Date: Sat, 30 Dec 2000 17:18:21 +0100
From: Gijs Hollestelle <gijs@gewis.win.tue.nl>
To: project@honeynet.org
Subject: Scan of the month 10

Hi guys,

First of all, compliments on a great job you are doing with these honeypots
etc. I would like to see more on setting up a honeypot securely and
attracting the crackers. Now for the questions you posted in the scan of the
month #10:

1. Just fire up www.whiteheats.com and search for 10101 in the archNIDS box.
This'll tell you it's a tool called 'probe-myscan'. Written by some
German dude in Linux.
2. After doing a disassembly I found that it does a chroot and chdir to /
and then execs a shell, so it breaks out of a chroot jail and spawns a shell.
3. No, it isn't; if it was, it would ask for a shell command instead of "Login
Incorrect".
4. Rpc.statd (since this is a script kiddie just do a google search for rpc
port 39168)
5. Disassembling this exploit code tells us he calls socketcall 4 times, dup
3 times and exec 1 time, and then exit.
He binds the port using these socket calls. He then redirects output to it
using the dup calls and executes the shell. So technically speaking he binds
the shell at the exec call (where there first is a shell); this is the last but
one CD 80 occurrence.
6. 2 users are created, one called user, with uid 5000 (normal user), and one
called sendmail with uid 0 (root). The password is hashed and I could not
recover it by using John, so I guess it's a pretty strong one.

Keep up the good work!

-- 
Gijs

I say don't drink and drive,
  you might spill your beer.
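A defender-side check for the finding in item 6 above (an added account named sendmail carrying uid 0, plus a regular account with uid 5000). This is an added example, not part of Gijs's mail or the Honeynet challenge material; the passwd lines are constructed to mirror the finding, not copied from the honeypot, and the function names are my own.

```python
# Constructed sample /etc/passwd (not from the compromised honeypot); the
# "sendmail" uid-0 entry and "user" uid-5000 entry mirror item 6 of the mail.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
user:x:5000:5000::/home/user:/bin/bash
sendmail:x:0:0::/:/bin/bash
"""

NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A tampered or truncated file is itself a finding; fail loudly.
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell


def find_rogue_uid0(text, allowed=("root",)):
    """Names of uid-0 accounts other than the expected root account."""
    return [name for name, uid, *_ in parse_passwd(text)
            if uid == 0 and name not in allowed]


def find_interactive_accounts(text, min_uid=1000):
    """Names of accounts at or above min_uid that still have a login shell."""
    return [name for name, uid, _gid, _home, shell in parse_passwd(text)
            if uid >= min_uid and shell not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    # Point this at the real file on a live system: open("/etc/passwd").read()
    print("rogue uid 0 accounts:", find_rogue_uid0(SAMPLE_PASSWD))
    print("interactive user accounts:", find_interactive_accounts(SAMPLE_PASSWD))
```

Comparing the output against a known-good baseline (or running it from cron and alerting on any change) turns this into a cheap ongoing check; it does not recover the password, which, as the mail notes, John could not crack either.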