail 8.6.4/8.6.4 (LANCE 1.00) ready at xxx,xx2 xxx xxxx xx:xx:xx -xxxx 220 ESMTP spoken here VRFY ld231782 250 L. Detweiler <ld231782@longs.lance.colostate.edu> EXPN ld231782 502 That's none of your business quit 221 longs.lance.colostate.edu closing connection OK SO FAR SO GOOD HIS MACHINE SHOWS A FAIRLY SECURE SMTP DAEMON. EXAMINATION OF THAT REVISION AND SOURCE OF SENDMAIL IS STILL UNDER QUESTION BECAUSE THE CURRENT VERSION 8.65 ADDS EVEN MORE SECURITY PATCHES CHECKING FOR ANONYMOUS FTP WE FIND: Check for anonymous FTP service connected to 129.82.109.16. 220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19 90) ready. Name (129.82.109.16:root): anonymous 530 User anonymous unknown. Login failed. ftp> quit 500 'SYST': command not understood. # ftp 129.82.109.16 Connected to 129.82.109.16. 220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19 90) ready. Name (129.82.109.16:root): ftp 530 User ftp unknown. Login failed. ftp> quit 500 'SYST': command not understood. DETWEILER YOU HAVE BEEN A HYPOCRITE, LIAR AND SCONDREL, HOWEVER TO REMAIN PROPERLY SENSITIVE TO A NON COMPOS MENTIS I WILL GIVE YOU A CHANCE TO APOLGIZE BEFORE I HAVE MY TENTACLES FORM FOR THEIR NEXT ASSAULT. IF YOU DO NOT APLOGIZE YOU WILL REGRET THE RESULTS OF YOUR ACTIONS. I AM NOT TOYING AROUND WITH YOU ANY FURTHER . WE ARE HAVING TENTACLE WHO ARE INFORMATION BROKERS PASSING EVERYTHING WE KNOW ABOUT YOU TO FEDERAL LAW ENFORCEMENT AND THE AGGRIEVED AND ABUSED PARTIES. CEASE AND DESIST! LOVE MEDUSA P.S. A ANONYMOUS REMAILER BLOCK TO SEND YOUR APOLGY TO ME FOLLOWS I MUST HAVE THAT APOLOGY IMMEDIATELY OR FURTHER ACTIONS WILL FOLLOW! --------8<--cut here-->8-------- :: Encrypted: PGP -----BEGIN PGP MESSAGE----- Version: 2.3a hEwCKlkQ745WINUBAf0Z/wGHrYOMJy7+1M6DSrFtnvVEbEH3Kbi/k04MOgbIhTr+ 8HSWOdI6MCl0qHCbB9B+0NZILAsY06dJL5F3L2d3pgAAAVcg0HAS0/wC6qvGO3DL OzAvOYuUJW0nPLiYYDfotcPYc4ndxLQ/p1FDXc8reECJgrFbjBm2nuMVPNDoI+ba u93u/sWUHwrZdiVphz0RWzmY+qJb0IlKkoTWBX0Bcz8TzUEVbnhnbOSQfyqAP0Tz PmoKND1VC2HlPstrd7/20iY4CAxh1bUs+f/ZlOThiHnLPAOXpIb3CWv6dqiNV3Zc iSaF/AcJr29L/ij27zykuNPRXKvZasNUy2fpPYgtt01/NO3XK9f0E3NyCJJirTa0 rOh0P6j93a1mLaDFXtrMIBA+zOgLetslrgedrpz0qipDS/EHfef635adB8S3UjB6 EgozJG7LSamw2LKZAC6nqzeuGcu5RI61jeLjv4Mf2IkE5WHppCgUyOVLv4/gWyR/ K65K6kyWji+XcBRcQZTe48IthsaR7LJHDabeE6Ha8wqoEPlbOCudIWKd =AZpv -----END PGP MESSAGE----- <To reply, save everything below the "cut here" marks above <into another file. Type your reply here (below the blank <line three lines above!) and mail to hfinney@shell.portal.com