From ted@tni.net Sat Mar 17 20:03:21 2001
Date: Thu, 15 Mar 2001 20:44:36 -0500
From: Ted Hale
To: project@honeynet.org
Cc: "Ted Hale (E-mail)"
Subject: scan of the month

project@honeynet.org answers to scan of the month Mar, 2001

1. What is the blackhat attempting to do with his command line syntax?

The commands do the following:

- connect to a directory to hide files in
- download a tar file of cracking tools
- unpack the tar file
- connect to the directory with the cracking tools
- run the tool against several network ranges

2. What does the tool accomplish?

Searches for systems vulnerable to a specific NFS exploit and installs a rootkit on any system it can crack.

3. How does the tool work?

Two tools are used. The first scans for systems with port 111 (RPC) available. When such a system is found, the second tool will be run against that system. The second tool uses a known exploit in NFS to create a port-bound root shell. It then connects to this shell and has the system download and install a rootkit.

4. Is this tool a worm, or would you classify it as something else?

Since this tool is initiated manually and does not spread itself, it is not a worm. I would classify it as an automated cracking tool.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

The tools are not original. The portscanner is based on pscan-a with a few lines added to run the second tool on possible victim systems. The second tool is statdx (by ron1n) with the commands executed on the remote system changed to download and install a rootkit.

Bonus - What information can you obtain about who is using or created the tool?

The creator of the tool is not English-speaking. There is a comment line in the modified statdx.c file which I first thought was French, but it appears not to be. Your description of this scan says it is from the Romanian blackhat community, so I will assume it is Romanian.

The person who used the tools is probably not experienced with Unix, since they took four tries to get the tar command right. They were also sloppy and duplicated a couple of the scans.

Ted Hale
ted@tni.net
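The two-stage behaviour described in answer 3 (a sweep for port 111 across a range, followed by a connection back to an unusual port on a host that was swept) is something a defender can look for in connection logs. The following detector is an added example, not code from Ted Hale's submission or from the Honeynet Project; the log format and the sample lines are constructed for this illustration, and the threshold of five probed hosts and the list of "common" ports are assumptions a site would tune.

```python
"""Flag the pattern from the answers above: one source probing port 111
(RPC portmapper) on many hosts, then connecting to an uncommon port on a
host it already probed (the port-bound shell step).

Log format and sample lines are constructed for this example, not real
honeynet data. Field order: "<time> <src> <dst> <dport> <action>".
"""
from collections import defaultdict

RPC_PORT = 111
SCAN_THRESHOLD = 5   # assumption: distinct hosts probed on 111 before we call it a sweep
# assumption: service ports a follow-up connection is not treated as a bound shell
COMMON_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 443}

# Constructed sample log: 10.0.0.9 sweeps six hosts on port 111, then connects
# to a high port on one of them; 172.16.5.5 is ordinary traffic.
SAMPLE_LOG = """\
1 10.0.0.9 192.168.1.1 111 SYN
2 10.0.0.9 192.168.1.2 111 SYN
3 10.0.0.9 192.168.1.3 111 SYN
4 10.0.0.9 192.168.1.4 111 SYN
5 10.0.0.9 192.168.1.5 111 SYN
6 10.0.0.9 192.168.1.6 111 SYN
7 10.0.0.9 192.168.1.3 39168 SYN
8 172.16.5.5 192.168.1.3 80 SYN
9 172.16.5.5 192.168.1.3 111 SYN
"""


def parse(log):
    """Yield (time, src, dst, dport) tuples from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, _action = line.split()
        yield int(t), src, dst, int(dport)


def detect(events, threshold=SCAN_THRESHOLD):
    """Single pass, in time order.

    Returns (scanners, alerts): scanners maps each source that probed port 111
    on >= threshold distinct hosts to the set of hosts it probed; alerts lists
    (time, src, dst, dport) for connections from such a source to an uncommon
    port on a host it had already probed.
    """
    probed = defaultdict(set)
    alerts = []
    for t, src, dst, dport in events:
        if dport == RPC_PORT:
            probed[src].add(dst)
            continue
        hosts = probed.get(src, set())
        if len(hosts) >= threshold and dst in hosts and dport not in COMMON_PORTS:
            alerts.append((t, src, dst, dport))
    scanners = {s: h for s, h in probed.items() if len(h) >= threshold}
    return scanners, alerts


def analyse(log):
    """Parse a log text and run the detector over it."""
    return detect(list(parse(log)))


if __name__ == "__main__":
    scanners, alerts = analyse(SAMPLE_LOG)
    for src, hosts in scanners.items():
        print(f"RPC sweep from {src}: {len(hosts)} hosts probed on port {RPC_PORT}")
    for t, src, dst, dport in alerts:
        print(f"t={t}: {src} -> {dst}:{dport} after sweep (possible bound shell)")
```

The detector deliberately keys on the sequence rather than on port 111 alone, since a single portmapper query is routine; a source that has swept the range and then returns to a high port on one swept host is the combination worth a look, and the sample run reports exactly that one connection.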