Security Incidents mailing list archives
t0rnkit on solaris machines
From: johnathan curst <john_curst () YAHOO COM>
Date: Fri, 22 Sep 2000 22:56:25 -0000
Hello again,

Well, after my last post about the linux variation of the tornkit, it seems to me that a sunos version of t0rn style trojans is starting to emerge on sunos 5.6/5.7, and I have had a few reports of stachel+yps as well. A few trojans with "t0rn" in their name have been seen on Sun machines as well. I will keep you up to date as soon as I have more information.

Again, we believe a mass exploitation routine was used, like the statd/wuftpd (linux) one was, except this time it seems to be for sadmind/statd(?) and of course the never ending cmsd.

Also, after reading an article on zdnet, http://www.zdnet.co.uk/news/2000/37/ns-18064.html, they seemed to mention that the number of servers hacked was estimated at a few hundred, which is quite far from the fact. Anyone who does a sweep for port 511 on the major A class blocks will notice this number is as high as a few thousand, and quite a large number of those have the ddos tool stachel+yps installed on them.

If anyone would like to work with me in analysing t0rnkit or any of the t0rn* files, I would be glad to work with them.

Regards,
John