List:       incidents
Subject:    Re: The origins of t0rnkit ?
From:       Fredrik Ostergren <fredrik.ostergren () FREEBOX ! COM>
Date:       2000-09-25 8:33:23
Hi!
1.) CERT have an analysis out of t0rnkit. 
2.) This one is a modified (older version) of t0rnkit, 
modified to suit the needs of a script kiddie called 
Mace. 
3.) Lrk5 or newer is available from 
ftp.technotronic.com

Kind Regards

/ Fredrik.

> Hi list,
>
> I am somewhat of a newcomer here, I read the archives but I'm not yet very familiar with this list so please don't lapidate me :)
>
> I was recently asked by a friend to look over a box that was hacked using the now popular wu-ftpd exploit. Surely enough, a rootkit was installed on his box and we have been looking at this. As I had been through the CERT paper recently, my first guess was that the kit used on his box was the t0rnkit, however, I am no longer certain of this. I have got a copy of the t0rnkit (thanks to johnathan curst) and started to compare it with stuff found on my system.
>
> Similarities:
>
> A directory under /dev/ contained a list of files describing the stuff to hide. In my case they were under /dev/sdc0/.nfs01/ -- files found there included .1addr, .1file, .1logz and .1proc. Those files had the same use that they have in the t0rnkit, .1addr=addresses to hide in netstat et al... etc. (I assume the t0rnkit is known to most of you).
>
> Differences:
>
> My system contained the 't0rnsb' file in its original form 'sauber'. The log parser was named 'm4c3parse' and the sniffer 'm4c3system'. Now what's interesting is, the 'sauber' script ends with a German comment "Alles sauber mein Meister" and my .1addr file (addresses to hide) contained 2 IP blocks that belong to German ISPs. This leads me to think that this might be the original source of this t0rnkit.
>
> I am still gathering the files from around the system to build what was originally in this kit (unknown to me), when I am completed I will gladly post it here. I believe it is appropriate content for this list?
>
> Questions:
>
> Does this ring a bell for anyone?
> Is this a known kit?
> Did anyone do an analysis of t0rnkit?
> What is the interface of the 'in.inetd' backdoor? Anyone have a client?
> Someone mentioned t0rn being a custom lrk5, where could I get that?
>
>
> M.
>
> (somehow, hackers find my domain 'challenging')

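The quoted post describes the kit keeping its hide lists (.1addr, .1file, .1logz, .1proc) as plain files in a hidden directory under /dev/. Since /dev normally holds only device nodes, links, fifos and sockets, a quick triage check is to walk it and flag anything else. The script below is an added example written for this archive page, not code from the thread or from the kit; the fake /dev tree it scans is a constructed sample (a fifo stands in for a device node, which needs root to create).

```python
"""Flag non-device entries under a /dev-style tree, where t0rn-style kits keep their config."""
import os
import stat
import tempfile

# Hide-list file names the poster found under /dev/sdc0/.nfs01/
KNOWN_HIDE_LISTS = {".1addr", ".1file", ".1logz", ".1proc"}


def scan_dev_tree(root):
    """Return (path, reason) for hidden directories and regular files under root.
    Device nodes, symlinks, fifos and sockets are expected in /dev and are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()   # deterministic walk order (in-place sort steers os.walk)
        filenames.sort()
        for name in dirnames:
            if name.startswith("."):
                findings.append((os.path.join(dirpath, name), "hidden directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                reason = "known t0rn-style hide list" if name in KNOWN_HIDE_LISTS else "regular file"
                findings.append((path, reason))
    return findings


def build_sample_tree(root):
    """Constructed sample: a fifo as a stand-in device entry, plus a hidden
    config directory laid out like the one in the post (hypothetical contents)."""
    cfg = os.path.join(root, "sdc0", ".nfs01")
    os.makedirs(cfg)
    os.mkfifo(os.path.join(root, "initctl"))
    for name in (".1addr", ".1file"):
        with open(os.path.join(cfg, name), "w") as f:
            f.write("# constructed sample, not real kit data\n")


def demo():
    """Build the sample tree in a temp dir and return findings relative to it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), r) for p, r in scan_dev_tree(root)]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:28s} {path}")
```

On a live system, run `scan_dev_tree("/dev")` as root and review every hit; the fifo is skipped while the hidden directory and its hide lists are reported.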