Robert Davis rdavis@nyx.net

Page last modified, 15 July 2000
On this page:

- The datatypes.library trojan

- About your Amiga and net security

- Solution to an old problem with amitcp/ip

- Keeping Miami Deluxe connected

- Versions of the Amiga OS

On other pages:

- To the first hints page

- To the second hints page

- Amiga and modem connections

- Return to my home page


Some important stuff:

All the information in these Hints files involve modifications to software and hardware which I have done myself, and which worked on my Amigas. If you have a problem, you are encouraged to send me e-mail describing the difficulty, but I will not be responsible for any of the changes or modifications you make to your own computer and its software.

The datatypes.library trojan

Security Advisory for Amiga Internet Users by Nordic Global Inc., 12/05/98, for immediate release
During the first week of December a list of over 700 stolen user names, passwords and host names of Internet service providers was circulated in the "scene" and posted in several places, including Usenet. Most public postings did not include the passwords, but they ARE present in the original list, i.e. the list DOES exist, and presents a real threat to users on the list. Anyone in possession of the list can use entries on the list to break into Internet accounts of corresponding users, unless those users changed their passwords in the meantime.
In other words: if YOU appear on the list then anyone who has that list can break into YOUR Internet account, until/unless you change your password. Some of the entries on the list were obtained using "normal" means, i.e. by breaking into ISP routers or exploiting known Unix or NT system vulnerabilities. Things like that happen all the time, and are difficult to prevent.
However many entries on the list were obtained using a different mechanism: a "Trojan" distributed to Amiga users, that secretely spied username/password information out, and sent them to an Internet account, where that information was gathered by pirates.
After a lot of false and sometimes slanderous rumors how that secret mechanism works and which program is to blame, a joint effort by Nordic Global Inc. and several helpful users, who wish to stay anonymous, finally determined the precise way the passwords were gathered:
A pirate group spread a fake version of "datatypes.library" via Aminet. That version has a version number of either 45.4 or 45.5 (depending on when and how you check the version), and a file size of 32748 bytes.
The library contains a concealed Trojan that reads usernames and passwords from the Internet settings files on your harddisk, and sends them by email to a pirate group, who then collects that information and enters it into a database. If you have that version of "datatypes.library" installed, then you are strongly advised to delete it, and to replace it with one of the legitimite, safe versions of datatypes.library, e.g. one of
39.11 (from Workbench disks)
40.6 (from Workbench disks)
45.3 (from Aminet)
45.4 (from Aminet)

If you install 45.4 then make sure the file size is 27780 bytes. If it is 32748 bytes then it is actually the dangerous, fake version 45.5, reporting a wrong version number, not the "real" version 45.4.
After that you should physically switch off your computer, wait for 30 seconds, and switch it on again, just in case. Once you have done that, log into your Internet provider and change your password. If you have previously already changed your password, but did not replace the fake library, then you should change your password again now, because your account information may have been compromised again in the meantime.

It is not known for sure yet who the author of that fake library and "collector" of the generated stolen accounts is, but an investigation is underway. Also, there are very strong, yet so far unconfirmed, indications (including witness statements by informants) that the infamous pirate group "Digital Corruption" is to blame for this.

If that turned out to be true then it would only prove once again that software written or distributed by or in cooperation with pirate organizations cannot be trusted, and may have harmful secret side effects.

If you are wondering why it is Nordic Global Inc. who are making this announcement: the original password list that was distributed contains a comment in obscene language that those passwords were obtained through an alleged "backdoor in Miami".
Do not be fooled by that.
That claim is an obvious lie, a slanderous accusation attempting to tarnish the reputation of Miami and Nordic Global Inc., without any factual basis. Amiga pirate groups, in particular Digital Corruption, have been targetting Nordic Global Inc. with accusations like that for quite some time because of our strong public stand against piracy. Miami does not have any "backdoors", and could not be used, and was not used to compile the list, or to provide any information that appeared on the list.
Nevertheless many users and unfortunately even some developers and dealers spread the false rumor that Miami is "dangerous" in any way. This is obviously not the case. We felt it necessary to try and find out the truth about how the list was compiled, not only to document the safety of Miami, but also to be able to give Amiga users the information they need to react to this threat and to prevent further damage.

For more information on this attack please visit our web site "http://www.nordicglobal.com/", in particular the "News" section. Holger Kruse, Nordic Global Inc. kruse@nordicglobal.com Amiga News Index Amiga Web Directory Champaign-Urbana Computer Users Group / cucug@cucug.org

Information about your Amiga and system security

Next Item: System security with amitcp/ip

This information comes from an AmIRC web page.

Avoiding Port Hacks and Amiga Nukes!

How to avoid Nukes and Port Hacks on your Amiga.

The following Miami information has been supplied by Jazzie

1: Do not accept executable or archived files from someone you don't know on the internet.
They may claim it is a new virus checker, but how do YOU know any different?

2: Miami users, run the "MIAMINETSTAT" utility periodically.
AmiTCP users can run the script "NetStat" for the same results.
Make a note of any suspicious connections. BEAR IN MIND: FTP access usually starts at around Port 1024, but each command takes it one higher. I don't know where it loops, but it eventually comes back down to 1024.

DCC Chats in IRC also cause ports to be open.
Example:
Proto Recv-QSend-QLocal AddressForeign Address(state)
tcp00your.domain.1026fire1.gte.net.6667ESTABLISHED
tcp00your.domain.1599dev.hacker.com.1085ESTABLISHED
The first line beginning with tcp is my IRC connection. The foreign address is always the port number you joined the server with. The port your end (1026) may be different each time you connect to a server.

Therefore, I KNOW I'm using IRC, so I should have the irc port open.

Looking at the second line however, I haven't a clue where "dev.hacker.com" is, so this could be worrying.

If you are using IRC, try doing /who *dev.hacker.com in the command line.
That may return a nick. If you don't think that user should be connected, time to reboot.
You may also want log the access, just in case any damage is made, you can try and trace the users ISP.

There is a method of preventing unwanted access to your machine, which I'll describe in a while.

3: If anyone wants a port checker, we have one available.
Usage is simple, but that will be contained in the archive anyway. I don't really want to supply source, but it IS legitimate, and it will tell you if you have any ports open which you should be wary of.

As I said, don't trust any files from people you don't know. So, only accept this port checker from an OP on DALNET #AmIRC.
TCP Port Checker 1998 Plexus Digital Solutions

The port checker, should you wish to use it, is freeware, but NOT distributable. It is ONLY to be distributed by #AmIRC admin.

4: How the TCP hack works:
(You don't really think I'm going to tell you this??)
Basically, after the trojan program opens up your port (which can be quite some time after actually running the program, so don't expect SNOOPDOS to say "Hey, whats this?!" right away, you can be quite happy surfing the net.
You may not even be doing anything. you could just be connected, and not have ANY net applications going... Just Miami or AmiTCP. If you have a static account, you should be careful. If anyone SENT you the 'trojan' carrier, they will know your IP address, as this doesn't change. They can simply PING your IP address to see if you are connected to the internet.

*Like I say, you don't have to be FTPing or IRCing, as long as those *little modem lights are lit, you may be vulnerable.

As they will know the port which their program opens, they simply have to connect to your machine, and voila, they have instant access to EVERYTHING!
Don't think that they can't do anything but look once there... Bear in mind, that when they gain access, they are presented with a shell. This is on YOUR system, not theirs. Everything they do, such as DIR, INFO, ASSIGN, or FORMAT is on YOUR system.
They can instantly find out if you use Miami or Amitcp, and they can even copy your keyfiles, and your config files.
Imagine, someone copying your mail reader config file. They can easily read ALL your incoming mail, and worse, they can send offensive mail, and it will appear from YOU. Now, this isn't just while they are connected to you, as they can grab your config files, they can send or read your mail whenever they want.
If they copy your keyfiles, they can then put them on the internet for others to use. You may then update whatever program (not just internet utilities) and find that your keyfile has been blacklisted.

It may be that you will only try their program once, so they can gain access to your machine while you have just run their program... but how will they get on in future?

Easy. While they connect to you for the first time, they may change your startup-sequence.
They may add a simple command to it, or they could be REALLY crafty and change some of the official workbench programs to open up the port EVERY time you reboot your machine.

It's worth checking the dates on your S:STARTUP-SEQUENCE and S:USER-STARTUP files every so often, and read them if you think they may have changed without your knowing.

There are some other files you should check for (These are known port openers):
c: loadwb 29 bytes or thereabouts
l: wb.handler 382 bytes or thereabouts
devs: workbench.device 1136 bytes *

If you EVER find a file DEVS:WORKBENCH.DEVICE, do a version on it.
It will more than likely be LOADWB 38.9
If you DO find this, MOVE (Copy/delete) the DEVS:WORKBENCH.DEVICE to C:LOADWB, and delete l:wb.handler.

This is the classic port opener.
Run a port checker every week!

5: Denial of Service attacks (Nukes):
There is a denial of service attack going around at the moment which affects Amigas, so after nuking any PC owner you see, you can now wipe the smug grin off your face....

There are a number of things to consider here, should you ever think about 'nuking' a PC owner.
1: It's a known attack/bug
2: It's been fixed
3: There are programs which log the attacks, IP addresses, and times
4: It's against IRC servers rules, and your ISP's rules to launch a denial of service attack. If these guys log an attack from you, and decide to complain to your ISP, start looking for another ISP.
5: It CAN cause damage. If the user is writing to his hard disk at the time of your attack, you might want to find a good lawyer.

Same goes for Amiga users!

While the Amiga nuke attacks a different port, it is possible that this may cause damage too. While fairly remote, the chance is still there.

How do you avoid the Amiga Nuke?
By preventing access to the CHARGEN service on your system.
(Who needs it anyway?)
I have the following setup in Miami:
(From the Miami window, select Database, and the "IP FILTER" tab)
tempProtocolServiceHostMaskAllowLog
1*19*.*.*.*
NY
2*139*.*.*.*
YY
3**127.0.0.1
YN
4TCPAUTH*.*.*.*
YN
5***.*.*.*
YY
6*DCHack*.*.*.*
NY
7*$*.*.*.*
YN
Meaning:
Line 1: This line prevents the Amiga nuke attack from locking your machine, and generates a log so you can trace the individual.
Line 2: This catches anyone who does a channel wide (IRC) BREAK95 or Winnuke. The Amiga is not bothered by such stupidity, but I want to know when it happens. You may leave this one out if you wish.
Line 3: Allows you total access (YOU are 127.0.0.1) without logging.
Line 4: Allows TCP AUTH requests, without logging. These are ok, but you wouldn't want a log of them all!
Line 5: Log ALL other requests...This has one sad side effect. If ever you use FTP, it will generate a log for each ftp request you make. It's annoying I know, but thats the price of safety.
Line 6: A reported hack on another web page involves a way to read the contents of your Amiga's hard drive. This line along with an entry in the Miami database should fix that specific problem.
Line 7: Allow all remaining ports to be accessed but not to generate a log.

The entry in the Miami database is as follows:
In services choose add
In the name box, enter DCHack which is the name of this reported problem.
In the ID box, enter 1599 which is the port reportedly affected.
In the protocol box, enter tcp which is the type of connection which should be prohibited on port 1599.

It is interesting that you can do all these changes in Miami (and do similar changes in AmiTCP/IP). You do not have to download a program patch, about which you know nothing, from a software supplier. The users of clone computers must depend upon the kindness and honesty of their software suppliers to avoid these networking problems. Amiga users can see and control what happens on their own machines. I prefer the way system security is handled on the Amiga.


The following AmiTCP information has been supplied by StarDustr
Users with AmiTCP may wish to add the following to their AmiTCP:db/inet-access files. (Requires a Registered version of AmiTCP)

1. Entries with 127.0.0.1 give you access thru your localhost IP.
2 Allow auth and * access to all users.
3. Deny finger and @ finger is a known problem area and @ handles most low-numbered services ports.
auth*.*.*.*allow LOG
finger127.0.0.1allow LOG
finger*.*.*.*deny LOG
@127.0.0.1allow LOG
@*.*.*.*deny LOG
**.*.*.*allow LOG
If you DENY * this closes the ports you need for IRC DCC connections and FTP connections. (and maybe others)

rdavis@nyx.net

Return to top of page.


System security with amitcp/ip

Next item Keeping Miami Deluxe connected

Here is an older message, about the fingerd problem with amitcp/ip.

From: fox@ridhughz.demon.co.uk (Ridwan Hughes)
Newsgroups: demon.ip.support.amiga
Subject: Illegal AmiTCP hacking
Date: 07 Nov 96 22:30:49 +0000

Someone on #amiga earler was going around and screwing with people's AmiTCP's, and all he said really was to lock down in.fingerd and shut down ports or buy Miami. And what makes me angry about this is that he didn't say fully how to stop people getting into their systems, just basically "buy Miami" and this makes me dubious because he was/is selling keyfiles for Miami, so therefore making some profit out of it.
Now most people who do IRC with AmiTCP only know enough to get by, let alone work out what he was going on about, well it turns out someone on Dalnet was going round and using in.fingerd to wipe people's hard drives. It took a lot of arguing and name calling to finally get an answer from him, but it wasn't him who told us the solution, hmm..
What you have to do is edit the line in inetd.conf where it says finger, to this:

finger stream tcp dos bin - echo (whatever finger reply you want)

That should stop in.fingerd being executed when someone fingers your machine and allowing a backdoor into your system.

What annoys me about the whole escapade is that the person, somehow appropriately called Fingers (Mat Bettinson from CU-Amiga) was being very sneaky about what he was doing, now call me misinformed but from mine and others point of view this is hacking because he twice made my machine execute stopnet which closed down my IRC and www sessions, but for some strange reason I was still online, so I typed "netstat all" and the only line that was displayed produced:

tcp 0 0 ridhughz.finger cu-amiga.demon.co.uk. TIME_WAIT

Yes, Fingers was messing with my AmiTCP setup, so I then went and confronted him in #amiga about it, and eventually after being very obnoxious to him, got some sort of reply, mainly the "buy Miami or sort out your ports".

Now I don't have any use for Miami because I have my 2 Amiga's linked together with AmiTCP, which currently Miami is incapable of doing.

It has totally pissed my off, because he could've just said to everyone "anyone using AmiTCP, and have they locked their ports because someone on Dalnet is hacking into people's systems and wiping HD's" without being sneaky and closing people's systems by him himself hacking in and executing stopnet.

Do edit your AmiTCP:db/inetd.conf file now. It is a wise thing to do.

Rid - in a bad mood, a very bad mood

Return to top of page.


Next item Amiga OS versions

Keeping Miami Deluxe connected

The TCP/IP stack, Miami Deluxe, written by Holger Kruse, offers an easy way to keep your Amiga connected to your Internet Service Provider even if you don't do anything like send a command to the WWW or read an e-mail.
Do the following while you are not connected to your ISP.
Just go to the main Miami Deluxe window and select Interfaces. Then click once to highlight the interface to modify, such as ppp0 | dialer. Click on Edit. Then click on Auto-connect/disconnect. Then click on the behavior line and choose simulate activity Click to send an ICMP ping after (for example) 120 seconds.
Click OK twice then save your interface file back into the Miami directory.
This change in configuration creates a keep-alive packet which is sent to your ISP after the chosen time passes and you have not sent any other command to your ISP.
You must note that some ISPs do not like users running a keep-alive and some will disconnect you anyway after a certain time period, such as one or two hours.
Return to top of page

Amiga OS versions

The Amiga operating system has gone through many revisions.
Here is a partial list ...
Amiga OS 1.0 version
Amiga OS 1.1 version
Amiga OS 1.2 version 33.x (where x is a minor revision number)
Amiga OS 1.3 version 34.x
Amiga OS 1.4 version 35.x (released only to developers)
Amiga OS 2.0 version 36.x
Amiga OS 2.04 and 2.05 version 37.x
Amiga OS 2.1 version 38.x
Amiga OS 3.0 version 39.x
Amiga OS 3.1 version 40.x
Amiga OS 3.5 version 44.2 (requires OS 3.1 Kickstart)

OS versions 1.0 and 1.1 were distributed with the Amiga 1000 computer. If you have more information, please e-mail me at the address listed below.

E-Mail rdavis@nyx.net

Return to top of page.


Created on Amiga