Day of the Hacker (Summer, 1995)
--------------------------------
By Mr. Galaxy

I run a BBS in Atlanta, GA. This is a true story of how my BBS was hacked, and how I came to appreciate it.

Several years ago I started a bulletin board in Atlanta, GA. I tried several test versions of the available popular bulletin board systems of that time and ended up choosing to run a Wildcat BBS. The software installed quickly, and as the manual said, I was up and running within the hour. Wow! I was excited! What a neat hobby!

Over the months, the BBS grew and grew. First, I added one hard drive and then two. Later, I added one CD-ROM, then another, then another, and even another. Wow! This was neat stuff. People began calling from around the world. I started "meeting" new and exciting people. At the time, I was very security conscious. Each person had 30 days to try the BBS, and then if they didn't subscribe, they would get downgraded to a very low access level. People joined and joined, and all was right with the world.

Then I started having weirdos call. Some would log on without filling out the short questionnaire. Others would fill the questionnaire with false information. I started getting pissed off. I, then, decided to buy a caller ID box. These boxes had just come out, and I was determined to stop these guys. Each night I would carefully compare my activity log against my 40-memory caller ID box. Those entering false information were locked out. A log book was kept of the evildoers. Bam! I'd locked one out. Smack! I'd then lock another out. Wow, this was fun! What a great time I was having. I was a super SYSOP. I had the power! Don't mess with me!

I was getting some folks pissed off. Fake logins increased. Threats increased. I countered with the phone company's phone block feature. Ha! Don't mess with me...I'm a super SYSOP! The BBS continued to grow...I now had a massive system. I was keeping out the evil enemies...and winning!

My doomsday was about to begin, yet I wasn't afraid because my software user manual told me that no one had ever hacked a correctly set up Wildcat BBS. I was so proud of myself. I had written my own BBS upload virus-scanning program. I used a massive batch file to scan upload files with two virus scanners and an ANSI bomb detector. Ha! Let them try something! They can't beat me!

Well, they tried and tried to beat my super system...Every time they tried, they failed. Again and again they tried. Again and again they failed! Ha! I was a super SYSOP. Don't mess with me! I grew more confident...I was invincible! Let them attack! I had the super computer, the super intellect...They were nothing more than insects to me! The laughter in my mind grew in its intensity...

Doomsday Strikes

One night I arrived home later than normal. Boy, I was tired. What a long day...As I was about to fall into bed, I decided to check my e-mail on the BBS. I turned on my monitor and saw a message, which stated I had an "Environment error..." At the time I was using DR DOS 6. I grabbed my DR DOS manual and tried to find out what this meant. After not being able to find any meaningful information about this error, I decided to reboot my computer.

After all, I was used to the machine freezing...I had so many TSRs loading in for my four CD-ROMs that freezing was common. I often had to reboot my computer to restart my system after someone had attempted to download from one of my CD-ROMs. I wouldn't say this freezing problem happened every night; in fact, it really only happened once or twice a month, but I was never surprised when it happened. When I came home and saw this error message, I just assumed this was one of my usual "freeze-ups."

I rebooted the computer. The machine whirred and clicked as it started up.
As it booted, I noticed that when the computer executed the MSCDEX.EXE program in the AUTOEXEC.BAT file, the file appeared to load, but the indicator lights on the CDROMs didn't blink in sequence like they used to do. Damn! I asked myself what was happening. I couldn't figure it out! On a whim, I grabbed my antivirus scanning program and scanned my computer. Bells started to sound. Oh crap! I had the Screaming Fist II virus! How had it gotten there? I began to swear in several languages. My computer rebooted itself. Damn! This time the machine refused to completely boot up. A cursor sat there in the top right hand corner of my screen, doing nothing! I reset the machine again! Nothing!

I was worried. The hard drives in my machine were compressed using SUPERSTOR. In order to boot up my machine from a clean floppy, I not only had to find a clean DR DOS boot-up disk, but I also had to find the correct compression files to run in my new CONFIG.SYS file. After 40 minutes of failed attempts, I was finally able to boot my system. I ran my virus cleaning program, and then rebooted my machine from the hard drive. My machine was running! Yea! I had won! I was a god! Don't mess with me; I'm a super SYSOP!

Then, midnight struck. My machine bleeped and reset itself. Huh!? What had happened?! My CMOS was erased, gone! My computer now no longer knew what types of hard drives I had or what type of floppies I had. The list went on and on. Oh man, I was furious! I vowed to search the Earth forever for this evil hacker of destruction.

I labored on into the night. Due to the nature of my job, I was experienced with computers, and I was able to recover within a couple of hours. I finally restored my CMOS, cleaned the infected files, rescanned my system with other virus scanners, and got my system working. It was now 4:00 a.m. ...I was exhausted. With a smirk of satisfaction I went to sleep...after I had disabled the uploading function.

The next day I scoured the activity log. Ah ha!
The guy had called at 2:00 a.m. the previous morning, and I simply had not noticed the problem until late at night later that day. Unfortunately, when the BBS went down, people had called again and again attempting to get on the board. The caller ID had lost the call! So many people had called that I had lost perhaps the most important clue as to my caller's identity. Damn!

At this point I decided to determine what the hacker had done to zap me. As I can best determine from the activity logs, the caller had performed a multi-file batch upload. He had uploaded a file called PKUNZIP.BAT and another file, COMMAND.COM. I began to understand what this guy had done. I was impressed. This guy knew how Wildcat BBSs work!

When a file is uploaded to a Wildcat BBS, the file is often uploaded into a directory called C:\WILDCAT\WCWORK\NODE1. In the Wildcat manual, the SYSOP is given some sample lines of a file called SCANFILE.BAT. SCANFILE.BAT is the batch file that the SYSOP creates to scan files that are uploaded. I had used the sample lines from the manual as a template to create my super SCANFILE.BAT batch program.

My attacker had batch uploaded a file called PKUNZIP.BAT and an additional infected COMMAND.COM file. When my SCANFILE.BAT file tried to unzip the files in my C:\WILDCAT\WCWORK\NODE1 directory, the PKUNZIP.BAT file was run rather than my legitimate PKUNZIP.EXE file! The PKUNZIP.BAT file ran the infected COMMAND.COM file, which in turn turned the Screaming Fist II virus loose upon my system before the SCANFILE.BAT batch file ever got to a point where it could scan the uploaded files!

What the attacker didn't know and couldn't have known was that I was using DR DOS, not MS-DOS. When the infected COMMAND.COM file was run, the virus loaded itself into memory, but DR DOS didn't appear to like the non DR DOS COMMAND.COM program. I believe at this point DR DOS essentially "puked" giving the now infamous environmental error.
It was this error or conflict with DR DOS that actually kept many of my files from being infected. In all, only about 25 files ever became infected. Unfortunately, the files that did become infected governed the drives' compression routines. The great "problem" was restoring these files. I didn't have a ready backup, I didn't have my files where I could easily find them, and I couldn't find my operating system files. The super SYSOP wasn't so super after all.

After several days of analysis of what had happened, I rewrote my SCANFILE.BAT file, turned my upload feature back on, and began the BBS again. I was now very respectful of what this guy had done. In fact, as the weeks passed, I came to appreciate the intellect and cunning of this hacker. I hope that one day I can have a conversation with this special person. If this special person is out there and can figure out who I am, I hope he will call me. I'd love to meet him...

Since the time of my "hacking" I have come to respect my fellows in cyberspace to a much greater degree. I now feel that I am a part of this wonderful infinite world. Have I, the hacked, become a hacker? I suppose it depends on your definition...
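
Added example (not part of the original article, and not Wildcat's or the author's code): a simplified Python model of the command lookup behind the incident, in which a bare PKUNZIP run from the upload work directory finds the uploaded PKUNZIP.BAT before the real PKUNZIP.EXE on the PATH, plus a pre-scan check a rewritten SCANFILE.BAT could rely on. The C:\UTILS tool directory, the function names and the directory contents are assumptions made for the illustration.

```python
# Simplified model of DOS command lookup; added illustration, not Wildcat code.
EXT_ORDER = (".COM", ".EXE", ".BAT")   # order tried within a single directory
WORK = r"C:\WILDCAT\WCWORK\NODE1"      # upload work directory from the article
TOOLS = r"C:\UTILS"                    # assumption: home of the real PKUNZIP.EXE

# Constructed disk state right after the batch upload described in the article.
FS = {WORK: {"PKUNZIP.BAT", "COMMAND.COM"}, TOOLS: {"PKUNZIP.EXE"}}


def resolve(command, cwd, path_dirs, fs):
    """Return the file that would run for `command`, or None if nothing matches.

    A bare name is searched in the current directory first and then in each
    PATH directory; a name given with a directory is looked up only there.
    """
    command = command.upper()
    if "\\" in command:
        folder, name = command.rsplit("\\", 1)
        dirs = [folder]
    else:
        name, dirs = command, [cwd.upper()] + [d.upper() for d in path_dirs]
    stem, dot, _ = name.partition(".")
    candidates = [name] if dot else [stem + ext for ext in EXT_ORDER]
    for directory in dirs:
        for candidate in candidates:
            if candidate in fs.get(directory, set()):
                return directory + "\\" + candidate
    return None


def risky_uploads(upload_names, commands_used):
    """Flag uploads that must be quarantined before the scan script runs."""
    wanted = {c.upper() for c in commands_used}
    findings = {}
    for upload in upload_names:
        stem, dot, ext = upload.upper().rpartition(".")
        if dot and "." + ext in EXT_ORDER:
            findings[upload.upper()] = (
                "shadows " + stem if stem in wanted else "executable")
    return findings


if __name__ == "__main__":
    print(resolve("PKUNZIP", WORK, [TOOLS], FS))              # uploaded .BAT wins
    print(resolve(r"C:\UTILS\PKUNZIP.EXE", WORK, [TOOLS], FS))  # pinned tool
    print(risky_uploads(["PKUNZIP.BAT", "COMMAND.COM", "NOTES.TXT"], ["PKUNZIP"]))
```

Calling the unpacker by full path and extension, and running nothing while a flagged file sits in the work directory, closes the lookup gap the model shows.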