XXX Supplied by BIG GAY AL HUGER of #phrack XXX
-------------------------------------



----- Forwarded message from Dragos Ruiu <dr@kyx.net> -----

Delivered-To: xxxxxxxxxxxxxxxx
From: Dragos Ruiu <dr@kyx.net>
Organization: kyx.net
To: dr@dursec.com, rongula31@hotmail.com, ken.williams@ey.com,
	roesch@sourcefire.com, fygrave@scorpions.net, vision@whitehats.com,
	rfp@wiretrip.net, aleph1@securityfocus.com, wooc@powersurfr.com,
	apr.inc@powersurfr.com, conroy.badger@powersurfr.com,
	crystal@positioning-research.com, jason.dorie@blackboxgames.com,
	darryl_turner@yahoo.com, mrandles@softhome.net,
	vizuelle@eudoramail.com, fyodor@insecure.org, spikeman@spikeman.net,
	lance@spitzner.net, listuser@seifried.org, mfranz@cisco.com,
	phillip.ibis@blackboxgames.com, cwallace@exceedia.com, priest@sfu.ca,
	hdm@digitaloffense.net, rhamel@kpmg.ca, nico@securite.org,
	kaneda@securite.org, dsward9s@pacbell.net,
	andy@dragonfly.demon.co.uk, ktwo@ktwo.ca, kinkster1@shaw.ca,
	ajarman@metacomcorp.com, zindelak@telusplanet.net, jeff@wwti.com,
	smkoen@hotmail.com, cwilson2@kpmg.ca, newspixie@hotmail.com,
	mock@obscurity.org, j@lords.com, ksoze@obscurity.org,
	frank@atstake.com, fishy@powersurfr.com, cakeislove@hotmail.com,
	tiffany_kary@zd.com, stephenn@powersurfr.com,
	webmaster@pneumafables.com, bsapiro@kpmg.ca, kmx@egatobas.org,
	hectorh@pobox.com, emmanuel@relaygroup.com, vanja@vanja.com,
	dje@bht.com, dugsong@monkey.org, lyndon@orthanc.ab.ca,
	mts@off.off.to, paudley@blackcat.ca, robert_david_graham@yahoo.com,
	spambait-kyx@inetgrity.com, chris@obscurity.org,
	peter_wong@pmc-sierra.com, janet@lomas.ab.ca,
	dfreelove@yottayotta.com, dowen@intravelnet.com, randlest@oanet.com,
	jay@bastille-linux.org, phil@ccc-ltd.com, jed@pickel.net,
	gshipley@neohapsis.com, deraison@cvs.nessus.org, maxx@securite.org,
	mixter@newyorkoffice.com, deraadt@cvs.openbsd.org,
	dittrich@cac.washington.edu, bgreenbaum@securityfocus.com,
	neil@bortnak.com, annemarie@counterpane.com,
	chris.kuethe@ualberta.ca, bob.beck@ualberta.ca, tan@atstake.com,
	natasha@snort.org, arr@watson.org, aempirei@ucla.edu,
	ggolomb@enterasys.com, jfrank@b-ap.com, robert@infoserf.net,
	kkuehl@cisco.com, donna.andert@sun.com, bmc@snort.org,
	jgary@clicktosecure.com, jpavlick@sourcefire.com,
	talisker@networkintrusion.co.uk, jwalchuc@enterasys.com, itay@imc.nl,
	halvar@blackhat.com, Sk!ppY@IdealRealms.com, forrest@code-lab.com,
	mconley@atstake.com, jennifer@granick.com, scott@microsoft.com,
	ah@securityfocus.com, cruci@hwa-security.net, solar@openwall.com,
	ivan.arce@corest.com, rlogan@camisade.com, cmg@uab.edu, jed@grep.net,
	v0nelm0@best.com, snorthcutt@hawaiian.net, frank@ccc.de,
	dmckay@microsoft.com, jwilkins@bitland.net, kf@gnosys.biz,
	unlearn@ne.mediaone.net, jpr5@darkridge.com, shok@dataforce.net,
	thegnome@nmrc.org, ofir@sys-security.com, provos@umich.edu,
	silvio@big.net.au, mike@infonexus.com, crispin@wirex.com,
	halfdead@digitalnerds.net, niness@devilness.org,
	curtis.king@messagingdirect.com, rob@incident-response.org
Subject: kyxspam: kiddie games
Date: Wed, 17 Jul 2002 12:27:05 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]

(There is some small effort to find out where the kids
are getting some kyx stuff from for their little games, 
but the url below should at least be a warning that 
you should check your servers, 'cause the kids seem
to be spending an awful lot of time and energy on
this list (must be nice). The below just looks like a
way for some kids to get in trouble.)

But I agree with Greg, like what if no-one pays attention.
Heh. 

BTW please make sure to use the new To: line. It's important
that the address for halfdead be updated because Jim Jones
has an account on phear.org.  Speaking of jj :-), GOBBLES 
emailed to make sure that I know that the turkeys and the
el8 kids are not one and the same.  Thanks... nice to know 
they care what I say. :-)

The below should be a little warning that some people appear 
to have too much time on their hands and not a lot of wisdom.
It just looks like a way for some kids to get in trouble.
Ultimately, there seems to be a lot of anti-Honeynet (which
for some reason <cheap shot suppressed> they can't 
differentiate from this list) pent up rage in these little 
creatures... or is it fear that motivates? Caveat delivered...

Also, as a convenience to readers, please prefix subject lines
to the list with a kyxspam: label. Thanks. p.s. Hi Max.

cheers, --dr :-)

 
url: http://www.eurocompton.net/~fuk/phrack/own-kyx.pl

#!/usr/bin/perl
# usage: own-kyx.pl narc1.txt
#
# this TEAM #PHRACK script will extract the email addresses 
# out of the narc*.txt files, enumerate the primary MX and NS 
# for each domain, and grab the SSHD and APACHE server version
# from each of these hosts (if possible). 
#
# For educational purposes only. Do not use.

use IO::Socket;

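# Entry point. Takes one argument: the text file to read addresses from.
if ($#ARGV < 0) { die "you didn't supply a filename\n"; }
$nrq = $ARGV[0];

# Loose address pattern: runs of characters other than " : whitespace < > ( ) / ;
# on both sides of an '@'. Note that it is a filter for extraction, not a
# validator -- most punctuation still passes through it.
$msearch = '([^":\s<>()/;]*@[^":\s<>()/;\.]*.[^":\s<>()/;]*)';

# Three-argument open: the filename is always treated as a path to read,
# never as a mode prefix or a pipe specification.
open(INF, '<', $nrq) or die $!;

while (<INF>) {
    # Scalar-context match: at most one address is collected per input line.
    if (m,$msearch,ig) { push(@targets, "$&"); }
}

close INF;

foreach $victim (@targets) {
    print "=====\t$victim \t=====\n";
    my ($lusr, $domn) = split(/@/, $victim);

    # The domain comes straight out of the input file and the pattern above
    # does not exclude shell metacharacters or a leading '-', so it is checked
    # against a plain hostname shape before it is handed to an external
    # command. Anything else is skipped rather than looked up.
    unless (defined $domn
        && $domn =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\.?\z/)
    {
        print ":: Skipping lookups: domain part is not a plain hostname\n\n\n";
        next;
    }

    # Field 7 of the first MX line / field 4 of the first NS line, as the
    # original `cut -d" " -fN | head -1` pipeline selected them.
    $smtphost = _first_host_field('MX', $domn, 7);
    print ":: Primary MX located at $smtphost\n";
    sshcheq($smtphost);
    apachecheq($smtphost);
    $nshost = _first_host_field('NS', $domn, 4);
    sleep(3);
    print ":: Primary NS located at $nshost\n";
    sshcheq($nshost);
    apachecheq($nshost);
    print "\n\n";
    sleep(3);
}

# _first_host_field(TYPE, DOMAIN, FIELD_NO)
# Runs `host -t<TYPE> <DOMAIN>` and returns space-separated field FIELD_NO
# (1-based) of the first output line with trailing CR/LF removed, or '' when
# there is no output or no such field.
sub _first_host_field {
    my ($type, $domain, $field_no) = @_;

    # List-form pipe open runs host(1) directly; no shell ever parses $domain.
    my $host_out;
    unless (open($host_out, '-|', 'host', "-t$type", $domain)) {
        warn "could not run host: $!\n";
        return '';
    }
    my @lines = <$host_out>;
    close($host_out);

    return '' unless @lines;
    my $first = $lines[0];
    $first =~ s/[\r\n]+\z//;

    # cut(1) passes a line through unchanged when it holds no delimiter.
    return $first if index($first, ' ') < 0;

    # Split on single spaces and keep empty fields, as cut -d" " does.
    my @fields = split(/ /, $first, -1);
    my $value = $fields[$field_no - 1];
    return defined $value ? $value : '';
}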

# sshcheq(HOST)
# Opens a TCP connection to port 22 on HOST, sends a single bare newline,
# reads until the peer closes the connection, and prints every received line
# that contains "SSH". Returns 0 when the connection cannot be made; dies if
# the socket itself cannot be created.
#
# On the wire this is a connection to the SSH port that sends "\n" instead of
# a protocol identification string. No timeout is set in this sub, so the read
# loop ends only when the remote side closes the connection.
sub sshcheq {
    my ($sshost) = @_;
    my $port = 22;

    print ":: Testing $sshost for sshd version\n";

    # $g is a package global, also assigned by apachecheq. The result of the
    # lookup is not checked before it is packed into the address below.
    $g = inet_aton($sshost);
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die "$!\n";

    # Hand-packed socket address: the value 2 as a native short, the port in
    # network byte order, 4 address bytes, 8 bytes of padding.
    # NOTE(review): 2 is presumably the address family; this layout is
    # platform-dependent -- confirm before relying on it.
    my $peer = pack("SnA4x8", 2, $port, $g);
    return 0 unless connect(S, $peer);

    # Make S the default output handle so $| and print apply to the socket.
    select(S);
    $| = 1;
    print "\n";

    my @replies;
    push @replies, $_ while <S>;

    select(STDOUT);
    close(S);

    for my $reply (grep { /SSH/ } @replies) {
        chomp $reply;
        print ":: SSHD version - $reply\n";
    }
}

# apachecheq(HOST)
# Opens a TCP connection to port 80 on HOST, sends "HEAD / HTTP/1.0" followed
# by an empty line, reads until the peer closes the connection, and prints
# every response line that contains "ache". Returns 0 when the connection
# cannot be made; dies if the socket itself cannot be created.
#
# On the wire the request carries no headers at all (no Host, no User-Agent),
# which is how it shows up in a web server's access log. The /ache/ filter
# matches any line with that substring, not only a Server header.
sub apachecheq {
    my ($whost) = @_;
    my $port = 80;

    print ":: Testing $whost for Apache version\n";

    # $g is a package global, also assigned by sshcheq. The result of the
    # lookup is not checked before it is packed into the address below.
    $g = inet_aton($whost);
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die "$!\n";

    # Hand-packed socket address: the value 2 as a native short, the port in
    # network byte order, 4 address bytes, 8 bytes of padding.
    # NOTE(review): 2 is presumably the address family; this layout is
    # platform-dependent -- confirm before relying on it.
    my $peer = pack("SnA4x8", 2, $port, $g);
    return 0 unless connect(S, $peer);

    # Make S the default output handle so $| and print apply to the socket.
    select(S);
    $| = 1;
    print "HEAD / HTTP/1.0\r\n\r\n";

    my @replies;
    push @replies, $_ while <S>;

    select(STDOUT);
    close(S);

    for my $reply (grep { /ache/ } @replies) {
        chomp $reply;
        print ":: HTTPD version - $reply\n";
    }
}

--kyx--

----- End forwarded message -----