From krassi@gmx.net Sat Mar 17 20:02:10 2001
Date: Thu, 8 Mar 2001 23:56:03 +0100 (MET)
From: Krassimir Tzvetanov
To: project@honeynet.org
Subject: Scan of the month

Hi, this is my analysis. Since I don't know the gender of the attacker, instead of saying he/she, I'll assume it is IT.

1. It was scanning class A networks. The shell script/exploit also has the option to narrow the scan to class B and C. So basically:
   ./luckgo 216 210
   means network 216.210.x.x

2. The tool scans for open port 111 on each host. If the port is found, the exploit is executed.

3. It overflows a buffer in statd; the shell code binds a shell to port 39168. The exploit executes a command that will download and install a rootkit. The shell code is for Intel processors (NOP is 0x90).

4. This is not a worm. It may be classified as a single-vulnerability scanner (including automated exploitation) - script kiddie style :)

5. The tool is modified. The original exploit was released by ron1n in July 2000. In this script the line that is executed on the remote system is modified. The aim is automated download and installation of the rootkit xzibit. The script was modified on a Windows machine, probably by WordPad or Word. (The CRs at the end of each line are proof of that.)

Notes:
The scanner uses non-blocking I/O and keeps the state of each socket in a structure associated with it.

---------

The rootkit:
- replaces ps, top, netstat, ifconfig.
- installs a sniffer.
- creates files /dev/dsx and /dev/caca to save some configs there.
- creates /dev/ida/.inet
- modifies rc.sysinit so that it will start the sniffer at every system boot. The sniffer file is /dev/ida/.inet/tcp.log
- plus it installs some version of sshd with configuration file /dev/ida/.inet/s
- installs a backdoor cgi - it allows execution of arbitrary commands.
- also sends email informing that the system is rooted.
- sense - is an interface to the sniffer logs.
- sl2 is a kind of port scanner.

Possible contact information of the attacker (probably true):
Qian Wang
becys@yahoo.com
bSoft
1 Hensel Dr. Apt.#Z1F
College Station, Texas 77840 US
Phone- (979)862-9233

The analysis was performed without running any of the programs.

Krassi

--
Sent through GMX FreeMail - http://www.gmx.net
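The scan pattern the analysis describes (one source probing port 111 across many hosts in a class A or class B range, followed by a connection to the bound shell on port 39168) is easy to pick out of connection logs. The following detector is an added example, not code from the e-mail or from the Honeynet Project; the log format (one line per connection, "timestamp src_ip dst_ip dst_port") and the sample lines are constructed for illustration, and the threshold of eight distinct hosts is an arbitrary choice.

```python
"""Flag portmap sweeps and connections to the statd bindshell port.

Added example (not from the original e-mail). Assumed log format, one
connection per line:  <timestamp> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict

RPC_PORTMAP_PORT = 111      # the scanner probes this port on every host
BINDSHELL_PORT = 39168      # port the statd payload binds its shell to
SWEEP_THRESHOLD = 8         # distinct hosts probed on 111 before we flag (arbitrary)

# Constructed sample log, not real traffic: 10.0.0.5 walks 216.210.1.1-9 on
# port 111 and then talks to the bindshell on one host; 10.0.0.9 is benign.
SAMPLE_LOG = "\n".join(
    [f"2001-03-08T23:10:{i:02d} 10.0.0.5 216.210.1.{i} 111" for i in range(1, 10)]
    + [
        "2001-03-08T23:10:30 10.0.0.9 216.210.1.1 111",    # one-off portmap query
        "2001-03-08T23:10:31 10.0.0.9 216.210.1.1 80",     # ordinary web hit
        "not a log line",                                   # malformed, must be skipped
        "2001-03-08T23:11:02 10.0.0.5 216.210.1.4 39168",  # attacker uses the bound shell
    ]
)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    ts, src, dst, port = parts
    return ts, src, dst, int(port)


def class_b_prefixes(hosts):
    """Sorted list of the x.y/16 prefixes covered by a set of addresses,
    which shows how the sweep was narrowed (e.g. './luckgo 216 210')."""
    return sorted({".".join(h.split(".")[:2]) for h in hosts})


def analyze(log_text):
    """Return (sweeps, bindshell).

    sweeps:    {src_ip: sorted list of hosts it probed on port 111} for
               sources that touched at least SWEEP_THRESHOLD distinct hosts.
    bindshell: [(timestamp, src_ip, dst_ip)] for any connection to 39168;
               a single hit is worth investigating on its own.
    """
    probed = defaultdict(set)
    bindshell = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if port == RPC_PORTMAP_PORT:
            probed[src].add(dst)
        elif port == BINDSHELL_PORT:
            bindshell.append((ts, src, dst))
    sweeps = {src: sorted(hosts) for src, hosts in probed.items()
              if len(hosts) >= SWEEP_THRESHOLD}
    return sweeps, bindshell


if __name__ == "__main__":
    sweeps, bindshell = analyze(SAMPLE_LOG)
    for src, hosts in sweeps.items():
        print(f"portmap sweep from {src}: {len(hosts)} hosts in "
              f"{', '.join(class_b_prefixes(hosts))}.x.x")
    for ts, src, dst in bindshell:
        print(f"{ts} bindshell traffic {src} -> {dst}:{BINDSHELL_PORT}")
```

Run as a script it prints one line for the sweep and one for the bindshell connection; the malformed line and the single benign portmap query from 10.0.0.9 produce nothing. The port 39168 check is deliberately not thresholded, because any connection to that port on a host that normally has no listener there is already a strong indicator.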