From: nobody@shell.portal.com
To: cypherpunks@toad.com
Message Hash: 40348f96980461aeb92450f12eb476c737ebe201de43b586f704a9631b4bcbe9
Message ID: <199401230821.AAA06774@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-01-23 08:30:07 UTC
Raw Date: Sun, 23 Jan 94 00:30:07 PST
From: nobody@shell.portal.com
Date: Sun, 23 Jan 94 00:30:07 PST
To: cypherpunks@toad.com
Subject: anonymous mail
Message-ID: <199401230821.AAA06774@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain
ALL THE EFFORTS SEEMS FINALLY TO GET THE TENTACLE LD ATTENTION...
KEEP IT UP CYPHERPUNKS!!!... ANARCHY IS WINNING...
LOVE
MEDUSA
P.S. TO LD...
THE FOLLOWING SHOULD REALLY TURN YOU ON...
finger ld231782@longs.lance.colostate.edu
[longs.lance.colostate.edu]
Login name: ld231782 In real life: L. Detweiler
Office: Home phone: 498-8278
Directory: /users/UNGRAD/ES/ld231782 Shell: /bin/tcsh
Most recent logins:
dolores Fri Jan 21 16:16
keller Sat Jan 22 16:09
Never logged in.
No Plan.
JUST DOING SOME RESEARCH VIA NIC WE FIND THAT THE MACHINE
Non-authoritative answer:
Name: longs.lance.colostate.edu
Address: 129.82.109.16
> set type=mx
> longs.lance.colostate.edu
longs.lance.colostate.edu preference = 0, mail exchanger = longs.lance.col
ostate.edu
longs.lance.colostate.edu preference = 10, mail exchanger = yuma.acns.colo
state.edu
longs.lance.colostate.edu internet address = 129.82.109.16
yuma.acns.colostate.edu internet address = 129.82.100.64
acns.colostate.EDU nameserver = yuma.acns.ColoState.EDU
acns.colostate.EDU nameserver = lamar.ColoState.EDU
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64
lamar.ColoState.EDU internet address = 129.82.103.75
lamar.ColoState.EDU preference = 10, mail exchanger = lamar.ColoState.EDU
lamar.ColoState.EDU preference = 20, mail exchanger = yuma.ACNS.ColoState.ED
U
lamar.ColoState.EDU internet address = 129.82.103.75
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64
and a traceroute to LDs favorite posting machine
the return times indicate that my end is a 9.6 ppp connection 2 hops away
from 4. Note also I didnt query intervening routers and hosts for
information.
Upstream hosts and/or routers may also be compromisable...
4 cix-west2.cix.net (149.20.3.3) 310 ms 260 ms 290 ms
5 ans.cix.net (149.20.5.2) 280 ms 280 ms 280 ms
6 en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5) 270 ms 290 ms 270 ms
7 mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222) 280 ms 320 ms 290 ms
8 t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2) 300 ms 290 ms 300 ms
9 t3-0.Denver-cnss96.t3.ans.net (140.222.96.1) 310 ms 300 ms 310 ms
10 mf-0.Denver-cnss97.t3.ans.net (140.222.96.193) 310 ms 290 ms 310 ms
11 t3-0.enss141.t3.ans.net (140.222.141.1) 300 ms 300 ms 310 ms
12 cu-gw.ucar.edu (192.52.106.4) 300 ms 410 ms 310 ms
13 ucb-ncar.CO.westnet.net (129.19.254.46) 310 ms 129.19.248.62 (129.19.248.62
) 320 ms 330 ms
14 csu-ucb.CO.westnet.net (129.19.254.102) 340 ms 320 ms 340 ms
15 csu-gw-2.UCC.ColoState.EDU (129.82.103.2) 310 ms 450 ms 310 ms
16 longs.lance.colostate.edu (129.82.109.16) 350 ms 330 ms 320 ms
WELL WHAT DOES THIS TELL US TECHNICALLY SO FAR... THERE
IS MOST LIKELY NO EFFECTIVE FIREWALL PROTECTION BETWEEN LD'S FAVORITE MACHINE
AND THE OUTSIDE WORLD AS TRACEROUTE USES UDP PROBES ON RANDOM PORTS.
NO INCOMING UDP BLOCKAGE GENERALLY INDICATES THE SECURITY
OF THAT MACHINE IS NOT DEPENDENT ON PROXY/PACKET FILTERING TYPE ROUTERS AND
FIREWALLED DOMAINS
ADDITIONALLY A ISS LOG RUN VIA
iss -p 129.82.109.16
SHOWED THE FOLLOWING RESULTS :
--> Inet Sec Scanner Log By Christopher Klaus (C) 1993 <--
Email: cklaus@hotsun.nersc.gov coup@gnu.ai.mit.edu
================================================================
Host 129.82.109.16, Port 11 opened. systat udp/tcp users
Host 129.82.109.16, Port 13 opened. daytime udp/tcp
Host 129.82.109.16, Port 17 opened. qotd tcp quote
Host 129.82.109.16, Port 21 opened. ftp tcp
Host 129.82.109.16, Port 23 opened. telnet tcp
Host 129.82.109.16, Port 25 opened. smtp tcp
Host 129.82.109.16, Port 37 opened. time udp/tcp
Host 129.82.109.16, Port 53 opened. domain udp/tcp
Host 129.82.109.16, Port 79 opened. finger tcp
Host 129.82.109.16, Port 109 opened. pop-2 tcp Post Office Protocol
Host 129.82.109.16, Port 110 opened. pop-3
Host 129.82.109.16, Port 111 opened. sunrpc udp/tcp JACKPOT!!!!!!
Host 129.82.109.16, Port 119 opened. nntp tcp
Host 129.82.109.16, Port 210 opened. THIS ONE IS UNUSUAL? i shows closed by foreign host
Host 129.82.109.16, Port 512 opened. biff/exec udp/tcpf
Host 129.82.109.16, Port 513 opened. who/login udp/ tcp
Host 129.82.109.16, Port 514 ("shell" service) opened. syslog/shell udp/tcp
Host 129.82.109.16, Port 515 opened. syslog/printer udp/tcp
Host 129.82.109.16, Port 593 opened. refuses telnet(udp connection) research...
Host 129.82.109.16, Port 704 opened. accepts telnet connection(tcp) echos...
Host 129.82.109.16, Port 1024 opened. accepts telnet connection(tcp)
Host 129.82.109.16, Port 1025 opened. listener RFS remote_file_sharing
Host 129.82.109.16, Port 1031 opened.
Host 129.82.109.16, Port 1032 opened. tcp
Host 129.82.109.16, Port 1033 opened. not checked
Host 129.82.109.16, Port 1034 opened. not checked
Host 129.82.109.16, Port 1035 opened. not checked
Host 129.82.109.16, Port 1036 opened. not checked
Host 129.82.109.16, Port 5599 opened. not checked
Host 129.82.109.16, Port 6667 opened. not checked
THE SCAN WAS TERMINATED AT THIS POINT. IN THE ABOVE LIST
WE FIND SEVERAL GEMS THE BEST OF WHICH IS
SUNRPC :)... so next of course
rpcinfo -p longs.lance.colostate.edu
program vers proto port
100004 2 udp 1029 ypserv
100004 2 tcp 1024 ypserv
100004 1 udp 1029 ypserv
100004 1 tcp 1024 ypserv
100007 2 tcp 1025 ypbind
100007 2 udp 1038 ypbind
100007 1 tcp 1025 ypbind
100007 1 udp 1038 ypbind
100005 1 udp 1071 mountd
100005 1 tcp 1031 mountd
100003 2 udp 2049 nfs
100024 1 udp 1081 status
100024 1 tcp 1032 status
100008 1 udp 1087 walld
100021 1 tcp 1033 nlockmgr
100021 1 udp 1092 nlockmgr
100021 3 tcp 1034 nlockmgr
100021 3 udp 1096 nlockmgr
100020 1 udp 1099 llockmgr
100020 1 tcp 1035 llockmgr
100021 2 tcp 1036 nlockmgr
150001 1 udp 1127 pcnfsd
300019 1 udp 1022
200002 1 udp 1956
whether running regular or secure RPC(the latter requires nfscrack
to crack the secret exponent) this machine is most likely a sparc or compatible
running a given version of SUNOS 4.1.X?(check HINFO if available.)
a check should be made to see which network security patchs
have been applied to this host.
A probe of longs.lance.colostate.edu smtp port :
longs.lance.colostate.edu Sendmail 8.6.4/8.6.4 (LANCE 1.00) ready at xxx,xx2
xxx xxxx xx:xx:xx -xxxx
220 ESMTP spoken here
VRFY ld231782
250 L. Detweiler <ld231782@longs.lance.colostate.edu>
EXPN ld231782
502 That's none of your business
quit
221 longs.lance.colostate.edu closing connection
OK SO FAR SO GOOD HIS MACHINE SHOWS A FAIRLY SECURE SMTP DAEMON.
EXAMINATION OF THAT REVISION AND SOURCE OF SENDMAIL IS
STILL UNDER QUESTION BECAUSE THE CURRENT VERSION 8.65 ADDS EVEN MORE SECURITY
PATCHES
CHECKING FOR ANONYMOUS FTP WE FIND:
Check for anonymous FTP service
connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19
90) ready.
Name (129.82.109.16:root): anonymous
530 User anonymous unknown.
Login failed.
ftp> quit
500 'SYST': command not understood.
# ftp 129.82.109.16
Connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19
90) ready.
Name (129.82.109.16:root): ftp
530 User ftp unknown.
Login failed.
ftp> quit
500 'SYST': command not understood.
DETWEILER YOU HAVE BEEN A HYPOCRITE, LIAR AND SCONDREL,
HOWEVER TO REMAIN PROPERLY SENSITIVE TO A NON COMPOS MENTIS
I WILL GIVE YOU A CHANCE TO APOLGIZE BEFORE I HAVE MY TENTACLES
FORM FOR THEIR NEXT ASSAULT. IF YOU DO NOT APLOGIZE
YOU WILL REGRET THE RESULTS OF YOUR ACTIONS.
I AM NOT TOYING AROUND WITH YOU ANY FURTHER . WE ARE HAVING
TENTACLE WHO ARE INFORMATION BROKERS PASSING EVERYTHING WE KNOW ABOUT
YOU TO FEDERAL LAW ENFORCEMENT AND THE AGGRIEVED AND ABUSED PARTIES.
CEASE AND DESIST!
LOVE
MEDUSA
P.S. A ANONYMOUS REMAILER BLOCK TO SEND YOUR APOLGY TO ME FOLLOWS
I MUST HAVE THAT APOLOGY IMMEDIATELY OR FURTHER ACTIONS WILL FOLLOW!
--------8<--cut here-->8--------
::
Encrypted: PGP
-----BEGIN PGP MESSAGE-----
Version: 2.3a
hEwCKlkQ745WINUBAf0Z/wGHrYOMJy7+1M6DSrFtnvVEbEH3Kbi/k04MOgbIhTr+
8HSWOdI6MCl0qHCbB9B+0NZILAsY06dJL5F3L2d3pgAAAVcg0HAS0/wC6qvGO3DL
OzAvOYuUJW0nPLiYYDfotcPYc4ndxLQ/p1FDXc8reECJgrFbjBm2nuMVPNDoI+ba
u93u/sWUHwrZdiVphz0RWzmY+qJb0IlKkoTWBX0Bcz8TzUEVbnhnbOSQfyqAP0Tz
PmoKND1VC2HlPstrd7/20iY4CAxh1bUs+f/ZlOThiHnLPAOXpIb3CWv6dqiNV3Zc
iSaF/AcJr29L/ij27zykuNPRXKvZasNUy2fpPYgtt01/NO3XK9f0E3NyCJJirTa0
rOh0P6j93a1mLaDFXtrMIBA+zOgLetslrgedrpz0qipDS/EHfef635adB8S3UjB6
EgozJG7LSamw2LKZAC6nqzeuGcu5RI61jeLjv4Mf2IkE5WHppCgUyOVLv4/gWyR/
K65K6kyWji+XcBRcQZTe48IthsaR7LJHDabeE6Ha8wqoEPlbOCudIWKd
=AZpv
-----END PGP MESSAGE-----
<To reply, save everything below the "cut here" marks above
<into another file. Type your reply here (below the blank
<line three lines above!) and mail to hfinney@shell.portal.com
Return to January 1994
Return to “nobody@shell.portal.com”
1994-01-23 (Sun, 23 Jan 94 00:30:07 PST) - anonymous mail - nobody@shell.portal.com