From rkt@pobox.com Sat Mar 17 20:01:30 2001
Date: Sun, 4 Mar 2001 01:13:15 -0800 (PST)
From: Royans K Tharakan
To: project@honeynet.org
Subject: March: Scan of the month

>What is the blackhat attempting to do with his command line syntax?

-->Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210

The command line is the first and second byte of the class B network
address it attempts to scan.

>What does the tool accomplish?

This is an automated statd exploit script/proggy which scans and
installs a rootkit on other systems.

>How does the tool work?

The script luckgo is a simple script which compiles and starts up the
scanner luckscan-a. This scanner scans port 111 on the given class B
address.

--> printf("Usage: %s [b-block] [c-block]\n", argv[0]);

This is a simple port scanner. Once the scanner detects a victim it
initiates the statd exploit. The statdx exploit opens port 16 on the
victim with access to the shell /bin/sh. Next the exploit connects to
the port and gets a file (http://www.becys.org/xzibit.tar.gz) from an
exploit site, after which it installs the exploit, which probably
restarts the whole process all over again.

>Is this tool a worm, or would you classify it as something else?

This doesn't look like a worm. LUCKROOT.TAR seems to be way different
from what gets installed on the victim. A 'worm' installs itself.
Hence I disagree that this is a worm. The tool which it downloads from
http://www.becys.org/xzibit.tar.gz looks more like a small rootkit
with scanners and distributed attack tools. It modifies key rc scripts
and installs an http cgi script for remote access. It also installs a
backdoored sshd, it seems. Anyway the point is that this is not a
worm, but just an attack script which installs rootkits. Also from the
keystrokes logged it seems that LUCKROOT was actually installed
manually. This was not automated.

>Is this tool original, or is it simply based on previous tools? If based
>on previous tools, which ones and what is modified?

I believe that the statdx exploit (luckstatdx) is modified. Instead of
just starting up a listening port for /bin/sh, this script goes a step
ahead and installs the rootkit for the attacker.

>Bonus Question:
>What information can you obtain about who is using or created the tool?

The following URL will provide the whois lookup on becys.org from
where the tool is downloaded. Since the tool is still available on
this site, I'd assume that the owner of this site has intentionally
put it there. Hence leading me to believe that the owner of this site
is also the creator of this tool or at least responsible in some way
for its existence.

http://www.networksolutions.com/cgi-bin/whois/whois?STRING=becys.org&STRING=Search

--
--Royans K Tharakan------------
--http://security.royans.net/--
-------------------------------
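Added example (editor's code, not part of the submission above or of the luckroot tooling it analyses): a small offline detector for the behaviour the analysis describes. It turns a bash HISTORY syslog line recording `./luckgo <b> <c>` into the /16 that was targeted, then looks in connection records for a source that sweeps port 111 across many hosts in that /16 and afterwards connects to port 16 on one of them, which is the listener the modified statdx exploit opens. The syslog line is the one quoted in the submission; the flow records, the attacker address 10.0.0.5, the benign address 10.0.0.9 and the `min_hosts` threshold are constructed for the example.

```python
"""Offline detector for a luckgo-style sweep (added example; log lines and
flow records are constructed, not captured data)."""
import ipaddress
import re
from collections import defaultdict

# Matches the bash HISTORY logging format seen on the honeypot.
HISTORY_RE = re.compile(r"HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.+)$")


def luckgo_targets(syslog_lines):
    """Return the /16 networks named on './luckgo <b-block> <c-block>' lines.

    The two arguments are the first two octets of the network swept, so
    './luckgo 216 210' means 216.210.0.0/16.
    """
    nets = []
    for line in syslog_lines:
        m = HISTORY_RE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if len(argv) != 3 or not argv[0].endswith("luckgo"):
            continue
        b, c = argv[1], argv[2]
        if b.isdigit() and c.isdigit() and int(b) <= 255 and int(c) <= 255:
            nets.append(ipaddress.ip_network(f"{b}.{c}.0.0/16"))
    return nets


def sweep_then_backdoor(flows, net, min_hosts=50, scan_port=111, backdoor_port=16):
    """Flag sources that sweep scan_port across >= min_hosts in `net` and then
    connect to backdoor_port on a host in `net`.

    flows: iterable of (ts, src_ip, dst_ip, dst_port) tuples.
    Returns {src_ip: [backdoored victims in order seen]}.
    """
    swept = defaultdict(set)   # src -> hosts it probed on scan_port
    hits = defaultdict(list)   # src -> hosts it later reached on backdoor_port
    for ts, src, dst, dport in sorted(flows):
        if ipaddress.ip_address(dst) not in net:
            continue
        if dport == scan_port:
            swept[src].add(dst)
        elif dport == backdoor_port and len(swept[src]) >= min_hosts:
            hits[src].append(dst)
    return dict(hits)


# Constructed sample data ----------------------------------------------------
SAMPLE_SYSLOG = [
    "Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210",
    "Jan 8 18:49:20 honeypot -bash: HISTORY: PID=1246 UID=0 ls -la",
]

ATTACKER = "10.0.0.5"   # assumed scanning host
BENIGN = "10.0.0.9"     # assumed host that only touches a couple of machines

# Attacker probes 60 hosts on 111, then opens the port-16 shell on one of them.
SAMPLE_FLOWS = [(i, ATTACKER, f"216.210.1.{i}", 111) for i in range(1, 61)]
SAMPLE_FLOWS.append((100, ATTACKER, "216.210.1.7", 16))
# Benign host: two port-111 lookups and one port-16 connection, below threshold.
SAMPLE_FLOWS += [
    (5, BENIGN, "216.210.2.1", 111),
    (6, BENIGN, "216.210.2.2", 111),
    (7, BENIGN, "216.210.2.2", 16),
]


def demo():
    """Run the detector over the constructed data and return its findings."""
    nets = luckgo_targets(SAMPLE_SYSLOG)
    findings = {str(n): sweep_then_backdoor(SAMPLE_FLOWS, n) for n in nets}
    return findings


if __name__ == "__main__":
    print(demo())
```

The threshold of 50 swept hosts is an arbitrary choice for the sample; on a real sensor you would tune it to the sweep rate of the scanner and to how many rpcbind lookups legitimate hosts on the monitored network make.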