[prev in list] [next in list] [prev in thread] [next in thread]
List: incidents
Subject: Re: The origins of t0rnkit ?
From: Fredrik Ostergren <fredrik.ostergren () FREEBOX ! COM>
Date: 2000-09-25 8:33:23
[Download RAW message or body]
Hi!
1.) CERT have an analysis out of t0rnkit.
2.) This one is a modified (older version) of t0rnkit,
modified to suit the needs of a script kiddie called
Mace.
3.) Lrk5 or newer is available from
ftp.technotronic.com
Kind Regards
/ Fredrik.
> Hi list,
>
> I am somewhat of a newcommer here, I read the
archives but im not yet very
> familiar with this list so please dont lapidate me :)
>
> I was recently asked by a friend to look over a box
that was hacked using
> the now popular wu-ftpd exploit. Surely enough, a
rootkit was installed on
> his box and we have been looking at this. As I had
been tru the CERT paper
> recently, my first guess was that the kit used on his
box was the t0rnkit,
> however, i am no longer certain of this. I have got a
copy of the t0rnkit
> (thanks to johnathan curst) and started to compare
it with stuff found on my
> system.
>
> Similarities:
>
> A directory under /dev/ contained a list of files
describing the stuff to
> hide. In my case they were
under /dev/sdc0/.nfs01/ -- files found there
> included .1addr, .1file, .1logz and .1proc. Those
files had the same use
> that they have in the t0rnkit, .1addr=adresses to
hide in netstat et al...
> etc. (i assume the t0rnkit is known to most of you).
>
> Differences:
>
> My system contained the 't0rnsb' file in its original
form 'sauber'. The log
> parser was named 'm4c3parse' and the
sniffer 'm4c3system'. Now whats
> interesting is, the 'sauber' script ends with a
german comment "Alles sauber
> mein Meister" and my .1addr file (adresses to hide)
contained 2 IP blocks
> that belong to german ISPs. This leads me to think
that this might be the
> original source of this t0rnkit.
>
> I am still gathering the files from around the system
to build what was
> originally in this kit (unknown to me), when i am
completed i will gladly
> post it here. I belive it is appropriate content for this
list?
>
> Questions:
>
> Does this ring a bell for anyone?
> Is this a known kit?
> Did anyone do an analysis of t0rnkit?
> What is the interface of the 'in.inetd' backdoor?
Anyone have a client?
> Someone mentioned t0rn being a custom lrk5,
where could i get that?
>
>
> M.
>
> (somehow, hackers find my domain 'challenging')
>
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic