From guillaume@sky.fr Sat Mar 17 20:01:36 2001
Date: Mon, 05 Mar 2001 11:36:06 +0100
From: Guillaume
To: project@honeynet.org
Subject: luckgo.tar.

Hi !

First, I am not a C developer. I just capture things from the wild-wild-web using a snort/acid re-designed combination. I found your challenge of the month while searching for some info about attacks I have been detecting for some weeks now, run using the same tools you are trying to decode. (Isn't the Internet so small ? :-)). So I am just trying.... :-)

The Challenge:

1. What is the blackhat attempting to do with his command line syntax?

As far as I understand (once again, I am not a C developer but I have some Perl knowledge...) the luckscan part of the tool ...scans (how unpredictable... ;-)) a net and tries to open sockets for the luckstatdx tool to connect to. If found, the luckstatdx tool tries to run some shell, by breaking into some Redhat nfs implementations (according to the code, nfs-utils-0.1.6.2, knfsd-1.4.7-7 and 1.2.2-4 are vulnerable).

2. What does the tool accomplish?

If a vulnerable rpc.statd daemon is found and broken, the luckstatdx tool installs a so-called tg.tgz tool (sorry, I didn't capture it... yet ! :-)). I did not find that rg.tgz tool, but I have a so-called x file (yes, hacker's humour...) that is in fact a shell script pointing to www.thehappy.org (same kind of ... humour...):

    Program was launched in background,it will scan,get root and install a rOOtKiT for U."
    echo "My master is OutS|der:happy@lugoj.ro"
    echo "Luv ya c0ri !"
    echo "Greeting to :all haxors from Lugoj and #hacks , #hackings and #darkhackers !"
    echo ""
    gcc -o luckscan-a luckscan-a.c > /dev/null 2>&1
    gcc -o luckstatdx luckstatdx.c > /dev/null 2>&1

From what I understand, this script somehow connects to www.thehappy.org (registration [compromised] site ? I captured the luck tools from a compromised DNS server...), launches compilations and starts scanning from this machine to re-run the luck toolkit again... I have no proof of that, but I think that the trojan may use the registration form to get future victims' addresses: i.e. you enter a domain (.tv should be hugely asked for !!) and you are in the next to-be-scanned server list !! But until I have found the rg tools, it is just speculation...

3. How does the tool work?

Not so well against my networks !! :-)

4. Is this tool a worm, or would you classify it as something else?

A sh*t ?? :-) More seriously, something like a worm/trojan installer...

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

Based on statdx exploit code. Modified by a so-self-named 0uts|der.... A variation on rpc.statdx (IDS442 Max Vision whitehats.com).

Hope I am not so far from the truth..... :o)

Guillaume Arcas
Self-Home-Made Security and Network Intrusion Analysis ... Beginner (understand: Yet Another Richard Stevens Reader !)
E-mail : guillaume@sky.fr or gas@anteria.fr

PS : if you are interested in receiving a free copy of the x script, just e-mail me (including a valid credit card number... Just joking, as usual ! 8-))