
PC-Board: About a PCB PPE with a backdoor

Attention all PCBoard sysops! Beware of any PPEs written by a user
going by the handle of Ram Drive. Ram Drive is responsible for
using a backdoor which he wrote in one of the PPEs he sold me.
Ram Drive proceeded to give himself sysop access, as well as
multiple other accounts which he used as backups. He didn't
stop there. He later called back and zipped up my entire BBS
as well as my terminal phonebook(s) and user lists. Then he
systematically deleted one directory after another (this even
includes my DOS dir). Because I was running under OS/2 the system
was stable and did not crash.

Reasons Ram Drive is suspected:

1] Motive - I modded the PPE which I "**BOUGHT**" from Ram Drive. This
   would have made Ram Drive mad enough to attempt to take down the board.

2] I got in a big argument w/ Ram Drive a few months back over some
   source code he would not distribute to me. I ended the conversation by
   telling him I would HEX the PPEs if I must. (I was only threatening.
   I never did.) This pissed him off.

3] Since Ram Drive sells this PPE, only three people have it, who are
   ME, Ram Drive, and a local sysop. The local sysop is not suspected
   because the hacker connects at 24000 and the sysop only has a 14.4.
   Ram Drive would be the only one to know of the backdoor in the PPE
   as he was the one who wrote it. Ram Drive connects at 24000 as well.

4] The hacker would need to know a lot about PCB and Doorway in order
   to pull this off. Since Ram Drive is a Co on a PCB and he ran his
   own PCB he would have the necessary knowledge to pull this off.

5] Any 5th Dimension Software PPE should be immediately deleted as complex
   backdoors were found in a number of them. Obviously they were placed
   there as a means of destruction.

6] Even *IF* the hacker is not Ram Drive (very doubtful) he is still
   responsible as he put the backdoor in the PPE in the first place.

7] When in Doorway, Ram Drive raised other accounts to sysop level
   as a backup. This way he could use them in case I caught on.
   He raised the following accounts from normal user "75" to sysop level
   "110" - Anaconda, Battleaxe, and Doomsday (as well as his own account).

   Here are the actual logs and user list:
   *******************************************************
   07-08-94 (11:16) (1) DOOMSDAY (24000E) (G) KRONICK - NO
         PCBoard Modded Is Now Selected.
         Modem: CONNECT 24000/ARQ
         Caller Number: 4,184
         Caller Security: 75
         %\pcb\text\pcbt.328
         IBM-Elite (1) Conference Abandoned
         %\pcb\text\pcbt.328
         %\pcb\text\pcbt.413  <---Attempted to access Doorway
         %\pcb\text\pcbt.326
         (C:\PCB\CNFN\IBM\ONELINEF) is missing!
         (C:\PCB\CNFN\IBM\ONELINEF) is missing!
   DOOMSDAY IS RUNNING RAD-STATS
         Operator Paged at 11:18
         Reason for paging: (hack?)
         Error: C:\PCB\PPL\CHATBOX\NO.TXT (File not found)
         No one is available right now for a chat.
         (D:\PCB\GEN\BLT1.) is missing!
         CNAV v3.10 [(11:19) Active View]
         CNAV v3.10 [(11:19) Active View]
   DOOMSDAY IS RUNNING RAD-STATS
         Minutes Used: 4
   07-08-94 (11:20) (1) DOOMSDAY Off Normally
   *******************************************************
   07-08-94 (11:21) (1) BATTLEAXE (24000E) (G)
         PCBoard Modded Is Now Selected.
         Modem: CONNECT 24000/ARQ
         Caller Number: 4,185
         Caller Security: 75
         %\pcb\text\pcbt.328
   BATTLEAXE IS RUNNING RAD-STATS
         Minutes Used: 1
   07-08-94 (11:22) (1) BATTLEAXE Off Normally
   *******************************************************
   07-08-94 (11:29) (1) ANACONDA (24000E) (G)
         PCBoard Modded Is Now Selected.
         Modem: CONNECT 24000/ARQ
         Caller Number: 4,186
         Caller Security: 76
         %\pcb\text\pcbt.328
   ANACONDA IS RUNNING RAD-STATS
         Minutes Used: 0
   07-08-94 (11:29) (1) ANACONDA Off Normally
   *******************************************************
   07-08-94 (11:31) (1) RAM DRIVE (24000E) (G)
         PCBoard Modded Is Now Selected.
         Modem: CONNECT 24000/ARQ
         Caller Number: 4,187
         Caller Security: 75
         %\pcb\text\pcbt.328
   RAM DRIVE IS RUNNING RAD-STATS
         CSSC v2.30 [Opened: 11:31]   <----  This is where
         CSSC v2.30 [Closed: 11:32]       I broke in and chated
         CSSC v2.30 [Opened: 11:34]       him twice.
         CSSC v2.30 [Closed: 11:35]
   RAM DRIVE IS RUNNING RAD-STATS
         %\pcb\text\pcbt.413  <-----Attempted to access Doorway Again!!!
         Minutes Used: 4
   07-08-94 (11:35) (1) RAM DRIVE Off Normally

   I changed all 110 accounts back to normal security before he had a
   chance to use them. As you can see he proceeds to use all 3 of the
   accounts he changed to sysop security before finally using his own
   account. While using his own account I broke in and chatted him,
   pretending to not know what was going on. I asked him a few questions
   that only Ram Drive would know the answer to, and confirmed it was
   actually Ram Drive.

I modded Rad Stats (a view stats PPE) as well as his PPEs to let me know
when: A) it was run, B) the user attempted to gain access to the backdoor.
It simply added a hack line to his user comment. Nailed Doomsday -> Ram Drive
red handed. As you can see by the logs it is obvious this is the same user.


As you can see Ram Drive used the stats program to view his security
level each time he called. He did this to see if he was at sysop level
so he could again attempt to delete the board. On the first and last attempt
(Doomsday and Ram Drive) his account comment was changed to "I am a hacker
- Running Backdoor in xxxxxx.ppe"
I modded the ppe and took out the backdoor and replaced it w/ a command
to add the above hack line to all accounts that attempt to use the backdoor.
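The caller log above is what let the sysop tie four handles to one person: every session records the connect speed, the caller's security level, and the display files PCBoard showed (the author annotates `pcbt.413` as the Doorway access attempt). The following script is an added example, not part of the original post and not a PCBoard or PPE tool: it parses log lines in the format shown above into sessions, flags any session that hit the Doorway prompt while below sysop level 110, and groups back-to-back calls at the same connect speed under different handles, which is the reasoning the author applies by hand. The log format interpretation, the 10-minute gap heuristic, and the abbreviated sample log are all assumptions of this example; the security levels 75 and 110 and the meaning of `pcbt.413` come from the post.

```python
"""Session-level triage of PCBoard caller log lines (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

SYSOP_LEVEL = 110            # sysop security level named in the post
DOORWAY_PROMPT = "pcbt.413"  # per the post author's annotation: Doorway access attempt

# Assumed log shapes, taken from the lines shown in the post:
#   "07-08-94 (11:16) (1) DOOMSDAY (24000E) (G) ..."   starts a session
#   "07-08-94 (11:20) (1) DOOMSDAY Off Normally"       ends it
START_RE = re.compile(r"^(\d\d-\d\d-\d\d) \((\d\d:\d\d)\) \(\d+\) (.+?) \((\d+)[A-Z]*\)")
END_RE = re.compile(r"^(\d\d-\d\d-\d\d) \((\d\d:\d\d)\) \(\d+\) (.+?) Off ")
SECURITY_RE = re.compile(r"Caller Security: (\d+)")
TEXT_RE = re.compile(r"%\\pcb\\text\\(pcbt\.\d+)", re.IGNORECASE)


@dataclass
class Session:
    handle: str
    start: datetime
    speed: int                       # connect speed, e.g. 24000
    end: Optional[datetime] = None
    security: Optional[int] = None   # "Caller Security: NN"
    textfiles: List[str] = field(default_factory=list)

    @property
    def doorway_attempts(self) -> int:
        return sum(1 for t in self.textfiles if t == DOORWAY_PROMPT)


def _stamp(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%m-%d-%y %H:%M")


def parse_sessions(log_text: str) -> List[Session]:
    """Split the log into one Session per logon/logoff pair, in log order."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            current = Session(handle=m.group(3), start=_stamp(m.group(1), m.group(2)),
                              speed=int(m.group(4)))
            sessions.append(current)
            continue
        m = END_RE.match(line)
        if m and current is not None:
            current.end = _stamp(m.group(1), m.group(2))
            current = None
            continue
        if current is None:          # separator lines between sessions
            continue
        m = SECURITY_RE.search(line)
        if m:
            current.security = int(m.group(1))
        current.textfiles.extend(t.lower() for t in TEXT_RE.findall(line))
    return sessions


def flag_sessions(sessions: List[Session]) -> List[Tuple[str, str]]:
    """(handle, reason) for every non-sysop session that touched the Doorway prompt."""
    findings = []
    for s in sessions:
        if s.doorway_attempts and (s.security is None or s.security < SYSOP_LEVEL):
            findings.append((s.handle,
                             f"{s.doorway_attempts} Doorway attempt(s) at security {s.security}"))
    return findings


def call_clusters(sessions: List[Session], max_gap_minutes: int = 10) -> List[List[str]]:
    """Runs of back-to-back calls at one connect speed under more than one handle.

    Heuristic (an assumption of this example) mirroring the post's reasoning:
    several handles, one speed, all within a few minutes of each other."""
    clusters, run = [], []
    for s in sessions:
        prev = run[-1] if run else None
        if (prev is not None and prev.end is not None and s.speed == prev.speed
                and (s.start - prev.end).total_seconds() <= max_gap_minutes * 60):
            run.append(s)
        else:
            if len({r.handle for r in run}) > 1:
                clusters.append(run)
            run = [s]
    if len({r.handle for r in run}) > 1:
        clusters.append(run)
    return [[r.handle for r in run] for run in clusters]


# Constructed sample: an abbreviation of the four sessions quoted in the post.
SAMPLE_LOG = r"""
07-08-94 (11:16) (1) DOOMSDAY (24000E) (G) KRONICK - NO
      Caller Security: 75
      %\pcb\text\pcbt.328
      %\pcb\text\pcbt.413
07-08-94 (11:20) (1) DOOMSDAY Off Normally
*******************************************************
07-08-94 (11:21) (1) BATTLEAXE (24000E) (G)
      Caller Security: 75
      %\pcb\text\pcbt.328
07-08-94 (11:22) (1) BATTLEAXE Off Normally
*******************************************************
07-08-94 (11:29) (1) ANACONDA (24000E) (G)
      Caller Security: 76
07-08-94 (11:29) (1) ANACONDA Off Normally
*******************************************************
07-08-94 (11:31) (1) RAM DRIVE (24000E) (G)
      Caller Security: 75
      %\pcb\text\pcbt.413
07-08-94 (11:35) (1) RAM DRIVE Off Normally
"""

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for handle, reason in flag_sessions(sess):
        print(f"FLAG {handle}: {reason}")
    for cluster in call_clusters(sess):
        print("same-speed call burst:", " -> ".join(cluster))
```

Run against the real caller log, the two findings it reports are exactly the two sessions the author marked with arrows, and the single cluster is the four-handle burst the author argues points at one caller. The speed and timing grouping is only a lead; the author's confirmation came from the modded PPE writing a hack line into the user comment, which this script does not replace.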

Ram Drive and his software are VERY dangerous to all sysops and users alike.
He should be blacklisted nationwide and his software deleted.

-Razor / Twilight Time   
[The Razor's Edge]

