Re: possible new tool: std.pl, the rpc.statd linux mass rooter (fwd)

[claymore <claymore () ADELPHIA NET>]

It is not a new script. It has been around a while in some variation or
another. The reason for the different names is that the code is available on
the web...usually with some minor disabling feature so that the pure script
kiddies will not be able to use it. Each person who fixes the code and
compiles it puts thier own name on it. I can provide links to the code if it
would be helpful.

Claymore
the unprofound

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Niels Heinen
Sent: Thursday, December 14, 2000 10:37 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: possible new tool: std.pl, the rpc.statd linux mass rooter
(fwd)


marc wrote:

> Recently a server of ours was compromised.  On it we found a script and
> some programs that were scanning other machines for statd, and then
> automatically rooting the ones it found.
>
> I've done some searches, but found no reference to this.  If it is new, I
> will post more details.  Does anyone recognize this?
>
> #!/usr/bin/perl
> #
> # std.pl v0.2+p3 by KraZee -  10.30.00 private
> # rpc.statd linux mass rooter         [epic]
> #
> # binds rootshell on port 24765 on exploited hosts
> # standard disclaimers apply
> #
> # DO NOT DISTRIBUTE !! DO NOT DISTRIBUTE
>
> I've sent similar msgs to sans and cert, but was unsure where else to
> share this.
>
> marc
>
> marc () zounds net

Yes i have a copy of an rpc automatic hacking tool. It also connects to the
rooted systems in order to see if they are running more then one processors.
If so then it will log the host as compromised if not then it will continue.
The code in the tool i managed to get my hand on was very crappy yours too ?
The tool i have goes by the same name only the name of the author is
different. It is a package with several perl scripts and statdx.c compiled.

Niels