From berjo@ozemail.com.au Sat Mar 17 20:03:06 2001
Date: Wed, 14 Mar 2001 19:02:17 +1100
From: John Berkers
To: "Project Honeynet (E-mail)"
Subject: Scan of the Month - March 2001

Hi all,

This is my first attempt at analysing one of these scans. I think I'm pretty much on the right track.

The answers:

1. The blackhat is scanning several class B address ranges for the RedHat 6.x rpc.statd format string remote root vulnerability, and attempting to gain root on other systems.

2. The tool scans and compromises systems using the rpc.statd unchecked buffer vulnerability in the specified range.

3. The luckgo script compiles the luckscan-a and luckstatdx utilities, which are then used to initiate a scan of the specified range in order to determine the presence of vulnerable systems. luckgo calls luckscan-a with the specified range (216.210 in the first scan) and specifies that luckscan-a should attempt a connection to port 111 (sunrpc) when scanning the systems. When luckscan-a finds a vulnerable system it calls luckstatdx to attempt to gain root on the system by exploiting an unchecked buffer vulnerability. As systems are rooted the results are dumped into scan.log.

4. This tool is not a worm, as it does not replicate itself from system to system. It merely alerts the initiator of the script to the availability of freshly rooted systems. If I were to classify it I would call it a script kiddie tool, since it allows anyone with very little experience to scan for and exploit systems with the rpc.statd vulnerability.

5. luckstatdx appears to be based on statdx by ron1n (shellcode@hotmail.com); in fact the code is almost verbatim, only the names of the guilty have been changed. luckscan-a appears to be based on either statdx-scan by b10nic or scan by Volatile (upon which statdx-scan is allegedly based). It appears to have been modified to allow optional scanning down to a Class C by specifying additional parameters. If not supplied it just scans the Class A.

Bonus: The user of the tool is likely to be just a script kiddie with little or no *nix experience. The blackhat may just be following a set of instructions supplied by another blackhat. The creator of the tool is not much more than a script kiddie, but has enough knowledge to make changes to a script in order for it to appear as his own creation (thief/plagiarist).

I found most of this info by scanning through the source code, and by searching for similar exploits at Packetstorm.

Regards,
John Berkers
Network/Firewall Administrator
E-mail: berjo@ozemail.com.au

------------ Output from pgp ------------
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

File is signed. signature not checked.
Signature made 2001/03/14 08:02 GMT
key does not meet validity threshold.

WARNING: Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "(KeyID: 0x26708921)".
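The submission above describes a tool that sweeps whole address ranges looking for port 111 (sunrpc) before handing each hit to the exploit. From the defender's side, that behaviour leaves a very recognisable trace: one source touching TCP/111 on many distinct, usually consecutive, hosts in a short time. The following is an added example, not part of John Berkers' submission or of the Honeynet challenge material. It parses constructed log lines in the style of a Linux iptables LOG target (the addresses, hostnames and timestamps are made up for this example) and reports sources that probed port 111 on at least a threshold number of hosts, noting whether the targets form a contiguous run as a range scanner would produce. The function names and the `threshold` parameter are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (iptables LOG style). Not taken from the
# Honeynet scan; made up for this example. 192.0.2.77 sweeps eight hosts
# on TCP/111 in order, 203.0.113.9 touches one host on two ports.
SAMPLE_LOG = """\
Mar 14 18:55:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.1 PROTO=TCP SPT=41022 DPT=111 SYN
Mar 14 18:55:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=41023 DPT=111 SYN
Mar 14 18:55:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.3 PROTO=TCP SPT=41024 DPT=111 SYN
Mar 14 18:55:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.4 PROTO=TCP SPT=41025 DPT=111 SYN
Mar 14 18:55:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=41026 DPT=111 SYN
Mar 14 18:55:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.6 PROTO=TCP SPT=41027 DPT=111 SYN
Mar 14 18:55:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=41028 DPT=111 SYN
Mar 14 18:55:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.8 PROTO=TCP SPT=41029 DPT=111 SYN
Mar 14 18:56:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=55000 DPT=111 SYN
Mar 14 18:56:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=55001 DPT=22 SYN
"""

# Pull source, destination and destination port out of a TCP log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def _ip_key(addr):
    """Sort key so that 198.51.100.9 orders before 198.51.100.10."""
    return int(ipaddress.ip_address(addr))


def parse_lines(text):
    """Yield (src, dst, dport) for every TCP line the regex recognises."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def is_sequential(dsts):
    """True if the addresses form one unbroken run (a range sweep)."""
    ints = sorted(_ip_key(d) for d in dsts)
    return all(b - a == 1 for a, b in zip(ints, ints[1:]))


def find_sunrpc_sweeps(text, threshold=5, port=111):
    """Map each source that hit `port` on at least `threshold` distinct
    hosts to its sorted list of target addresses."""
    targets = defaultdict(set)
    for src, dst, dpt in parse_lines(text):
        if dpt == port:
            targets[src].add(dst)
    return {
        src: sorted(dsts, key=_ip_key)
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


def sweep_report(text, threshold=5, port=111):
    """One human-readable line per flagged source."""
    report = []
    for src, dsts in sorted(find_sunrpc_sweeps(text, threshold, port).items()):
        shape = "contiguous" if is_sequential(dsts) else "scattered"
        report.append(
            f"{src} probed TCP/{port} on {len(dsts)} hosts, "
            f"{shape} range {dsts[0]} - {dsts[-1]}"
        )
    return report


if __name__ == "__main__":
    for line in sweep_report(SAMPLE_LOG):
        print(line)
```

The threshold keeps a single legitimate portmapper lookup (the 203.0.113.9 line) out of the report, while the contiguity check separates a range sweep of the kind the submission describes from, say, a monitoring host that polls a handful of unrelated servers. In practice the same logic would be fed from the firewall's own log stream rather than a string constant.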