From scottn@infront.co.uk Sat Mar 17 19:44:24 2001
Date: Thu, 01 Mar 2001 15:17:33 +0000
From: Scott Nursten
To: lance@spitzner.net
Subject: Honeynet Project - Scan of the Month

Last correction - I promise :)

The Challenge:

1. What is the blackhat attempting to do with his command line syntax?

He makes a hidden directory, uses lynx to download his r00tkit (LUCKROOT.TAR), and is clearly a unix/linux amateur as he fumbles with tar to unpack the kit. He then proceeds to use luckgo (a custom made shell script used to invoke luckscan-a) to start his scan on numerous class A's.

2. What does the tool accomplish?

If it all works properly, it opens a listening root shell through sshd on port 6969.

3. How does the tool work?

It scans Class A's for an open port, supplied on the command line (in this case, portmapper - supplied from the luckgo sh script), and on finding open portmap ports, attempts to exploit them with luckstatdx. It appears to only exploit Redhat 6.2 in scripty mode, but is capable of exploiting 6.0 and 6.1.

4. Is this tool a worm, or would you classify it as something else?

It's not quite a worm. I don't see it re-fetching or re-running luckgo. I haven't investigated too deeply on the xzibit.tar.gz - work to do. I would say it's just a rootkit.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

Having never seen ramen in the wild, I couldn't tell you, but I would guess it's based on ramen.

Bonus Question: What information can you obtain about who is using or created the tool?

Becys (Qian Wang) added the sshd part.

Qian Wang
becys@yahoo.com
bSoft
1 Hensel Dr. Apt.#Z1F
College Station, Texas 77840
US
Phone- (979)862-9233
Fax-

--
Scott Nursten - Systems Administrator
Streets Online Ltd.
Business: +44 (0) 1293 402 040
Fax: +44 (0) 1293 402 050
Email: scottn@streetsonline.co.uk
--------------------------------------------------------------
"Facts do not cease to exist because they are ignored."
Aldous Huxley
--------------------------------------------------------------
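The write-up above describes two observable traits of the tool: a sweep of whole Class A ranges looking for open portmapper (port 111), and, on a successful compromise, a listening root shell on port 6969. The following is an added detection example, not part of Scott Nursten's submission or of the Honeynet Project's materials. It flags a source that probes port 111 on many distinct hosts within a short window, and it compares a host's listening ports against a known-good baseline to surface an unexpected listener such as 6969. The connection-log format (timestamp, source, destination, destination port) and the netstat-style lines are constructed for the example and are not captured data.

```python
"""Added example: detection logic for the two traits named in the write-up,
a portmapper sweep across many hosts and an unexpected listener on a host.
All sample input below is constructed, not captured traffic."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed connection-log line: '<iso-ts> <src> <dst> <dport>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_portmap_sweeps(log_text, dport=111, min_hosts=10, window_seconds=60):
    """Return {src: distinct_hosts} for sources that hit `dport` on at least
    `min_hosts` distinct destinations inside any `window_seconds` window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == dport:
            hits[src].append((ts, dst))

    sweeps = {}
    for src, events in hits.items():
        events.sort()
        in_window = Counter()   # dst -> number of events currently in the window
        j = 0
        best = 0
        for i, (ts_i, dst_i) in enumerate(events):
            # Extend the window end to cover every event within window_seconds of ts_i.
            while j < len(events) and (events[j][0] - ts_i).total_seconds() <= window_seconds:
                in_window[events[j][1]] += 1
                j += 1
            best = max(best, len(in_window))
            # Slide the window start past event i.
            in_window[dst_i] -= 1
            if in_window[dst_i] == 0:
                del in_window[dst_i]
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps


def listening_ports(netstat_text):
    """Extract local TCP ports in LISTEN state from netstat-style lines."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "tcp" and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def unexpected_listeners(netstat_text, baseline_ports):
    """Ports listening on the host that are not in the approved baseline."""
    return sorted(listening_ports(netstat_text) - set(baseline_ports))


def build_sample_log():
    """Constructed log: one source probing port 111 on 20 hosts in 20 seconds,
    plus an admin host making a few legitimate portmapper and ssh connections."""
    base = datetime(2001, 3, 1, 10, 0, 0)
    lines = []
    for n in range(1, 21):
        ts = base + timedelta(seconds=n)
        lines.append(f"{ts.isoformat()} 10.9.8.7 10.1.0.{n} 111")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.5.5.5 10.1.0.1 111")
    lines.append(f"{(base + timedelta(minutes=30)).isoformat()} 10.5.5.5 10.1.0.2 111")
    lines.append(f"{(base + timedelta(seconds=7)).isoformat()} 10.5.5.5 10.1.0.1 22")
    return "\n".join(lines)


# Constructed netstat -lnt style output for a host where 6969 has appeared.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6969 0.0.0.0:* LISTEN
"""

if __name__ == "__main__":
    print("portmapper sweeps:", find_portmap_sweeps(build_sample_log()))
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT, {22, 111}))
```

The sweep detector keys on distinct destinations per source inside a sliding window, so an admin host that legitimately queries portmapper on a couple of servers is not flagged, while the scanning source is. The baseline comparison is only as good as the baseline; maintain it per host role so a new listener on an unusual port stands out.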