The origins of t0rnkit ?

[Masial <masial () SECURED ORG>]

Hi list,

I am somewhat of a newcommer here, I read the archives but im not yet very
familiar with this list so please dont lapidate me :)

I was recently asked by a friend to look over a box that was hacked using
the now popular wu-ftpd exploit. Surely enough, a rootkit was installed on
his box and we have been looking at this. As I had been tru the CERT paper
recently, my first guess was that the kit used on his box was the t0rnkit,
however, i am no longer certain of this. I have got a copy of the t0rnkit
(thanks to johnathan curst) and started to compare it with stuff found on my
system.

Similarities:

A directory under /dev/ contained a list of files describing the stuff to
hide. In my case they were under /dev/sdc0/.nfs01/ -- files found there
included .1addr, .1file, .1logz and .1proc. Those files had the same use
that they have in the t0rnkit, .1addr=adresses to hide in netstat et al...
etc. (i assume the t0rnkit is known to most of you).

Differences:

My system contained the 't0rnsb' file in its original form 'sauber'. The log
parser was named 'm4c3parse' and the sniffer 'm4c3system'. Now whats
interesting is, the 'sauber' script ends with a german comment "Alles sauber
mein Meister" and my .1addr file (adresses to hide) contained 2 IP blocks
that belong to german ISPs. This leads me to think that this might be the
original source of this t0rnkit.

I am still gathering the files from around the system to build what was
originally in this kit (unknown to me), when i am completed i will gladly
post it here. I belive it is appropriate content for this list?

Questions:

Does this ring a bell for anyone?
Is this a known kit?
Did anyone do an analysis of t0rnkit?
What is the interface of the 'in.inetd' backdoor? Anyone have a client?
Someone mentioned t0rn being a custom lrk5, where could i get that?


M.

(somehow, hackers find my domain 'challenging')