From Mark.Corrao@sheppard.af.mil Sat Mar 17 20:01:43 2001
Date: Mon, 5 Mar 2001 18:56:35 -0000
From: Corrao Mark 1Lt 82 CS/SCB
To: "'project@honeynet.org'"
Cc: "'markcorrao@msn.com'"
Subject: Scan of the month #13

Here are my answers to scan 13...

----------------------
1. What is the blackhat attempting to do with his command line syntax?

The attackers previously compromised the honeypot and used it as an attack vector for the scanning of other class B networks. Did they compromise it via LUCKROOT?

The attacker was looking for a private/hidden mail directory; no luck. According to the time stamps he didn't do anything else but look for the directories. He could have been looking to verify sendmail was running for the root kit install script to mail target information, but he didn't need to look for a .mail directory to do that.

Using lynx, uploaded LUCKROOT.TAR from becys.org.

Attempted to uncompress LUCKROOT.TAR:
- First attempt: the z and f switches were in the wrong order (on some *nix machines this order locks them up, stalls, errors out, etc.).
- Second and third: forgot what they were typing, or the case.
- Fourth: successfully extracted.
- Changed directory to luckroot.
- Executed the luckgo script multiple times on different networks.

----------------------
2. What does the tool accomplish?

The tool accomplishes a network scan of port 111 to find a running rpc service and attempts an rpc.statd exploit. If a system is compromised, a root kit, sniffer, etc. are uploaded.

----------------------
3. How does the tool work?

The luckgo script performs the following:
- Compiles the two tools (luckscan.c and luckstatdx.c) extracted from LUCKROOT.TAR. They are used to scan a network and attempt exploit of the rpc.statd vulnerability via port 111.
- Removes the scan log if one was created.
- Accepts the first octet of a network to scan. It will take an entire class C network address if the octets are separated by spaces; however, you cannot change the port via the command line.
- Luckscan is then executed and the network specified is scanned. If a system running statd is found, then luckstatdx is called via the system() command and attempts the exploit; if successful it then sends commands via NFS:
  - First, changes to the top level directory /.
  - Second, prints out basic system information.
  - Third, shows the user and group of the process invoking the id command.
  - Fourth, a compressed root kit (xzibit.tar.gz) is downloaded via wget from becys.org and installed.
  - Fifth, uncompresses the kit.
  - Sixth, installs the kit.
  - Removes the lamerk directory and the compressed root kit.
  - A root shell is left running bound to port 39168.

The install script performs the following:
- Removes valid copies and installs its own versions of ps, netstat, top, ifconfig (date stamp of Sep 25 1983). Most likely coded with options to drop the attacker to the command shell or execute attack/exploit in the background.
- Creates 3 new directories under /dev: they are dsx, caca, and /ida/.inet.
- Moves the attacker's tools into the /dev/ida/.inet directory; tried to upload a missing C source file, sl2new.c (there was a binary).
- Moves its own version of hdparm, which is a script to execute LinSniffer and the Secure Shell Daemon, to /usr/bin.
- Changes the attribute of hdparm to immutable, so no one but SU/root can remove it.
- Executes hdparm, which executes LinSniffer and sets up a secure shell port listening on port 6969, service called acmsoda.
- LinSniffer is exactly that, a sniffer. It sniffs the first 512 bytes of all packets and looks for traffic destined to ports 21, 23, 110, 109, 143, 513, and 106. All nice ports that you would most likely use a password to log in to after connection. It writes this info to tcp.log.
- There is also a perl script, sense, uploaded with the root kit which, when run against tcp.log, sorts the data captured by LinSniffer for easier snarfing. Attempts to ID the password, destination, etc.
- Appends rc.sysinit to execute the hdparm script on boot of the Linux system.
- It then copies a file called becys.cgi to the cgi-bin directory if a local web server exists in the standard/default file configuration. This script allows you to execute shell commands via HTTP.
- Finally it creates a tmp directory and gathers the network connection info, hostname, and username of the current session, then mails them to becys@becys.org. When done, removes the temp directory.

----------------------------
4. Is this tool a worm, or would you classify it as something else?

No, it must, as written, be executed explicitly from a machine, either locally or remotely. In contrast to the RAMEN worm, which only loaded itself and continued to propagate through class B networks without loading root kits, etc. It is a blackhat tool in the purest sense. Contains all the info and tools necessary to take over a vulnerable system quietly...

----------------------------
5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

Either, or. There were several programs written to exploit the rpc.statd vulnerability. This tool/exploit has roots in T0rnkit and Ramen. Same set up: bound some sort of a shell to a high-numbered port. Attacker directories placed under /dev. Root kits had the same programs or variations, like the ls command. Adds a line in an rc.* file to restart the system on reboot, like the Windows run keys.

----------------------------
Bonus Question
What information can you obtain about who is using or created the tool?

Qian Wang, owner of the becys organization web page, is referred to several times throughout the tools involved as BeCys... He is most likely the original author of LuckRoot. His background lends the experience and knowledge to write these tools:
- He is a Physics student at Texas A&M University (condensed matter and materials).
- He is an admin in the computer support section of the Department of Physics.
- He specializes in Linux systems.

The tools were all downloaded via command line syntax from his web site:
- The LUCKROOT.TAR script and tools were downloaded from becys.org.
- The root kit and supporting files were also downloaded from becys.
- The victim's host information is mailed to becys@becys.org.

The site could have been compromised previously and the tools uploaded by the original attackers, leaving Qian Wang a victim only. Especially with all the mention of BeCys.org, it wouldn't be too hard to track this down. Usually a non-script-kiddie attack is not coming from where it seems at first.

Mark Corrao
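The install-script indicators the submission above lists (listeners on tcp/39168 and tcp/6969, an immutable /usr/bin/hdparm, replacement ps/netstat/top/ifconfig stamped Sep 25 1983, an hdparm line appended to rc.sysinit, and the /dev/dsx, /dev/caca and /dev/ida/.inet directories) collected into a host triage script. This is an added example; it is not part of Mark Corrao's submission and not one of the attacker's tools. The netstat, lsattr, ls and rc.sysinit samples are constructed, the exact hdparm line the kit appends to rc.sysinit is assumed, and since the kit replaces ps and netstat, real input must come from trusted binaries (a clean boot medium or statically linked copies), never from the suspect host's own PATH.

```python
import re

# Indicators quoted from the write-up above.
ROOTKIT_DIRS = ("/dev/dsx", "/dev/caca", "/dev/ida/.inet")
BACKDOOR_PORTS = {
    39168: "root shell left bound by luckstatdx",
    6969: "sshd ('acmsoda') started by the trojan hdparm script",
}
TROJANED_BINARIES = ("ps", "netstat", "top", "ifconfig")
TROJAN_DATE = re.compile(r"Sep\s+25\s+1983")  # stamp the kit puts on its binaries

# Constructed sample artifacts (not captured data) in the shape of
# `netstat -an`, `lsattr`, `ls -l` and /etc/rc.d/rc.sysinit on an infected host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:39168           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6969            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40211          ESTABLISHED
"""
SAMPLE_LSATTR = """\
----i-------- /usr/bin/hdparm
------------- /usr/bin/top
"""
SAMPLE_LS = """\
-rwxr-xr-x 1 root root  62264 Sep 25  1983 ps
-rwxr-xr-x 1 root root  70924 Sep 25  1983 netstat
-rwxr-xr-x 1 root root  43740 Mar  7  2000 ls
"""
SAMPLE_RC_SYSINIT = """\
#!/bin/sh
# /etc/rc.d/rc.sysinit
. /etc/init.d/functions
/usr/bin/hdparm
"""  # the trailing hdparm line is an assumed form of what the kit appends
SAMPLE_DIRS = {"/dev/ida/.inet", "/dev/caca", "/dev/pts"}


def listening_ports(netstat_output):
    """TCP ports in LISTEN state, parsed from netstat -an style output."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports


def backdoor_listeners(netstat_output):
    """Subset of listening ports that match the kit's known backdoor ports."""
    return {p: BACKDOOR_PORTS[p] for p in listening_ports(netstat_output) if p in BACKDOOR_PORTS}


def immutable_files(lsattr_output):
    """Paths whose lsattr flag string contains 'i' (set by chattr +i)."""
    hits = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            hits.append(parts[1].strip())
    return hits


def trojaned_binaries(ls_output):
    """Names in ls -l output that the kit replaces and that carry its 1983 stamp."""
    return [line.split()[-1] for line in ls_output.splitlines()
            if TROJAN_DATE.search(line) and line.split()[-1] in TROJANED_BINARIES]


def persistence_lines(rc_sysinit):
    """Non-comment lines of rc.sysinit that invoke hdparm (the kit appends one)."""
    return [l.strip() for l in rc_sysinit.splitlines()
            if not l.lstrip().startswith("#") and re.search(r"\bhdparm\b", l)]


def triage(netstat_output, lsattr_output, ls_output, rc_sysinit, existing_dirs):
    """One finding string per indicator present; an empty list means clean by these checks."""
    findings = []
    for port, what in sorted(backdoor_listeners(netstat_output).items()):
        findings.append(f"listener on tcp/{port}: {what}")
    if "/usr/bin/hdparm" in immutable_files(lsattr_output):
        findings.append("/usr/bin/hdparm is immutable (chattr +i), as the install script sets it")
    for name in trojaned_binaries(ls_output):
        findings.append(f"{name} carries the Sep 25 1983 time stamp of the replacement binaries")
    for line in persistence_lines(rc_sysinit):
        findings.append(f"rc.sysinit persistence line: {line}")
    for d in ROOTKIT_DIRS:
        if d in existing_dirs:
            findings.append(f"rootkit directory present: {d}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_LSATTR, SAMPLE_LS, SAMPLE_RC_SYSINIT, SAMPLE_DIRS):
        print(finding)
```

The checks deliberately read text captured off the host rather than calling the host's own tools, because the write-up's point is that ps, netstat and friends are the first things the kit replaces; the immutable bit on hdparm is a useful tell precisely because an ordinary rm fails on it.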