List:       incidents
Subject:    t0rnkit on solaris machines
From:       johnathan curst <john_curst () YAHOO ! COM>
Date:       2000-09-22 22:56:25

Hello again,
Well, after my last post about the Linux variation
of the tornkit, it seems to me that a SunOS version
of t0rn-style trojans is starting to emerge on
SunOS 5.6/5.7, and I have had a few reports
of stachel+yps as well; a few trojans with
"t0rn" in their name have been seen on Sun
machines as well .. I will keep you up to date as
soon as I have more information. Again, we believe a
mass exploitation routine was used, like the
statd/wuftpd (Linux) was used, except this time
it seems like sadmind/statd(?) and of course the
never-ending cmsd.

Also, after reading an article on ZDNet
http://www.zdnet.co.uk/news/2000/37/ns-18064.html
they seemed to mention that the number of servers
hacked was estimated at a few hundred, which is
quite far from the fact. Anyone who does a
sweep for port 511 on the major A class blocks
will notice this number is as high as a few
thousand, of which quite a large number
include the ddos tool stachel+yps installed on
them.

If anyone would like to work with me in analysing
t0rnkit or any of the t0rn* files, I would be glad
to work with them.


Regards,
John
