Attension all PCboard sysops! Be ware of any PPEs written by a user
going by the handle of Ram Drive. Ram Drive is responcibile for
using a backdoor which he wrote in one of the PPEs he sold me.
Ram Drive proceeded to give himself sysop access, as well as
multiple other accounts which he used as backups. He didn't
stop there. He later called back and zipped up my entire BBS
as well as my terminal phonebook(s) and user lists. Then
systimatically deleted one directory after another (this even
includes my DOS dir). Because I was running under OS/2 the system
was stable and did not crash.
Reasons Ram Drive is suspected:
1] Motive - I modded the PPE which I "**BOUGHT**" from Ram Drive. This
would have made Ram Drive mad enough to attempt to take down the board.
2] I got in a big argumenent w/ Ram Drive a few months back over some
source code he would not distribute to me. I ended the conversation by
telling him i would HEX the PPEs if i must. (I was only threatening.
I never did.) This pissed him off.
3] Since Ram Drive sells this PPE, only three others have it who are
ME, Ram Drive, and a local sysop. The local sysop is not suspected
because the hacker connects at 24000 as the sysop only has a 14.4.
Ram Drive would be the only one to know of the backdoor in the PPE
as he was the one who wrote it. Ram Drive connects at 24000 as well.
4] The Hacker would need to know a lot about PCB and Doorway in order
pull this off. Since Ram Drive is a Co on a PCB and he ran his
own PCB he would have the necessary knowledge to pull this off.
5] Any 5th Dimension Software PPE should be immediately deleted as complex
backdoors were found in a number of them. Obviously they were placed
there as means of destruction.
6] Even *IF* the hacker is not Ram Drive (very doubtful) he is still
responsible as he put the backdoor in the PPE in the first place.
7] When in Doorway Ram Drive raised other accounts to sysop level
as a backup. This way he could use them in case I caught on.
He raised the following accounts from normal user "75" to sysop level
"110" - Anaconda, Battleaxe, and Doomsday (as well as his own account).
Here are the actual logs and user list:
*******************************************************
07-08-94 (11:16) (1) DOOMSDAY (24000E) (G) KRONICK - NO
PCBoard Modded Is Now Selected.
Modem: CONNECT 24000/ARQ
Caller Number: 4,184
Caller Security: 75
%\pcb\text\pcbt.328
IBM-Elite (1) Conference Abandoned
%\pcb\text\pcbt.328
%\pcb\text\pcbt.413 <---Attempted to access Doorway
%\pcb\text\pcbt.326
(C:\PCB\CNFN\IBM\ONELINEF) is missing!
(C:\PCB\CNFN\IBM\ONELINEF) is missing!
DOOMSDAY IS RUNNING RAD-STATS
Operator Paged at 11:18
Reason for paging: (hack?)
Error: C:\PCB\PPL\CHATBOX\NO.TXT (File not found)
No one is available right now for a chat.
(D:\PCB\GEN\BLT1.) is missing!
�[1;37mCNAV v3.10 �[0m[(11:19) Active View]
�[1;37mCNAV v3.10 �[0m[(11:19) Active View]
DOOMSDAY IS RUNNING RAD-STATS
Minutes Used: 4
07-08-94 (11:20) (1) DOOMSDAY Off Normally
*******************************************************
07-08-94 (11:21) (1) BATTLEAXE (24000E) (G)
PCBoard Modded Is Now Selected.
Modem: CONNECT 24000/ARQ
Caller Number: 4,185
Caller Security: 75
%\pcb\text\pcbt.328
BATTLEAXE IS RUNNING RAD-STATS
Minutes Used: 1
07-08-94 (11:22) (1) BATTLEAXE Off Normally
*******************************************************
07-08-94 (11:29) (1) ANACONDA (24000E) (G)
PCBoard Modded Is Now Selected.
Modem: CONNECT 24000/ARQ
Caller Number: 4,186
Caller Security: 76
%\pcb\text\pcbt.328
ANACONDA IS RUNNING RAD-STATS
Minutes Used: 0
07-08-94 (11:29) (1) ANACONDA Off Normally
*******************************************************
07-08-94 (11:31) (1) RAM DRIVE (24000E) (G)
PCBoard Modded Is Now Selected.
Modem: CONNECT 24000/ARQ
Caller Number: 4,187
Caller Security: 75
%\pcb\text\pcbt.328
RAM DRIVE IS RUNNING RAD-STATS
�[1;37mCSSC v2.30 �[0m[Opened: 11:31] <---- This is where
�[1;37mCSSC v2.30 �[0m[Closed: 11:32] I broke in and chated
�[1;37mCSSC v2.30 �[0m[Opened: 11:34] him twice.
�[1;37mCSSC v2.30 �[0m[Closed: 11:35]
RAM DRIVE IS RUNNING RAD-STATS
%\pcb\text\pcbt.413 <-----Attempted to access Doorway Again!!!
Minutes Used: 4
07-08-94 (11:35) (1) RAM DRIVE Off Normally
I changed all 110 accounts back to normal security before he had a
chance to use them. As you can see he procedes to use all 3 of the
accounts he changed to sysop security before finally using his own
account. While using his own account I broke in and chated him
pretending to not know what was going on, I asked him a few questions
that only Ram Drive would know the answer and confirmed it was
actually Ram Drive.
I modded Rad Stats (a view stats PPE) as well as his PPEs to let me know
when: A- it was run B- the user attempted to gain access to the backdoor.
It simply added a hack line to his user comment. Nailed Doomsday -> Ram Drive
red handed. As you can see by the logs it is obvious this is the same user.
As you can see Ram Drive used the stats program to view his security
level each time he called. He did this to see if he is at sysop level
so he can again attempt to delete the board. On the first and last attempt
(Doomsday and Ram Drive) his account comment was changed to "I am a hacker
- Running Backdoor in xxxxxx.ppe"
I modded the ppe and took out the backdoor and replaced it w/ a command
to add the above hack line to all accounts that attemt to use the backdoor.
Ram Drive and his software is VERY dangerous to all sysops and users alike.
He should be blacklisted nationwide and his software deleted.
-Razor / Twilight Time
[The Razor's Edge]
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
