The fourth edition of the Happy Hacker book contains much more detailed
information on how to fight back -- legally -- when you find a Web site
you feel has no right to exist. Many people calling themselves hackers
have ranted and flamed about how evil I am to show people how to take
down Web sites. However, I believe that your right to protest what you
see is evil is an essential part of your freedom of speech. Oh, yes, I
also show a fun, legal way to "hack" your friends' web sites in the
fourth edition of the Happy Hacker book :):) -- Carolyn Meinel
GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 6
It's vigilante phun day one more time! How to nuke offensive
Web sites.
_______________________________________________________
Now, how do we take down offensive Web sites?
Remember that the Internet is voluntary. There is no law that
forces an ISP to serve people they don't like. As the spam kings
Jeff Slayton, Crazy Kevin, and, oh, yes, the original spam artists
Cantor and Seigal have learned, life as a spammer is life on
the run. Well, the same holds for Web sites that go over the
edge.
The reason I bring this up is that a Happy Hacker list member
has told me he would like to vandalize kiddie porn sites. I
think that is a really, really kewl idea -- except for one
problem. You can get thrown in jail! I don't want the hacker
tools you can pick up from public Web and ftp sites to lure
anyone into getting busted. It is easy to use them to vandalize
Web sites. But it is hard to use them without getting caught!
*****************
YOU CAN GO TO JAIL NOTE: Getting into a part of a computer that
is not open to the public is illegal. In addition, if you use
the phone lines or Internet across a US state line to break
into a non-public part of a computer, you have committed a Federal
felony. You don't have to cause any harm at all -- it's still
illegal. Even if you just gain root access and immediately break
off your connection -- it's still illegal. Even if you are doing
your civic duty by vandalizing kiddie porn -- it's still illegal.
***************
Trying to throw Web kiddie porn guys in jail usually is not
going to work. The Internet is global. Many countries have no
laws against kiddie porn on the Internet. Even if it were illegal
everywhere, in lots of countries the police only bust people
in exchange for you paying a bigger bribe than the criminal
pays.
Besides, I'm a First Amendment absolutist. Give the government
the power to censor even kiddie porn, and you're giving the
government too much power. On the other hand, the kind of mass
outrage that keeps spammers on the run can also drive kiddie
porn off the Web.
But no one can force an ISP to carry kiddie porn. In fact,
most human beings are so disgusted at it that they will jump
at the chance to shut it down. If the ISP is run by some pervert
who wants to make money by offering kiddie porn, then you go
to the next level up, to the ISP that provides connectivity
for the kiddie porn ISP. There someone will get a conscience
attack and cut off the b*****ds.
So, how do you find the people who can put a Web site on the
run? We start with the URL.
I am going to use a real URL. But please keep in mind that
I am not saying this actually is a web address with kiddie porn.
This is being used for purposes of illustration only.
http://www.phreak.org
Now let's say someone just told you this was a kiddie porn
site. Do you just launch an attack? No.
This is how hacker wars start. What if phreak.org is actually
a nice guy place? Even if they did once display kiddie porn,
perhaps they have repented. Not wanting to get caught acting
on a stupid rumor, I go to the Web and find the message "no
DNS entry." So this Web site doesn't look like it's there
just now.
But it could just be that the machine that holds the disk
that holds this Web site is temporarily down. There is a way
to tell if the computer that serves a domain name is running:
the ping command:
/usr/etc/ping phreak.org
The answer is:
/usr/etc/ping: unknown host phreak.org
Now if this Web site had been up, it would have responded like
my Web site does:
/usr/etc/ping techbroker.com
This gives the answer:
techbroker.com is alive
OK, now we have established that at least right now, http://phreak.org
either does not exist, or else that the computer hosting it
is not connected to the Internet.
But is this temporary or is it gone, gone, gone? We can get
some idea whether it has been up and around and widely read
from the search engine at http://altavista.digital.com. It is
able to search for links embedded in Web pages. Are there many
Web sites with links to phreak.org? I put in the search commands:
link: http://www.phreak.org
host: http://www.phreak.org
But they turn up nothing. So it looks like the phreak.org site
is not real popular.
Well, does phreak.org have a record at Internic? Let's try
whois:
whois phreak.org
Phreaks, Inc. (PHREAK-DOM)
Phreaks, Inc.
1313 Mockingbird Lane
San Jose, CA 95132 US
Domain Name: PHREAK.ORG
Administrative Contact, Billing Contact:
Connor, Patrick (PC61) pc@PHREAK.ORG
(408) 262-4142
Technical Contact, Zone Contact:
Hall, Barbara (BH340) rain@PHREAK.ORG
408.262.4142
Record last updated on 06-Feb-96.
Record created on 30-Apr-95.
Domain servers in listed order:
PC.PPP.ABLECOM.NET 204.75.33.33
ASYLUM.ASYLUM.ORG 205.217.4.17
NS.NEXCHI.NET 204.95.8.2
I try telnetting to their login sequence:
telnet phreak.org
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
______________ _______________________________ __
___ __ \__ / / /__ __ \__ ____/__ |__ //_/____________________ _
__ /_/ /_ /_/ /__ /_/ /_ __/ __ /| |_ ,< _ __ \_ ___/_ __ `/
_ ____/_ __ / _ _, _/_ /___ _ ___ | /| |__/ /_/ / / _ /_/ /
/_/ /_/ /_/ /_/ |_| /_____/ /_/ |_/_/ |_|(_)____//_/ _\__, /
/____/
;
Connection closed by foreign host.
Aha! Someone just turned the computer hosting phreak.org on!
The fact that this gives just ASCII art and no login prompt
suggests that this host computer does not exactly welcome the
casual visitor.
Next I try fingering their technical contact:
finger rain@phreak.org
Its response is:
[phreak.org]
It then scrolled out some embarrassing ASCII art. Finger it
yourself if you really want to see it. I'd only rate it PG-13,
however.
The fact that phreak.org runs a finger service is interesting.
Since finger is one of the most powerful opportunities for the
well-equipped hacker to crack into the system, we can conclude
that either:
1) The phreak.org sysadmin is not very security-conscious,
or
2) It is so important to phreak.org to send out insulting messages
that the sysadmin doesn't care about the security risk of running
finger.
OK, how about their HTML port, which would provide access to
any Web sites hosted by phreak.org? We can check to see if it
is active with, you guessed it, a little port surfing:
telnet phreak.org 80
Here's what I get:
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
HTTP/1.0 400 Bad Request
Server: thttpd/1.00
Content-type: text/html
Last-modified: Thu, 22-Aug-96 18:54:20 GMT
<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY><H2>400 Bad Request</H2>
Your request '' has bad syntax or is inherently impossible to
satisfy.
<HR>
<ADDRESS><A HREF="http://www.acme.org/software/thttpd/">thttpd/1.00</A></ADDRESS
</BODY></HTML>
Connection closed by foreign host.
Now we know that phreak.org does have something like a web
server on its host computer. This server is called thttpd, version
1.0. We also may suspect that it is a bit buggy!
What makes me think it is buggy? Look at the version number:
1.0. Also, that's a pretty weird error message.
If I were the technical administrator for phreak.org, I would
get a better program running on port 80 before someone figures
out how to break into root with it. The problem is that buggy
code is often a symptom of code that takes the lazy approach
of using calls to root. In the case of a Web server, you want
to give read-only access to remote users in any user's directories
of html files. So there is a huge temptation to use calls to
root.
And a program with calls to root just might crash and dump
you out into root.
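The pattern the paragraph above is pointing at is the one a careful server author uses: touch root only for the one thing that needs it (binding a port below 1024), then run everything else as a nobody. The following is an added example written for this column; it is not thttpd's code and not part of the original guide. The username "nobody", the document root layout and the file names are assumptions. read_html() confines every request to the document root and opens files read-only, so the serving code needs no root at all, and drop_privileges() is what a server would call right after bind() on port 80 (it is a no-op when the process was not started as root).

```python
import os
import pwd
import tempfile

DEMO_INDEX = b"<HTML>hello</HTML>\n"   # constructed content for the demo docroot


def effective_ids():
    """The (uid, gid) the process is really running as."""
    return os.geteuid(), os.getegid()


def running_as_root():
    return os.geteuid() == 0


def drop_privileges(username="nobody"):
    """Give up root once the privileged port is bound (assumed usage: called
    right after bind() on port 80). Returns the effective (uid, gid) afterwards.
    No-op when not running as root."""
    if not running_as_root():
        return effective_ids()
    pw = pwd.getpwnam(username)         # "nobody" is an assumption; use a dedicated user
    os.setgroups([])                    # supplementary groups first, while still root
    os.setgid(pw.pw_gid)                # then the group, then the user: order matters
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)                    # must fail: the drop has to be irreversible
    except PermissionError:
        return effective_ids()
    raise RuntimeError("privilege drop was reversible; refusing to serve")


def resolve_under_docroot(docroot, url_path):
    """Map a URL path onto a file inside docroot, or None when the request
    would escape it (../ tricks, absolute paths, symlinks pointing outside)."""
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def read_html(docroot, url_path):
    """Serve a file read-only from the docroot; the server never needs write
    access, let alone root, to do this."""
    path = resolve_under_docroot(docroot, url_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def make_demo_docroot():
    """Constructed fixture: a docroot with index.html, a secret file outside
    it, and a symlink inside the docroot that points at the secret."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "wb") as fh:
        fh.write(DEMO_INDEX)
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not for the web\n")
    try:
        os.symlink(os.path.join(base, "secret.txt"), os.path.join(docroot, "link.html"))
    except OSError:
        pass                            # platforms without symlinks still get the other checks
    return os.path.realpath(docroot)


if __name__ == "__main__":
    root = make_demo_docroot()
    print("index:", read_html(root, "/index.html"))
    print("traversal:", read_html(root, "/../secret.txt"))
    print("symlink escape:", read_html(root, "/link.html"))
    print("now running as", drop_privileges())
```

Both halves matter: confinement stops a request from reading outside the html tree, and the privilege drop means that even a crash in the parsing code lands an attacker in an unprivileged account rather than root.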
************************
Newbie note: Root! It is the Valhalla of the hard-core cracker.
"Root" is the account on a multi-user computer which
allows you to play god. It is the account from which you can
enter and use any other account, read and modify any file, run
any program. With root access, you can completely destroy all
data on boring.ISP.net. (I am *not* suggesting that you do so!)
*************************
Oh, this is just too tempting. I do one little experiment:
telnet phreak.org 80
This gives:
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
Because the program on port 80 times out on commands in a second
or less, I was set up ready to do a paste to host command, which
quickly inserted the following command:
<ADDRESS><A HREF="http://www.phreak.org/thttpd/">thttpd/1.00</A></ADDRESS</BODY></HTML>
This gives information on phreak.org's port 80 program:
HTTP/1.0 501 Not Implemented
Server: thttpd/1.00
Content-type: text/html
Last-modified: Thu, 22-Aug-96 19:45:15 GMT
<HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD>
<BODY><H2>501 Not Implemented</H2>
The requested method '<ADDRESS><A' is not implemented
by this server.
<HR>
<ADDRESS><A HREF="http://www.acme.org/software/thttpd/">thttpd/1.00</A></ADDRESS
</BODY></HTML>
Connection closed by foreign host.
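The two port 80 exchanges above can be read off with a few lines of code. What follows is an added example written for this column, not thttpd's code and not part of the original guide: it parses a captured HTTP/1.0 reply (the 400 response shown above, embedded here as sample input so it runs offline) to pull out the status and the Server banner, builds the well-formed HEAD request one would send to read that banner deliberately, and models how an HTTP/1.0 server judges a request line, which is why an empty line draws a 400 and the pasted HTML draws a 501 naming '<ADDRESS><A' as the method. The method set and classify_request_line() are a simplification of RFC 1945, not thttpd's actual logic.

```python
# Captured reply from the transcript above (thttpd/1.00's answer to an empty
# request line), re-typed here as constructed sample input.
RAW_400 = (
    "HTTP/1.0 400 Bad Request\r\n"
    "Server: thttpd/1.00\r\n"
    "Content-type: text/html\r\n"
    "Last-modified: Thu, 22-Aug-96 18:54:20 GMT\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>\r\n"
    "<BODY><H2>400 Bad Request</H2>\r\n"
    "Your request '' has bad syntax or is inherently impossible to satisfy.\r\n"
    "</BODY></HTML>\r\n"
)

# The line that was pasted into port 80 in the transcript above.
PASTED_LINE = '<ADDRESS><A HREF="http://www.phreak.org/thttpd/">thttpd/1.00</A></ADDRESS</BODY></HTML>'

KNOWN_METHODS = {"GET", "HEAD", "POST"}   # the methods RFC 1945 (HTTP/1.0) defines


def parse_response(raw):
    """Split an HTTP/1.0 reply into status line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


def server_banner(raw):
    """(product, version) from the Server header; what an inventory of exposed
    software versions is built from."""
    server = parse_response(raw)["headers"].get("server", "")
    product, _, version = server.partition("/")
    return product, version


def head_request(host, path="/"):
    """A well-formed HTTP/1.0 request that asks only for headers: the way to
    read a Server banner without fetching any content."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify_request_line(line):
    """How an HTTP/1.0 server judges a request line (simplified): 400 when it
    does not have the METHOD SP URI [SP VERSION] shape, 501 when the method
    token is not one the server implements, otherwise 200."""
    parts = line.strip().split()
    if len(parts) < 2 or len(parts) > 3:
        return 400
    if len(parts) == 3 and not parts[2].startswith("HTTP/"):
        return 400
    if parts[0] not in KNOWN_METHODS:
        return 501
    return 200


def method_token(line):
    """The first whitespace-delimited token, i.e. what the server echoes back
    as 'the requested method' in its 501 message."""
    parts = line.strip().split()
    return parts[0] if parts else ""


if __name__ == "__main__":
    print(parse_response(RAW_400)["status"], server_banner(RAW_400))
    print(head_request("phreak.org"))
    print(classify_request_line(""), classify_request_line(PASTED_LINE),
          method_token(PASTED_LINE), classify_request_line("HEAD / HTTP/1.0"))
```

Seen this way, the 400 and 501 replies are the server doing exactly what the protocol asks of it: the empty line has no method or URI, and the pasted HTML has '<ADDRESS><A' where a method belongs. The Server header is the useful part of the exchange for an administrator, since it tells you which software and version is facing the network.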
All right, what is thttpd? I do a quick search on Altavista
and get the answer:
A small, portable, fast, and secure HTTP server. The tiny/turbo/throttling
HTTP server does not fork and is very careful about memory...
Ah, but did the programmer figure out how to do all this without
calls to root? Just for kicks I try to access the acme.org URL
and get the message "does not have a DNS entry." So
it's off-line, too. But whois tells me it is registered with
Internic. Hmm, this sounds even more like brand X software.
And it's running on a port. Break-in city! What a temptation...arghhh...
So what may we conclude? It looks like phreak.org does have
a Web site, but it is of a private nature. It is only turned
on from time to time.
Now suppose that we did find something seriously bad news at
phreak.org. Suppose someone wanted to shut it down. Ah-ah-ah,
don't touch that buggy port 80!
********************************
You can go to jail note: Are you as tempted as I am? These
guys have notorious cracker highway port 79 open, AND a buggy
port 80! But, once again, I'm telling you, it is against the
law to break into non-public parts of a computer. If you telnet
over US state lines, it is a federal felony. Even if you think
there is something illegal on that thttpd server, only someone
armed with a search warrant has the right to look it over.
********************************
First, I would normally email a complaint to the technical
and administrative contacts of the ISPs that provide phreak.org's
connection to the Internet. So I look to see who they are with
whois:
whois PC.PPP.ABLECOM.NET
I get the response:
[No name] (PC12-HST)
Hostname: PC.PPP.ABLECOM.NET
Address: 204.75.33.33
System: Sun 4/110 running SunOS 4.1.3
Record last updated on 30-Apr-95
In this case, since there are no listed contacts, I would email
postmaster@ABLECOM.NET.
I check out the next ISP:
whois ASYLUM.ASYLUM.ORG
And get:
[No name] (ASYLUM4-HST)
Hostname: ASYLUM.ASYLUM.ORG
Address: 205.217.4.17
System: ? running ?
Record last updated on 30-Apr-96.
Again, I would email postmaster@ASYLUM.ORG.
I check out the last ISP:
whois NS.NEXCHI.NET
And get:
NEXUS-Chicago (BUDDH-HST)
1223 W North Shore, Suite 1E
Chicago, IL 60626
Hostname: NS.NEXCHI.NET
Address: 204.95.8.2
System: Sun running Unix
Coordinator:
Torres, Walter (WT51) walter-t@MSN.COM
312-352-1200
Record last updated on 31-Dec-95.
So in this case I would email walter-t@MSN.COM with evidence
of the offending material.
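The escalation chain just walked through (domain record, then its nameserver hosts, then each host's listed contact, falling back to postmaster@ at that host's domain) is mechanical enough to script. What follows is an added example written for this column, not part of the original guide: it parses the 1996-format InterNIC records reproduced above (re-typed here as sample input, so it runs offline) and returns the address a complaint would go to for each upstream host. The parent_domain() rule of taking the last two labels is a simplification that holds for these .NET/.ORG hosts; a real tool would consult the public suffix list.

```python
import re

# Sample whois output, re-typed from the transcript above (1996 InterNIC
# format); this is the constructed input the functions below are exercised on.
DOMAIN_RECORD = """\
Phreaks, Inc. (PHREAK-DOM)
   Phreaks, Inc.
   1313 Mockingbird Lane
   San Jose, CA 95132 US

   Domain Name: PHREAK.ORG

   Administrative Contact, Billing Contact:
      Connor, Patrick  (PC61)  pc@PHREAK.ORG
      (408) 262-4142
   Technical Contact, Zone Contact:
      Hall, Barbara  (BH340)  rain@PHREAK.ORG
      408.262.4142

   Record last updated on 06-Feb-96.
   Record created on 30-Apr-95.

   Domain servers in listed order:

   PC.PPP.ABLECOM.NET           204.75.33.33
   ASYLUM.ASYLUM.ORG            205.217.4.17
   NS.NEXCHI.NET                204.95.8.2
"""

HOST_RECORDS = {
    "PC.PPP.ABLECOM.NET": """\
[No name] (PC12-HST)
   Hostname: PC.PPP.ABLECOM.NET
   Address: 204.75.33.33
   System: Sun 4/110 running SunOS 4.1.3
   Record last updated on 30-Apr-95
""",
    "ASYLUM.ASYLUM.ORG": """\
[No name] (ASYLUM4-HST)
   Hostname: ASYLUM.ASYLUM.ORG
   Address: 205.217.4.17
   System: ? running ?
   Record last updated on 30-Apr-96.
""",
    "NS.NEXCHI.NET": """\
NEXUS-Chicago (BUDDH-HST)
   1223 W North Shore, Suite 1E
   Chicago, IL 60626
   Hostname: NS.NEXCHI.NET
   Address: 204.95.8.2
   System: Sun running Unix

   Coordinator:
      Torres, Walter  (WT51)  walter-t@MSN.COM
      312-352-1200

   Record last updated on 31-Dec-95.
""",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}")
NS_LINE_RE = re.compile(r"^\s*([A-Za-z0-9.-]+\.[A-Za-z]{2,})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def nameservers(domain_record):
    """[(hostname, ip), ...] from the 'Domain servers in listed order' section."""
    found = []
    in_section = False
    for line in domain_record.splitlines():
        if "Domain servers in listed order" in line:
            in_section = True
            continue
        if in_section:
            m = NS_LINE_RE.match(line)
            if m:
                found.append((m.group(1).upper(), m.group(2)))
    return found


def contact_emails(record):
    """Every e-mail address in a whois record (contacts, coordinator), in order."""
    return EMAIL_RE.findall(record)


def parent_domain(hostname):
    """Registrable domain of a host; last-two-labels is a simplification."""
    labels = hostname.strip(".").split(".")
    return ".".join(labels[-2:]).upper()


def escalation_contacts(domain_record, host_records):
    """Map each nameserver host to the address a complaint goes to: the listed
    contact when the host record has one, else postmaster@<host's domain>."""
    result = {}
    for host, _ip in nameservers(domain_record):
        emails = contact_emails(host_records.get(host, ""))
        result[host] = emails[0] if emails else "postmaster@" + parent_domain(host)
    return result


if __name__ == "__main__":
    for host, addr in escalation_contacts(DOMAIN_RECORD, HOST_RECORDS).items():
        print(f"{host:22} -> {addr}")
```

Feeding the script the three host records gives postmaster@ABLECOM.NET, postmaster@ASYLUM.ORG and walter-t@MSN.COM, the same three addresses the column arrives at by hand. The domain's own contacts (pc@ and rain@PHREAK.ORG) come out of contact_emails() on the domain record, which is where a first, lower-level complaint would go.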
That's it. Instead of waging escalating hacker wars that can
end up getting people thrown in jail, document your problem
with a Web site and ask those who have the power to cut these
guys off to do something. Remember, you can help fight the bad
guys of cyberspace much better from your computer than you can
from a jail cell.
Oh, and if you are just burning with curiosity about whether
thttpd can be made to crash to root, *DON'T* run experiments
on phreak.org's computer. They will notice all those weird accesses
to port 80 on their shell log file. They will figure out who
you are and how to throw you in jail if you do crack in.
But this is the kind of intellectual challenge that calls for
installing Linux on your PC. Then under Linux you would install
thttpd. Then tie your Linux machine into the Internet and telnet
away!
If you should find a bug in thttpd that seriously compromises
the security of any computer running it, then what do you do?
Wipe the html files of phreak.org? NO! You contact the Computer
Emergency Response Team (CERT) with this information. They will
send out an alert. You will become a hero and be able to charge
$1500 per day as a computer security consultant. This is much
more phun than going to jail. Trust me.
But if you are going to find a way to make thttpd put
you into root, do it fast or I may beat you to it!
OK, I'm signing off for this column. I look forward to your
contributions to this list. Happy hacking -- and don't get busted!
______________________________________________________
Want to share some kewl stuph? Tell me I'm terrific? Flame
me? For the first two, I'm at . Please
direct flames to dev/null@techbroker.com. Happy hacking!
______________________________________________________
© 1996 Carolyn P. Meinel. You may forward the GUIDE
TO (mostly) HARMLESS HACKING as long as you leave this notice
at the end. To subscribe, email with
message "subscribe hacker <joe.blow@boring.ISP.net>"
substituting your real email address for Joe Blow's.