Robert Davis rdavis@nyx.net

Page last modified, 15 July 2000
On this page:

- The datatypes.library trojan

- About your Amiga and net security

- Solution to an old problem with amitcp/ip

- Keeping Miami Deluxe connected

- Versions of the Amiga OS

On other pages:

- To the first hints page

- To the second hints page

- Amiga and modem connections

- Return to my home page


Some important stuff:

All the information in these Hints files involves modifications to software and hardware which I have done myself, and which worked on my Amigas. If you have a problem, you are encouraged to send me e-mail describing the difficulty, but I will not be responsible for any of the changes or modifications you make to your own computer and its software.

The datatypes.library trojan

Security Advisory for Amiga Internet Users by Nordic Global Inc., 12/05/98, for immediate release
During the first week of December a list of over 700 stolen user names, passwords and host names of Internet service providers was circulated in the "scene" and posted in several places, including Usenet. Most public postings did not include the passwords, but they ARE present in the original list, i.e. the list DOES exist, and presents a real threat to users on the list. Anyone in possession of the list can use entries on the list to break into Internet accounts of corresponding users, unless those users changed their passwords in the meantime.
In other words: if YOU appear on the list then anyone who has that list can break into YOUR Internet account, until/unless you change your password. Some of the entries on the list were obtained using "normal" means, i.e. by breaking into ISP routers or exploiting known Unix or NT system vulnerabilities. Things like that happen all the time, and are difficult to prevent.
However, many entries on the list were obtained using a different mechanism: a "Trojan" distributed to Amiga users, that secretly spied out username/password information and sent it to an Internet account, where that information was gathered by pirates.
After a lot of false and sometimes slanderous rumors about how that secret mechanism works and which program is to blame, a joint effort by Nordic Global Inc. and several helpful users, who wish to stay anonymous, finally determined the precise way the passwords were gathered:
A pirate group spread a fake version of "datatypes.library" via Aminet. That version has a version number of either 45.4 or 45.5 (depending on when and how you check the version), and a file size of 32748 bytes.
The library contains a concealed Trojan that reads usernames and passwords from the Internet settings files on your harddisk, and sends them by email to a pirate group, who then collects that information and enters it into a database. If you have that version of "datatypes.library" installed, then you are strongly advised to delete it, and to replace it with one of the legitimate, safe versions of datatypes.library, e.g. one of
39.11 (from Workbench disks)
40.6 (from Workbench disks)
45.3 (from Aminet)
45.4 (from Aminet)

If you install 45.4 then make sure the file size is 27780 bytes. If it is 32748 bytes then it is actually the dangerous, fake version 45.5, reporting a wrong version number, not the "real" version 45.4.
After that you should physically switch off your computer, wait for 30 seconds, and switch it on again, just in case. Once you have done that, log into your Internet provider and change your password. If you have previously already changed your password, but did not replace the fake library, then you should change your password again now, because your account information may have been compromised again in the meantime.

It is not known for sure yet who the author of that fake library and "collector" of the generated stolen accounts is, but an investigation is underway. Also, there are very strong, yet so far unconfirmed, indications (including witness statements by informants) that the infamous pirate group "Digital Corruption" is to blame for this.

If that turned out to be true then it would only prove once again that software written or distributed by or in cooperation with pirate organizations cannot be trusted, and may have harmful secret side effects.

If you are wondering why it is Nordic Global Inc. who are making this announcement: the original password list that was distributed contains a comment in obscene language that those passwords were obtained through an alleged "backdoor in Miami".
Do not be fooled by that.
That claim is an obvious lie, a slanderous accusation attempting to tarnish the reputation of Miami and Nordic Global Inc., without any factual basis. Amiga pirate groups, in particular Digital Corruption, have been targeting Nordic Global Inc. with accusations like that for quite some time because of our strong public stand against piracy. Miami does not have any "backdoors", and could not be used, and was not used to compile the list, or to provide any information that appeared on the list.
Nevertheless many users and unfortunately even some developers and dealers spread the false rumor that Miami is "dangerous" in any way. This is obviously not the case. We felt it necessary to try and find out the truth about how the list was compiled, not only to document the safety of Miami, but also to be able to give Amiga users the information they need to react to this threat and to prevent further damage.

For more information on this attack please visit our web site "http://www.nordicglobal.com/", in particular the "News" section.
Holger Kruse, Nordic Global Inc. kruse@nordicglobal.com
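The advisory gives two things you can check without trusting the file's own claims: its size (32748 bytes for the fake, 27780 for the genuine 45.4) and the version it reports. The following is an added example, not code from Nordic Global or from this page: it scans a library image for the "$VER:" tag that the AmigaDOS Version command also looks for, and classifies the file using only the sizes and version numbers the advisory states. The make_image() helper and its date string are constructed stand-ins so the script runs without a real Amiga library; on a real system you would point assess_file() at LIBS:datatypes.library.

```python
# Added example (not from the Nordic Global advisory or this page): flags the
# trojaned datatypes.library by the two facts the advisory gives, file size
# and reported version. AmigaDOS "Version" finds a file's version by scanning
# for a "$VER:" tag, so we do the same on the raw bytes.
import re
from pathlib import Path

# Facts taken from the advisory: the fake file is 32748 bytes and reports
# 45.4 or 45.5; the genuine 45.4 from Aminet is 27780 bytes.
TROJAN_SIZE = 32748
GENUINE_SIZES = {"45.4": 27780}        # only the size the advisory states
SAFE_VERSIONS = {"39.11", "40.6", "45.3", "45.4"}

VER_TAG = re.compile(rb"\$VER:\s*(\S+)\s+(\d+\.\d+)")

def reported_version(data: bytes):
    """Return (name, version) from the first $VER: tag, or None if absent."""
    m = VER_TAG.search(data)
    if not m:
        return None
    return m.group(1).decode("ascii", "replace"), m.group(2).decode("ascii")

def assess(data: bytes) -> str:
    """Classify a datatypes.library image as 'trojan', 'ok' or 'unknown'."""
    size = len(data)
    tag = reported_version(data)
    ver = tag[1] if tag else None
    # Size is the stronger indicator: the fake lies about its version number.
    if size == TROJAN_SIZE:
        return "trojan"
    if ver in GENUINE_SIZES and size != GENUINE_SIZES[ver]:
        return "unknown"               # claims a known version, wrong size
    if ver in SAFE_VERSIONS:
        return "ok"
    return "unknown"

def assess_file(path) -> str:
    """Assess a library on disk, e.g. assess_file('LIBS:datatypes.library')."""
    return assess(Path(path).read_bytes())

def make_image(size: int, version: str) -> bytes:
    """Constructed stand-in for a library file: a $VER tag padded to `size`.
    The date in the tag is made up for the example."""
    tag = b"$VER: datatypes.library %s (1.12.98)\0" % version.encode()
    return tag.ljust(size, b"\0")

if __name__ == "__main__":
    for label, img in [("fake 45.4", make_image(32748, "45.4")),
                       ("real 45.4", make_image(27780, "45.4")),
                       ("odd 45.4", make_image(30000, "45.4"))]:
        print(f"{label:10s} size={len(img):6d} -> {assess(img)}")
```

The size check is done first on purpose: the advisory's point is that the fake reports the version number of a genuine release, so the version string alone proves nothing.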

Information about your Amiga and system security

Next Item: System security with amitcp/ip

This information comes from an AmIRC web page.

Avoiding Port Hacks and Amiga Nukes!

How to avoid Nukes and Port Hacks on your Amiga.

The following Miami information has been supplied by Jazzie

1: Do not accept executable or archived files from someone you don't know on the internet.
They may claim it is a new virus checker, but how do YOU know any different?

2: Miami users, run the "MIAMINETSTAT" utility periodically.
AmiTCP users can run the script "NetStat" for the same results.
Make a note of any suspicious connections. BEAR IN MIND: FTP access usually starts at around Port 1024, but each command takes it one higher. I don't know where it loops, but it eventually comes back down to 1024.

DCC Chats in IRC also cause ports to be open.
Example:
Proto Recv-Q Send-Q Local Address      Foreign Address      (state)
tcp   0      0      your.domain.1026   fire1.gte.net.6667   ESTABLISHED
tcp   0      0      your.domain.1599   dev.hacker.com.1085  ESTABLISHED
The first line beginning with tcp is my IRC connection. The foreign address is always the port number you joined the server with. The port your end (1026) may be different each time you connect to a server.

Therefore, I KNOW I'm using IRC, so I should have the irc port open.

Looking at the second line however, I haven't a clue where "dev.hacker.com" is, so this could be worrying.

If you are using IRC, try doing /who *dev.hacker.com in the command line.
That may return a nick. If you don't think that user should be connected, time to reboot.
You may also want to log the access, just in case any damage is done, so you can try and trace the user's ISP.

There is a method of preventing unwanted access to your machine, which I'll describe in a while.

3: If anyone wants a port checker, we have one available.
Usage is simple, but that will be contained in the archive anyway. I don't really want to supply source, but it IS legitimate, and it will tell you if you have any ports open which you should be wary of.

As I said, don't trust any files from people you don't know. So, only accept this port checker from an OP on DALNET #AmIRC.
TCP Port Checker ©1998 Plexus Digital Solutions

The port checker, should you wish to use it, is freeware, but NOT distributable. It is ONLY to be distributed by #AmIRC admin.

4: How the TCP hack works:
(You don't really think I'm going to tell you this??)
Basically, after the trojan program opens up your port (which can be quite some time after actually running the program, so don't expect SnoopDOS to say "Hey, what's this?!" right away), you can be quite happily surfing the net.
You may not even be doing anything. You could just be connected, and not have ANY net applications going... just Miami or AmiTCP. If you have a static account, you should be careful. If anyone SENT you the 'trojan' carrier, they will know your IP address, as this doesn't change. They can simply PING your IP address to see if you are connected to the internet.

Like I say, you don't have to be FTPing or IRCing; as long as those little modem lights are lit, you may be vulnerable.

As they will know the port which their program opens, they simply have to connect to your machine, and voila, they have instant access to EVERYTHING!
Don't think that they can't do anything but look once there... Bear in mind, that when they gain access, they are presented with a shell. This is on YOUR system, not theirs. Everything they do, such as DIR, INFO, ASSIGN, or FORMAT is on YOUR system.
They can instantly find out if you use Miami or AmiTCP, and they can even copy your keyfiles, and your config files.
Imagine, someone copying your mail reader config file. They can easily read ALL your incoming mail, and worse, they can send offensive mail, and it will appear from YOU. Now, this isn't just while they are connected to you, as they can grab your config files, they can send or read your mail whenever they want.
If they copy your keyfiles, they can then put them on the internet for others to use. You may then update whatever program (not just internet utilities) and find that your keyfile has been blacklisted.

It may be that you will only try their program once, so they can gain access to your machine while you have just run their program... but how will they get on in future?

Easy. While they connect to you for the first time, they may change your startup-sequence.
They may add a simple command to it, or they could be REALLY crafty and change some of the official workbench programs to open up the port EVERY time you reboot your machine.

It's worth checking the dates on your S:STARTUP-SEQUENCE and S:USER-STARTUP files every so often, and read them if you think they may have changed without your knowing.

There are some other files you should check for (These are known port openers):
C:LoadWB                29 bytes or thereabouts
L:wb.handler           382 bytes or thereabouts
DEVS:workbench.device 1136 bytes *

If you EVER find a file DEVS:WORKBENCH.DEVICE, do a version on it.
It will more than likely be LOADWB 38.9
If you DO find this, MOVE (Copy/delete) the DEVS:WORKBENCH.DEVICE to C:LOADWB, and delete l:wb.handler.

This is the classic port opener.
Run a port checker every week!

5: Denial of Service attacks (Nukes):
There is a denial of service attack going around at the moment which affects Amigas, so after nuking any PC owner you see, you can now wipe the smug grin off your face....

There are a number of things to consider here, should you ever think about 'nuking' a PC owner.
1: It's a known attack/bug
2: It's been fixed
3: There are programs which log the attacks, IP addresses, and times
4: It's against IRC servers rules, and your ISP's rules to launch a denial of service attack. If these guys log an attack from you, and decide to complain to your ISP, start looking for another ISP.
5: It CAN cause damage. If the user is writing to his hard disk at the time of your attack, you might want to find a good lawyer.

Same goes for Amiga users!

While the Amiga nuke attacks a different port, it is possible that this may cause damage too. While fairly remote, the chance is still there.

How do you avoid the Amiga Nuke?
By preventing access to the CHARGEN service on your system.
(Who needs it anyway?)
I have the following setup in Miami:
(From the Miami window, select Database, and the "IP FILTER" tab)
temp  Protocol  Service  HostMask   Allow  Log
1     *         19       *.*.*.*    N      Y
2     *         139      *.*.*.*    Y      Y
3     *         *        127.0.0.1  Y      N
4     TCP       AUTH     *.*.*.*    Y      N
5     *         *        *.*.*.*    Y      Y
6     *         DCHack   *.*.*.*    N      Y
7     *         $        *.*.*.*    Y      N
Meaning:
Line 1: This line prevents the Amiga nuke attack from locking your machine, and generates a log so you can trace the individual.
Line 2: This catches anyone who does a channel wide (IRC) BREAK95 or Winnuke. The Amiga is not bothered by such stupidity, but I want to know when it happens. You may leave this one out if you wish.
Line 3: Allows you total access (YOU are 127.0.0.1) without logging.
Line 4: Allows TCP AUTH requests, without logging. These are ok, but you wouldn't want a log of them all!
Line 5: Log ALL other requests...This has one sad side effect. If ever you use FTP, it will generate a log for each ftp request you make. It's annoying I know, but thats the price of safety.
Line 6: A reported hack on another web page involves a way to read the contents of your Amiga's hard drive. This line along with an entry in the Miami database should fix that specific problem.
Line 7: Allow all remaining ports to be accessed but not to generate a log.

The entry in the Miami database is as follows:
In services choose add
In the name box, enter DCHack which is the name of this reported problem.
In the ID box, enter 1599 which is the port reportedly affected.
In the protocol box, enter tcp which is the type of connection which should be prohibited on port 1599.

It is interesting that you can do all these changes in Miami (and do similar changes in AmiTCP/IP). You do not have to download a program patch, about which you know nothing, from a software supplier. The users of clone computers must depend upon the kindness and honesty of their software suppliers to avoid these networking problems. Amiga users can see and control what happens on their own machines. I prefer the way system security is handled on the Amiga.
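Jazzie's advice above comes down to reading the NetStat listing with a short list of what you know you are doing and asking what is left over. The following is an added example, not code from the AmIRC page, from Jazzie or from Miami: it parses output in the layout shown above and reports two things a practitioner wants to see at a glance, established connections whose remote end matches nothing you expect, and any connection where your own side is a service port (named, or numbered below 1024), which means somebody connected to a service on your machine. The EXPECTED set, the host names and the sample lines are constructed for the example; the TIME_WAIT line mirrors the trace a finger probe leaves, as in the AmiTCP message further down this page.

```python
# Added example (not from the AmIRC page or MiamiNetStat): parses netstat
# output in the layout shown above and flags what a practitioner would look
# at: established connections that match nothing you know you are using, and
# any connection where YOUR side is a service port (someone connected to you).
# The host names and sample lines below are constructed, not real captures.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: object    # int, or a service name such as "finger"
    remote_host: str
    remote_port: object
    state: str

def split_addr(addr):
    """'your.domain.1026' -> ('your.domain', 1026); the port follows the last dot."""
    host, _, port = addr.rpartition(".")
    return host, (int(port) if port.isdigit() else port)

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue                   # header, blank or unrecognised line
        lh, lp = split_addr(f[3])
        rh, rp = split_addr(f[4])
        conns.append(Conn(f[0], lh, lp, rh, rp, f[5]))
    return conns

# What you know you are doing, as (remote host suffix, remote port). The local
# port is ephemeral (1026 today, 1599 tomorrow), so it is deliberately ignored.
EXPECTED = {(".gte.net", 6667)}        # the IRC server from the example above

def suspicious(conns, expected=EXPECTED):
    """Established connections whose remote end matches nothing in `expected`."""
    return [c for c in conns
            if c.state == "ESTABLISHED"
            and not any(c.remote_host.endswith(s) and c.remote_port == p
                        for s, p in expected)]

def inbound_service_hits(conns):
    """Connections where our side is a service port (named, or below 1024):
    evidence that somebody connected to a service on this machine, in any
    state, including the TIME_WAIT left behind after a finger probe."""
    return [c for c in conns
            if isinstance(c.local_port, str) or c.local_port < 1024]

SAMPLE = """\
Proto Recv-Q Send-Q Local Address       Foreign Address           (state)
tcp   0      0      your.domain.1026    fire1.gte.net.6667        ESTABLISHED
tcp   0      0      your.domain.1599    dev.hacker.com.1085       ESTABLISHED
tcp   0      0      your.domain.finger  cu-amiga.demon.co.uk.1043 TIME_WAIT
"""

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    for c in suspicious(conns):
        print(f"UNKNOWN  {c.local_host}.{c.local_port} <-> {c.remote_host}.{c.remote_port}")
    for c in inbound_service_hits(conns):
        print(f"INBOUND  {c.local_port} from {c.remote_host} ({c.state})")
```

Matching on the remote host and port rather than the local port is the point of the example: as Jazzie says, the local port changes every session, so an allowlist keyed on it would never stay valid.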


The following AmiTCP information has been supplied by StarDustr
Users with AmiTCP may wish to add the following to their AmiTCP:db/inet-access files. (Requires a Registered version of AmiTCP)

1. Entries with 127.0.0.1 give you access thru your localhost IP.
2. Allow auth and * access to all users.
3. Deny finger and @. finger is a known problem area and @ handles most low-numbered services ports.

auth    *.*.*.*    allow LOG
finger  127.0.0.1  allow LOG
finger  *.*.*.*    deny  LOG
@       127.0.0.1  allow LOG
@       *.*.*.*    deny  LOG
*       *.*.*.*    allow LOG
If you DENY * this closes the ports you need for IRC DCC connections and FTP connections. (and maybe others)
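To see what the six lines above actually admit, and why StarDustr's warning about DENY * matters, here is an added example that is not AmiTCP's code and not from this page: a small first-match model of the inet-access rules. It assumes that the first matching line wins, that "@" stands for the low-numbered service ports (below 1024, following item 3 above), and that a host mask is matched octet by octet; those are assumptions of the example, to be checked against the AmiTCP documentation, not a statement of how AmiTCP is implemented. The service names, ports and addresses in the tests are constructed.

```python
# Added example (not AmiTCP's code): a minimal first-match model of the
# db/inet-access rules shown above. ASSUMPTIONS of this example: the first
# matching line wins, "@" means service ports below 1024, and host masks are
# compared octet by octet. Check these against your AmiTCP documentation.
from fnmatch import fnmatch

def parse_rules(text):
    """'service hostmask allow|deny [LOG]' per line -> list of tuples."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        service, hostmask, verdict = f[0], f[1], f[2].lower()
        rules.append((service, hostmask, verdict == "allow", "LOG" in f[3:]))
    return rules

LOW_PORTS = 1024    # assumption: "@" covers the low-numbered service ports

def service_matches(pattern, service, port):
    if pattern == "*":
        return True
    if pattern == "@":
        return port is not None and port < LOW_PORTS
    return pattern == service

def host_matches(mask, ip):
    return all(fnmatch(octet, m)
               for octet, m in zip(ip.split("."), mask.split(".")))

def decide(rules, service, port, ip):
    """(allowed, logged) from the first matching rule; closed if none match."""
    for pattern, mask, allow, log in rules:
        if service_matches(pattern, service, port) and host_matches(mask, ip):
            return allow, log
    return False, False

# StarDustr's list, as given above.
RULES = parse_rules("""
auth    *.*.*.*    allow LOG
finger  127.0.0.1  allow LOG
finger  *.*.*.*    deny  LOG
@       127.0.0.1  allow LOG
@       *.*.*.*    deny  LOG
*       *.*.*.*    allow LOG
""")
# The variant the page warns about: the catch-all changed to deny.
RULES_DENY_ALL = RULES[:-1] + [("*", "*.*.*.*", False, True)]

if __name__ == "__main__":
    # Constructed requests: (service, port, source address)
    for req in [("finger", 79, "10.1.2.3"), ("finger", 79, "127.0.0.1"),
                ("telnet", 23, "10.1.2.3"), ("auth", 113, "10.1.2.3"),
                ("dcc", 1599, "10.1.2.3")]:
        print(req, "list:", decide(RULES, *req),
              "deny-*:", decide(RULES_DENY_ALL, *req))
```

Run against the list as written, a remote finger request is denied and logged, the same request from 127.0.0.1 is allowed, auth is allowed from anywhere because its line precedes the "@" deny, and an inbound DCC on a high port falls through to the final allow. With the catch-all turned to deny, that DCC (and an FTP data connection on a high port) is refused, which is the breakage StarDustr describes.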

rdavis@nyx.net

Return to top of page.


System security with amitcp/ip

Next item Keeping Miami Deluxe connected

Here is an older message, about the fingerd problem with amitcp/ip.

From: fox@ridhughz.demon.co.uk (Ridwan Hughes)
Newsgroups: demon.ip.support.amiga
Subject: Illegal AmiTCP hacking
Date: 07 Nov 96 22:30:49 +0000

Someone on #amiga earlier was going around and screwing with people's AmiTCPs, and all he said really was to lock down in.fingerd and shut down ports or buy Miami. And what makes me angry about this is that he didn't say fully how to stop people getting into their systems, just basically "buy Miami", and this makes me dubious because he was/is selling keyfiles for Miami, so therefore making some profit out of it.
Now most people who do IRC with AmiTCP only know enough to get by, let alone work out what he was going on about. Well, it turns out someone on Dalnet was going round and using in.fingerd to wipe people's hard drives. It took a lot of arguing and name calling to finally get an answer from him, but it wasn't him who told us the solution, hmm..
What you have to do is edit the line in inetd.conf where it says finger, to this:

finger stream tcp dos bin - echo (whatever finger reply you want)

That should stop in.fingerd being executed when someone fingers your machine and allowing a backdoor into your system.

What annoys me about the whole escapade is that the person, somehow appropriately called Fingers (Mat Bettinson from CU-Amiga), was being very sneaky about what he was doing. Now call me misinformed, but from my and others' point of view this is hacking, because he twice made my machine execute stopnet which closed down my IRC and www sessions, but for some strange reason I was still online, so I typed "netstat all" and the only line that was displayed produced:

tcp 0 0 ridhughz.finger cu-amiga.demon.co.uk. TIME_WAIT

Yes, Fingers was messing with my AmiTCP setup, so I then went and confronted him in #amiga about it, and eventually after being very obnoxious to him, got some sort of reply, mainly the "buy Miami or sort out your ports".

Now I don't have any use for Miami because I have my two Amigas linked together with AmiTCP, which currently Miami is incapable of doing.

It has totally pissed me off, because he could've just said to everyone "anyone using AmiTCP, have they locked their ports, because someone on Dalnet is hacking into people's systems and wiping HDs" without being sneaky and closing people's systems by himself hacking in and executing stopnet.

Do edit your AmiTCP:db/inetd.conf file now. It is a wise thing to do.

Rid - in a bad mood, a very bad mood
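The fix in the message above is a one-line edit to AmiTCP:db/inetd.conf, but the point of it is that nothing called in.fingerd should be left for a remote finger request to start. The following is an added example, not code from Ridwan Hughes, AmiTCP or this page: it scans an inetd.conf text, reports any finger line that still launches in.fingerd, and rewrites it to the echo stub the message recommends. Only the first three columns (service, socket type, protocol) are interpreted; treating everything after them as the server specification is an assumption of the example, and the sample configuration, including its paths and the AmiTCP:bin entries, is constructed.

```python
# Added example (not from the post or from AmiTCP): finds inetd.conf lines
# that still hand finger requests to in.fingerd and rewrites them to the
# echo stub the post recommends. ASSUMPTION: the first three whitespace
# separated columns are service, socket type and protocol; everything after
# them is treated as the server spec. SAMPLE_CONF is constructed, not real.
import re

# The replacement line from the post, with a fixed reply text filled in.
SAFE_FINGER = "finger stream tcp dos bin - echo Finger is disabled on this machine."

def is_fingerd_line(line: str) -> bool:
    """True for a 'finger' service line whose server spec names in.fingerd."""
    f = line.split()
    if len(f) < 3 or f[0].startswith("#") or f[0].lower() != "finger":
        return False
    return any(re.search(r"in\.fingerd", tok, re.IGNORECASE) for tok in f[3:])

def vulnerable_lines(text: str):
    """1-based line numbers that still launch in.fingerd."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if is_fingerd_line(line)]

def harden_inetd(text: str, replacement: str = SAFE_FINGER):
    """Return (new_text, changed_line_numbers) with every in.fingerd line
    replaced by the echo stub; all other lines are passed through unchanged."""
    out, changed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if is_fingerd_line(line):
            out.append(replacement)
            changed.append(n)
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed

SAMPLE_CONF = """\
# constructed sample of AmiTCP:db/inetd.conf (layout is an assumption)
ftp    stream tcp dos root AmiTCP:bin/in.ftpd    in.ftpd
finger stream tcp dos bin  AmiTCP:bin/in.fingerd in.fingerd
auth   stream tcp dos bin  AmiTCP:bin/in.identd  in.identd
"""

if __name__ == "__main__":
    print("still runs in.fingerd on line(s):", vulnerable_lines(SAMPLE_CONF))
    new_conf, changed = harden_inetd(SAMPLE_CONF)
    print("rewrote line(s):", changed)
    print(new_conf)
```

Running harden_inetd() a second time on its own output changes nothing, which is the property you want from a check you will re-run after every AmiTCP reinstall.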

Return to top of page.


Next item Amiga OS versions

Keeping Miami Deluxe connected

The TCP/IP stack, Miami Deluxe, written by Holger Kruse, offers an easy way to keep your Amiga connected to your Internet Service Provider even if you don't do anything like send a command to the WWW or read an e-mail.
Do the following while you are not connected to your ISP.
Just go to the main Miami Deluxe window and select Interfaces. Then click once to highlight the interface to modify, such as ppp0 | dialer. Click on Edit. Then click on Auto-connect/disconnect. Then click on the behavior line and choose "simulate activity". Click to send an ICMP ping after (for example) 120 seconds.
Click OK twice then save your interface file back into the Miami directory.
This change in configuration creates a keep-alive packet which is sent to your ISP after the chosen time passes and you have not sent any other command to your ISP.
You must note that some ISPs do not like users running a keep-alive and some will disconnect you anyway after a certain time period, such as one or two hours.
Return to top of page

Amiga OS versions

The Amiga operating system has gone through many revisions.
Here is a partial list ...
Amiga OS 1.0 version
Amiga OS 1.1 version
Amiga OS 1.2 version 33.x (where x is a minor revision number)
Amiga OS 1.3 version 34.x
Amiga OS 1.4 version 35.x (released only to developers)
Amiga OS 2.0 version 36.x
Amiga OS 2.04 and 2.05 version 37.x
Amiga OS 2.1 version 38.x
Amiga OS 3.0 version 39.x
Amiga OS 3.1 version 40.x
Amiga OS 3.5 version 44.2 (requires OS 3.1 Kickstart)

OS versions 1.0 and 1.1 were distributed with the Amiga 1000 computer. If you have more information, please e-mail me at the address listed below.

E-Mail rdavis@nyx.net

Return to top of page.


Created on Amiga