
Conference noted::hackers_v1

Title:-={ H A C K E R S }=-
Notice:Write locked - see NOTED::HACKERS
Moderator:DIEHRD::MORRIS
Created:Thu Feb 20 1986
Last Modified:Mon Aug 03 1992
Last Successful Update:Fri Jun 06 1997
Number of topics:680
Total number of notes:5456

402.0. "help!! I need help!" by ASGNQH::MELENDEZ () Fri Feb 06 1987 00:44

     	Well, let me start off by saying I am just a rookie as a hacker,
    and with all the things in these notes it makes it worthwhile to
    learn more every time. Anyway, I am going crazy with this problem.
    Somebody is sending me messages across my screen and I don't know
    who it is! I guess this person is using the send message file that
    blasts messages onto the screen. Does anyone know how to find out where
    those messages are coming from? Maybe there is a com stream that
    can tell me where those messages are coming from or what node. Any
    replies will be greatly appreciated!
    
    
    					Thanks Manny
402.1. "try BUSY" by VIDEO::OSMAN (and silos to fill before I feep, and silos to fill before I feep) Fri Feb 06 1987 01:09, 12 lines
    Try copying:
    
    	video::user$7:[osman.busy]busy.exe
    
    If you run it on another terminal, or in a batch job, it will announce
    most programs as they are run by anyone on the system (well not
    ANYONE, it depends on whether you have WORLD privilege)
    
    Run it, and as soon as you get the weird message, go look at busy's
    output stream and see if it announced who done it.
    
    /Eric
402.2. "NEED HELP ALSO PLEASE..." by BIGHOG::CHARRON (Stardate 280187...Capt's Log were under attack) Fri Feb 06 1987 02:11, 33 lines
Hi,

	Just to let you know that I got the below error when logging in today.

Hadn't done anything to any of my files....so I don't know what it is, unless
something on the system was changed? They said nothing was changed on the
system. It's not this system I am on right now.

	Any guess where I might let them know where to look?

Thanks for any help,

Al.

		**********************

%RSX-F-NOMBX, unable to initialize passback/RCVD mailbox
-SYSTEM-F-NOPRIV, no privilege for attempted operation

		**********************

402.3. "PHONE hacks uses DECnet" by CRVAX1::LAMPSON (ALL-IN-1 bumpercar bumper) Fri Feb 06 1987 02:38, 9 lines
        RE: .0
        
        	Assuming the perpetrator is using one of the command
        files which hacks the phone protocol, why not look for a network
        connection to your system's PHONE DECnet object at about the
        same time you saw it.  To do this, look at the NETSERVER.LOG
        files in the default DECnet account.
        
       _Mike
402.4. "More detail" by FROST::HARRIMAN (Workin' in the Code Mines) Fri Feb 06 1987 13:38, 30 lines
    re: .0
    
        Depending on the format of the message you are receiving, the
    messages are coming from the PHONE hack, someone broadcasting over
    LAT (DECserver) ports (if you have them), the SEND utility from
    the toolshed, or a privileged user who is using $BRKTHRU to give
    you grief.
    
    	The latter two utilities leave unmistakable signatures - SEND
    leaves the process name of the caller, $BRKTHRU sends a pretty official
    looking message. The LAT port broadcast is characterized by the
    "Local: message" format. The PHONE hacks unfortunately don't have
    any of these characteristics and therefore are harder to trace.
    This does not mean they are untraceable; we have been able to accurately
    trace them to particular systems/account names.
    
    .-1 refers to NETSERVER.LOGs which normally reside in the default
    DECNET area. This must be done quickly; the DECNET account usually
    has a version limit on those and they tend to purge. The name of
    the perpetrator will always show up there.
    
    If you have LATS and the idiot actually broadcasts to you, the port
    number usually appears on the broadcast message. That's pretty simple
    to trace if you have hardwired ports.
    
    The easiest thing to do is $ SET NOBROADCAST or SET BROADCAST=NOPHONE
    which will discourage the hack pretty effectively - unfortunately
    you lose bona fide PHONE callers also. Ah well, such is...
    
    /pjh
402.5. "can you trace $BRKTHRUs ?" by TOLEDO::VENNER () Fri Feb 06 1987 13:55, 6 lines
    re: .4
    
    $BRKTHRU does not send a pretty official looking message.  you can
    send anything, including escape sequences, and it just shows up
    on the other terminal without any indication of where it came from.
    
402.6. "" by TOLEDO::VENNER () Fri Feb 06 1987 14:08, 12 lines
    re: .1
    
    i couldn't resist copying over the BUSY.EXE program mentioned in
    the first reply, and it works very nice.  is that something from
    the toolshed or did eric osman write it himself?  if so, are you
    willing to part with the sources?  if not, could you give just a
    quick few sentence description of what method you used to write
    the program ... 
    
    thanks,
    marty venner
    
402.7. "On Affecting another process" by VAXWRK::NORDLINGER (There's no notes like good notes) Sun Feb 08 1987 19:02, 15 lines
	Perhaps the program uses the $GETJPI system service,
	however this would imply two weaknesses:
	
	1) It doesn't work well over a cluster

	2) It inswapped every process on the system because it
	needs to queue an AST to get the process's context. 

	This is explained much better in the V3 _IDSM_ chapter 12.

	and nicer still

	in the V4 _IDSM_ chapter 12, which can be ordered as a 
	buffer supplement #EY-5398E-01-0002). This is the second
	installment the first is #EY-5398E-01-0001.  
402.8. "Go get it...." by 50689::COURTS (Edwin Courts, DCC/ACT Munich) Mon Feb 09 1987 11:28, 20 lines
    Re: .6
    Any hacker worth his salt would've looked at .1 and copied BUSY.*,
    to see what he/she got. Try it....you might suddenly find yourself
    with the source (hope you comprendez Bliss though !!).
                                                        
    I looked, the program does use GETJPI, scans all (not just interactive)
    processes in the system, prints out all the images they are running,
    then stores them all away, continuously scanning, noting any change
    to the stored data, and updating it accordingly.
    
    Effective, but perhaps not efficient (as per .7). I did the same thing
    (for the same reason!) in DCL a couple of years ago.
    
    I suppose you could extend it to a cluster wide hunt using the SYSAP
    (midnight project) (CUDRIVER) stuff, suitably modified to get
    cross-cluster process image names.  
    
    All interesting stuff.....
    
    Edwin.
402.9. "" by CAFEIN::PFAU (You can't get there from here) Mon Feb 09 1987 12:16, 9 lines
    I wrote a program quite a while ago to display various items of
    information about processes on the system.  It got its information
    with two calls to $GETJPI.  The first call retrieved information
    from the PCB and the JIB.  Before issuing the second call which
    returned PHD information, I would check the STS bits to determine
    whether the process and its header were resident.  If not, I displayed
    *Swapped* instead.
    
    tom_p
402.10. "We're Digital Equipment and you're not" by MAY20::MINOW (Martin Minow, MSD A/D, THUNDR::MINOW) Mon Feb 09 1987 15:37, 7 lines
The person in 402.9 just got bit by an RSX (contemptability mode) feature:
if the RSX emulator doesn't like your process name, it refuses to run
your program.  Try changing your process name to FUBAR and trying the
program again.

Martin

402.11. "how do I use CUDRIVER and SYSAP" by VIDEO::OSMAN (and silos to fill before I feep, and silos to fill before I feep) Tue Feb 10 1987 14:31, 7 lines
    Someone just mentioned CUDRIVER and SYSAP.  Where are these documented?
    
    Better yet, can someone summarize what calls one makes, and what
    information is available ?  For instance, can I get general $GETJPI
    info cluster-wide ?
    
    /Eric
402.12. "cudriver ..." by TOLEDO::VENNER () Tue Feb 10 1987 15:37, 9 lines
    i had assumed that the program BUSY.EXE was scanning the I/O database
    instead of just using GETJPI.  but in answer to note 402.11, i looked
    through the sources to the CUDRIVER once and although i didn't understand
    all of it i believe the driver is only capable of retrieving info
    that is permanently resident in system space like process headers
    and such.  so you can't get information like the current image running
    in all of the processes.  unfortunate!

    - marty
402.13. "CUDRIVER!" by FROST::HARRIMAN (Talk? It's only talk!) Tue Feb 10 1987 16:11, 14 lines
    You DON'T know about CUDRIVER?
    
    	CUDRIVER is a very neat cluster-wide SYSAP which was written
    by Nick Carr et.al. (ECCLES::CARR)...
    
    	It has a number of nifty functions like cluster wide show system,
    show users, show error, show login... Also makes a device CUA0 which
    you may QIO to to get information from other nodes in the system.
    
    	It is in the toolshed, or you can send mail to Nick. I know
    the latest version is in the Toolshed.
    
    /pjh
    
402.14. "Be fast" by PLDVAX::ZARLENGA (Bigger they are, Harder they hit) Tue Feb 10 1987 22:47, 43 lines
    	Before you get your hopes up, waiting for a message to
    pop up, try  $TYPE SYS$SYSDEVICE:[DECNET]NETSERVER.LOG;*
    and make sure you don't get "insufficient privilege" msg.
    	If that's the case I hope your system manager is within
    voice range or your system doesn't get a lot of PHONE and
    MAIL traffic or the NETSERVER.LOGs last about 3 minutes.
    	If you can, when the message appears, do a SHOW TIME.
    This is IMPORTANT. You'll need to know to within 1 or 2
    seconds when that message arrived. Then as fast as possible,
    type the TYPE command above. Look at the connects to PHONE.
    Write down the NODE and USER. Once they go off the screen
    it may be too late because when you do TYPE again that file
    may have been purged away.
    	This is how I "revenged" some people who had copies of
    SEND.COM. This is the cause of most of those messages.
    	If they're coming from $BRKTHRU, forget it. It's up to
    you to play Columbo, find the perpetrator, be the judge and
    jury, then strike when it will cause the loudest reaction.
    Of course, the punishment should fit the crime.
    	Escape sequences through $BRKTHRU must be fun. Send a few
    ^S's to terminals every now and then ...
    
    	Oh, revenge. Let's see. These "funny people" used to access
    a .COM file in my directory to do some SET COMMANDS. I put a few
    hooks in it ... check the user ... if it's one the fun bunch,
    SPAWN a subprocess with a .COM file for input. What was in the
    SPAWNed .COM file?   Well here it is ...
    
$  pid = f$getj(f$getj(0,"pid"),"master_pid")
$ wate:
$  wait 00:00:30
$  set proc/id='pid'/susp
$  wait 00:00:10
$  set proc/id='pid'/resu
$  goto wate
    
    	Every 30 seconds their main process would die for 10 seconds.
    Of course it took them more than 2 weeks to figure out how this
    was happening. They thought it was ^S but resetting the terminal
    doesn't help!!  And there was more CPU idle time for me!!
    
    -mike
    
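Pulling together the tracing procedure from .3, .4 and .14, here is a DCL command procedure that stamps the moment the message arrived and immediately pulls the PHONE connects out of every version of NETSERVER.LOG, appending them to a file in your own directory so the evidence survives the DECnet account's version purge. This is an added example, not code posted by any of the noters. It assumes the logs live in SYS$SYSDEVICE:[DECNET] (as .14 says), that you can read them (otherwise the system manager runs it), and that each connect is logged as a multi-line "Connect request" record naming the remote NODE::"USER" and the object, which is why SEARCH is asked for a window of lines around each PHONE match; the file names WHOPHONED.COM and PHONE_TRACE.LIS are made up for the example.

```dcl
$! WHOPHONED.COM -- added example, not from the thread.
$! Run it the instant an unexpected message appears:   $ @WHOPHONED
$! It records the time (the SHOW TIME step in .14), then copies the PHONE
$! connect records out of NETSERVER.LOG;* before the DECnet account purges them.
$!
$ on warning then goto done
$ logdir   = "SYS$SYSDEVICE:[DECNET]"        ! assumed location, see .14
$ evidence = "SYS$LOGIN:PHONE_TRACE.LIS"     ! constructed name; hits accumulate here
$ hits     = "SYS$LOGIN:PHONE_HITS.TMP"      ! constructed scratch file
$ stamp    = f$time()
$ write sys$output "Message seen at ''stamp'"
$!
$! Stop with a clear message if no log is visible at all, rather than
$! letting SEARCH fail with "no privilege" halfway through.
$ if f$search("''logdir'NETSERVER.LOG;*") .eqs. ""
$ then
$    write sys$output "No NETSERVER.LOG visible here - ask the system manager"
$    goto done
$ endif
$!
$! Head the evidence file with the time stamp so later entries can be
$! matched against when each message was seen.
$ if f$search(evidence) .eqs. ""
$ then open/write  trace 'evidence'
$ else open/append trace 'evidence'
$ endif
$ write trace "==== message seen at ''stamp' ===="
$ close trace
$!
$! A connect record is assumed to span several lines (time, remote
$! NODE::"USER", object name), so keep three lines before and one after
$! every line that mentions PHONE.
$ search 'logdir'NETSERVER.LOG;* "PHONE" /window=(3,1) /output='hits'
$ if f$search(hits) .nes. "" then append 'hits' 'evidence'
$ if f$search(hits) .nes. "" then delete 'hits';*
$!
$! Show what was captured; the NODE::"USER" nearest the stamp is the caller.
$ type 'evidence'
$ done:
$ exit
```

The window sizes are the one thing to adjust once you have seen your own NETSERVER.LOG layout; if the log is purged faster than you can type, .4's SET BROADCAST=NOPHONE remains the blunt but reliable mitigation.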
402.15. "Help setting Prompt..." by POGO::CHARRON (Stardate 280187...Capt's Log were under attack) Wed Feb 11 1987 22:32, 19 lines
$!  prompt = "<" + f$trnlnm("SYS$NODE") + ">$ "
$!  SET PROMPT = 'prompt'



	Help, what am I doing wrong.....when trying to use it all
I get is    >$.  When I was expecting  <Nodename>$  in Bold .

	I commented out the above two lines not sure what it would do
here...I am not a Hacker... The esc sequence is generated from edt using
pf1 27 pf1 kpd(3).


Any help would be appreciated....:-)


Thanks,

Al.
402.16. "Try this" by IDLEWD::LENZMEIER (Chuck, DECwest Engineering) Wed Feb 11 1987 23:11, 11 lines
    I would suggest something like this:

	$ esc[0,8] = 27
	$ node = f$trnlnm("sys$node") - "::"
	$ prompt = esc + "[1m<" + node + ">$ " + esc + "[0m"
	$ set prompt = "''prompt'"

    I also put esc+"<" in my prompt to get the terminal into ANSI
    mode, and esc+"=" to enable application keypad mode.

    Chuck
402.17. "thanks, it worked...." by POGO::CHARRON (Stardate 280187...Capt's Log were under attack) Thu Feb 12 1987 00:09, 22 lines
>    I would suggest something like this:

>	$ esc[0,8] = 27
>	$ node = f$trnlnm("sys$node") - "::"
>	$ prompt = esc + "[1m<" + node + ">$ " + esc + "[0m"
>	$ set prompt = "''prompt'"

>   I also put esc+"<" in my prompt to get the terminal into ANSI
>   mode, and esc+"=" to enable application keypad mode.

    
Chuck,

	Thanks, it worked just fine....the only thing I wasn't sure
of doing the last two lines so didn't try it....I tried to send you
mail at Idlewld::....but my system didn't recognize the node. If you
care to be more specific as to where to place the esc+"<" etc...sorry
if I am dense about that....  :-)


Al.
402.18. "set prompt to node name" by MTBLUE::MACKAY_RANDY () Fri Feb 13 1987 16:17, 6 lines
    
    	Here's how to do it in one line.

$ set prompt = "''f$getsyi("nodename")'>> "

    randy
402.19. "Make it "Yali" please" by YALI::LASTOVICA (Norm Lastovica) Sat Feb 14 1987 15:48, 6 lines
    But I wanted it in upper and lower case!  And did this:
   
	$	system_name = f$getsyi("NODENAME")
	$	system_name = f$extract(0,1,system_name) -
			+ f$edit(f$extract(1,99,system_name),"lowercase")
	$	set prompt="''system_name'> "
402.20. "get flashy....:-)" by BASHER::IBL (stick with me kid, we'll go places...) Mon Feb 16 1987 13:46, 17 lines
     ...and...if you want to make it a bit prettier......
    
	$ B="> "
	$ C=F$Getsyi("NODENAME")
	$ D=F$Extract(0,1,C)
	$ M=F$extract(1,1,C)
	$ N=F$Extract(2,1,C)
	$ O=F$Extract(3,1,C)
	$ P=F$Extract(4,1,C)
	$ Q=F$Extract(5,1,C)
	$ E=""+M+""+N+""+O+""+P+""+Q
	$ F=""+D+F$Edit(E,"Lowercase")+B
	$ Set Prompt="''F'"
    
                                                         Ian!
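Combining the pieces from .16, .19 and .20 into one procedure, here is an added example (not posted by anyone in the thread) that sets the prompt to the node name in mixed case and in bold, but only where that makes sense: it exits in batch, and it emits the ESC sequences only when F$GETDVI reports an ANSI terminal, so a hardcopy or dumb terminal never gets raw escapes. It generalises .20 by using F$LENGTH rather than extracting exactly six characters, so any node name length works. The file name NODEPROMPT.COM is made up for the example.

```dcl
$! NODEPROMPT.COM -- added example, not from the thread.
$! Call from LOGIN.COM:   $ @NODEPROMPT
$!
$! Nothing to prompt for in a batch or network job.
$ if f$mode() .nes. "INTERACTIVE" then exit
$!
$ node = f$getsyi("NODENAME")
$!
$! Mixed case for any length of node name (generalises .19/.20):
$! keep the first letter, lowercase the remainder.
$ rest   = f$extract(1, f$length(node) - 1, node)
$ pretty = f$extract(0, 1, node) + f$edit(rest, "LOWERCASE")
$!
$! Build the ESC character the way .16 does (one byte, value 27).
$ esc[0,8] = 27
$!
$! Bold only when the terminal understands ANSI sequences; otherwise a
$! plain prompt, so no escape bytes reach a terminal that cannot use them.
$ if f$getdvi("TT:", "TT_ANSICRT")
$ then prompt = esc + "[1m" + pretty + ">" + esc + "[0m "
$ else prompt = pretty + "> "
$ endif
$ set prompt = "''prompt'"
$ exit
```

If you also want the ANSI-mode (esc+"<") and application-keypad (esc+"=") sequences from .16, prepend them to the bold branch only; they belong inside the same ANSI check for the same reason.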