Security Incidents mailing list archives
Re: The origins of t0rnkit ?
From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Mon, 25 Sep 2000 08:33:23 -0000
Hi! 1.) CERT have an analysis out of t0rnkit. 2.) This one is a modified (older version) of t0rnkit, modified to suit the needs of a script kiddie called Mace. 3.) Lrk5 or newer is available from ftp.technotronic.com Kind Regards / Fredrik.
Hi list, I am somewhat of a newcommer here, I read the
archives but im not yet very
familiar with this list so please dont lapidate me :) I was recently asked by a friend to look over a box
that was hacked using
the now popular wu-ftpd exploit. Surely enough, a
rootkit was installed on
his box and we have been looking at this. As I had
been tru the CERT paper
recently, my first guess was that the kit used on his
box was the t0rnkit,
however, i am no longer certain of this. I have got a
copy of the t0rnkit
(thanks to johnathan curst) and started to compare
it with stuff found on my
system. Similarities: A directory under /dev/ contained a list of files
describing the stuff to
hide. In my case they were
under /dev/sdc0/.nfs01/ -- files found there
included .1addr, .1file, .1logz and .1proc. Those
files had the same use
that they have in the t0rnkit, .1addr=adresses to
hide in netstat et al...
etc. (i assume the t0rnkit is known to most of you). Differences: My system contained the 't0rnsb' file in its original
form 'sauber'. The log
parser was named 'm4c3parse' and the
sniffer 'm4c3system'. Now whats
interesting is, the 'sauber' script ends with a
german comment "Alles sauber
mein Meister" and my .1addr file (adresses to hide)
contained 2 IP blocks
that belong to german ISPs. This leads me to think
that this might be the
original source of this t0rnkit. I am still gathering the files from around the system
to build what was
originally in this kit (unknown to me), when i am
completed i will gladly
post it here. I belive it is appropriate content for this
list?
Questions: Does this ring a bell for anyone? Is this a known kit? Did anyone do an analysis of t0rnkit? What is the interface of the 'in.inetd' backdoor?
Anyone have a client?
Someone mentioned t0rn being a custom lrk5,
where could i get that?
M. (somehow, hackers find my domain 'challenging')
Current thread:
- The origins of t0rnkit ? Masial (Sep 18)
- Re: The origins of t0rnkit ? techno (Sep 19)
- Re: The origins of t0rnkit ? Gerrie (Sep 20)
- <Possible follow-ups>
- Re: The origins of t0rnkit ? Guilherme Mesquita (Sep 20)
- Re: The origins of t0rnkit ? David Masten (Sep 21)
- Re: The origins of t0rnkit ? Fredrik Ostergren (Sep 25)
- Re: The origins of t0rnkit ? techno (Sep 19)