From hedley@pacbell.net Fri Mar 23 10:14:32 2001
Date: Wed, 21 Mar 2001 04:13:28 -0800 (PST)
From: hedley@pacbell.net
To: project@honeynet.org
Subject: Scan 13

My responses to your Q's for Scan 13 follow:

Thanks!
Hedley

--------------------------------------------------------

What is the blackhat attempting to do with his command line syntax?

He is invoking a script that then invokes a tool in the kit that scans for RPC statd vulnerabilities. The options to the luckgo script in his specific attacks are Class B addresses.

What does the tool accomplish?

It scans a class of IP space and installs itself at each compromised RH 6.2 system (ostensibly RH 6.2, but the system type table is the same for 6.0, 6.1 and 6.2). Some of the addresses in the luckgo script look to me like Pacbell DSL and @Home subscriber IPs. Probably a rich source of targets given the prevalence of Linux servers in residential settings.

How does the tool work?

The luckscan tool, once provided with a particular class of IP space and a port (111 in this case), will explore the class's space, using up to 1000 sockets at a time. If it can get a connection on 111 from any of the IPs in the given space, it then uses a second tool, luckstatdx, to explore the IP address and if possible overrun the statd buffer using the well known format string exploit. A small buffer of code containing an invocation of /bin/sh tied to port 0x9900 is executed once the compromised buffer overrun routine attempts to return. This shell, running as root, is then provided with a tarfile via a wget from becsys's web site. An install is run on that tarfile. The user of the luckgo script, via luckscan-a and finally luckstatdx, is now provided with an opportunity to type strings into this root-compromised shell sitting on port 0x9900. Since xzibit.tar.gz (the downloaded and installed file(s)) lives on this machine now, presumably the attacker can use those files to further extend his/her reach.

Interestingly, I don't see how luckscan-a ever terminates. There is a while(!done) (done an automatic in main()) and it is never set to 1. Thus the luckgo script will explore only one Class B space by my reckoning.

Is this tool a worm, or would you classify it as something else?

It is not a worm in the true sense of the 'worm' term. It is a user-propagated worm, in that, once provided with a shell at the compromised host, the user could then start a toolkit from there.

Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

I cannot be certain but I would wager it is derivative of the Ramen toolkit since the basic format string code has been in the wild for some time via that toolkit.

Bonus Question: What information can you obtain about who is using or created the tool?

There are some names that are in the code: becsys. I suspect becsys may be from South America (Brazil) or Portugal proper, with this comment in luckstatdx.c:

// Aici cred ca trebuie un exit.
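The two-stage pattern the reply above describes (a sweep of port 111 across an address block, then a connection to the shell bound on port 0x9900 on a host that answered) written up as detection logic over log lines. This is an added example for defenders, not code from the post or from the toolkit; the log format, the addresses and the sweep threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified firewall-log lines (assumed format, not from the
# original post): "<epoch> <src_ip> <dst_ip> <dst_port>". The sweep source
# and the /24 it probes are made-up sample values.
SAMPLE_LOG = """\
985000000 10.9.8.7 192.0.2.1 111
985000000 10.9.8.7 192.0.2.2 111
985000000 10.9.8.7 192.0.2.3 111
985000001 10.9.8.7 192.0.2.4 111
985000001 10.9.8.7 192.0.2.5 111
985000002 10.9.8.7 192.0.2.3 39168
985000005 10.1.1.1 192.0.2.3 80
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")
RPCBIND_PORT = 111          # the port luckscan probes, per the reply
BINDSHELL_PORT = 0x9900     # 39168, the port the reply says /bin/sh is tied to


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            records.append((int(ts), src, dst, int(dport)))
    return records


def rpc_sweep_sources(records, min_hosts=4):
    """Sources that probed port 111 on at least min_hosts distinct hosts
    (the scanner's one-port sweep of a whole address block)."""
    targets = defaultdict(set)
    for _, src, dst, dport in records:
        if dport == RPCBIND_PORT:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_hosts)


def bindshell_followups(records):
    """(src, dst) pairs where src probed dst:111 and later connected to
    dst:0x9900, i.e. the post-exploitation shell being used."""
    probed = set()
    hits = []
    for _, src, dst, dport in sorted(records):   # sorted by timestamp first
        if dport == RPCBIND_PORT:
            probed.add((src, dst))
        elif dport == BINDSHELL_PORT and (src, dst) in probed:
            hits.append((src, dst))
    return hits
```

A source that appears in both results is the strongest signal: the sweep alone is reconnaissance, while the follow-up to 0x9900 indicates the statd overrun succeeded on that host.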