Security Incidents mailing list archives
Re: t0rn (the rootkit)
From: johnathan curst <john_curst () YAHOO COM>
Date: Sun, 10 Sep 2000 09:34:59 -0000
I found something on a server a few weeks ago which was compromised by "t0rn" which might be of some use...

FANCY ASCII SAYING t0rnkit

-----[ version 6.66 .. 2308200 .. torn () secret-service co uk ]----
-| Ok a bit about the kit... Version based on lrk style trojans
-| made up from latest linux sources .. special thanks to
-| k1ttykat/j0hnny7 for this..
-| First rootkit of its kind that is all precompiled and yet allows
-| you to define a password.. password is stored in a external encrypted
-| file. The trojans using this are login/ssh/finger ..
-| This kit was designed with the main idea of being portable and quick
-| to be mainly used for mass hacking linux's, hence the precompiled bins.
-| Usage : ./t0rn <password> <ssh-port>
-| ----------
-| this will be the new ssh and login password
-| to use it with login u must...
-| [login]
-| * the default password is "t0rnkit"
-| bash# export DISPLAY=t0rnkit-looser
-| bash# telnet tornkit.com
-| Trying 127.0.0.1...
-| Linux 2.2.16 (tornkit.com)
-| login: torn <this can be anything>
-| Password:arf
-| bash# etc...

I did manage to leech a copy of the files as it seemed that my server was being used as an ftp dump site by him... if you would like a copy of this rootkit let me know

Regards,
Johnathan Curst
There is a kiddy called torn which is currently attacking ircnet and efnet servers (trying to take down oper channels) with new versions of the DDoS agent, I expect this is a rootkit/DDoS distribution made by him, the first I've seen so far. It seems that the rootkit is a variation of a customized version of lrk5, that I've seen before already, on incidents, I think. It looks like a fully featured rootkit, so expect replaced binaries, booby traps, etc. on the system.

In this case, t0rnserv was listening on port 60001.

tcp or udp?

There is a README file there, with a date of Feb 5.. I think it's safe to assume that his one came out then.

According to my info, it is undergoing active development and being installed on more hosts... so keep an eye out ;/

-- hub version: 1.666+smurf+yps --

distributed smurf, that's pretty new for the stacheldraht tool

what is yps? anybody know a public DoS method with that name?

# more pw.h
/* created password for masterserver */
#define SALT "zAE1nir9mBWTY\0"

looks like a uuencoded hash... let's try john the ripper

bash$ echo root:zAE1nir9mBWTY:0:0:::: > test ; john test
Loaded 1 password (Standard DES [32/32 BS])

Standard crypt()-DES hash, not too strong :)

PS: If you still have the files, I'd be interested in getting a copy.
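The sh functions below are an added example, not code from either poster or from the kit, and turn the three indicators this thread gives (the DISPLAY=t0rnkit-looser trigger for the trojaned login in the first message, the t0rnserv listener on port 60001, and the SALT #define in pw.h from the second) into something that can be run on a suspect box or on captured output. Assumptions: that the trigger string is stored in clear text inside a backdoored login binary (the README only says login reacts to DISPLAY, not how the value is stored), and, since the thread never settled tcp or udp, the listener check matches both. The netstat listing and the pw.h text are constructed from the lines above, not real captures.

```shell
#!/bin/sh
# Added triage helpers for the t0rn indicators in this thread (example code).

T0RN_DISPLAY_TRIGGER='t0rnkit-looser'   # DISPLAY value from the kit's README
T0RN_PORT=60001                         # port t0rnserv was seen listening on

# 1. Does a login binary contain the DISPLAY trigger in clear text?
#    (Assumption: the kit does not obfuscate the string.)  grep -a treats the
#    binary as text so "strings" is not needed.  Returns 0 if found.
check_login_trigger() {
    if grep -a -q -- "$T0RN_DISPLAY_TRIGGER" "$1" 2>/dev/null; then
        echo "SUSPECT: $1 contains '$T0RN_DISPLAY_TRIGGER'"
        return 0
    fi
    return 1
}

# 2. Scan "netstat -an" style output on stdin for anything bound to the
#    t0rnserv port, tcp or udp.  Prints matching lines, returns 0 if any.
find_t0rn_listener() {
    awk -v port="$T0RN_PORT" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") { print; found = 1 }
        END { exit(found ? 0 : 1) }'
}

# 3. Turn the SALT #define from pw.h into a passwd-style line for john.
#    A 13-character value from [./0-9A-Za-z] is traditional crypt(3) DES:
#    characters 1-2 are the salt, 3-13 the hash (the "\0" in the define is
#    just the C string terminator and is dropped).  $1 = pw.h text,
#    $2 = username to label the entry with.  Fails if it is not DES crypt.
pw_h_to_john() {
    hash=$(printf '%s\n' "$1" \
        | sed -n 's/^#define SALT "\([^"\\]*\).*/\1/p' | head -n 1)
    if ! printf '%s\n' "$hash" | grep -q '^[./0-9A-Za-z]\{13\}$'; then
        echo "not a 13-char DES crypt hash: '$hash'" >&2
        return 1
    fi
    printf '%s:%s:0:0::::\n' "$2" "$hash"
}

# Constructed sample input (not real captures).
SAMPLE_PW_H='/* created password for masterserver */
#define SALT "zAE1nir9mBWTY\0"'

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60001           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:60001           0.0.0.0:*
tcp        0      0 127.0.0.1:6000          0.0.0.0:*               LISTEN'

# Demo run on the constructed input (and on /bin/login if it exists).
printf '%s\n' "$SAMPLE_NETSTAT" | find_t0rn_listener || echo "nothing on port $T0RN_PORT"
pw_h_to_john "$SAMPLE_PW_H" root
check_login_trigger /bin/login || echo "/bin/login: trigger string not found"
```

On a live system feed it `netstat -an | find_t0rn_listener` and point `check_login_trigger` at every login/sshd/fingerd binary, remembering that a replaced binary may also have been taught to lie to ls and md5sum, so a known-clean copy of the tools from read-only media is the safer way to run this.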
Current thread:
- Re: t0rn (the rootkit) johnathan curst (Sep 12)
- Re: t0rn (the rootkit) Jeffrey F. Lawhorn (Sep 12)