From chris@cmc.cwo.net.au Sat Mar 17 20:02:32 2001
Date: Sun, 11 Mar 2001 16:13:41 +1100
From: Chris Keladis
To: project@honeynet.org
Subject: Scan of the month

1) The scanner is attempting to scan various /16 nets for the rpc.statd vulnerability.

2) The tool scans for and exploits a well-known format string bug in rpc.statd's syslog() call, and gets the remote host to download and install a rootkit.

3) The attacker scanned /16 networks, although the tool is capable of scanning /8, /16 and /24 nets. It scans port 111 to try and use the UNIX portmapper to find the port the rpc.statd daemon is listening on (it looks for program # 100024 in RPC). If that doesn't work it tries to connect directly to the rpc.statd process by using the port supplied in the -p parameter, and if that doesn't work it bombs out.

If the attack is successful and the shell code is executed and it manages to connect to the remote shell on tcp/39168, it prints "You now have a new server rooted with rpc.statd technique and becys|ReSpEkT scan-h4x0r !". It then proceeds into the runshell() function and executes sh commands to download and install a rootkit called "xzibit" (which is still attainable from the URL in the exploit).

xzibit is your basic rootkit, replacing ps, top and netstat, and tucking away the information to be hidden in various files under the /dev directory. It runs linsniff, copies a CGI into the cgi-bin directory allowing easy execution of files and viewing of the output, and it runs a rooted SSH server, amongst other basic things.

4) I wouldn't classify the tool as a worm, since a worm is usually self-replicating by nature. This tool is just a mass-hack installing rootkits which need manual intervention to exploit further.

5) The tool the rpc.statd exploit was based upon is "statdx.c", posted to BUGTRAQ by ron1n. All that was modified was the commands used in the runshell() function to download and install the xzibit rootkit, and some banners, comments etc.

Bonus question) Judging by the tool writer's language s/he seems of European descent (perhaps French/Italian/Belgian). Also it seems the tool may possibly have lived on a Windows machine of some type, since the filename conforms to the 8.3 filename spec and is in upper-case. The attacker is most likely scanning popular cable/*DSL netblocks which usually contain high-speed unsecured Linux boxes. The netblocks align with UUNet, AT&T, @Home, Abovenet etc. IPv4 blocks.

Regards,

Chris.
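The behaviour described in points 1 and 3 above (a source sweeping whole /16 nets on port 111 to locate rpc.statd via the portmapper, then connecting to the backdoor shell on tcp/39168 after a successful hit) leaves a very recognisable footprint in connection logs. The following is an added detection example, not part of the submission or of the scanner it analyses; the "SYN src:port -> dst:port" log format and the sample lines are constructed for illustration, and the sweep threshold of eight distinct hosts is an assumed tuning value.

```python
"""Flag rpc.statd mass-scan activity in a connection log (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

# Ports named in the analysis: 111 is the portmapper the scanner queries for
# RPC program 100024 (rpc.statd); 39168 is the TCP port the exploit's shell
# code listens on after a successful hit.
PORTMAP_PORT = 111
STATD_SHELL_PORT = 39168

# Constructed sample log: an assumed "timestamp SYN src:port -> dst:port" format,
# not real traffic. 203.0.113.7 sweeps 198.51.100.0/16 on port 111 and then
# connects to one host's backdoor port; 192.0.2.9 is ordinary NFS/portmap noise.
SAMPLE_LOG = """\
2001-03-11T03:12:01 SYN 203.0.113.7:1037 -> 198.51.100.1:111
2001-03-11T03:12:01 SYN 203.0.113.7:1038 -> 198.51.100.2:111
2001-03-11T03:12:01 SYN 203.0.113.7:1039 -> 198.51.100.3:111
2001-03-11T03:12:02 SYN 203.0.113.7:1040 -> 198.51.100.4:111
2001-03-11T03:12:02 SYN 203.0.113.7:1041 -> 198.51.100.5:111
2001-03-11T03:12:02 SYN 203.0.113.7:1042 -> 198.51.100.6:111
2001-03-11T03:12:03 SYN 203.0.113.7:1043 -> 198.51.100.7:111
2001-03-11T03:12:03 SYN 203.0.113.7:1044 -> 198.51.100.8:111
2001-03-11T03:12:03 SYN 192.0.2.9:40012 -> 198.51.100.4:2049
2001-03-11T03:12:09 SYN 203.0.113.7:1051 -> 198.51.100.4:39168
2001-03-11T03:13:40 SYN 192.0.2.9:40100 -> 198.51.100.20:111
"""

LINE_RE = re.compile(
    r"^(\S+) SYN (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, sport, dst, dport) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    return ts, src, int(sport), dst, int(dport)


def analyze(log_text, sweep_threshold=8):
    """Group port-111 probes by (source, destination /16) and report sweeps,
    backdoor-port sessions, and hosts that saw both from the same source."""
    probed = defaultdict(set)   # (src, "a.b.0.0/16") -> distinct hosts probed on 111
    shell_sessions = []         # (ts, src, dst) for connections to tcp/39168
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _sport, dst, dport = rec
        if dport == PORTMAP_PORT:
            net16 = ipaddress.ip_network(f"{dst}/16", strict=False)
            probed[(src, str(net16))].add(dst)
        elif dport == STATD_SHELL_PORT:
            shell_sessions.append((ts, src, dst))

    sweeps = {key: len(hosts) for key, hosts in probed.items()
              if len(hosts) >= sweep_threshold}
    sweep_sources = {src for (src, _net) in sweeps}
    # A backdoor-port connection from a host that was also sweeping portmapper
    # is the strongest signal that the target was actually exploited.
    likely_compromised = sorted({dst for _ts, src, dst in shell_sessions
                                 if src in sweep_sources})
    return {"sweeps": sweeps,
            "shell_sessions": shell_sessions,
            "likely_compromised": likely_compromised}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for (src, net), count in report["sweeps"].items():
        print(f"portmapper sweep: {src} probed {count} hosts in {net}")
    for ts, src, dst in report["shell_sessions"]:
        print(f"tcp/{STATD_SHELL_PORT} session at {ts}: {src} -> {dst}")
    print("likely compromised:", report["likely_compromised"])
```

The per-/16 grouping mirrors how the scanner itself walks netblocks, so a single source touching many hosts in one /16 on port 111 stands out even when the probe rate is low; the tcp/39168 correlation then narrows the list to hosts worth pulling off the wire and imaging, since the rootkit described above hides its files under /dev and replaces ps, top and netstat on the box itself.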