1994-01-23 - anonymous mail

Header Data

From: nobody@shell.portal.com
To: cypherpunks@toad.com
Message Hash: 5bfb95661fab07c3046c28cb917f2444692788c5cdbbc07cc40dfda5b01fbfa2
Message ID: <199401230821.AAA06745@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-01-23 08:28:24 UTC
Raw Date: Sun, 23 Jan 94 00:28:24 PST

Raw message

From: nobody@shell.portal.com
Date: Sun, 23 Jan 94 00:28:24 PST
To: cypherpunks@toad.com
Subject: anonymous mail
Message-ID: <199401230821.AAA06745@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


ALL THE EFFORTS SEEMS FINALLY TO GET THE TENTACLE LD ATTENTION...
KEEP IT UP CYPHERPUNKS!!!... ANARCHY IS WINNING...



     LOVE
     MEDUSA
P.S. TO LD...
THE FOLLOWING SHOULD REALLY TURN YOU ON...

finger ld231782@longs.lance.colostate.edu

[longs.lance.colostate.edu]
Login name: ld231782                    In real life: L. Detweiler
Office:                         Home phone: 498-8278
Directory: /users/UNGRAD/ES/ld231782    Shell: /bin/tcsh
Most recent logins:
        dolores      Fri Jan 21 16:16
        keller       Sat Jan 22 16:09
Never logged in.
No Plan.

JUST DOING SOME RESEARCH VIA NIC WE FIND THAT THE MACHINE
Non-authoritative answer:
Name:    longs.lance.colostate.edu
Address:  129.82.109.16

> set type=mx
> longs.lance.colostate.edu

longs.lance.colostate.edu       preference = 0, mail exchanger = longs.lance.col
ostate.edu
longs.lance.colostate.edu       preference = 10, mail exchanger = yuma.acns.colo
state.edu
longs.lance.colostate.edu       internet address = 129.82.109.16
yuma.acns.colostate.edu internet address = 129.82.100.64
acns.colostate.EDU      nameserver = yuma.acns.ColoState.EDU
acns.colostate.EDU      nameserver = lamar.ColoState.EDU
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64
lamar.ColoState.EDU     internet address = 129.82.103.75
lamar.ColoState.EDU     preference = 10, mail exchanger = lamar.ColoState.EDU
lamar.ColoState.EDU     preference = 20, mail exchanger = yuma.ACNS.ColoState.ED
U
lamar.ColoState.EDU     internet address = 129.82.103.75
yuma.ACNS.ColoState.EDU internet address = 129.82.100.64

and a traceroute to LDs favorite posting machine
the return times indicate that my end is a 9.6 ppp connection 2 hops away
from 4. Note also I didnt query intervening routers and hosts for
information.
Upstream hosts and/or routers may also be compromisable...

 4  cix-west2.cix.net (149.20.3.3)  310 ms  260 ms  290 ms
 5  ans.cix.net (149.20.5.2)  280 ms  280 ms  280 ms
 6  en-0.San-Francisco-cnss11.t3.ans.net (192.103.60.5)  270 ms  290 ms  270 ms
 7  mf-0.San-Francisco-cnss8.t3.ans.net (140.222.8.222)  280 ms  320 ms  290 ms
 8  t3-1.Seattle-cnss88.t3.ans.net (140.222.88.2)  300 ms  290 ms  300 ms
 9  t3-0.Denver-cnss96.t3.ans.net (140.222.96.1)  310 ms  300 ms  310 ms
10  mf-0.Denver-cnss97.t3.ans.net (140.222.96.193)  310 ms  290 ms  310 ms
11  t3-0.enss141.t3.ans.net (140.222.141.1)  300 ms  300 ms  310 ms
12  cu-gw.ucar.edu (192.52.106.4)  300 ms  410 ms  310 ms
13  ucb-ncar.CO.westnet.net (129.19.254.46)  310 ms 129.19.248.62 (129.19.248.62
)  320 ms  330 ms
14  csu-ucb.CO.westnet.net (129.19.254.102)  340 ms  320 ms  340 ms
15  csu-gw-2.UCC.ColoState.EDU (129.82.103.2)  310 ms  450 ms  310 ms
16  longs.lance.colostate.edu (129.82.109.16)  350 ms  330 ms  320 ms


WELL WHAT DOES THIS TELL US TECHNICALLY SO FAR... THERE
IS MOST LIKELY NO EFFECTIVE FIREWALL PROTECTION BETWEEN LD'S FAVORITE MACHINE
AND THE OUTSIDE WORLD AS TRACEROUTE USES UDP PROBES ON RANDOM PORTS.
NO INCOMING UDP BLOCKAGE GENERALLY INDICATES THE SECURITY
OF THAT MACHINE IS NOT DEPENDENT ON PROXY/PACKET FILTERING TYPE ROUTERS AND
 FIREWALLED DOMAINS

ADDITIONALLY A ISS LOG RUN VIA

iss -p 129.82.109.16

SHOWED THE FOLLOWING RESULTS :
  -->    Inet Sec Scanner Log By Christopher Klaus (C) 1993    <--
              Email: cklaus@hotsun.nersc.gov coup@gnu.ai.mit.edu
       ================================================================
Host 129.82.109.16, Port 11 opened. systat    udp/tcp    users
Host 129.82.109.16, Port 13 opened. daytime   udp/tcp 
Host 129.82.109.16, Port 17 opened. qotd      tcp        quote
Host 129.82.109.16, Port 21 opened. ftp       tcp          
Host 129.82.109.16, Port 23 opened. telnet    tcp
Host 129.82.109.16, Port 25 opened. smtp      tcp
Host 129.82.109.16, Port 37 opened. time      udp/tcp
Host 129.82.109.16, Port 53 opened. domain    udp/tcp
Host 129.82.109.16, Port 79 opened. finger    tcp
Host 129.82.109.16, Port 109 opened. pop-2      tcp Post Office Protocol
Host 129.82.109.16, Port 110 opened. pop-3 
Host 129.82.109.16, Port 111 opened. sunrpc   udp/tcp JACKPOT!!!!!! 
Host 129.82.109.16, Port 119 opened. nntp     tcp
Host 129.82.109.16, Port 210 opened. THIS ONE IS UNUSUAL? i shows closed by foreign host
Host 129.82.109.16, Port 512 opened. biff/exec udp/tcpf
Host 129.82.109.16, Port 513 opened. who/login  udp/ tcp 
Host 129.82.109.16, Port 514  ("shell" service) opened. syslog/shell  udp/tcp
Host 129.82.109.16, Port 515 opened. syslog/printer    udp/tcp
Host 129.82.109.16, Port 593 opened. refuses telnet(udp connection) research...
Host 129.82.109.16, Port 704 opened. accepts telnet connection(tcp) echos...
Host 129.82.109.16, Port 1024 opened. accepts telnet connection(tcp)
Host 129.82.109.16, Port 1025 opened. listener RFS remote_file_sharing
Host 129.82.109.16, Port 1031 opened.
Host 129.82.109.16, Port 1032 opened. tcp
Host 129.82.109.16, Port 1033 opened. not checked
Host 129.82.109.16, Port 1034 opened. not checked
Host 129.82.109.16, Port 1035 opened. not checked
Host 129.82.109.16, Port 1036 opened. not checked
Host 129.82.109.16, Port 5599 opened. not checked
Host 129.82.109.16, Port 6667 opened. not checked

THE SCAN WAS TERMINATED AT THIS POINT. IN THE ABOVE LIST
WE FIND SEVERAL GEMS THE BEST OF WHICH IS
SUNRPC   :)... so next of course

 rpcinfo -p longs.lance.colostate.edu
   program vers proto   port
    100004    2   udp   1029  ypserv
    100004    2   tcp   1024  ypserv
    100004    1   udp   1029  ypserv
    100004    1   tcp   1024  ypserv
    100007    2   tcp   1025  ypbind
    100007    2   udp   1038  ypbind
    100007    1   tcp   1025  ypbind
    100007    1   udp   1038  ypbind
    100005    1   udp   1071  mountd
    100005    1   tcp   1031  mountd
    100003    2   udp   2049  nfs
    100024    1   udp   1081  status
    100024    1   tcp   1032  status
    100008    1   udp   1087  walld
    100021    1   tcp   1033  nlockmgr
    100021    1   udp   1092  nlockmgr
    100021    3   tcp   1034  nlockmgr
    100021    3   udp   1096  nlockmgr
    100020    1   udp   1099  llockmgr
    100020    1   tcp   1035  llockmgr
    100021    2   tcp   1036  nlockmgr
    150001    1   udp   1127  pcnfsd
    300019    1   udp   1022
    200002    1   udp   1956


 whether running regular or secure RPC(the latter requires nfscrack
to crack the secret exponent) this machine is most likely a sparc or compatible
running a given version of SUNOS 4.1.X?(check HINFO if available.)
 a check should be made to see which network security patchs
have been applied to this host.

A probe of longs.lance.colostate.edu smtp port :
longs.lance.colostate.edu Sendmail 8.6.4/8.6.4 (LANCE 1.00) ready at xxx,xx2
 xxx xxxx xx:xx:xx -xxxx
220 ESMTP spoken here
VRFY ld231782
250 L. Detweiler <ld231782@longs.lance.colostate.edu>
EXPN ld231782
502 That's none of your business
quit
221 longs.lance.colostate.edu closing connection


OK SO FAR SO GOOD HIS MACHINE SHOWS A FAIRLY SECURE SMTP DAEMON.
EXAMINATION OF THAT REVISION AND SOURCE OF SENDMAIL IS
STILL UNDER QUESTION BECAUSE THE CURRENT VERSION 8.65 ADDS EVEN MORE SECURITY
PATCHES 
CHECKING FOR ANONYMOUS FTP WE FIND:



 Check for anonymous FTP service

connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19
90) ready.
Name (129.82.109.16:root): anonymous
530 User anonymous unknown.
Login failed.
ftp> quit
500 'SYST': command not understood.
# ftp 129.82.109.16
Connected to 129.82.109.16.
220 longs.lance.colostate.edu FTP server (Version 4.1 Sun Mar 25 22:59:11 EST 19
90) ready.
Name (129.82.109.16:root): ftp
530 User ftp unknown.
Login failed.
ftp> quit
500 'SYST': command not understood.


DETWEILER YOU HAVE BEEN A HYPOCRITE, LIAR AND SCONDREL,
HOWEVER TO REMAIN PROPERLY SENSITIVE TO A NON COMPOS MENTIS
I WILL GIVE YOU A CHANCE TO APOLGIZE BEFORE I HAVE MY TENTACLES
FORM FOR THEIR NEXT ASSAULT. IF YOU DO NOT APLOGIZE
YOU WILL REGRET THE RESULTS OF YOUR ACTIONS.
I AM NOT TOYING AROUND WITH YOU ANY FURTHER . WE ARE HAVING
TENTACLE WHO ARE INFORMATION BROKERS PASSING EVERYTHING WE KNOW ABOUT
YOU TO FEDERAL LAW ENFORCEMENT AND THE AGGRIEVED AND ABUSED PARTIES.
CEASE AND DESIST!

       LOVE
       MEDUSA
P.S. A ANONYMOUS REMAILER BLOCK TO SEND YOUR APOLGY TO ME FOLLOWS
I MUST HAVE THAT APOLOGY IMMEDIATELY OR FURTHER ACTIONS WILL FOLLOW!

--------8<--cut here-->8--------
::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.3a

hEwCKlkQ745WINUBAf0Z/wGHrYOMJy7+1M6DSrFtnvVEbEH3Kbi/k04MOgbIhTr+
8HSWOdI6MCl0qHCbB9B+0NZILAsY06dJL5F3L2d3pgAAAVcg0HAS0/wC6qvGO3DL
OzAvOYuUJW0nPLiYYDfotcPYc4ndxLQ/p1FDXc8reECJgrFbjBm2nuMVPNDoI+ba
u93u/sWUHwrZdiVphz0RWzmY+qJb0IlKkoTWBX0Bcz8TzUEVbnhnbOSQfyqAP0Tz
PmoKND1VC2HlPstrd7/20iY4CAxh1bUs+f/ZlOThiHnLPAOXpIb3CWv6dqiNV3Zc
iSaF/AcJr29L/ij27zykuNPRXKvZasNUy2fpPYgtt01/NO3XK9f0E3NyCJJirTa0
rOh0P6j93a1mLaDFXtrMIBA+zOgLetslrgedrpz0qipDS/EHfef635adB8S3UjB6
EgozJG7LSamw2LKZAC6nqzeuGcu5RI61jeLjv4Mf2IkE5WHppCgUyOVLv4/gWyR/
K65K6kyWji+XcBRcQZTe48IthsaR7LJHDabeE6Ha8wqoEPlbOCudIWKd
=AZpv
-----END PGP MESSAGE-----

<To reply, save everything below the "cut here" marks above
<into another file.  Type your reply here (below the blank 
<line three lines above!) and mail to hfinney@shell.portal.com





Thread