F O R C E   F I L E S   Volume #5
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From The Depths Of - THE REALM -, By: ----====} THE FORCE {====----   08/06/87
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

UNIX
----

Unix systems have got a lot, and I mean a lot, of defaults. The major ones are:

    who/who, uucp/uucp, daemon/daemon, tty/tty, test/test, bin/bin,
    adm/adm, nuucp/nuucp, learn/learn, sys/sys, root/root, uuhost/uuhost,
    games/games, root/system, trouble/trouble

There are others, which you will have to find in the UNIX scan which is about to follow. Another very good use of Unix machines is the outdial facility that most of them are equipped with. Just type 'man cu' once in, for more information. Again, there are a lot of files on UNIX machines, so I won't go into any great detail of its workings. (Well, to tell the truth, I am not all that hot when it comes to technical info on this system.) The following is a root library taken from a UNIX V, containing all the recognised defaults, commands etc.
Brought to you By: BOBO

$ ls /*

[Directory listing of /, /bin, /boot, /dev, /dgn, /etc, /instal, /install, /lib, /lost+found, /mnt, /root, /save, /tmp and /usr]
Now just you try and go through all that, hehehe.

PRIMENETS, DIALCOM - PRIMOS
---------------------------

This is where the fun is, and these are my favourite systems, as you are about to find out.

PRIMOS DEFAULTS
~~~~~~~~~~~~~~~

Primenets, Dialcoms and other systems running Primos all have default accounts. They are not unique to all the systems, but rather to different versions of Primos. The most common ones include:

    TEST/TEST, TEST/PRIME, GAMES/GAMES, DEMO/DEMO, SYSTEM/SYSTEM, HELP/HELP,
    NETMAN, DUMMY

PRIMOS SUBDIRECTORIES
~~~~~~~~~~~~~~~~~~~~~

Primos has a large number of subdirectories, where system files are kept along with other various information. A lot of them are password protected, but directories without protection can also be of great use. To access a directory, from the Primos prompt: (The prompt can be specified for each individual system, but the most common ones are '>' for Dialcoms and 'Ok' and 'ER!' for Primenets.) The following are but a few directories common to most Primos systems:

CATINF   - Usually has no password protection. It's a master directory for information and help files, i.e. typing INFO NAME will usually go to the directory and look up file NAME. This is found on Dialcom systems. Primenets have the same directory, but often called INFO or HELP.

CATLIB   - This is a goodie. This one contains the system files for commands etc. With access to it, you can basically modify the routines to suit your needs. Naturally it's protected.

SYSOVL   - This one again usually has no protection, and I believe it contains the various codes for languages, i.e. PASCAL, FORTRAN etc., as well as error codes. It does contain a few interesting system files.

SAD      - A system directory. I have only got into this one once on a Primenet, but I never had enough time on it to find out what it was about, gggrrr.

LOGIN    - Another protected directory, but I guess the name says it all.
WATCHDOG - This special directory is set up on most systems for security and diagnostic purposes. It allows a user to monitor the system, which includes the actions of people etc. Again, it's well protected.

There can be virtually hundreds of directories which don't actually belong to specific UFDs, and they are worth investigating. Again, use logical names for each system.

The NETLINK facility found on systems running PRIMOS makes them very useful. Other systems may also have similar gateways, but the availability of multiple circuits is paradise. There are several versions of NETLINK, but there are sufficient help files on most systems to work out what's going on.

So far, a Primos system is the best I have found for sprinting NUAs, if it has slack security. The following is a sprinter which will run internally from Primos.

-------------------------------------------------------------------------------

This program runs internally on virtually all systems running the Primos OS, i.e. DIALCOM SYSTEMS, PRIMENETS etc. The idea has been based on the original concept by THUNDERBIRD 1, but with a few alterations and updates, to make the process faster and safer. The success rate is about 99%, and it can use multiple circuits (with a lower success rate).
THE BASIC PROGRAM
~~~~~~~~~~~~~~~~~

Ok, let's say you are in a Primos system; here is what you do:

>BASIC          (takes you into BASIC version something or other)

Once in, you'll get the '*' prompt. Just type the following:

* 5 DEFINE FILE #1 = "SOURCE"
* 8 WRITE #1,"COMO -N"
* 9 WRITE #1,"COMO DATA"
* 10 WRITE #1,"NETLINK"
* 15 FOR X = 100000 TO 100999
* 20 WRITE #1,"C :0311030";X;" -FCTY"
* 25 A=A+1
* 30 IF A = x GOTO 100
* 35 B=B+1
* 40 IF B = 200 GOTO 200
* 55 NEXT X
* 60 WRITE #1,"D ALL"
* 65 WRITE #1,"Q"
* 70 WRITE #1,"COMO -E"
* 75 WRITE #1,"COMO -T"
* 80 END
* 100 WRITE #1,"D ALL"
* 105 A=0
* 110 GOTO 55
* 200 WRITE #1,"D ALL"
* 205 WRITE #1,"Q"
* 210 WRITE #1,"NETLINK"
* 215 B=0
* 220 GOTO 55

IF THE VERSION OF BASIC DOES NOT SUPPORT FILE MANIPULATION, YOU WILL HAVE TO REPLACE ALL 'WRITE #1,' STATEMENTS WITH A PRINT STATEMENT, AND RUN IT MANUALLY, i.e. from Primos:

COMO -N
COMO SOURCE
BASIC
LOAD PROGRAM
RUN
Q
COMO -E
COMO -T
ED CODE

You then edit the code file and remove all the junk at the end and at the beginning of the file, which had been saved as well.

That's basically the program. Now for the explanation:

5  - Defines filename 'SOURCE', which is the source code for the sprinter.

8  - Stops all text sent by the Prime system from being sent to the video output; thus the computer can execute anything at its maximum speed, without being slowed down to 1200/1200 baud. Setting COMO -N causes the sprinter to run at the computer's maximum speed, which I think is in excess of 9600 baud, since the storage speed still restricts the NETLINK execution, which should be at around 56000 baud. (I could be wrong on this one. I am assuming it, since a lot of networks run at 56000 with only some at 9600 baud. Take your pick.) Since nothing is going to the video display, it means that if you are connecting to, let's say, MINERVA via MIDAS, both the MIDAS and MINERVA operators at the consoles can't see what you are doing. This doesn't mean that it's safe, but quite the opposite.
If any user, either online or at the console, is in the Watchdog utility, you will stick out like a sore thumb.

9  - Opens an output file, in which all the data from NETLINK is stored. Since nothing is being displayed on the video displays, all the results are sent to the file DATA, which you later edit to retrieve the results of the sprint.

10 - Activates the NETLINK gateway.

15 - A loop to set the required sprint range.

20 - Writes all NUAs in the required range into the source file.

25 - Sets counter A, which determines the number of circuits to be used.

30 - Determines after how many circuits to disconnect. I recommend you use at least 5 for the best accuracy. (Warning: if x is set to a larger number, particularly at prime time, it will jam the system.) If you wish to use multiple circuits at the one time, i.e. sprinting virtually 10 or more NUAs at the one time, just set the value of x to around 10. I'll explain later on how to run all at the one time, although you will lose accuracy.

35 - Sets counter B, which will give you an indication of progress.

40 - Will give an indication of progress every 200 NUAs. Primos will display a message to your terminal although all I/O goes to the drives. It's a handy way of determining the progress.

55 - Completes the loop for X.

60 - Writes a D ALL at the end of the SOURCE file, to disconnect any connected circuits.

65 - Writes 'Q' to exit out of NETLINK.

70 - Sends COMO -E to Primos, which closes the DATA file.

75 - Sends COMO -T to Primos, which cancels the COMO -N command.

80 - The END of the program.

100-110 - A routine to disconnect all circuits after a particular number of circuits is in use.

200-220 - A routine to display an error message for every 200 NUAs sprinted, which will give you an indication of progress. It disconnects all circuits, quits NETLINK and re-enters NETLINK. Upon re-entry, a warning message is displayed. It also clears the system if it gets jammed from all that connecting.
---------------------------------------------------------------------------

To start up the sprinter you do the following:

* SAVE PROGRAM   (rem: you might like to use the program again, so you can save it)
* QUIT           (rem: exit to Primos)
>DO SOURCE       (rem: execute line by line what is in the SOURCE file)

Now all that remains is to send '@' at regular intervals, since once connected, Primos can't disconnect itself. Sending the @ is the tricky bit. It will determine the best accuracy and speed. On an area such as TYMNET 310600, where there are a lot of NUAs, it is better to send the @ at about 10 second intervals. On the less populated areas, it's better to extend the time. If you send the @ at less than 10 second intervals, you will almost double the speed, but halve the accuracy.

PHANTOMS
--------

Primos has a system similar to BATCH on VAXes etc. That is, it will execute a program and run it without the user having to be online. In Primos, they call it a PHANTOM. You can run the sprinter as a phantom; thus you can have the above program going for a few weeks and then log in to collect your results. This one you will have to figure out for yourselves, though. I don't think this info should be freely available to all.

USING MULTIPLE CIRCUITS
~~~~~~~~~~~~~~~~~~~~~~~

There are basically two ways in which you can run a number of programs at the one time.

The first one is to set the value for x in the A counter to the maximum the system will give you, i.e. 10-20 depending on the number of users on the system. Basically all you do is send the @ about every 2 seconds, and this is what happens. NETLINK is instructed to connect to, let's say:

@ C :0311030100341 -FCTY

Now, before it has the chance to establish the connection, the @ returns back to NETLINK, and another command is sent from Primos, this time:

@ C :0311030100342 -FCTY

Now you have 2 circuits connected, since the @ RETURN alone doesn't disconnect a circuit, but exits.
You do that one after another, and in no time you have 10 circuits working at the one time. (This is useful for areas where the response from the remote host takes a long time.) After all the NUAs are packed, you simply send a D ALL command, which disconnects all circuits. Those which came up with an error will have already disconnected, so only the ones which give the DISCONNECTED message have been connected. (If you can follow that.)

There are a few major problems. This method runs very, very fast, but if a system is BUSY, you miss it. Also, you will get a false message for the last NUAs before the D ALL command, which haven't had enough time to connect. The only way to prevent that is to stick a few WAIT commands before the D ALL command (just modify the BASIC program). I personally don't like using this method.

The next one is a lot better, more dangerous, far more accurate and doesn't tie you down while sprinting. This is what you do:

When you log in to Minerva, for example, go to NETLINK straight away. From it, just connect back to the Primos system you are in by typing the NUA, i.e. from Minerva type

@ C :200000 -FCTY

to connect to itself. Now log in again under the same account. Now you set up your sprinter and let it go. When everything is running, you press @, which this time will bring you back to the NETLINK you were in originally, while the sprinter is running in the background on circuit #1. Ok, now you connect to the same system as before on circuit #2 and repeat the whole process, this time with a few changes: in line #9, instead of

9 WRITE #1,"COMO DATA"

simply type:

9 WRITE #1,"COMO DATA2"

If you continue on circuit #3, next time change the file name to DATA3 etc.; thus the individual programs will not overwrite each other. Also change line #5 in a similar fashion, from SOURCE to SOURCE2, SOURCE3 etc. The last thing to change is the way you activate the sprinter.
Second or third time round, you can't type >DO SOURCE, because it would destroy the previous source file. Thus the first time you type:

>DO SOURCE

second time around type:

>DO2 SOURCE2

third:

>DO3 SOURCE3

etc.

To disconnect a particular connection in a loop, just use the escape character '@'. Use '@@' to disconnect from the second, leaving the first connected, '@@@' from the third, etc.

Let's say you did it 3 times and you are back in NETLINK. The sprinter is running on circuits #1, #2 and #3. (I wouldn't recommend more than 3, but if there are no operators on duty, you can do as many as you like.) The beauty of this method is that you still have circuits #4, #5 etc. to do whatever you want with, i.e. hack into systems, call your favourite BBS in the States etc.

The only problem we have is disconnecting, since as I said before, Primos can't disconnect automatically with this program, and pressing @ will be picked up by the first NETLINK system you are going through. Well, it's quite simple. Every minute or so, since you are having fun on circuit #4, connect to each of the circuits 1, 2 and 3 by typing @ CONT 1 or CONT 2 etc. When connected, type @; this will send the command on to the system, bypassing the initial NETLINK. If that doesn't work, since I found on some systems it doesn't, type it should basically do the same job.

EDITING THE RESULTS
~~~~~~~~~~~~~~~~~~~

After your sprints are finished, you are stuck with a very, very large file 'DATA' with all the results, and the prospect of d/loading it is not a very pleasing one.
Well, simply do this:

>ED DATA         (go to the text editor and load file DATA)
C/Conn/Conn/*    (will display all the NUAs which connected)
C/Bus/Bus/*      (will display all the NUAs which were busy)

If you were using multiple circuits, you must type:

C/Dis/Dis/*      (it will give you a list of all the disconnected circuits, which is the only way you can detect connections)

GENERAL HINTS
~~~~~~~~~~~~~

DO NOT GO CRAZY WITH THIS PROGRAM. If you attempt something like 10000 NUAs at the one time, the DATA file will get very, very large and you may end up giving the system a pain in the I/O. Generally keep it down to about 1000 or max 2000 at a time. Believe me, I know!! I tried doing the TYMNET area in one go, and I brought the entire system down for 3 HRS, so don't do it.

Another rather important note: delete all trace of any files after you have finished, i.e. delete the program itself, the SOURCE file, the DATA file and the C_DO file, which is created on the execution of the DO SOURCE command.

MOST IMPORTANT... BEFORE YOU START, CHECK THE DIRECTORY. IF THE USER HAS A FILE CALLED C_DO ALREADY PRESENT, RENAME IT TO SOMETHING ELSE AND CHANGE IT BACK TO C_DO AFTER YOU HAVE FINISHED AND DELETED ALL YOUR FILES. To rename a file type:

>REN C_DO,NAME

If you know more about Primos, you can stick the program and all your files into some neglected directory and subdirectory which can be accessed from any ID, and just leave them there, to save you the effort on your next session.

Well, now you have the basic idea of the COMO and DO commands and some working knowledge of basic Prime use. The possibilities are endless. You can modify the program to give you the user directory or hack passwords into password protected subdirectories. One other thing: if you are not sure what you are doing, or are on your last account, it's simply not worth the trouble.
-------------------------------------------------------------------------------

PRIMOS TROJANS
--------------

There are a number of ways to set up a few trojans inside Primos systems. Last time I had a trojan running on Minerva, it got around 100 accounts, but I made a few mistakes, which I paid for dearly. Hopefully, you will not make the same mistakes. FOR GOD'S SAKE, DON'T ALL RACE TO MINERVA AND SET UP WHAT I AM ABOUT TO DESCRIBE; USE THIS ONLY ON OTHER PRIME SYSTEMS YOU HACK IN THE FUTURE, i.e. DIALCOMS, PRIMENETS etc., since there is a limit to how much you can get away with in the one system.

The first place to start has a lot to do with SOCIAL ENGINEERING. You must put yourself into the shoes of your victim. The trojan must be convincing enough for him not to suspect anything and for you to get his password without him realising it. It's also a good idea if the system operators don't catch on too quickly, and you should know how to combat the measures they are going to take to fix it all up. There are far more sophisticated methods than what I'm about to propose, but I am assuming that you only have a very low access account to work with.

First of all, you will need an unused account. By that I mean a user who forgot about his ID and doesn't use it, for if he were to use it in the middle of your trojan, that would be it. A person who hasn't been on his account for a few years will do great, and there are some of those around. If not, you can use what are called GHOST accounts. These are simply IDs that a system manager has assigned to users in his UFD directory when the users don't really exist. To find them, just try to attach to the next ID in the series, catalog its directory, and if there are no files, or the time/date labels are very old, just change the password and claim the ID. Always try to aim for the 001 account, because they are just more convincing.
The next thing you will need is an account with authority within the system, i.e. of a person who helps out new users, or someone with the company that owns the system. Examples of this would be an OTCxxx account on MINERVA, or BTGxxx on BT GOLD. If you have access to such an account, they are great, but they are not really necessary. Now that you have that, you can start.

1 - Write a program in Primos BASIC to simulate the system login. It has to be an exact replica if it is to work properly. When the user tries to log in, it will save everything in a file.

2 - It would be too much work trying to actually set up something for the user to actually use, so at the login just say that the system is not available, i.e. down for updates and it will be up in a few days. Simple as that.

3 - To automatically execute the BASIC program at login, we must create a file called C_ID which should just contain the following:

    TY FILENAME     (if you want the user to receive some additional
                     instructions before logging into the fake system entry)
    BASIC
    LOAD NEWS       (where NEWS is the name of the fake BASIC prog.)
    RUN

Since all but the first are echoed to the screen, you can work them into some sort of an introduction, which apparently describes an alternate system option, i.e.:

    - Text from TY FILENAME (the command not echoed)
    - Rest of the commands from the C_ID file
    - More text from the BASIC program
    - Login

If you are fortunate enough to have a version of BASIC which is interactive with Primos, well, you are laughing.

4 - The major problem is getting the user to log in under the ID where the trojan is waiting. For this, use your imagination. Look at the system, the type of users it has, and look at what it lacks. Then create it. The trick is to get it across to the victim in a convincing way.

5 - Well, what do you know, we have an unprotected directory called CATINF which is unknown to virtually all regular users, so we are going to create a new subdirectory called BUSINESS.
In the subdirectory we place a file describing the new free business information database and all about how to access it. We call the file NEWS.

6 - The next stage is to make sure that, if there is a user directory, the victim does not decide to look into it and see whether it's on the level. We locate the directory files. They will probably be found in CATINF, within some subdirectory. We should be familiar with the DIALCOM directory setup, so just edit the relevant files using the editor, and replace them.

7 - The last step is to inform the user and convince him that it will be to his advantage to type INFO BUSINESS NEWS, which will recall the file, which, if worded nicely, will compel our dear victim to log in to the trojan and see what he can get out of it. You can do this by simply sending mail to the person. This is where the ID with authority comes in. If on Minerva, for example, a user receives the message from an OTC account, there will be little doubt in his mind as to its authenticity; however, people are quite stupid in a lot of ways, so if you just send it from any ole ID, i.e. even the one with the trojan in it, it should also be effective.

To log in to the account without you yourself being stuck in the works, just plan ahead in the BASIC program, or there are other means, hehe. (Again, this bit of info is not for public circulation, but if you read the files carefully and with a bit of skill you'll figure it out.)

When I ran a trojan on Minerva, this is what I did. Minerva had a habit of running incredibly slowly at prime time. This wasted a lot of time and thus a lot of the users' money in on-line charges. Well, I came up with the idea of a pseudo system, which would speed up the execution time of the system. I wrote the fake login as a simple BASIC program and set everything up on an unused ID.
I installed a file in CATINF describing the features of the system etc., so that they would get all the info when they typed

>INFO ACCESS PSEUDO

I was lucky enough to have an OTC account. Mr Curtis was courteous enough, hehe, to use his name as the password. I promoted Mr Curtis to a Pseudo System Administrator, and I sent a brief letter to the victims telling them about it and to type >INFO ACCESS PSEUDO. They all thought they would save big bucks and came like flies to the honey. I just logged in every few minutes and picked up their passwords.

Unfortunately I made some mistakes, so this is what you should watch out for:

- Choose your victims with care; the new users make the best targets.
- Don't go crazy and set up a few thousand people at the one time. Just don't overdo it.
- When the trojan is discovered, they can do one of the following:
  1> Nothing, since a scandal would affect business, and just increase security to watch out for hackers.
  2> Leave the trojan going and have your arse when you call to pick up the passwords, which they will probably change anyway.
  3> Send mail to all the users, informing them to change their passwords if they used the business system.
  4> Initiate a compulsory password change for all users.
  5> Send a notice displayed at login to change the password if one used the trojan.

END