Soft2Secure

Youthful Exploits of an Early ISP. Part 3

Dop trying to get root access back

Mike “Dop” Dopheide: Okay, so we get root access, we’re playing around and everything’s great and no one really cares. But we got lazy; they upgraded the system – and we lost all of our access. And I can’t remember why we decided we needed to get it back, but I remember we were in one of my friends’ basement hanging out, and I said: “We need to get root access back, how are we going to do that?” And I figured all we got to do is boot it on a floppy, so we tried it. So, this is Kevin’s map of the office.

Kevin Nassery: It’s a photo collage.

Mike “Dop” Dopheide: The office itself is right across the street from a junior high school. And the admin would always sit out here in the front room with all the servers. The RADIUS server and the modem racks were all in the back. So we got this genius plan: we were all just going to drive over there at night, and my friends were going to distract the admin – he was kind of lazy. So they distracted him, and I’m like “Oh yeah, I got to go to the bathroom,” which is right there on the picture by the way, the toilet. So I go back there and I’m like putting floppies in in the dark; I’m doing that and everything’s great. And then my floppy won’t boot because I had a bad write when I made it. So we go through all this effort and it totally fails. But the worst part of that is then we had to keep playing out this: “Oh, we’re just hanging out, right?” But now I can’t go to the bathroom because I’d already faked that I had to go to the bathroom. Anyway, that was an adrenalin rush. But that was stupid.

Story with ‘nobody’ file ownership

Kevin Nassery: I was talking about that eclectic UNIX admin; this was one of his more genius ideas, in which somehow he came up in his head that it was more secure for him to give ownership of his files to “nobody”, like the UNIX 99/nobody ID. We couldn’t really figure out why that was, but it was pretty quick to figure out how to exploit it, because the web server ran as “nobody” at the time; it was before people really started separating those IDs. So we just created a simple CGI that we could hit from the web; the web server would execute it and give us a SUID nobody shell, and then we were able to basically just use that shell, become him, use his rlogin stuff to other remote systems, so it would give us at least user-level access to other remote systems. And I think this guy probably had other stuff too that easily gave us root: you know, sending the root .rlogin on a server to his user ID, stuff like that. So, that’s just kind of the attack chain.

Oh, another thing he did – I mentioned that NeXT didn’t have a great browser, and I think Dop mentioned it too – so they would run Netscape primarily off the SGI box, the Indy, and remote display it over. But to automate this, he once basically built an account on that SGI called “netscape”, and it just auto-displayed back to his thing. And the funny thing was you could just sit down at that user interface, when it was running IRIX login services, just type “netscape” – and it would give you a default X login and you could run whatever you wanted from a terminal launch or something like that. And once cane saw a friend of ours do it, he was like “What the …!”

Same type of thing with the HP-UX system they had later on. All the user shells were set to ‘/bin/false’, so we couldn’t log into it remotely, but if you were physically at the system it didn’t matter what your shell was set to as long as it was authorized by X. So you would sit down, launch it, and it would give you that X thing, and you could right-click and say ‘run’, you know, xterm, so a couple of times that was used while people were distracted to gain permanent access.

He used his own username as the password to the junior high library dial-up, which was cracked and then used by me when I didn’t want people to know who was logging in.

Oh, this guy was so weird! I’m 12-13 years old, I leave my jacket at the office after a Perl UNIX SIG meeting, I forget it. I realize it a couple of days later after school, I come to the ISP and I’m like: “Hey, I left my jacket here”, and it’s not there. And then 15 minutes later he comes in wearing my jacket. I mean, a) he was 25 and I was 12, and my jacket fit him; and b) it was the weirdest thing ever. I got my jacket back but I didn’t really want to wear it.

The Quake hack

Mike “Dop” Dopheide: This was largely propagated by maniac. This was 1997; a lot of us had gone off to college. ‘mrx’ was working at the ISP and he did nothing all day long except play Quake. He was way better than us, and we couldn’t possibly beat him. So, what do you do when you can’t win an unfair fight? You cheat. So we got root access on the Quake server…

Kevin Nassery: …The Quake server, which was also primary DNS and RADIUS for the ISP. This is the timeline that we’re running at.

Mike “Dop” Dopheide: Alright, so ‘maniac’ installed the Quake mod that would make us invincible, but also there was a button, because we couldn’t catch him either. It wasn’t just that we were invincible and he was better than us – we couldn’t catch him. So we just added a ‘kill mrx’ button.

Kevin Nassery: So, anytime you’d get close to him, you’d just press the button.

Mike “Dop” Dopheide: Yeah, and he was getting really upset because he thought he might be losing his edge. He didn’t care we had root on his box. Once he found out it was just a joke, he was like: “Oh!”

Kevin Nassery: He was relieved – at least we didn’t actually beat him at a game of Quake.

Mike “Dop” Dopheide: I’m going to add one more Quake story, because there was a guy in college in a dorm room that was really, really into Quake, played constantly. One evening a bunch of us – while he was playing in the college dorm room, not a very big room – stole his mattress that was on the top bunk and put it above the stalls in the bathroom. Eventually when he came to the bathroom he’s like: “Hey guys, someone stole someone’s bed and put it in the bathroom!” And we’re like: “Yeah…, it’s yours!”

Staff augmentation

Kevin Nassery: It was probably the most addictive kind of thing back then. It was great. So, there are kind of two tales of staff augmentation. One: after this ISP got bought and sold, cane worked with somebody else to start an ISP; and mrx was kind of involved a little bit, but there wasn’t a lot of system administration talent in this small town, so I at 15 was probably the most qualified system administrator to hire. I started to work from, like, 15 to 18; I ran the system administration for the new ISP start-up. maniac ended up using his access after it got bought; they kind of neglected a lot of systems, so technical support for the company he was working at. So, for his friends and family he ended up doing a lot of work using his compromised access just to fix his friends’ and family’s stuff.

Mike “Dop” Dopheide: Yeah, and kind of along the same lines, I had friends that, for whatever reason their account would get disabled – perhaps they weren’t paying anymore – I just re-enabled it. I did it about four or five times, and I’d tell them: “Stop disabling his account!” And they just kept doing it. I couldn’t really figure out what they were thinking.

Kevin Nassery: Also, they stopped growing and investing in the modem pool, so in order to dial in or to help other people dial in, Dop and maniac would trim people off the idle timers, so you just dropped lines off the modem pools so people could dial in for free.

Also Read:

Youthful Exploits of an Early ISP by “Dop” and “KevNr”.

Youthful Exploits of an Early ISP. Part 2.

Youthful Exploits of an Early ISP. Part 4.
