Date: Tue, 12 Dec 2000 20:28:52 -0800
From: Mail
To: project@honeynet.org
Subject: Scan of the month

I believe the first attacker used wuscan.c for his scan. He then used bobek to try and exploit. The program tries to open /bin/sh and sends the email venglin@kocham.kasie.com; I think that email varies with the bobek version. The attack was unsuccessful.

The second attack could have been related; 6 hours later is pretty close. Could have been a list of IPs he was mass scanning/rooting.

The second time, the attacker tries to exploit rpc.statd (port 111). The exploit looks as if it could be a modification of statdx.c to automatically execute those extra commands.

The string of commands creates the user "user", password "eliteness" (I ran a cracker out of curiosity, the password was around the top of the dictionary). It also adds user "sendmail" uid 0 gid 0 with no password, probably so the attacker can su to sendmail after logging in as user. Then it binds a port by adding the line to inetd.conf and then rehashing inetd. Then it deletes hosts.deny... curious why he would do this. Does the system allow all hosts when hosts.deny is missing? If this is true, the attacker probably rm'ed it to make sure he would have a path to the system.

It would be interesting to know if the attacker came back and logged in with the accounts or the port backdoor, and what he did after that :-)

Also, where did he get the IP? Did it come from IRC? Was this a random attack? Mass class scan??

-flameboy
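As an added example (not part of the post above, and not the honeynet project's tooling), here is a small audit script for the persistence artifacts the post describes: a non-root uid 0 account, an empty password field, an inetd.conf entry that hands out a shell, and a missing hosts.deny. The passwd and inetd.conf contents are constructed samples modelled on the post; tcp_wrappers grants access when no rule in hosts.allow or hosts.deny matches, so a missing hosts.deny removes any blanket deny rules.

```python
import os

# Constructed sample /etc/passwd modelled on the post: a normal "user"
# account plus a "sendmail" account with uid 0 / gid 0 and an empty password.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
user:x:1001:1001::/home/user:/bin/sh
sendmail::0:0::/:/bin/sh
"""

# Constructed sample inetd.conf: one legitimate wrapped service and one
# entry that runs a shell directly for whoever connects to the port.
SAMPLE_INETD = """ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
rootshell stream tcp nowait root /bin/sh sh -i
"""


def audit_passwd(text):
    """Flag uid-0 accounts other than root and accounts with an empty password field."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:  # malformed entry, not a classic passwd line
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(("uid0_account", name))
        if pw == "":
            findings.append(("empty_password", name))
    return findings


def audit_inetd(text):
    """Return inetd service names whose server program is a shell binary."""
    shells = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}
    findings = []
    for line in text.splitlines():
        parts = line.split()
        # fields: service socket proto wait user server-path [args...]
        if len(parts) < 6 or line.startswith("#"):
            continue
        if parts[5] in shells:
            findings.append(parts[0])
    return findings


def hosts_deny_missing(path="/etc/hosts.deny"):
    """True when the tcp_wrappers deny file is absent (no blanket deny applies)."""
    return not os.path.exists(path)


if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
    print(audit_inetd(SAMPLE_INETD))
    print(hosts_deny_missing())
```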