|
Attension all PCboard sysops! Be ware of any PPEs written by a user going by the handle of Ram Drive. Ram Drive is responcibile for using a backdoor which he wrote in one of the PPEs he sold me. Ram Drive proceeded to give himself sysop access, as well as multiple other accounts which he used as backups. He didn't stop there. He later called back and zipped up my entire BBS as well as my terminal phonebook(s) and user lists. Then systimatically deleted one directory after another (this even includes my DOS dir). Because I was running under OS/2 the system was stable and did not crash. Reasons Ram Drive is suspected: 1] Motive - I modded the PPE which I "**BOUGHT**" from Ram Drive. This would have made Ram Drive mad enough to attempt to take down the board. 2] I got in a big argumenent w/ Ram Drive a few months back over some source code he would not distribute to me. I ended the conversation by telling him i would HEX the PPEs if i must. (I was only threatening. I never did.) This pissed him off. 3] Since Ram Drive sells this PPE, only three others have it who are ME, Ram Drive, and a local sysop. The local sysop is not suspected because the hacker connects at 24000 as the sysop only has a 14.4. Ram Drive would be the only one to know of the backdoor in the PPE as he was the one who wrote it. Ram Drive connects at 24000 as well. 4] The Hacker would need to know a lot about PCB and Doorway in order pull this off. Since Ram Drive is a Co on a PCB and he ran his own PCB he would have the necessary knowledge to pull this off. 5] Any 5th Dimension Software PPE should be immediately deleted as complex backdoors were found in a number of them. Obviously they were placed there as means of destruction. 6] Even *IF* the hacker is not Ram Drive (very doubtful) he is still responsible as he put the backdoor in the PPE in the first place. 7] When in Doorway Ram Drive raised other accounts to sysop level as a backup. This way he could use them in case I caught on. He raised the following accounts from normal user "75" to sysop level "110" - Anaconda, Battleaxe, and Doomsday (as well as his own account). Here are the actual logs and user list: ******************************************************* 07-08-94 (11:16) (1) DOOMSDAY (24000E) (G) KRONICK - NO PCBoard Modded Is Now Selected. Modem: CONNECT 24000/ARQ Caller Number: 4,184 Caller Security: 75 %\pcb\text\pcbt.328 IBM-Elite (1) Conference Abandoned %\pcb\text\pcbt.328 %\pcb\text\pcbt.413 <---Attempted to access Doorway %\pcb\text\pcbt.326 (C:\PCB\CNFN\IBM\ONELINEF) is missing! (C:\PCB\CNFN\IBM\ONELINEF) is missing! DOOMSDAY IS RUNNING RAD-STATS Operator Paged at 11:18 Reason for paging: (hack?) Error: C:\PCB\PPL\CHATBOX\NO.TXT (File not found) No one is available right now for a chat. (D:\PCB\GEN\BLT1.) is missing! [1;37mCNAV v3.10 [0m[(11:19) Active View] [1;37mCNAV v3.10 [0m[(11:19) Active View] DOOMSDAY IS RUNNING RAD-STATS Minutes Used: 4 07-08-94 (11:20) (1) DOOMSDAY Off Normally ******************************************************* 07-08-94 (11:21) (1) BATTLEAXE (24000E) (G) PCBoard Modded Is Now Selected. Modem: CONNECT 24000/ARQ Caller Number: 4,185 Caller Security: 75 %\pcb\text\pcbt.328 BATTLEAXE IS RUNNING RAD-STATS Minutes Used: 1 07-08-94 (11:22) (1) BATTLEAXE Off Normally ******************************************************* 07-08-94 (11:29) (1) ANACONDA (24000E) (G) PCBoard Modded Is Now Selected. Modem: CONNECT 24000/ARQ Caller Number: 4,186 Caller Security: 76 %\pcb\text\pcbt.328 ANACONDA IS RUNNING RAD-STATS Minutes Used: 0 07-08-94 (11:29) (1) ANACONDA Off Normally ******************************************************* 07-08-94 (11:31) (1) RAM DRIVE (24000E) (G) PCBoard Modded Is Now Selected. Modem: CONNECT 24000/ARQ Caller Number: 4,187 Caller Security: 75 %\pcb\text\pcbt.328 RAM DRIVE IS RUNNING RAD-STATS [1;37mCSSC v2.30 [0m[Opened: 11:31] <---- This is where [1;37mCSSC v2.30 [0m[Closed: 11:32] I broke in and chated [1;37mCSSC v2.30 [0m[Opened: 11:34] him twice. [1;37mCSSC v2.30 [0m[Closed: 11:35] RAM DRIVE IS RUNNING RAD-STATS %\pcb\text\pcbt.413 <-----Attempted to access Doorway Again!!! Minutes Used: 4 07-08-94 (11:35) (1) RAM DRIVE Off Normally I changed all 110 accounts back to normal security before he had a chance to use them. As you can see he procedes to use all 3 of the accounts he changed to sysop security before finally using his own account. While using his own account I broke in and chated him pretending to not know what was going on, I asked him a few questions that only Ram Drive would know the answer and confirmed it was actually Ram Drive. I modded Rad Stats (a view stats PPE) as well as his PPEs to let me know when: A- it was run B- the user attempted to gain access to the backdoor. It simply added a hack line to his user comment. Nailed Doomsday -> Ram Drive red handed. As you can see by the logs it is obvious this is the same user. As you can see Ram Drive used the stats program to view his security level each time he called. He did this to see if he is at sysop level so he can again attempt to delete the board. On the first and last attempt (Doomsday and Ram Drive) his account comment was changed to "I am a hacker - Running Backdoor in xxxxxx.ppe" I modded the ppe and took out the backdoor and replaced it w/ a command to add the above hack line to all accounts that attemt to use the backdoor. Ram Drive and his software is VERY dangerous to all sysops and users alike. He should be blacklisted nationwide and his software deleted. -Razor / Twilight Time [The Razor's Edge]