From Rod.Nayfield@qwest.com Fri Mar 23 10:14:10 2001
Date: Tue, 20 Mar 2001 18:32:45 -0700
From: "Nayfield, Rod"
To: "'project@honeynet.org'"
Subject: Scan of the month

---------------------------------------------------
1. What is the blackhat attempting to do with his command line syntax?
2. What does the tool accomplish?
3. How does the tool work?
---------------------------------------------------

(Answering these 3 with a narrative:)

(Using the first execution of luckgo as an example)

./luckgo 216 210

luckgo is a script front-end to luckscan-a. The benefit of using luckgo is that it compiles luckscan-a (and the luckstatdx program luckscan-a uses). However, our hacker really isn't getting much benefit from the luckgo script here, as his LUCKGO.TAR file contains these executables (compiled for a 386 Linux machine) and his script merely tests for the existence of the executable. Our hacker would have to understand that his script was not working because of a binary incompatibility, delete the executables, and re-run luckgo to compile the new binaries. This could cause cross-platform issues for an inexperienced hacker.

However, this script does save our hacker the trouble of having to remember that portmapper is on port 111. And it makes his job easier by adding colors.

Now that our hacker has his colors, the script calls luckscan-a with the following arguments:

./luckscan 216 111 210

(with 216 and 210 taken from the luckgo command line)

Luckscan is a port scanner with a specific purpose: run a script if it can get a connection to a specific port.

So, using the above command line, luckscan will scan 216.210.0.0 through 216.210.255.255 on port 111.
Any successful connections will result in running this command:

./luckstatdx -d 0 [ip of machine]

that will attempt to install code on the targeted machine which allows the running of arbitrary commands. It attempts to use a format string vulnerability in the way rpc.statd calls syslog to execute code as root. This code will, if successful, spawn a root shell which can be spoken to on port 39168.

Once it attempts to install this root shell, the script will then (via the root shell) run some informational commands (to verify that it got root privileges) and then download another tar file, extract it, install the root kit (lamerk), and delete the tar and installation file.

One interesting note is that it is currently hardcoded to Red Hat 6.2 - this attack will most likely fail if RH 6.1 or any other Linux is the target (which may still have the vulnerability, just not for this particular tool).

---------------------------------------------------
4. Is this tool a worm, or would you classify it as something else?

I do not have access to lamerk at this time. The tool is no longer at the URL hardcoded into the program. I assume that the lamerk package is NOT an instance of this tool and therefore it is not executing itself on other computers.

This tool is an automated hacking tool, designed to compromise as many systems as possible ("limiting" the tool to scanning a class C or class B requires more arguments than the syntax in the shell script...). I would classify it as a "script kiddie" tool. With a couple of fixes, it could be a very general-purpose tool for mass attacking, and require little or no intelligence from the executor.

---------------------------------------------------
5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

(This isn't fair to management types like me who haven't been hands-on in years. I can't tell what changed because I've never seen this type of tool before.)
becys (becys@becys.org) claims to have modified the original (statdx) into luckstatdx. This modification seems to be based around what commands are actually run on the hacked machine, plus a couple of text changes. He/she might have also ripped out code for other versions of Linux besides RH 6.2. I also believe that (s)he created the (flawed, see above) shell script to run it all.

The comment "Aici cred ca trebuie un exit" from luckstatdx.c seems to translate to something like "here I guess that must exit" (used http://www.castingsnet.com/dictionaries/).

Considering that Google only has 3 matches for "becys", one of them in Romanian, combined with the Romanian in the source code, I am led to believe that he really is becys@yahoo.com, lives in Romania, and is (this is fuzzy) trying to sell a chip to improve the performance of a diesel engine at http://www.rdsnet.ro/rds-bin/publicitate_detaliu?anunttype_id=1
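Editor's added example, not part of the submission above and not code from rpc.statd, statdx or luckstatdx: the bug class the answers to questions 2 and 3 describe, attacker-controlled text reaching syslog() as its format string, shown beside the one-argument fix. The variadic wrapper fmt_into stands in for syslog(3) so the program runs offline and writes to a buffer; the function names, the sample message and the directive check are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): a variadic logger that formats into a caller
 * buffer.  Like syslog() it cannot know how many arguments the format
 * will ask for; it trusts the format string completely. */
static int fmt_into(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

int log_unsafe(const char *untrusted, char *out, size_t outlen)
{
    /* VULNERABLE shape: the remote text *is* the format.  Every '%'
     * directive in it is executed by the printf engine: %x reads stack
     * words that were never passed, %s dereferences them, and %n writes
     * a count to an address taken from them.  In a daemon running as
     * root that is the path from a log line to a root shell. */
    return fmt_into(out, outlen, untrusted);
}

int log_safe(const char *untrusted, char *out, size_t outlen)
{
    /* FIXED shape: a literal format, remote text passed as data.  A '%'
     * in the input is copied, never interpreted. */
    return fmt_into(out, outlen, "%s", untrusted);
}

int has_format_directive(const char *s)
{
    /* Assumed audit/input check (not from the original tool): any '%'
     * not immediately followed by another '%' starts a conversion that
     * will consume an argument the caller never supplied. */
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 2, '%')) {
        if (p[1] != '%')
            return 1;
    }
    return 0;
}

int main(void)
{
    char out[128];
    /* Constructed sample of a hostile monitor-request string; the %08x
     * directives are the read primitive format string attacks start with. */
    const char *hostile = "monitor request from evil %08x %08x %08x";

    log_safe(hostile, out, sizeof out);
    printf("fixed     : %s\n", out);

    /* Deliberate undefined behaviour: this IS the bug.  Expect leaked
     * stack/register words where the %08x directives were. */
    log_unsafe(hostile, out, sizeof out);
    printf("vulnerable: %s\n", out);

    printf("directive check on hostile text: %d\n", has_format_directive(hostile));
    return 0;
}
```

Build with `cc -Wall -o fmtdemo fmtdemo.c` and run it; the "vulnerable" line prints whatever happened to be in the argument area, which is the leak an exploit turns into a write with %n. The wrapper is called on purpose: a direct `snprintf(out, n, untrusted)` is exactly what GCC's -Wformat-security flags ("format not a string literal and no format arguments"), so that warning, enabled as an error, is the cheapest check for this bug class in a code base.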