From shawn@net-connect.net Sat Mar 17 20:01:26 2001
Date: Fri, 02 Mar 2001 16:11:38 -0600
From: shawn . moyer
To: project@honeynet.org
Subject: Scan of the month

1. Command line syntax is easy since you provide the source to the tool. The script "luckgo" is a wrapper for two tools, luckscan-a and luckstatdx. It will actually build the tools if they're not there already, and then run them, in a pretty little l33tspeak ANSI color interface. The two arguments following the command line are the octets of the networks to scan. The script forks to the background, and then the two tools scan for rpc.statd and run an automated exploit that appears to bind a shell to port 39168.

2. See above. I got a bit ahead of myself. :)

3. It scans netblocks supplied at the command line and then runs the exploit against the hosts it finds running statd.

4. It's sort of a semi-automated worm. It doesn't replicate itself, but once someone attaches to the box the script rooted, they can run the tool again, creating a new attack tree from there.

5. r0n1n's statdx and statdx2, posted on Bugtraq 08-05-2000 and 10-11-2000, respectively. Plus, in the source you have: "statdx modify by becys".

Bonus question: becys.org is reg'd to:

Qian Wang
becys@yahoo.com
bSoft
1 Hensel Dr. Apt.#Z1F
College Station, Texas 77840
US
Phone- (979)862-9233

The reverse lookup, 64.176.171.107, is SWIP'd to Alabanza, Inc. (prolly an ISP), in Baltimore, MD.

So where do you guys come up with Romania? I don't see much in the code or the comments to tell me where these guys came from, and I don't know the source IP from the attack, so... Hrmmm...

Okay, can I have a cookie now? :)

--shawn

--
s h a w n m o y e r
shawn@net-connect.net

Man will occasionally stumble over the truth, but most of the time he will pick himself up and continue on. -- Churchill
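The behaviour described in points 1, 3 and 4 (sweep a netblock for statd, exploit a hit, bind a shell to port 39168, then repeat from the rooted box) has a detectable shape in connection logs. The following is an added example, not part of shawn's submission or of the luckgo tool: a small correlator over constructed connection-log lines that flags a source which probes several hosts and then connects to TCP 39168 on one of them, and then follows victims that go on to scan in turn, reconstructing the "attack tree" the post mentions. The log format, the use of port 111 (sunrpc portmapper) as the probe port, and the three-host scan threshold are assumptions for this example only.

```python
from collections import defaultdict
from dataclasses import dataclass

BIND_SHELL_PORT = 39168  # port the post says the automated exploit binds a shell to
PROBE_PORT = 111         # assumed: scanner locates statd via the sunrpc portmapper
SCAN_THRESHOLD = 3       # assumed: distinct hosts probed before we call it a scan

# Constructed sample log for this example. Format: "<ts> <src> -> <dst>:<dport>"
SAMPLE_LOG = """
1000 10.0.0.5 -> 192.0.2.10:111
1001 10.0.0.5 -> 192.0.2.11:111
1002 10.0.0.5 -> 192.0.2.12:111
1003 10.0.0.5 -> 192.0.2.13:111
1010 10.0.0.5 -> 192.0.2.12:39168
1020 10.0.0.9 -> 192.0.2.20:39168
1030 10.0.0.7 -> 192.0.2.30:111
1031 10.0.0.7 -> 192.0.2.30:39168
1100 192.0.2.12 -> 198.51.100.1:111
1101 192.0.2.12 -> 198.51.100.2:111
1102 192.0.2.12 -> 198.51.100.3:111
1110 192.0.2.12 -> 198.51.100.3:39168
""".strip().splitlines()


@dataclass
class Conn:
    ts: int
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed log line into a Conn record."""
    ts, src, arrow, target = line.split()
    if arrow != "->":
        raise ValueError(f"bad line: {line!r}")
    dst, dport = target.rsplit(":", 1)
    return Conn(int(ts), src, dst, int(dport))


def find_scan_then_shell(lines, probe_port: int = PROBE_PORT) -> dict:
    """Return {src: [victims]} for sources that probed >= SCAN_THRESHOLD distinct
    hosts on probe_port and afterwards connected to BIND_SHELL_PORT on one of
    the hosts they had probed. Lines are processed in timestamp order so only
    probes that precede the shell connection are counted."""
    probed = defaultdict(dict)  # src -> {dst: first probe timestamp}
    hits = defaultdict(list)
    conns = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda c: c.ts)
    for c in conns:
        if c.dport == probe_port:
            probed[c.src].setdefault(c.dst, c.ts)
        elif c.dport == BIND_SHELL_PORT:
            seen = probed[c.src]
            if len(seen) >= SCAN_THRESHOLD and c.dst in seen and seen[c.dst] <= c.ts:
                if c.dst not in hits[c.src]:
                    hits[c.src].append(c.dst)
    return dict(hits)


def attack_tree(hits: dict, root: str, seen=None) -> dict:
    """Follow victims that later act as scanning sources themselves, returning
    a nested {victim: {victim: ...}} tree rooted at `root`. `seen` guards
    against cycles in the connection data."""
    seen = set() if seen is None else seen
    seen.add(root)
    return {v: attack_tree(hits, v, seen) for v in hits.get(root, []) if v not in seen}


if __name__ == "__main__":
    hits = find_scan_then_shell(SAMPLE_LOG)
    for src, victims in hits.items():
        print(f"{src} scanned then got a shell on: {', '.join(victims)}")
    print("attack tree from 10.0.0.5:", attack_tree(hits, "10.0.0.5"))
```

In the sample data 10.0.0.9 connects to 39168 without a preceding sweep and 10.0.0.7 probes only one host, so neither is flagged; 10.0.0.5 is, and its victim 192.0.2.12 shows up again as the next scanning source, which is exactly the hand-off described in point 4.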