Date: Tue, 12 Dec 2000 20:28:52 -0800
From: Mail <flameboy3@home.com>
To: project@honeynet.org
Subject: Scan of the month

I believe the first attacker used wuscan.c for his scan.
He then used bobek to try and exploit.
The program tries to open /bin/sh and sends the email
venglin@kocham.kasie.com
I think that email varies with the bobek version.
 
The attack was unsuccessful.
 
The second attack could have been related; 6 hours later is pretty close.
Could have been a list of IPs he was mass scanning/rooting.
 
The second time, the attacker tries to exploit rpc.statd (port 111).
The exploit looks as if it could be a modification of statdx.c to
automatically execute those extra commands.
 
The string of commands creates the user "user" password "eliteness"
(I ran a cracker out of curiosity, password was around the top of the
dictionary).
It also adds user "sendmail" uid 0 gid 0 with no password,
probably so the attacker can su to sendmail after logging in as user.
 
Then it binds a port by adding the line to inetd.conf and then rehashing
inetd.
 
Then it deletes hosts.deny... curious why he would do this.
Does the system allow all hosts when hosts.deny is missing?
If this is true, the attacker probably rm'ed it to make sure he would
have a path to the system.
 
It would be interesting to know if the attacker came back and logged in
with the accounts or the port backdoor, and what he did after that :-)
 
Also, where did he get the IP? Did it come from IRC? Was this a random
attack? Mass class scan??
-flameboy
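Assuming the modifications described in the message above (an extra uid 0 account with an empty password, a port handed to a shell through inetd.conf, hosts.deny removed), here is an added example, not part of the original submission or the Honeynet project, of the post-compromise checks a responder could run; the passwd and inetd.conf samples are constructed and the hosts.deny path is a placeholder default.

```python
"""Hypothetical post-compromise checks for the indicators described above.
Added example, not from the original message or the Honeynet project; the
sample /etc/passwd and inetd.conf contents below are constructed."""
import os
import re

# Constructed sample passwd: a 'sendmail' account with uid 0 and no password.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1001:1001::/home/user:/bin/bash
sendmail::0:0::/:/bin/sh
"""

# Constructed sample inetd.conf: one entry hands a port straight to a shell.
SAMPLE_INETD = """ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
"""

def suspicious_passwd_entries(passwd_text):
    """Return (name, reason) pairs for non-root uid 0 accounts and empty passwords."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        if pw == "":
            findings.append((name, "empty password field"))
    return findings

def shell_bound_inetd_services(inetd_text):
    """Return service names whose inetd.conf server program is a shell."""
    shells = re.compile(r"(^|/)(sh|bash|csh|ksh|tcsh|zsh)$")
    found = []
    for line in inetd_text.splitlines():
        fields = line.split()
        # Field 6 is the server program; skip comments and short lines.
        if fields and not fields[0].startswith("#") and len(fields) >= 6:
            if shells.search(fields[5]):
                found.append(fields[0])
    return found

def hosts_deny_missing(path="/etc/hosts.deny"):
    """True if the tcp_wrappers deny file is absent, as noted in the message."""
    return not os.path.exists(path)
```

Run the two parsers over the real /etc/passwd and /etc/inetd.conf of the compromised host (or a forensic image) instead of the constructed samples.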