****************************************************************************
>C O M P U T E R   U N D E R G R O U N D<
>D I G E S T<
*** Volume 2, Issue #2.03 (September 14, 1990) **
****************************************************************************

MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
ARCHIVISTS: Bob Krause / Alex Smith

USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. It is assumed that non-personal mail to the moderators may be reprinted, unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Date: September
From: Entity
Subject: A comment on Zod's case

********************************************************************
*** CuD #2.03: File 4 of 4: A Comment on the Zod Case ***
********************************************************************

I hope to present you with some of the details regarding Zod's bust so that your readers can be more familiar with the case.

Sometime around late October 1989 or so, Zod set up a multi-user chat system on a US Air Force system. The program he was using was Hans Kornedor's chat program, which many of you may recognize as the chat program used on the ALTOS German hacker chat systems. In any case, Zod modified this program, making superficial changes, and labelled it TDON chat. What he did was infiltrate a US Air Force UNIX system at Andrews Air Force Base.
Because of the extremely lax security on the system, he was easily able to gain superuser privileges and set up an SUID shell in one of the directories. He then changed the password on an unused account (Foster; the password was TDON) and set his TDON chat system up. He then went onto places such as TCHH (Germany), ALTGER (Germany) and QSD (France) and started spreading the news of this great new chat.

Thankfully, not many people paid any attention to Zod (who is world-renowned as a class "A" bozo). Very few people called, and of those who did, it was mostly American users on Telenet, although there were a few European callers as well. I was actually invited to the system by an up-and-coming VAX/VMS hacker who used the alias 'Corrupt' (he was part of the group HiJiNx!). I knew him from meetings on the various European chat systems as well as from his being on the Corrupt Computing Canada BBS system in Toronto, Canada. Last I heard, he was busted as well, although I am not sure on what charges. The chat itself was up for maybe a week -- a week and a half at best.

At this point you are probably wondering who would be suicidal enough to set up a hacker chat system on a US Air Force system, right? Well, there's more to Zod's stupidity than just that. In addition to setting up the chat, Zod decided that he would be smart and, in the .login script for the foster account, added the TEE command to log everything to a file. For those unfamiliar with UNIX, the tee command basically takes the input coming into the user's TTY and makes a copy of it into a specified file. Zod had this input go into a directory with the filename the same as the user's process ID. I guess Zod's intention was to peruse these files at a later time for useful information, but what he ended up doing was handing us all to the authorities on a silver platter.

Now, one of the modifications that Zod had made to the chat program was to add in a shell escape.
I never did figure out what the escape sequence was (not that I ever looked very hard), but I noticed that if I lifted my phone up (thereby sending garbage over the modem) and put it back down, I would automatically be plopped into the shell! It was here that I discovered all the craziness that Zod had set up. You can imagine my surprise when I looked at some of the files in my directory and discovered that this chat system had been set up on a military UNIX machine! It was then that I found all the TEE'd files, the source code to his TDON chat, and the SUID root shell.

Again, for those unfamiliar with UNIX, an SUID root shell basically allows a user to run this file and gain superuser privileges by temporarily changing their user ID to that of root (superuser). Those familiar with hacking UNIX systems will agree that it is never a good idea to leave such a file around on a system, since it can be easily detected if not hidden properly. Not only was this file NOT hidden, it was put in plain view of the system administrator! If my memory serves correctly, it was put into the /tmp directory under a very obvious filename!

Of course, the biggest problem with this particular setup was the TEE'd log files that Zod had created. Those files had some very far-reaching consequences, as I shall describe in just a minute. Because of Zod's generosity in logging all chat sessions, Air Force security staff had no reason to do any additional logging of information. What the security staff did was first of all change the password on the foster/tdon account and then make backups of all the chat session files. These were then compiled into a huge document (it looks to be about 800-900 pages) and edited to take out overlapping chat processes. I have managed to acquire this document through a friend of mine who was recently charged for infiltrating several systems. Part of the evidence was that document submitted by Andrews Air Force Base.
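The two artifacts the author describes, a setuid shell sitting in /tmp and a login script that tees the session into a file, are exactly what a system administrator would audit for. The following is an added example and not code from the original CuD file: a POSIX shell audit that flags setuid files under a directory and login scripts that invoke tee, run here against a constructed sample tree whose paths and file contents are invented for the demo.

```shell
#!/bin/sh
# Added example for this article, not code from the original CuD file.
# A small defender-side audit for the two artifacts the account describes:
# a setuid shell left in /tmp, and a login script that tees the session into
# a file. Directory arguments are parameters so it can run on a sample tree.

# List regular files with the setuid bit under DIR (the /tmp case).
# Returns 1 if any were found, 0 if the directory is clean.
find_suid_files() {
    found=$(find "$1" -type f -perm -4000 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# List login scripts under HOME_ROOT that invoke tee (the .login case).
# Returns 1 if any were found, 0 if none match.
find_tee_in_login() {
    hits=$(grep -l -E '(^|[|;&[:space:]])tee([[:space:]]|$)' \
        "$1"/*/.login "$1"/*/.profile "$1"/*/.bashrc 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree (assumption: the layout is invented for the demo):
# one setuid file under tmp/, one tee'd .login, one clean .login.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp" "$root/home/foster" "$root/home/clean"
    printf '#!/bin/sh\n' > "$root/tmp/sh"
    chmod 4755 "$root/tmp/sh"                       # setuid bit set
    printf 'tee -a /tmp/.logs/$$\n' > "$root/home/foster/.login"
    printf 'umask 022\n' > "$root/home/clean/.login"
    printf '%s\n' "$root"
}

# Run both checks over a tree; exit status 1 means at least one finding.
audit_tree() {
    status=0
    find_suid_files "$1/tmp" || status=1
    find_tee_in_login "$1/home" || status=1
    return $status
}
```

On a real host the same functions would be pointed at /tmp and /home (or wherever the site keeps home directories); the setuid check should be compared against a known-good baseline, since legitimate setuid binaries exist outside /tmp.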
For the benefit of those people who called this chat and who gave out incriminating evidence, I will just briefly list their names. You guys should realize that your particular sessions were logged and are included as part of the evidence. I would not be surprised if a further investigation stemming from Zod's bust were to be carried out. The people who should be watching their tails are: Sam Brown, Hunter, Phreakenstein, Outlaw, Corrupt and Jetscream. These are obviously not the only people who were logged, but they do represent those who passed out accounts and passwords and other incriminating information on the chat, as well as having spent the most time on there.

So how does this lead up to Zod's arrest? Well, I'm not positive. On the Air Force machine, Zod was dumb enough to leave his name plastered all over the chat, including on the logon screen. Of course this cannot be used solely as evidence enough to convict, but it sure as hell points in his direction. Zod was also not a very careful person -- this is of course obvious from his having set up the Air Force chat, but in addition, he left behind a lot of clues. He wasn't a very competent hacker and never cleaned up after himself. I assume it wasn't very difficult to track him down from his blatant misuse of the City University system in Washington. It is my understanding that Corrupt and others were busted indirectly because of him. Perhaps someone closer to the source can confirm this.

In any case, what all this goes to show you is how the stupidity of one individual can lead to the problems of so many others. By setting up a hacker chat system on the Andrews Air Force Base system, he committed a great mistake. By then inviting so many hackers from the international hack scene, he committed a greater sin. But for actually logging all this information and never deleting it, he committed the ultimate crime. This kid is a royal pain in the posterior and a serious threat to all hackers.
- Entity/CCCAN! (Corrupt Computing Canada)

********************************************************************
------------------------------

**END OF CuD #2.03**
********************************************************************