-- [ Ko2000 :: Hacking n Tech ] --
Removing BIOS password on an eMachines E525 laptop
After a blue screen, a friend's eMachines E525 laptop started to ask for both a BIOS and an HDD password. Whether this was due to some kind of hardware issue or a prank I do not know.
When pressing F2 during boot-up one is asked to enter a BIOS password, and after a couple of incorrect tries the laptop reboots.
I tried the Ultimate Boot CD tools CMOSPWD and WipeCMOS without any luck.
After that I tried contacting eMachines support, and from them I got the following:
You may call 800-237-6483 at a rate of $2.95 per minute (billed to a credit card). However, calling cards are also available in 30 minute, 90 minute, or 1 Year unlimited usage. http://www.emachines.com/support/answers.html
A bit too expensive, so how do I fix this myself?
All the info I could find on the net was something like this: Yahoo Answers - My friends emachines e525 wont start up,how do i fix it?
So, it seems that "disconnecting" the battery for a couple of hours should do the trick.
The eMachines E525 is a bit difficult to disassemble, and to get to the battery you really need to disassemble everything. These YouTube videos did help:
The battery is soldered to the bottom side of the motherboard. I did not want to solder too much, so I just used a wire cutter to cut the longer lead to the battery, and to make sure it stayed disconnected I put a small piece of paper in the gap where I cut the lead. I assume that 24 hours should do the trick, but I went travelling and left it for approx. four days.
Then it was just a matter of soldering the lead I had cut back together and reassembling the laptop. Make sure you put all the screws back in the correct places. Also remember that some screws should only go in once the case is in place; if you screw them in too early you will need to take everything apart again ;).
And that was it; now I can get into the BIOS and change the settings.
Unfortunately the HDD password cannot be removed from the BIOS without knowing the HDD password.
Even with both a BIOS and an HDD password set, it is still possible to boot from other media (like a CD-ROM). Just enter an incorrect HDD password (or none) three times and you will get the option to "Try again" or to boot from another medium.
Removing the HDD password turned out to be very easy. Testing the drive (a 160 GB Toshiba) with the HDD Unlock software showed that it could unlock the disk, but not while keeping the data.
But with the A-FF Repair Station software I could unlock the drive while keeping all the data, and the unlock took less than 5 minutes. This is pay-per-use software, but it was well worth the $50.
The only other thing I needed for the unlock was a PC running XP, since I could not get it going under Windows 7 64-bit.
Looks like a worm to me
This is an old newsgroup post I made about a hacking attempt on one of my old systems.
-Dec 20 2001
Some days ago I logged into one of my servers just to make some small adjustments to a database, and to my surprise found that I could not log in as root.
Strange, I thought, and called my friend who also has root access, but he had not changed the root password.
A cold feeling swept down my back, and lots of C code scrolled by my eyes. This server had been scheduled for reinstallation some weeks ago, but I had not gotten around to doing it. It was a standard Slackware 7 installation with about 11 months of playing around with different server software.
I ran 'ps ax' but found nothing special. Or wait a minute, the list was quite short for this machine; it usually has lots of processes going. I went into /etc and after running "ls -ltr" (long, time, reverse) I found that the files host, ftpaccess, ftpusers, shadow and inetd.conf had all been changed on the same date and time. A file rc.d/rc.sysinit had also been added.
Since I was not root I could not find out anything more, because all those files were owned by root.root. I waited some hours, and then I got cold feet. I took the bus to the server room where the server is located, and went 'linux init=/bin/bash rw' on lilo's ass. A 'passwd' and 'sync' later I had a new root password.
Okay, looking around the system now I found that the commands ps, ls, netstat, named, inetd, crond and a couple more had been modified.
With ps out of order I ran 'cat /proc/*/stat' to see which processes the machine was running. The commands 'snif' and 'ras2xm' looked a bit interesting, so I hurried to shut them down.
Back to the /etc/rc.d/rc.sysinit file: it did not have the +x flag set, and therefore Slackware did not run it on boot. A good thing, since this file contained a single line: '/usr/bin/sourcemask'.
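The /proc-versus-ps check from the post can be done systematically: list the PIDs the kernel exposes under /proc, list what the (possibly trojaned) ps binary admits to, and report the difference. The script below is an added example, not part of the original post; the function names are my own and it assumes a Linux /proc and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post: enumerate processes straight from
# /proc and diff the result against what the (possibly trojaned) ps reports.
# Function and variable names are my own; assumes a Linux /proc and POSIX sh.

# PIDs as the kernel exposes them: every numeric directory under /proc.
pids_from_proc() {
  for d in /proc/[0-9]*; do
    [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
  done | sort -u
}

# PIDs as userland reports them (this is the binary under suspicion).
pids_from_ps() {
  ps -e -o pid= 2>/dev/null | tr -d ' ' | sort -u
}

# Command name of a PID, read from the "(name)" field of /proc/PID/stat,
# the same file the post inspected by hand with 'cat /proc/*/stat'.
proc_name() {
  sed -n 's/^[0-9]* (\(.*\)) .*/\1/p' "/proc/$1/stat" 2>/dev/null
}

# Pure comparison so it can be exercised on constructed lists:
#   $1 = newline-separated PID list from /proc (ground truth)
#   $2 = newline-separated PID list from ps
# Prints every PID present in $1 but absent from $2. grep -x matches whole
# lines, so "4" in the ps list does not account for "400" in /proc.
hidden_pids() {
  seen=$(printf '%s\n' "$2")
  printf '%s\n' "$1" | while IFS= read -r pid; do
    [ -n "$pid" ] || continue
    printf '%s\n' "$seen" | grep -qx "$pid" || printf '%s\n' "$pid"
  done
}

# Report PIDs that /proc knows about but ps does not, with their names.
# A process that exits between the two snapshots shows up here too, so
# re-run before treating a hit as a hidden process.
report_hidden() {
  hidden_pids "$(pids_from_proc)" "$(pids_from_ps)" | while IFS= read -r pid; do
    printf 'hidden from ps: pid %s (%s)\n' "$pid" "$(proc_name "$pid")"
  done
}

if [ -r /proc/self/stat ]; then
  report_hidden
fi
```

A userland-only rootkit like the one in the post (replaced ps, ls, netstat binaries) cannot hide from this, because /proc is populated by the kernel. A kernel-level rootkit can filter /proc as well, so an empty report is not proof of a clean box; it only catches the class of tampering the post describes.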
# cat /usr/bin/sourcemask
cd /usr/man/man1/".. "/.dir
./snif >chipsul &
/usr/bin/ras2xm -p 5139 -q
The sourcemask script starts the sniffer and the other program (a scanning tool, possibly?). I could not find any info anywhere about those programs or their uses, and I dare not run them outside a controlled environment.
To continue: now I had found all the stuff. Or so I thought. The /usr/man/man1/".. "/.dir directory contained tools to backdoor and buffer-overflow sshd, bind and wu-ftpd servers, and other hacking stuff.
I searched a bit on the net, and found a nice tip about running 'find / -nouser -o -nogroup' to find suspicious files on the server. And off it went, and it found a couple of files and one directory in /dev.
/dev/ttyp/ contained two directories, '.backup' and 'other'. '.backup' held my original versions of ps, ls, inetd, inetd.conf, named and netstat, and the 'other' directory contained two scripts that seemed to configure the behaviour of the hacked ls, ps and netstat commands.
The fun part was that /dev also contained some other files with interesting information inside:
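Two of the things the post turned up are easy to sweep for on a read-only basis: files owned by no known user or group (the 'find / -nouser -o -nogroup' idea) and directory names built to blend in with "." and "..", like the ".. " directory with a trailing space under /usr/man/man1. The script below is an added example, not part of the original post; the function names are my own and it assumes POSIX sh, find and awk.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only sweep for the two
# kinds of artefact found on the box. Names are my own; assumes POSIX sh/find/awk.

# 1. Files that belong to no known user or group: the post's
#    'find / -nouser -o -nogroup', with the -o explicitly grouped so the
#    implied -print applies to the whole expression.
orphaned_files() {
  find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null
}

# 2. Names meant to pass for "." and "..": names made only of dots and blanks
#    (like the ".. " under /usr/man/man1), or names with leading/trailing
#    whitespace, which plain ls output does not make visible.
suspicious_names() {
  find "$1" -print 2>/dev/null | awk -F/ '{
    n = $NF
    if (n ~ /^[ .]+$/ || n ~ /^[ \t]/ || n ~ /[ \t]$/) print $0
  }'
}

# Run both checks over each root given and tag the findings.
sweep() {
  for root in "$@"; do
    orphaned_files "$root" | sed 's/^/orphan:   /'
    suspicious_names "$root" | sed 's/^/odd-name: /'
  done
}

# Usage: sweep.sh /dev /usr/man /etc   (the places the post found things)
if [ $# -gt 0 ]; then
  sweep "$@"
fi
```

Both checks rely on find and awk being trustworthy; on a box where ls and ps were replaced, run them from a boot CD or a known-good static build rather than the installed binaries.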
-----------------------------------
server:/dev# cat hdbp
2 sh
2 in.telnetd
3 rpc.rusers
3 mdump
3 chgrp
3 cron
server:/dev# cat hdaq
3 45050
3 31083
server:/dev# cat hdap
ttyp
rpc.rusers
hdaq
hdbp
hdap
lispmtopgm.2.gz
ldapdelete.2.gz
mdump
server:/dev# cat xmx
3 in.rexedcs
3 defauths dcs
3 defauths
3 rdcmound
3 rdcbac
3 w
3 s
3 psy
3 bot
3 scan
3 wus
3 klog
3 create
3 crush
3 snif
3 ras2xm
3 sourcemask
server:/dev# cat xdta
1 184.108.40.206
1 220.127.116.11
1 18.104.22.168
1 22.214.171.124
1 126.96.36.199
1 hobbiton.org
2 hobbiton.org
3 59311
3 59388
3 31471
3 51211
3 51212
3 51213
3 51214
4 6660
4 6666
4 6667
4 6668
4 6669
4 7000
4 31337
4 5555
4 31336
server:/dev#
----------------------------
The IP range 188.8.131.52-241 belongs to a computer club (Internet cafe-like) in Timisoara, Romania.
Another fun detail was that with the hacker tools came two core-dump files containing the environment (ENV) of the computers they were run on.
i686
./scan 148 111 243
USERNAME=root
ENV=/root/.bashrc
HISTSIZE=1000
HOSTNAME=pirates.crsc.k12.ar.us
LOGNAME=root
HISTFILESIZE=1000
SSH_TTY=/dev/pts/0
MAIL=/var/spool/mail/root
TERM=xterm
HOSTTYPE=i386
PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin
HOME=/root
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=root
SSH_CLIENT=184.108.40.206 1380 5139
OSTYPE=Linux
SHLVL=2
_=./scan

i686
./ben 220.127.116.11
LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=root
ENV=/root/.bashrc
HISTSIZE=1000
HOSTNAME=jun-zhi.com.tw
LOGNAME=root
SSH_TTY=/dev/pts/4
MAIL=/var/spool/mail/root
TERM=xterm
HOSTTYPE=i386
PATH=/usr/kerberos/bin:/usr/bin:/bin:/usr/bin:/usr/X11R6/bin:/root/bin
KDEDIR=/usr
HOME=/root
INPUTRC=/etc/inputrc
SHELL=/bin/bash
USER=root
QTDIR=/usr/lib/qt-2.1.0
LANG=en_US
SSH_CLIENT=18.104.22.168 1189 3
OSTYPE=Linux
_=./ben
SHLVL=2
The IP 22.214.171.124 is located somewhere in BOTOSANI, Romania.
Okay. I don't have a chance of pinning this on someone, and I don't know if I want to. I have had some fun days playing and searching all over the net for clues, and thought it would be fun to write a (long) posting to this newsgroup about it.
I would love some input from you all about this; I could not find any info about the files. I found some old Usenet postings in Japanese about the file ras2xm, but that's all. Is this a worm or a hacker?