Date: Sat, 30 Dec 2000 17:18:21 +0100
From: Gijs Hollestelle
To: project@honeynet.org
Subject: Scan of the month 10

Hi guys,

First of all, compliments on a great job you are doing with these honeypots etc. I would like to see more on setting up a honeypot securely and attracting the crackers.

Now for the questions you posted in the Scan of the Month #10:

1. Just fire up www.whiteheats.com and search for 10101 in the arachNIDS box. This'll tell you it's a tool called 'probe-myscan'. Written by some German dude in Linux.

2. After doing a disassembly I found that it does a chroot and chdir to / and then execs a shell, so it breaks out of a chroot jail and spawns a shell.

3. No it isn't; if it was, it would ask for a shell command instead of "Login Incorrect".

4. Rpc.statd (since this is a script kiddie, just do a Google search for rpc port 39168).

5. Disassembling this exploit code tells us he calls socketcall 4 times, dup 3 times and exec 1 time, and then exit. He binds the port using these socket calls. He then redirects output to it using the dup calls and executes the shell. So technically speaking he binds the shell at the exec call (where there first is a shell); this is the last but one CD 80 occurrence.

6. 2 users are created: one called user, with uid 5000 (normal user), and one called sendmail with uid 0 (root). The password is hashed and I could not recover it by using John, so I guess it's a pretty strong one.

Keep up the good work!

--
Gijs

I say don't drink and drive, you might spill your beer.
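The account manipulation described in point 6 (a second UID 0 login hidden under a service-like name) is the kind of thing a passwd audit should catch. The following check is an added example, not part of Gijs's message or the Honeynet Project's materials; the passwd lines it scans are constructed to mirror the write-up, not taken from the honeypot image.

```python
"""Audit /etc/passwd-format text for rogue UID 0 logins and shared UIDs."""
from collections import defaultdict

# Constructed sample: a normal system plus the two accounts from the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user:x:5000:5000::/home/user:/bin/bash
sendmail:x:0:0::/:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid, gid, home, shell) per entry; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append((name, int(uid), int(gid), home, shell))
    return entries


def find_rogue_uid0(text):
    """Names of accounts other than 'root' that carry UID 0."""
    return [name for name, uid, *_ in parse_passwd(text) if uid == 0 and name != "root"]


def find_shared_uids(text):
    """Map each UID used by more than one account to the account names."""
    by_uid = defaultdict(list)
    for name, uid, *_ in parse_passwd(text):
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    print("UID 0 accounts besides root:", find_rogue_uid0(SAMPLE_PASSWD))
    print("UIDs shared by several accounts:", find_shared_uids(SAMPLE_PASSWD))
```

Running it against a real /etc/passwd (or a copy pulled from a forensic image) instead of SAMPLE_PASSWD is a one-line change; any name listed under UID 0 besides root deserves a look.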