On Tue, 13 Jul 1999, Hector Leon wrote:

[From flushot.c]
> ip->id = htons(1234);

Hi,

The exploit posted earlier as "flushot" has been re-released over the past
year several times. The posting by Hector Leon gives credit for flushot.c
to Dark Shadow, yet on the Dark Shadow website
(http://www.angelfire.com/ar/WarzonE/flushot.html), flushot.c is available
for download, with different source code (giving credit to Legion 2000).

Here are the assorted banner functions found:

1234.c (tonyat_private / Cameleon Groupe)
    printf("\n1234 1.0 BY CAMELEON G.\n");
    printf("reprise de came.c and ssping.c\n\n");

bloop.c (Legion2000 Security Research)
    printf("Bloop v 1.0\n\n");
    printf("\n\n");

flushot.c (DarkShadow / The flu Hacking Group)
    printf("Remote Flushot v 1.0\n\n");
    printf("\n\n");

arcticbrew.c (Mac X / The Arctic League)
    printf("\nArctic Brew!\n");
    printf("kinda close 2 ssping and land\n\n");

Although 1234.c was released long before the others, I don't know who the
original author was. Either way, the practice of re-releasing other
people's code is out of control here :)

FYI, tcpdump of an attack from any of them:

    SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)
    SOURCE > TARGET: (frag 1234:16@8+)

This attack does not seem to affect Win98SE (4.10.2222A) nor Win2000
(5.00.2072).

Max Vision
Senior Security Architect
Globalstar L.P.
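Added example, not part of the original message: a Python detector that parses the tcpdump fragment notation quoted above, (frag id:length@offset+), and flags the two anomalies visible in that trace, a non-final fragment whose length is not a multiple of 8 and a second fragment that overlaps the first. The sample lines for the OTHER host are constructed, and grouping fragments by source, target and IP ID is an assumption of this example.

```python
import re
from collections import defaultdict

# First two lines are the trace quoted in the message; the OTHER lines are
# constructed benign traffic. SOURCE/TARGET/OTHER are placeholders.
SAMPLE = """\
SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)
SOURCE > TARGET: (frag 1234:16@8+)
OTHER > TARGET: icmp: echo request (frag 4321:1480@0+)
OTHER > TARGET: (frag 4321:28@1480)
"""

# (frag <ip id>:<payload bytes>@<byte offset>[+]); "+" means More Fragments.
FRAG_RE = re.compile(r"^(\S+) > (\S+?): .*?\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def parse(lines):
    """Yield (src, dst, ip_id, length, offset, more_fragments) per fragment line."""
    for line in lines:
        m = FRAG_RE.match(line.strip())
        if m:
            src, dst, ip_id, length, off, mf = m.groups()
            yield src, dst, int(ip_id), int(length), int(off), mf == "+"

def find_anomalies(lines):
    """Return {(src, dst, ip_id): [reasons]} for malformed fragment sets."""
    groups = defaultdict(list)
    for src, dst, ip_id, length, off, mf in parse(lines):
        groups[(src, dst, ip_id)].append((off, length, mf))
    findings = defaultdict(list)
    for key, frags in groups.items():
        frags.sort()
        for off, length, mf in frags:
            # RFC 791: every fragment except the last carries a multiple of 8 bytes.
            if mf and length % 8:
                findings[key].append(
                    f"non-final fragment of {length} bytes at offset {off}")
        # Compare each fragment with the next one in offset order.
        for (o1, l1, _), (o2, _, _) in zip(frags, frags[1:]):
            if o2 < o1 + l1:
                findings[key].append(
                    f"fragment at offset {o2} overlaps previous ({o1}+{l1})")
    return dict(findings)

if __name__ == "__main__":
    for key, reasons in find_anomalies(SAMPLE.splitlines()).items():
        print(key, reasons)
```
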
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:16 PDT