Using normal address formats for a variety of networks, he tried telling the gateway to make a connection. X.25. TCP/IP. Whatever lay beyond the gateway didn't respond. Anthrax looked around until he found a sample of addresses in a help file. None of them worked, but they offered a clue as to what format an address might take.

Each address had six digits, the first three numbers of which corresponded to telephone area codes in the Washington DC area. So he picked one of the codes and started guessing the last three digits.

Hand scanning was a pain, as ever, but if he was methodical and persistent, something should turn up. 111. 112. 113. 114. 115. On it went. Eventually he connected to something—a SunOS Unix system—which gave him a full IP address in its login message. Now that was handy. With the full IP address, he could connect to System X again through the Internet directly—avoiding the gateway if he chose to. It's always helpful in covering your tracks to have a few different routing options. Importantly, he could approach System X through more than just its front door.

Anthrax spiralled through the usual round of default usernames and passwords. Nothing. This system required a more strategic attack.

He backed out of the login screen, escaped from the gateway and went to another Internet site to have a good look at System X from a healthy distance. He 'fingered' the site, pulling up any bit of information System X would release to the rest of the Internet when asked. He probed and prodded, looking for openings. And then he found one. Sendmail.

The version of Sendmail run by System X had a security hole Anthrax could exploit by sending himself a tiny backdoor program. To do this, he used System X's mail-processing service to send a 'letter' which contained a tiny computer program. System X would never have allowed the program to run normally, but this program worked like a letter bomb. When System X opened the letter, the program jumped out and started running. It told System X that anyone could connect to port 2001—to an interactive shell—of the computer without using a password.

A port is a door to the outside world. TCP/IP computers use a standard set of ports for certain services. Port 25 for mail. Port 79 for Finger. Port 21 for FTP. Port 23 for Telnet. Port 513 for Rlogin. Port 80 for the World Wide Web. A TCP/IP based computer system has 65535 ports but most of them go unused. Indeed, the average Unix box uses only 35, leaving the remaining 65500 ports sitting idle. Anthrax simply picked one of these sleepy ports, dusted off the cobwebs and plugged in using the backdoor created by his tiny mail-borne program.

Connecting directly to a port created some problems, because the system wouldn't recognise certain keystrokes from the port, such as the return key. For this reason, Anthrax had to create an account for himself which would let him telnet to the site and log in like any normal user. To do this, he needed root privileges in order to create an account and, ultimately, a permanent backdoor into the system.

He began hunting for vulnerabilities in System X's security. There was nothing obvious, but he decided to try out a bug he had successfully used elsewhere. He had first learned about it on an international phone conference, where he had traded information with other hackers and phreakers. The security hole involved the system's relatively obscure load-module program. The program added features to the running system but, more importantly, it ran as root, meaning that it had a free run on the system when it was executed. It also meant that any other programs the load-module program called up also ran as root. If Anthrax could get this program to run one of his own programs—a little Trojan—he could get root on System X.

The load-module bug was by no means a sure thing on System X. Most commercial systems—computers run by banks or credit agencies, for example—had cleaned up the load-module bug in their SunOS computers months before. But military systems consistently missed the bug. They were like turtles—hard on the outside, but soft and vulnerable on the inside. Since the bug couldn't be exploited unless a hacker was already inside a system, the military's computer security officials didn't seem to pay much attention to it. Anthrax had visited a large number of military systems prior to System X, and in his experience more than 90 per cent of their SunOS computers had never fixed the bug.