Nov. 1996 posts to happy Hacker

Fri Nov 01 11:27:00 1996
From: cybersynergy@juno.com (Martin Lemmon)

I have a boilerplate e-mail/fax/memo for e-mail/fax spammers.  It quotes
from the relevant sections of federal law, with the fines bolded and in
20-point type (all caps, too!).  When I get an unsolicited fax, I fax it
back to the sender with the memo.  I also use it for unsolicited e-mail.
With unsolicited e-mail, you need to be careful, as sometimes, buried in
the body of the spam, is the "reply-to" e-mail address - you don't just
hit "reply."

I've used it for a while now, with good results.  It follows, in case
you'd like to try this approach.

<OR UNSOLICITED e-mail TO e-mail ADDRESS xxx@xxx.xxx>

Under US Code Title 47, §227(b)(1)(C):

    "It shall be unlawful for any person within the United States to
     use any telephone facsimile machine, computer, or other device
     to send an unsolicited advertisement to a telephone facsimile
     machine"

A "telephone facsimile machine" is defined in §227(a)(2)(B) as:

    "equipment which has the capacity to transcribe text or images
     (or both) from an electronic signal received over a regular
     telephone line onto paper."

Under this definition, an e-mail account, modem, computer and printer
together constitute a fax machine.

The rights of action are as follows.  Under §227(b)(3)(B):

    "A person or entity may, if otherwise permitted by the laws or
     rules of court of a State, bring in an appropriate court of
     that State --

      (A) an action based on a violation of this subsection or the
          regulations prescribed under this subsection to enjoin
          such violation,
      (B) an action to recover for actual monetary loss from such a
          violation, or to receive $500 in damages for each such
          violation, whichever is greater, or
      (C) both such actions. If the court finds that the defendant
          willfully or knowingly violated this subsection or the
          regulations prescribed under this subsection, the court
          may, in its discretion, increase the amount of the award
          to an amount equal to not more than 3 times the amount
          available under subparagraph (B) of this paragraph."


Good Luck!

On Mon, 28 Oct 1996 15:11:59 -0700 (MST) Carolyn Meinel
<> writes:
>>From tqdb@wichita.fn.net Mon Oct 28 12:26:39 1996
>> Date: Mon, 28 Oct 1996 04:09:48 -0800
>> From: Greg Bulmash <gbhp@worldnet.att.net>
>> Under federal law, unsolicited electronic communications such as
>> faxes or e-mail are illegal.  Not just after someone has said not to
>> send them anymore, but the first time.  Each one carries a minimum
>> penalty of $500 and a maximum penalty of $1500.
>     While I have heard people cite this interpretation of the law
>and over again, I have never heard of any successful cases being
>against the sender.  That seems quite odd, if indeed your
>is 100% valid when taking account of how long spamming has occurred.
>that I don't wish it was true..
>  -=| T.Q.D.B. - tqdb@wichita.fn.net - http://www.feist.com/~tqdb |=-
>           "The term 'hacker' is not necessarily derogatory.
>          A small percentage of them give the rest a bad name."
>       --Special Agent Andrew Black, FBI SF Computer Crime Squad

Sat Nov 02 01:22:50 1996
From: Carolyn Meinel <>
Subject: HH: More on Giant Pings

I did a little checking on Usenet for the reaction to the news about the
giant ping datagram attack. Here's a quick summary.

1) People are really paranoid about describing exactly how it can be done.

2) There is a lot of misinformation floating around. Most significantly,
it has been asserted that only Windows 95 and Windows NT can do this.
This is not true. It is just that these are the only two operating systems
that can do it with a simple one-line command.

3) I haven't encountered any reports of giant datagram pings being used
to attack Internet hosts and routers.

4) The patches that can protect your system against this attack are
posted at http://www.uk.linux.org/patches/. More information may be found
at http://www.sophist.demon.co.uk/ping/.

Regarding discussion of this attack on this list, there have been
comments about how it can't be elite and isn't really hacking if it can
be done easily from Windows 95 (or Windows NT). I agree it isn't elite.
It's too easy to be elite. BUT -- you have just learned how to do
something that some day may cause a really big disaster on the internet.
How many people use Windows 95 or Windows NT? Millions. How many are
someday going to be really, really mad enough to send out just one funny

So what is the solution? On Usenet I see all these guys tiptoeing around
trying to talk about the problem without saying what exactly it is. They
are really afraid that a bunch of idiots will start pinging down huge
hunks of the Internet. Meanwhile, CERT, which is supposed to save us from
giant Internet disasters, hasn't said anything about the problem.

My guess is that we are seeing ostrich behavior. Hush up the problem and
no one will exploit it. Ever. Sure.

Just think how this could be used. All it takes is one ping to zap each
vulnerable host. One crank could take out thousands of hosts per day by
hand. If he or she knows how to write a DOS .bat file, it could be lots more.

Should the ability of the Internet to keep running be dependent upon
everyone who knows how to use the network diagnostic functions of Windows
being good guys?

The reason I published exact details of how you could make these killer
pings was to prove to you how easy it is for absolute beginners to do
deadly hacker attacks.

IMHO, if the Internet is safe only by everyone agreeing to be good guys,
then we are in deep trouble. What is to keep terrorists or a nation at war
from wrecking the Internet? Especially when it is so easy to do?

If you just joined the list, and would like a copy of the issue of Guide
to (mostly) Harmless Hacking that details how to do the killer ping
exploit, email me and I'll send it to you.

Carolyn Meinel
M/B Research -- The Technology Brokers

Mon Nov 04 06:47:19 1996
From: Carolyn Meinel <>
Subject: HH: Internet Scambusters

>Internet ScamBusters
>- - exposing what really works and what doesn't - -
>By Audri and Jim Lanford, NETrageous Inc.
>© 1996 NETrageous Inc.
>Issue #9  October 12, 1996
>More On The "809" SCAM: Internet ScamBusters Uncovers
>Additional Serious Implications For The Infamous "809" Scam
>On Monday we sent out a Special Alert to notify subscribers of the
>"809" Scam.  We've been doing a lot of research on this scam all
>week, and getting *a lot* of email.  Last night we uncovered
>information which results in much broader implications of this scam
>than we've seen reported anywhere.  So, we're sending out this
>additional issue of Internet ScamBusters to warn you about the new
>Brief review: The "809" scam has many permutations but they all
>involve a message to you (either by email, phone or pager) that you
>immediately call a number in the "809" area code to avoid some bad
>consequence (such as litigation, or to receive information about
>someone who has been arrested or died) or to gain some good benefit
>(such as winning a wonderful prize).
>The "809" area code is in the Caribbean, yet most people are not
>aware that they are making an international call when they dial the
>"809" area code.  "809" calls can be "pay-per-call" numbers (such as
>900 numbers in the US) - and there are no legal requirements that
>callers be informed that they are being charged extra.  When you
>return a "pay-per-call" 809 call, they try to keep you on the phone
>as long as possible, and you are charged very high rates for the
>call, reportedly up to $25 per minute.
>New information:  Until recently, the "809" area code covered the
>entire Caribbean.  However, that's changed.  There are now a series
>of new area codes for different countries in the Caribbean.  That
>means there are now additional area codes which victims can
>unknowingly call with the same results as the original "809" scam.
>The "268" area code is already reportedly being used by scam artists.
>  And you can be sure that the scammers won't take long to start
>using these new codes in a big way.
>According to representatives at AT&T, here are the new area codes and
>their effective dates:
>Country         Code      Effective Date
>Bahamas         242       October 1, 1996
>Barbados        246       July 1, 1996
>Antigua         268       April 1, 1996
>Cayman Islands  345       September 1, 1996
>Montserrat      664       July 1, 1996
>St. Lucia       758       July 1, 1996
>Puerto Rico     787       March 1, 1996
>St. Kitts/Nevis 869       October 1, 1996
>Jamaica         876       October 1, 1996 (conflicting reports-
>                          may still be 809)
>Bermuda now has the area code of 441.
>A few more countries will be changing their area codes in 1997:
>N. Commonwealth
>of Mariana Is.  670       July 1, 1997
>Dominica        767       October 1, 1997
>Trinidad &
>Tobago          868       June 1, 1997 (however, this may
>                          already have occurred according to AT&T)
>Several countries are keeping the 809 area code, such as the
>Dominican Republic, Grenada, Virgin Islands, Martinique, St. John
>(although St. John may change to 268), St. Thomas, and St. Vincent.
>(Please note: We spoke with three representatives at AT&T, and they
>all gave us slightly different information. For example, they varied
>on whether the effective date for Antigua's change was March 1 or
>April 1, 1996 and whether Jamaica has a new area code.  However, our
>concern is with the major concepts rather than with the specific
>And there's more.  AT&T supplied us with a long list of
>"pay-per-call" numbers.  The numbers on this list may include adult
>sex lines, resume lines, and other "pay-per-call" numbers.
>(Please note: this list does not include all of the "pay-per-call"
>numbers in the Caribbean - and there may be numbers included below
>that are not "pay-per-call" numbers.  Our purpose here is to warn
>readers of the scope of this problem.)
>Summary: Be very careful returning phone numbers to area codes you
>don't recognize, especially when you receive calls, emails or pages
>with urgent messages that you call these numbers.  Call your long
>distance phone company's operator to find out where the area code is
>located (or look it up on the net), and only call numbers that make
>sense to you.
>Two additional "pay-per-call" number scams:
>SCAM: Some 800 numbers reportedly roll over to "809" and other
>foreign "pay-per-call" numbers with little or no warning.
>A representative at AT&T warned us of a common scam she encounters.
>Here's how it works:  You see an ad on the Internet or in a newspaper
>for an overseas job opportunity as a "secret shopper" or a "mystery
>shopper." You call the listed 800 number to either learn more or to
>apply for the job.  You are left on hold for 15 to 20 minutes.  You
>are either warned that the call is being rolled over to a toll call,
>or you're not warned. However, even when people are warned, they
>don't realize that the roll over is to an international,
>"pay-per-call" number.  When you are finally connected, you're told
>all the positions have been filled.  When you receive your phone
>bill, you have a very large charge.
>SCAM: "809" and other "pay-per-call" numbers can be used to cheat
>businesses who offer fax back services.
>Thanks to Lee Jones, who alerted us to this scam: Many companies
>offer a computerized fax-back service where the company faxes
>requested documents to a phone number entered by the caller.  The
>caller can get the fax-back service to call back their "pay-per-call"
>number.  When the business calls this "pay-per-call" fax number to
>send the documents, they are charged the very inflated rates.  You
>should consider protecting your business from this scam by blocking
>area codes such as those listed above.
>An update on the Internet version on the 809 scam we described in the
>last issue of Internet ScamBusters:
>On October 8th, we looked up the domain name and ISP of "Global
>Communications," the company that had posted the "809" message we
>included in the last issue. We discovered that the domain name,
>demon.net, is owned by Demon Systems Limited, in London.  We tried
>calling Demon many times, but their phone was always busy.  We
>emailed them asking what they intended to do about this scam, but we
>received no reply (other than their automated response that they had
>received our email).
>We also searched the newsgroups to see whether they had posted any
>additional information.  We found three relevant posts. Here is part
>of the response from Mike Whitaker, Duty Postmaster, Demon Internet
>Ltd., postmaster@demon.net:
>This message originates from one of our customers and is clearly a
>'scam' to persuade people to call the number listed. Demon take a
>very dim view of such behaviour, and appropriate action is being
>Demon Internet has closed "Global Communications" account and is
>considering further action.
>You can be sure that "Global Communications" and other companies like
>them will be back soon with different names, phone numbers, email
>addresses and messages.  Again, it's not the specifics of this scam
>that are important - it's watching out for the general principles.
>Incidentally, if you're curious, several people called the 809 phone
>number "Global Communications" posted to discover what actually
>happened when you called.  Ryan J. Donmoyer, in MONEY Daily on
>October 9th, reports:
>"Callers to the number are led to believe they are talking to
>a live person, but in fact it is a clever recording that
>responds to the caller's voice. Among other things, an
>irate-sounding man with a British accent warns, 'Your
>check will come round or we'll come round to get it.' The
>recording seems designed to keep callers on the line as
>long as possible, and is reportedly billed at $25 per minute."
>Others reported that this "man" with a British accent kept telling
>them to hold on while he picked up other phone calls and supposedly
>yelled at his staff. He continued to yell at the callers as well,
>saying "send the money," and yelled into other ringing phones as long
>as the callers remained on the line.
>Corrections and Clarifications to Issue #8 Of Internet ScamBusters:
>- According to our sources at AT&T, the number listed in the email
>(809 496 2700) is located in the Dominican Republic, not in the
>British Virgin Islands or the Bahamas as we reported.
>- We had a typo in the last issue that implied that the Bahamas and
>the British Virgin Islands were the same country - obviously, that's
>not true. (Thanks to Kathryn Morris for pointing this out.)
>- Finally, we hope it goes without saying that we do not view all
>Caribbean businesses as fraudulent.  Obviously, most Caribbean
>businesses are honest.  Nor did we name the West Indian language as
>"broken English."  What we said was the person who answers the phone
>in these scams sometimes speaks broken English and pretends not to
>understand you to keep you on the line.  We certainly did not, and do
>not, view West Indian language as "broken English."
>A plug for our newsletter, NETrageous Results:  Stop
>wasting your time, effort and money on unsuccessful Internet
>marketing.  Visit  http://www.netrageous.com/netrageous.html
>BTW, we are often asked how we can publish Internet ScamBusters and
>yet sell stuff on the Net.  The answer is simple: We respect Internet
>culture, offer only very high quality products, and give exceptional
>guarantees on everything we offer.  We are passionate about helping
>businesses achieve outstanding success by providing tremendous
>value to customers.  At the same time, we're committed to helping
>people avoid getting ripped off by Internet scams,
>misinformation and hype.
>About Internet ScamBusters
>Internet ScamBusters is a free resource to
>benefit the commercial Internet community, published by Audri and
>Jim Lanford at NETrageous Inc.  Feel free to pass along the
>entire zine for non-commercial purposes - however, please do not
>remove the copyright notice.
>If you like Internet ScamBusters, please forward it along
>or tell your friends where they can subscribe
>-email to scambusters@svr.com or at http://www.scambusters.com
>We appreciate it!
>To UNSUBSCRIBE from Internet ScamBusters, send an e-mail to:
>scambusters@svr.com and write "unsubscribe" in the subject field.
>To SUBSCRIBE to Internet ScamBusters, send an e-mail to:
>scambusters@svr.com and write "subscribe" in the subject field.
>To receive a list of PAST ISSUES of Internet ScamBusters, send an
>e-mail to: scambusters@svr.com and write ISSUE in the subject field.
>To COMMENT on Internet ScamBusters, send an e-mail to:
>(Please do not send comments to this list by clicking reply.
>This is a one-way only mailing list.)
>We welcome your feedback.  Please send any questions, comments,
>stories about bad experiences, or  words of wisdom to help others NOT
>get ripped off  to comments@netrageous.com (anonymity guaranteed).
>The disclaimer located at http://www.scambusters.com/disclaimer.html
>applies to this zine.

Mon Nov 04 06:47:29 1996
From: Carolyn Meinel <>
Subject: HH: Reply to Guide

From: Damien Sorder <jericho@dimensional.com>

> More intro to TCP/IP: port surfing! Daemons! How to get on almost any
> computer without logging in and without breaking the law. Impress your

If you read the laws, I think you will find that even connecting to a port
with intention to gain access is in fact illegal.

(Moderator's note: I have to disagree vigorously on this point. A bunch
of us have had fun for years tweaking security "expert" Fred Cohen on this
point by surfing his all.net ports. The dread "telnet bomb":))

> clueless friends and actually discover kewl, legal, safe stuph. I'll bet
> se7en doesn't know how to do all this...

Begin flame war..

> from the run of the mill computer user is to learn how to port surf. I'll
> bet you won't find port surfing in a Unix manual.

You will find it in the lamest of security books actually.

> your friends will look at you and say, "Big deal. I can run programs, too."
> They will immediately catch on to the dirty little secret of the hacker
> world. Most hacking exploits are just lamerz running programs they picked up

The dirty little secret of the MEDIA hacker world.

> it is the only way to discover something new. There are only a few hundred
> hackers -- at most -- who discover new stuph. The rest just run canned
> exploits over and over and over again. Boring. But port surfing by hand
> is on the path to the pinnacle of hackerdom.

Curiosity: Have you ever written exploit code Carolyn? If so, could you
post it?

(Moderator's note: nope!)

> UDP       0     0  *(TFTP)                 *(*)

> So my lady friend wanted to try out another port. I suggested the finger
> port, number 79. So she gave the command:

Not the first choice of all haxors I guess. TFTP is usually pretty

> lets you give Unix commands. Or -- run Linux or some other kind of Unix on
> your PC and hook up to the Internet.

> Following are some of my favorite ports. It is legal and harmless to pay
> them visits so long as you don't figure out how to gain superuser status

any status. Any access to the system is illegal.

For those of you with linux or some other version of unix who would like
to know a little more about this.. look at your /etc/inetd.conf file. :)

Tue Nov 05 09:55:35 1996
From: Carolyn Meinel <>
Subject: HH: A possible, but stupid hack (fwd)

(Moderator's note: Greg, what happened to your "do not turn to the dark
side" admonition?;^D)

From: Greg Bulmash <gbhp@worldnet.att.net>
Subject: A possible, but stupid hack

Looking to make trouble.  Web TV offers the ability.

Go to your local electronics dealer... Circuit City, Fry's, Good Guys,
etc.  Pretend to be very interested.  Send yourself an e-mail.

You now have the e-mail address for their Web TV account.  What you
send them to possibly be revealed to an unsuspecting customer is up to
you.  I'm not sure if the e-mailer handles attachments, but if you
could send some of your favorite gif or .jpeg files...


|"If you can find a better deal, I'll eat my foot"  |
| -  Earl "Stumpy" Johnson's famous last words      |
|Greg Bulmash                  gbhp@worldnet.att.net|
|  Writing, Editing, DTP, Web Design & Sympathy     |
|             Check Out My Humor Zine               |
|          http://www.bulmash.com                      |

Sun Nov 10 21:57:08 1996
From: Carolyn Meinel <>
Subject: HH: Testing opportunities for weird pings

(Moderator's note: I have anonymized the poster. But if there is anyone
on this list with serious hacking skills, contact me and we may be able
to set you up with some experiments on this guy's network.)

On Mon, 4 Nov 1996, Carolyn P. Meinel wrote:

> At 09:32 AM 11/4/96 -0700, you wrote:
> >
> >What type of information are you looking for.  What exactly it does? (What
> >it does to the machine or if people are using it to down systems?)
> For starters, the bane of reporting on the Internet is hysterical hype.
> Bottom line: are denial of service attacks a growing threat? Is giant
> Windows 95 ping really a big deal? For example, some people say that these
> pings get fragmented when they go through routers (unless they crash the
> router itself). That would seem to limit the damage they can do.

Denial of service attacks are growing, but they require some knowledge to
use the programs to work and also equipment.  An ISP here in El Paso had
one of its users trying a Denial of service attack (ping flood), but his
program was configured wrong and he actually took out the ISP network.

The Win 95 bug is a big threat only for the local network.  Once the ping
hits a router it is no longer a threat.  We have been testing with all the
machines listed in the problems list.  We have found that once it went
past our router that there was no effect.  But if the machine were on this
side of it (local), the puter bit it big time.  This is a worry to us at
Universities because some of the student information is stored on these
boxes.  And since labs are set up with win 95 it could pose a threat.  But
with patches available it has been calmed down.

Denial of service is a last resort attack.  Most would like to gain access
to it rather than let no one access it.  But it could grow in the coming
months......if you can't hack it....jack it (let no one use it).  With
programs available in the public domain, anyone can be dangerous.  But
these attacks have not become a serious threat yet.

Most people don't have the bandwidth to be dangerous. Even a 28.8 PPP'd is
not a big threat unlike an ISDN line.

> Another issue is that flood pings are getting popular among hackers,
> probably because they are so trivial. It's a favorite way, supposedly, to
> zap  people off of IRC. With discovery of the Win 95 ping, I expect many
> more hackers will start exploring ways to tailor make their pings. I've
> already seen exploit code for FreeBSD, for example.

Yes codes out there but you need to have equipment to do it. This is what
makes the difference.  We have done some testing and you need to have a
network that can handle the traffic.  Plus some places have cutoff on a lot
of traffic coming from a port.  Once they start to flood the network, they
get shut off.

> It is alleged that a patch to make Solaris safe from the Win 95 ping also
> allows Solaris to generate flood pings using oversized datagrams.

I have not seen this yet.

> I'm not too bad with computers myself, so any code that enables tailor-made
> pings is interesting to me. My policy is that I won't write about a hack
> until I've tried it myself, albeit on computers whose owners consent!

I might be able to let you try on a system, but it would have to be a
controlled experiment.  We are interested in the results we gather.  I do
a lot of R&D here and this is one thing we are exploring.  We have a lot of
machines you could help us with.  But controlled in that it can be stopped so
we can gather information.  I would be willing to call you and find out
what you would like to try.

> If you want to see how I write on hacking, I have an article in the Nov.
> Internet Underground.

If interested please let me know.
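
The exchange above turns on oversized ping datagrams and what happens to them as fragments. As an added example (not part of the original posts and not taken from any vendor patch), the check below flags any IPv4 fragment whose offset plus length would push the reassembled datagram past the 65,535-byte IPv4 maximum, which is the condition a receiver or monitor can test per fragment. The function names and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MAX_DATAGRAM 65535u  /* largest total length IPv4 can express */

enum frag_verdict { FRAG_MALFORMED = -1, FRAG_OK = 0, FRAG_OVERSIZED = 1 };

/*
 * Inspect the IPv4 header at pkt[0..len). Only the header is needed, so the
 * check also works on truncated captures. The test applies to any protocol;
 * ICMP echo is just the case discussed on this page.
 */
enum frag_verdict check_fragment(const uint8_t *pkt, size_t len)
{
    unsigned ihl, total, frag_field, offset, payload;

    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;

    ihl   = (pkt[0] & 0x0fu) * 4u;               /* header length in bytes */
    total = ((unsigned)pkt[2] << 8) | pkt[3];    /* total length field */
    if (ihl < 20 || len < ihl || total < ihl)
        return FRAG_MALFORMED;

    frag_field = ((unsigned)pkt[6] << 8) | pkt[7];
    offset  = (frag_field & 0x1fffu) * 8u;       /* 13-bit offset, 8-byte units */
    payload = total - ihl;                       /* data carried by this fragment */

    /* Size the reassembled datagram would need to hold this fragment. */
    if (ihl + offset + payload > IPV4_MAX_DATAGRAM)
        return FRAG_OVERSIZED;
    return FRAG_OK;
}

/* Build a constructed 20-byte IPv4 header (protocol 1 = ICMP) for the samples. */
static void make_header(uint8_t h[20], unsigned total_len,
                        unsigned offset_units, int more_fragments)
{
    unsigned f = (offset_units & 0x1fffu) | (more_fragments ? 0x2000u : 0u);

    memset(h, 0, 20);
    h[0] = 0x45;                                 /* version 4, IHL 5 */
    h[2] = (uint8_t)(total_len >> 8);
    h[3] = (uint8_t)(total_len & 0xffu);
    h[6] = (uint8_t)(f >> 8);
    h[7] = (uint8_t)(f & 0xffu);
    h[8] = 64;                                   /* TTL */
    h[9] = 1;                                    /* ICMP */
}

/* Constructed sample traffic, not captured from any real network. */
struct sample { const char *label; unsigned total_len, offset_units; int mf; };

static const struct sample SAMPLES[] = {
    { "ordinary echo request, unfragmented",      84,    0, 0 },
    { "first fragment of a large datagram",     1500,    0, 1 },
    { "last fragment ending exactly at 65535",    23, 8189, 0 },
    { "last fragment running past 65535",       1500, 8189, 0 },
};

/* Run the check over the samples and return how many were flagged. */
int count_oversized_samples(void)
{
    uint8_t h[20];
    int hits = 0;
    size_t i;

    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        make_header(h, SAMPLES[i].total_len, SAMPLES[i].offset_units,
                    SAMPLES[i].mf);
        if (check_fragment(h, sizeof h) == FRAG_OVERSIZED)
            hits++;
    }
    return hits;
}

int main(void)
{
    uint8_t h[20];
    size_t i;

    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        make_header(h, SAMPLES[i].total_len, SAMPLES[i].offset_units,
                    SAMPLES[i].mf);
        printf("%-42s verdict=%d\n", SAMPLES[i].label,
               (int)check_fragment(h, sizeof h));
    }
    printf("flagged: %d\n", count_oversized_samples());
    return 0;
}
```

A fragment that fails this test can be dropped or logged before reassembly, so the check does not depend on how the sender produced it.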


Sun Nov 10 21:58:12 1996
From: Carolyn Meinel <>
Subject: HH: Scriptors of Doom

From: Scriptors of DOOM <sod@command.com.inter.net>


Hi again...

It's me...

Yup, it's Friday...

Yet another HP bug has arrived at the HP Bug of the Week.  That's
http://command.com.inter.net/~sod/ for those of you who haven't been
keeping track.


I guess you'll hafta come and take a look at it again now..



I bet you really wanna know what's broken this week... Probably, maybe..

Well, OK, I'll tell ya.  But you're not gonna like it..

I mean, really, you're gonna say "You've _got_ to be kidding me."



That program.. Well, it's rdist.


For 10.X..


It's really more of an implementation than an exploit, really, but hey,
whatever works, ya know?

So git yer ass on over to our little page care of us folk at SOD, where one
bug a week is the promise we keep, lest our souls get all icky and gross in
the murkiest swamp o' hell.



Well, Hi there!  It's me, your friend, yet again.  I'm just sitting here
sipping my Earl Gray with honey wondering how it is that you can rationalize
continuing your company without me.  Hmmmm.  Let me think.  If all those
logic courses I took back in college were any help at all, I should be able
to develop a rational argument for that.  Hmmmm.  Hmmmm.  Nope, don't think
I can right now.  The way I see it, you've got everything to gain and nothing
to lose except for a fiscal mass, of course.  Isn't a more secure operating
system WORTH a few measly million dollars??  Why, of course it is.  I knew
you'd see it my way.  And while you're seeing it my way, why don't you think
about getting me laid, too -- I'd *really* appreciate that, and believe me,
I'd show my gratitude.  So why not come browse your ass on over to that
little URL up there, and then maybe our attorneys will screw each other and
come up with a fair and reasonable offer that both of us will appreciate.

Sun Nov 10 21:58:22 1996
From: Carolyn Meinel <>
Subject: HH: CIAC Bulletin F-04: HP-UX Ping Vulnerability (fwd)

This CIAC bulletin is the *first* official warning of the killer ping
vulnerability.  Remember, you read about it from the Happy Hacker list
first, weeks ago!  If you are a new subscriber, you can see our web page
http://www.feist.com/~tqdb/evis-unv.html for details of exactly how this
attack is done -- and why it wouldn't be elite to do it.

If you think killer ping is bad, just imagine what attacks I'm *not*
telling you about on account of how hairy they are. Bottom line: the
Internet only stays in operation on account of the most elite of hackers
being good guys.

Carolyn Meinel
M/B Research -- The Technology Brokers

---------- Forwarded message ----------
Date: Sat, 9 Nov 1996 06:23:50 -0600
From: Bill Orvis <orvis@llnl.gov>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: CIAC Bulletin F-04: HP-UX Ping Vulnerability


                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                           HP-UX  Ping Vulnerability

November 4, 1996 11:00 GMT                                         Number H-04
PROBLEM:       A vulnerability exists with certain ICMP echo requests (ping)
               that can cause an HP-UX system to reboot.
PLATFORM:      HP-UX 9.x and 10.x
DAMAGE:        External users can cause a system to reboot.
SOLUTION:      Apply the system patches recommended by HP.
VULNERABILITY  Any unpatched HP-UX system that answers Ping requests can be
ASSESSMENT:    shut down by an external user.
                            HP-UX Ping Vulnerability

The following advisory was issued by Hewlett-Packard concerning the
vulnerability with incoming Ping packets. Users should follow the
instructions contained in this bulletin and install the indicated patch.
      HEWLETT-PACKARD SECURITY BULLETIN: #000040, 30 October 1996

Hewlett-Packard recommends that the information in the following
Security Bulletin should be acted upon as soon as possible. Hewlett-
Packard will not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this Security
Bulletin as soon as possible.

Permission is granted for copying and circulating this bulletin to
Hewlett-Packard (HP) customers (or the Internet community) for the
purpose of alerting them to problems, if and only if, the bulletin is
not edited or changed in any way, is attributed to HP, and provided such
reproduction and/or distribution is performed for non-commercial

Any other use of this information is prohibited. HP is not liable
for any misuse of this information by any third party.

PROBLEM:  Vulnerability with specific incoming ICMP Echo Request (ping)
PLATFORM: HP9000 Series 700 and 800 systems.
DAMAGE:   Vulnerability makes it possible for an external user to
          cause a system reboot.
SOLUTION: Apply the following patch:

          Patch Name(Platform/OS)   | Notes
          PHNE_9027 (s700 9.01)     : PHNE_7704 must first be installed
          PHNE_9028 (s700 9.03/5/7) : PHNE_7252 must first be installed
          PHNE_9030 (s700 10.00)    :             No patch dependencies
          PHNE_9032 (s700 10.01)    : PHNE_8168 must first be installed
          PHNE_9034 (s700 10.10)    : PHNE_8063 must first be installed
          PHNE_9036 (s700 10.20)    :             No patch dependencies
          PHNE_8672 (s800 9.00)     : PHNE_7197 must first be installed
          PHNE_9029 (s800 9.04)     : PHNE_7317 must first be installed
          PHNE_9031 (s800 10.00)    :             No patch dependencies
          PHNE_9033 (s800 10.01)    : PHNE_8169 must first be installed
          PHNE_9035 (s800 10.10)    : PHNE_8064 must first be installed
          PHNE_9037 (s800 10.20)    :             No patch dependencies

          Due to the critical nature of this defect, HP is introducing
          this as a non-cumulative patch.  As a result, in cases where
          a dependency exists, the current ARPA Transport cumulative
          patch will need to be installed first.  The two can be
          installed in the same session to minimize system downtime,
          but the prerequisite patch must be loaded first.
          Installation will fail if this is not the case.

AVAILABILITY: All patches are available now.

I. Update

   A. Problem description

   A recent mailing list disclosure described a vulnerability in which
   specific, illegally formatted, incoming ICMP Echo Request (ping)
   traffic could cause a system reboot on some HP9000 Series 700,
   and 800 systems running HP-UX releases 9.X and 10.X.  HP9000 Series
   300 and 400 systems have not been found to be vulnerable.

   B. Fixing the problem

   The vulnerability can be eliminated from HP-UX releases 9.X and 10.X
   by applying either one or two patches.

   C. How to Install the Patch:

     1.  Determine which patch(es) are appropriate for your hardware
         platform and operating system.

     2.  Hewlett-Packard's HP-UX patches are available via email
         and the World Wide Web

         To obtain a copy of the Hewlett-Packard SupportLine email
         service user's guide, send the following in the TEXT PORTION
         OF THE MESSAGE to support@us.external.hp.com (no Subject
         is required):

                               send guide

         The users guide explains the HP-UX patch downloading process
         via email and other services available.

         World Wide Web service for downloading of patches
         is available via our URL:

     3.  Apply the patch(es) to your HP-UX system.  In cases where
         a dependency exists, the current ARPA Transport cumulative
         patch will need to be installed first.  The two can be
         installed in the same session to minimize system downtime,
         but the prerequisite patch must be loaded first.  Installation
         will fail if this is not the case.

     4.  Examine /tmp/update.log (9.X), or /var/adm/sw/swinstall.log
         (10.X), for any relevant WARNINGs or ERRORs.

   D. Impact

   The patches for HP-UX releases 9.X and 10.X provide enhancements
   in the ARPA Transport stack to avoid this vulnerability.

   E. HP SupportLine

   To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP SupportLine mail service via electronic mail,
   send an email message to:

          support@us.external.hp.com   (no Subject is required)

   Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE,
   here are some basic instructions you may want to use:

   To add your name to the subscription list for new security bulletins,
   send the following in the TEXT PORTION OF THE MESSAGE:

          subscribe security_info

   To retrieve the index of all HP Security Bulletins issued to date,
   send the following in the TEXT PORTION OF THE MESSAGE:

          send security_info_list

   To get a patch matrix of current HP-UX and BLS security patches
   referenced by either Security Bulletin or Platform/OS, put the
   following in the text portion of your message:

          send hp-ux_patch_matrix

   World Wide Web service for browsing of bulletins is available via
   our URL:

          Choose "Support news", then under Support news,
          choose "Security Bulletins"

   F. To report new security vulnerabilities, send email to


   Please encrypt exploit information using the security-alert PGP
   key, available from your local key server, or by sending a
   message with a -subject- (not body) of 'get key' (no quotes) to

CIAC wishes to acknowledge the contributions of Hewlett Packard for the
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-42: Vulnerability in WorkMan Program
G-43: Vulnerabilities in Sendmail
G-44: SCO Unix Vulnerability
G-45: Vulnerability in HP VUE
G-46: Vulnerabilities in Transarc DCE and DFS
G-47: Unix FLEXlm Vulnerabilities
G-48: TCP SYN Flooding and IP Spoofing Attacks
H-01: Vulnerabilities in bash
H-02: SUN's TCP SYN Flooding Solutions
H-03: HP-UX_suid_Vulnerabilities

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

Sun Nov 10 21:58:29 1996

Subject: HH: Email forging tips
From: norzer@fastrans.net

Greetingz . I am new to this list so i dont know if this lil
secret (lame) has ever been brought to anyones attention..

It has to do w/ sending anony email over the net.. Of course, it is
never 100% anonymous when sending anony email using any technique..
Most everyone who knows how to send anony email can find out who's
sending anony email..   The following is just another method to send
anonymous email w/o having to go through all those pain in da ass
mail port programs..

This technique has to do w/ using Lynx (every unix geekz favorite web
browser).. I am assuming since you subscribe to this list you know
what Lynx is.. If not, telnet to your shell account and type "LYNX"
at the prompt and (hopefully) Unix will load up its all text web
browser*..  Next go to a page that has the persons email address on
it, then follow that (MAILTO:) link.. and LYNX will prompt you to enter
who the message is FROM.. so now you have the opportunity to enter
whatever email address you want..  Anyone who uses email programs
like Eudora, Pegasus, MS Mail, etc have no way of detecting this..
However, anyone who uses pines (Advanced Header Mode) can find out
where its coming from..

If the person you want to send an anony email to doesnt have a link
to their email on a web page that you know of.. You can do one of 2
 1) Create a web page yourself w/ a link to their email on it..
    (Should take 20 seconds)
 2) Lynx gives you the option to CC your message to multiple email
    addresses.. So you can just send the email to whoever
    (postmaster@aol.com maybe?? muhaha) and then just CC their mail
    address in the CC field..

 Well.. thatz basically it.. I will be putting up a page w/ all kinds
of cool useful facts, links, tools regarding all aspects of hacking,
corruption in america, Govt Secrets, etc.. Email me if you want me to
notify you when its up.. Laterz

*NOTE... This is also a way to get around the web a hell of a lot
quicker w/o having to load all those bandwidth hogging, annoying

Self Proclaimed Super Hero,
norzer (Ryan)
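
The post above notes that a reader who looks at the full headers can tell where a message with a typed-in From address really came from. As an added example (not part of the original post), this Python sketch walks the Received: chain of a constructed sample message and compares the host recorded by the receiving server with the domain claimed in From:. The sample message, all hostnames and the function names are assumptions, and the regex assumes sendmail-style Received lines.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page). The name after "from" is whatever
# the sender announced; the name and address in parentheses are what the
# receiving server itself recorded for the connection.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Sun, 10 Nov 1996 22:01:07 -0700
Received: from claimed.example (shell.isp.example [198.51.100.7])
\tby mx.recipient.example with SMTP; Sun, 10 Nov 1996 22:01:05 -0700
From: someone@claimed.example
To: reader@recipient.example
Subject: hello

body
"""

# announced name, recorded peer host, recorded peer IP, receiving host
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)", re.I)

def received_path(raw):
    """Return the relay hops oldest-first as 4-tuples (see HOP)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)          # \s+ also spans folded header lines
        if m:
            hops.append(m.groups())
    return list(reversed(hops))        # each relay prepends its own header

def origin_mismatch(raw):
    """Flag mail whose From: domain differs from the recorded first peer."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_path(raw)
    if not hops:
        return {"claimed": claimed, "origin": None, "mismatch": True}
    origin = hops[0][1].lower()        # recorded peer, not the announced name
    same = origin == claimed or origin.endswith("." + claimed)
    return {"claimed": claimed, "origin": origin, "mismatch": not same}
```

Only the Received: lines added by servers you control are trustworthy, since anything below them is supplied by the sender; a mismatch is a reason to look closer, not proof of forgery.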

Sun Nov 10 21:58:31 1996
From: Carolyn Meinel <>
Subject: HH: Phrack 49

From: Damien Sorder <jericho@dimensional.com>

> Here's another hacker ezine you may enjoy studying. It made the news this
> September for publishing the syn flood exploit, which unfortunately was
> used by a number of clueless wannabe hackers to take Panix and several
> other ISPs off-line for awhile.

Is that to say Daemon9 is a wannabe hacker for releasing it or something?
And how do you know those who did it were clueless? Or maybe they wrote
their own SYN flood code?

Just pointing out that you are quick to brand people as 'wannabe'.

(Moderator's note: In my book, anyone who uses a canned hacker tool such
as the Phrack syn flood exploit is a clueless wannabe. Did any of the
attackers write their own code? Well, it happens that the syn flood
attack has been known since at least 1984. Was it coincidence that a
bunch of syn flood attacks were launched just after the exploit code was
released by Phrack? So flame me if I'm being a big meanie.)

Sun Nov 10 21:58:32 1996
From: Carolyn Meinel <>
Subject: HH: More on syn flood attacks
From: se7en <se7en@dis.org>

On Sat, 9 Nov 1996, Damien Sorder wrote:

> Is that to say Daemon9 is a wannabe hacker for releasing it or something?
> And how do you know those who did it were clueless? Or maybe they wrote
> their own SYN flood code?

I have recruited Daemon9 onto my speaking circuit, and I'll tell you, he
is damn intelligent and very good at what he does. He identified himself
to NASA as the person behind SYN flooding code and exploits, and
demonstrated a version called Poseidon, which is far more lethal than the
Neptune version released to the public.

He explained in great detail why he developed the code and why he
released it. He is true to the hacker spirit by not backing down from
what he believes in. And he showed it once again by not releasing
Poseidon to the public.

Get a clue Carolyn. If anybody is a clueless wannabe, it is you. And yes,
I want this posted on your list.


Mon Nov 11 09:36:45 1996
From: Carolyn Meinel <>
Subject: HH: Linux experimental patches for big 'ping' pkt & SYN flood attacks (fwd)

From: long-morrow@CS.YALE.EDU

Linux experimental patches are now available for protection against
(1) big 'ICMP Echo' datagram (ala Windows 95) and
(2) SYN flood attacks.

via the URL:


- Morrow

Mon Nov 11 23:06:27 1996
From: Carolyn Meinel <>
Subject: HH: Windows security bugs

The question was raised on this list of whether Windows-based networks
should be of interest to hackers. Check this mail list out:


 © 2013 Happy Hacker All rights reserved.