Saturday, May 31, 2003

Linux CD's

IBM has a nice howto for burning CDs on Linux

Passive Network Reconaisance

Truncode has a paper discussing Passive Network Reconaisance.

(Note: requires an understanding of packet headers.)

Shadowbane goes berserk

This one's bound to become part of classic lore.

Seems that the MMORG Shadowbane was hacked and unknown persons altered the game world enough that it became very difficult to survive in the game, especially for newbies. Some players are angered, others thought it was a hoot.

Regardless, the parent company has rolled the game back to just before the attack and things are back to normal.

Read more about it at SmartHack.

Auditing Web Site Authentication

NetSec pointed out Auditing Web Site Authentication, parts 1 and 2.

Online Status Indicator II

You can also get real annoying graphics to use with the online status indicator.

Note: if your browser is set up correctly, clicking on the smilie will bring up a chat screen. Clicking on "Status" will take you to

Friday, May 30, 2003

Honeypotting with VMWare

Kurt Seifried has a good article about honeypotting with VMWare.

Online Status Indicator

Cool! While digging around log files (router logs at that), tripped across They provide the indicators that you now see at the top of the right-hand column. (If the middle is grey, I'm offline.)

Perfect for blogging!


Linux Productivity Magazine Archives has an article explaining the basics of using IPTables.

Thursday, May 29, 2003

Oh my aching head!

Didn't know whether to file this under "Okay, I'm being silly", "Boneheaded Doings", or "Crime & Punishment"

Uhoh, thought processes slowing! Eyesight getting cloudy! Let me see if I can get this out straight:

SCO is suing IBM for promoting Linux over Unix while selling it's own version of Linux and is thinking about suing Linus for copyright infringement while owning neither copyright or trademark. Somewhere in there, they sold a license to Microsoft which they weren't allowed to sell? Which Microsoft denies was purchased to support SCO's legal fees?

Oh, and what is now the SCO Group used to be known as Caldera who at one point had sued Microsoft for unfair competition for crippling attempts to run IE on DRDOS which at one point was owned by Novell? And that the documents used against Microsoft in that lawsuit are being shredded by the SCO group even after a court order from Sun (because Sun has their own antitrust case against Microsoft)?

Meanwhile there's hints of SCO suing everyone? (Trivia: Where'd Microsoft's original TCP stack come from?)

Is that right? Ouch. brain hertz!

Oh, and can I get my money back from SCO/Caldera if I return the disk that contains that screwed up desktop scheme (so's I don't get sued by SCO/Caldera for owning the d*mn thing!)?

How geeky?

Okay, just so there's no confusion, I'm 48.52071% Geek.

Thanks to Craig @ for pointing it out.

Wednesday, May 28, 2003

Perl: Finding stuff

Linux Magazine has an article about locating files via Perl functions (you may need this a bit more often than you think) entitled "Finding Stuff by Randall Schwartz.

Monday, May 26, 2003

Seriously: Coasters

(heh) For those of you that are serious about the usage of the term "coasters", JinxHackwear sells the cork backings to turn those hated snail spam CD's into something useful.

Also, announcing the birth of a new category to the right: Geek Swag.

Enumeration Basics

It's on the really basic side of things but...

EBCFG has an simple article about enumeration (what a hacker will often do prior to attacking a site). Another word for it is reconaisance.

SED basics

Unix Review has a pretty decent article about SED basics.

Distributed password hacking

Just so's y'all know, hackers are developing tools which facilitate distributed password cracking.


Sunday, May 25, 2003

More silly Google stuff

Yep. I've got nothing better to do on a Sunday morning than dig this stuff up:

Here's what kept us up late two weeks ago

Two weeks ago, I blogged about my sister-in-law's place of employment being the location for a hostage situation. Kenneth Hunt has a pointer to an article describing the incident, entitled "Hacking victim goes postal".

Entertaining yourself? has a pointer to an article about a bored admin purposely exposing himself to a trojan just to facilitate tracking the hackers.

Bootable CD's

In my ongoing quest to learn how to create bootable *nix/*BSD CD's, this might be of value.

Source: Freshmeat.

802.11B channels

UnixWiz has a nice diagram which depicts how the various 802.11b channels overlap.

Internet MetaWeather

Ever wonder how the Internet is doing? MetaWeather has a nice display of the current latencies between the major network service providers.


I've also added a page which contains the output of my favorite site database. If you've got a good one to add or want to yell at me about a dead link: joat (at)

Friday, May 23, 2003

Zines and stuff

I've added a Zines link to the menu bar above and will add links to that page as I get a gander at them. The intent is to have a good list of zines, mailing lists, etc. for news sources.

Send me any links you'd like to add.

Using Perl for InfoSec has a pointer to an article entitled "The Mystery of the Red Worm" which describes a (supposed) real-world example of using Perl to figure out what's occurring on your network.

(Hint: The title of the article is a hint!)

Another comic site

Oh, this is sick: a Peeps fixation! Especially, "Who peeped in the pool?".

The main URL for the site is Doctor Fun. Thanks to Slashdot for pointing it out.

Bass Ackwards!

From the Microsoft's marketing department strikes again Department:

Just rec'd the latest version of SysAdmin magazine (which, BTW, I highly recommend), tore open the plastic, and discovered a CDROM in the back:

Windows Services for Unix 3.0

Hmm... Intriguing. It even has a "LinuxWorld" logo in the upper-left corner.

"I wonder what it services it has that runs on Unix....?" I had to go find a knife to cut the usual you-open-this-you've-agreed-to-our-licensing-scheme seal before eagerly starting to read.

"Argh!!!  #&@#*!  It's Unix Services for Windows!"

Would someone please call Redmond and let them know when you say "for Unix", it means it runs on Unix, and that their product should be called Unix Services for Windows!

What!?  You expect me to buy and install a Windows server just so's I can use this?


Seeing your work on the screen

In tonight's installment, a young coder unexpectantly sees his own code used on the big screen. Funny!

From: Fyodor []
Sent: Thursday, May 15, 2003 5:17 AM
Subject: Whoa!

Hi Everyone. There is a disturbance in the force! You may recall a couple weeks ago that MS started recommending Nmap on some of their web pages. That was strange, but I did not foresee the anomalous omens that would ensue.

Like almost any self-respecting geek, I bought tickets to
'Matrix: Reloaded' several weeks back (no spoilers, I promise). After all, who can resist the combination of philosophical mind games and Trinity (Carrie-Anne Moss) in that tight leather bodysuit?

So after waiting an hour in a line snaking out of the theatre to the parking lot, I finally got in to my 10pm Wednesday showing. All was going well until Trinity needed to do some hacking. Oh, no! I was sure we'd see a silly "Hackers"-esque 3D animated "hacking scene". Not so! Trinity is as smart as she is seductive! She whips out Nmap (!!!), scans her target, finds 22/tcp open, and proceeds with an

Monday, May 19, 2003


Yet another oddity found while digging for blog stuff; found a definition for the word: scambaiting which describes the new hobby of leading on scam artists with false information and then posting the correspondence on the web.

While not a recommended sport, the page that it came off of is pretty interesting: WordSpy, a site devoted to recently coined words and/or phrases.

Sunday, May 18, 2003

Hacking the Fizzer Worm * News has a pointer to an article about how some systems administrators are exploiting the worms update feature to get it to remove itself from infected systems.

Saturday, May 17, 2003


Sorry for the two-day break, work required that I code after hours and after the hour drive home, well, you know.

Anyways, I've back-filled the last two days. Enjoy!

IPSec Interoperability has an article entitled "How to setup IPSec for Linux, OpenBSD and PGPNet" which describes how to set up IPSec so that those versions are interoperable (the example uses Win98 for PGPNet).

SSH Tunneling

Developer Shed has an article which amounts to a how-to for tunneling via SSH. Thanks to Jim O'Halloran for pointing it out.

Friday, May 16, 2003

RSS Feed HowTo

Search Engine Watch has an article entitled "Making An RSS Feed" which gives a good explanation of the basics and how to roll your own.

Thursday, May 15, 2003

DNS Cache Poisoning

SecurityFocus has an article explaining the history and coming attractions of DNS cache poisoning.

While cache poisoining is generally considered a "bad thing" (tm), it can also be used for good (like most hacker tools). For example, say you have a heavily loaded web cache and would like to initiate some sort of content filtering but can't afford the commercial software.

All you have to do is set up an additional Bind DNS server that only the web cache will use. Then grab the various freely available bad-site lists (Google/Yahoo/etc. for them!) and write a perl script to add them to the named.conf file as authoritive zone. All of the zones should reference the same zone file (possible if you use the implicit shortcuts [blank LHS, ampersands, wildcards, etc.]) In that single zone file, you only need the following A record:

* IN A

where you change to the IP address of a webserver which displays something innocuous (suggestion: the default page could present your organization's acceptable usage policy).

It's cheesy but works when you don't have a budget for anything better. You can protect the poisoned DNS server by setting up iptables, IPFW, or whatever similar method your OS uses so that only the web cache can access it. I came up with this method after trying to continuously add keywords to Squid filters (the basic filter only allows 256 entries per line and above a certain number of lines noticeably slows) or filters to the firewall (which also noticeably slowed). Poisoning a DNS only eats up additional memory and doesn't affect the speed of the network.

The bad news is that this can turn into a full-time job, keeping up with your in-house surfers, but it is an option. Just for the record, I had over 21,000 zones poisoned and didn't affect network speed.

The article is a good read though.

Wednesday, May 14, 2003

Fizzer Hype

Following is a summary about the Fizzer worm that I've built from various sites. (The summary is aimed more at the service provider or corporate level but you get the idea.) At first glance it's pretty scary (which is why the media liked it) but if you look closer there are very easy-to-perform methods of blocking the worm.

Fizzer is a mass-mailing worm that also attempts to spread through P2P file sharing. It contains an IRC backdoor, a DoS attack tool, a key logger, an AIMbot, an anti-virus killer, a built-in SMTP engine and a built-in web server.

Once the worm has infected a machine, it attempts to connect to Geocities to obtain updates (supposedly Geocities has already disabled the site). The worm scans for e-mail addresses in the Windows address book, Outlook contacts, cookie files, temporary Internet files, and the current user's personal folder and randomly manufactured addresses. It is capable of spoofing the "From:" address in any mail that it sends out. It is capable of using it's own SMTP engine or any of several hundred external mail servers (an open relay list?).

The IRC backdoor connects to one of over a hundred IRC servers. A very extensive list of the IRC servers it can connect to is available at the BullGuard link below. It has been reported that the worm spouts miscellaneous drivel in the IRC channels such as:

   the horribly bad wealth
   Hate is beauty. :)

This may be the same strings that are used in the subject lines of the mass mailings. The links at the end of this document list those possible strings.

The default port for the web server is TCP port 81. The web server acts as a command console, displays various information about the infected machine and allows various of the attack commands to be executed.

The default ports for the IRC backdoor include TCP ports 2018-2021. This allows remote control of the infected system.

Signs to watch for at the NOC level:
- abnormal increases in mail traffic
- attempts to connect to IRC ports (TCP 6660-6670) (This should already be blocked at the premise router
- attempts to connect to AOL IM services (TCP port 5190)
- active searches should include network scans for services listening on TCP ports 81, 1214, 2018, 2019, 2020, 2021

Recommendations for minimizing risk of infection:

- block outbound IRC traffic
- block outbound AOL IM traffic
- block outbound Kazaa traffic
- log all high-port to high-port traffic. Review logs on a daily basis. High port to high port traffic should be tested to determine if it is Kazaa-based.
- ensure the proper anti-open-relay configurations are applied to all mail servers and e-mail handling systems
- employ visual metrics so that NOC personnel have an idea of what "normal" and "abnormal" traffic looks like.
- use the most recent anti-virus scan engines and signature files

One of the difficulties with the above is the recommendation of blocking KaZaA traffic. While TCP port 1214 is the default, KaZaA is capable of using dynamically assigned ports. This means that NOC personnel will have to monitor high-port to high-port traffic and test anything that looks suspicious.

Systems affected: Win95/98/ME/NT/2K/XP



The McAfee link above has a good analysis of the worm.

Tuesday, May 13, 2003

Trustix 2 Beta 2

Ever get the feeling that you were living inside of a cliche?

MIne? How about: you know you're having a bad week when:

  • You find yourself watching a news feed hoping not to see your sister-in-law at her place of employment which also is the current scene of a hostage situation which includes automatic firearms.
  • you contract some sort of bug which requires 10 minutes rest for every 5 minutes of movement.
  • your friend calls to let you know their dog died a very painful death (massive and abrupt liver failure)(the dog was a friend of the family too)
  • and finally, you come home from work, on Monday, with one ankle much bigger than the other.

Luckily, I have a recliner, a big bag of ice and a really long network cable.

Anyways, today's entry comes from HelpNet Security. They have a short announcement concerning the realease of the second beta version of Trustix 2, intended for those of us/you that "just gotta have" the cutting edge stuff.

For those of you that don't know what Trustix is: it's a Linux distribution that's supposed to be very secure and is intended for use as a server (there's no X included). You can read more about it at it's home page.

Sunday, May 11, 2003

Open Source Digest

Afogen pointed to this one, an open source newsletter called Open Source Digest. It's not posted on a regular basis, but does have some interesting article titles.

Saturday, May 10, 2003

Acer 3300u

For the second weekend in a row, I've successfully geeked on the cheap. I recently bought an Acer 3300U flatbed scanner from the clearance bin. Cost me $10 (actually $30 with a $20 instant rebate which the store still honored). It worked nicely under Windows but I rarely use Windows and wanted it over on the Linux box with all my other toys (some work, some don't).

To make a few hours of pounding short, I basically worked from this. I had to change a few things:

  • "options scanner vendor=0x04a5 product=0x20de" vice "options scanner vendor=0x04a5 product=0x20b0"
  • "firmware /etc/sane.d/u222v062.bin" vice "firmware /usr/local/etc/sane.d/u176v042.bin"
  • and had to tell xsane where to find it --> "xsane snapscan:/dev/usb/scanner0" (autodetect didn't work in this case)

but that's all it took to get it to work under XSane.

Mega-thanks to!!

USB BlueTooth

I've recently had to talk, at length, about the difference between various wireless technologies and even had to explain that BlueTooth is adhoc but adhoc doesn't necessarily mean BlueTooth.

So when LSN pointed this out, I just had to add it to the "For Future Reference" category. Anyone seen these in the states yet?

No entry

Sorry, no regular entry tonight. My sister-in-law is a member of campus police at Case Western. We're watching the news and the feed from If it gets over soon, I'll post later.

Friday, May 9, 2003

Accent reversion

I apologize for the horrible grammer/spelling in the post about my hometown. While typing, the words flow from my head to my fingers and I guess that when I'm thinking about the old neighborhood, my accent and speech patterns return (dropped consonants, one-word greetings, multiple word slurs, etc.).

I've made repairs to the previous post. Guess it doesn't help that I've lived in Hawaii, Chicago, and the South during the last 20 years.

Mahalo, y'all!

Basic Snort use

RootPrompt has a pointer to an article entitled "Guide To Using Snort For Basic Purposes" which describes configuration basics for Snort.

Thursday, May 8, 2003

Michal Zalewski

Found this after visiting The Museum of Broken Packets which had been pointed out by the TaoSecurity blog.

In short, Michal Zalewski has been a contributor to phrack and has various oddities/interesting items on his site including encryption tools, C tools, security tools and a really odd chatbot. All-in-all, a prolific author.

Tuesday, May 6, 2003

Photos from home

During the war many blogs turned into channels for political vents, the owners ranting about their own political views. I like to think I made my blog better by not violating the purpose of the primary intention of having this blog. But when something like below happens, I'm more than willing to blog about it.
I'll be the first to admit that I grew up in an area populated by old hippies and hillbillies (when the railroad left, the area went into deep recession). What do these people to when one of their own undergoes surgery? Throw a fund-raiser! (This is the same area of the state that sponsored and sold tapes to B.A.N.D.I.T.S.) (Google THAT one!)

Caption from the Evening Tribune:
Garner Rush, front left, hugs a friend while dancing to solar-powered live music at Pollywogg Hollier near Phillips Creek Sunday during a fundraiser for Rush, who is recovering from surgery following a ruptured appendix.

SSH Key Interoperability has an article about converting SSH keys between OpenSSH, (F-Secure), Sun SSH, and PuTTY implementations. For anyone that heavily uses SSH (sysadmins!), this is a must know.

Sunday, May 4, 2003

Why forging e-mail should be considered identity theft...

Here's a good reason why forging e-mail headers should be considered identity theft. It can ruin someone's reputation, career, or sleep.

Personally, I don't care if it's made up addresses that most spammers use. The idea is that they're pretending to be someone else when they send those e-mails. (Ignoring the fact that, occasionally, they'll accidentally use the address of a real person.) (Okay, including the fact...)

Geek alert! Geek alert!

Yesssss! I have attained additional geek points this afternoon.

I was killing time in Radio Shack today while my wife was "saving money" in Fashion Bug. I noticed that the price for a SnapDialer cable had dropped to below $20, so I took a chance. Luckily, I decided not to buy the software at the same time.

I took it home, did a quick Google search, and found Nate Carlson's page. It only took a half-hour of tweaking his scripts before I was online (at 9600 baud) at the local chat site.

Slow as it was (I haven't used 9600 baud in over a year), I still consider it a valuable addition to capabilities since I don't have any Internet access if I go visit my parents. Now I won't have to go without for extended periods of time. I may have to drive to the top of the nearest hill to get a signal but at least I'll be able to grab my mail.

Look at this to take a gander at my settings.

Saturday, May 3, 2003

joatBlog templates

(It's not really a template or a style. Rather, consider it a method of handling the templates and styles.)

A couple people requested that I post my blog configs, so here they are. It's the result of constant tweaking (I've been told I fidget too much) and experimenting with various tools. There's a chance that no two of these tarballs will ever be the same. Please note that this is a work-in-progress.

A nice thing about the method I've used is that it breaks up the site config into much smaller, easier-to-manage chunks (heavy use of PHP's include command).

Prerequisites: An MT blog and a PHP-capable web server.

If you use this method, please give me credit, a shoutout, or a trackback. You don't have to. It's just nice to have your work appreciated.

Friday, May 2, 2003

Detectecting NAT Devices

Here's another method for detecting NAT devices. Based on Steve Belovin's paper, "A Technique for Counting NATted Hosts" and Toby Miller's "Passive OS Fingerprinting: Details and Techniques, this technique uses the sflow tool.

It makes some assumptions about operating systems and where in a network you are able to capture traffic but should be a good starting point for gathering an in-depth picture of, at least, your own network.

OpenLDAP Address Book

O'Reilly has an article about configuring OpenLDAP to act has your mail client's address book.