From jtestart@acs.ryerson.ca Fri Mar 23 10:14:55 2001
Date: Thu, 22 Mar 2001 12:05:27 -0500
From: Jason Testart
To: project@honeynet.org
Subject: Scan 13

Hopefully I am not too late in submitting! My conclusions are based on looking at the source code. Not sure if this response is technical enough, I am not a low-level C programmer!

1. What is the blackhat attempting to do with his command line syntax?

Scan groups of 65536 hosts, starting with machines in the 216.200.0.0/16 netblock.

2. What does the tool accomplish?

Gains root on Linux machines with the statd vulnerability and installs a rootkit on the victim hosts.

3. How does the tool work?

The tool is composed of three parts: luckgo (shell script), luckscan-a (C program) and luckstatdx (C program).

"luckgo" is a colour-enabled front-end shell script that takes 3 parameters, each one being a part of the IP address block to scan. luckgo builds luckscan-a and luckstatdx and then calls luckscan-a to scan the specified range of IP addresses for an open port 111.

"luckscan-a" scans the specified range of IP addresses for open port 11, and if a host qualifies, the tool calls luckstatdx. Note, from what I can tell, its main target is hosts running Redhat 6.2.

"luckstatdx" is the actual exploit code for the statd vulnerability. Upon successful compromise, it downloads and installs a rootkit from another site.

4. Is this tool a worm, or would you classify it as something else?

I would classify it as an automated scan and attack tool.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

Pieces of it are original, but I am sure the actual exploit code is a previous tool. Don't know that much about Linux exploit tools.

Bonus Question: What information can you obtain about who is using or created the tool?

The person who wrote at least part of the tool likes rap/hip-hop music. The name of the rootkit indicates this (name of a rap artist from Detroit).
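The scanning stage described in the submission above (one source walking a whole netblock host by host, probing port 111) has a simple detection signature on a perimeter firewall. The following is an added example, not part of the submission or of the tool; it assumes iptables-style kernel log lines and uses constructed sample lines.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed iptables-style log lines (not from the page). One source walks
# consecutive hosts in 216.200.0.0/16 on tcp/111 (portmapper), as the
# luckscan-a stage is described; the last two lines are unrelated noise.
SAMPLE_LOG = """\
Mar 22 11:58:01 fw kernel: IN=eth0 SRC=10.9.9.9 DST=216.200.0.1 PROTO=TCP SPT=2345 DPT=111 SYN
Mar 22 11:58:01 fw kernel: IN=eth0 SRC=10.9.9.9 DST=216.200.0.2 PROTO=TCP SPT=2346 DPT=111 SYN
Mar 22 11:58:01 fw kernel: IN=eth0 SRC=10.9.9.9 DST=216.200.0.3 PROTO=TCP SPT=2347 DPT=111 SYN
Mar 22 11:58:02 fw kernel: IN=eth0 SRC=10.9.9.9 DST=216.200.0.4 PROTO=TCP SPT=2348 DPT=111 SYN
Mar 22 11:58:02 fw kernel: IN=eth0 SRC=10.9.9.9 DST=216.200.0.5 PROTO=TCP SPT=2349 DPT=111 SYN
Mar 22 11:58:03 fw kernel: IN=eth0 SRC=192.0.2.7 DST=216.200.0.9 PROTO=TCP SPT=4100 DPT=80 SYN
Mar 22 11:58:03 fw kernel: IN=eth0 SRC=192.0.2.8 DST=216.200.0.9 PROTO=TCP SPT=4101 DPT=111 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*DPT=(?P<dpt>\d+)")

def longest_run(hosts):
    """Length of the longest run of numerically consecutive addresses;
    a sequential sweep of a netblock produces a long run."""
    ints = sorted(int(ip_address(h)) for h in hosts)
    best = cur = 1
    for a, b in zip(ints, ints[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best

def portmap_sweeps(log_text, min_hosts=4):
    """Map each source that probed >= min_hosts distinct hosts on tcp/111 to
    (distinct hosts, longest consecutive run, /16 nets touched)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "111":
            seen[m.group("src")].add(m.group("dst"))
    report = {}
    for src, dsts in seen.items():
        if len(dsts) >= min_hosts:
            nets = sorted({".".join(d.split(".")[:2]) + ".0.0/16" for d in dsts})
            report[src] = (len(dsts), longest_run(dsts), nets)
    return report

if __name__ == "__main__":
    for src, (n, run, nets) in portmap_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {n} hosts on tcp/111, longest sequential run {run}, nets {nets}")
```

A single host probed on port 111 (the 192.0.2.8 line) stays below the threshold, while the sweeping source is reported together with the netblock it walked.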