Security Incidents mailing list archives

Re: t0rn


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Sun, 10 Sep 2000 01:54:12 -0700

On Sat, 9 Sep 2000, Mixter wrote:

There is a kiddy called torn which is currently attacking ircnet
and efnet servers (trying to take down oper channels) with new versions
of the DDoS agent, I expect this is a rootkit/DDoS distribution made by
him, the first I've seen so far. It seems that the rootkit is a variation
of a customized version of lrk5, that I've seen before already, on incidents,
I think. It looks like a fully featured rootkit, so expect replaced binaries,
booby traps, etc. on the system.

Mixter is more in touch with the IRC world than I am, I must admit.

-- hub version: 1.666+smurf+yps --
distributed smurf, that's pretty new for the stacheldraht tool
what is yps? anybody know a public DoS method with that name?

Hint: "yps" is not a DoS method. ;)

I think that someone will be publishing an analysis of this variant
of stacheldraht Real Soon Now. ;)

# more pw.h
/* created password for masterserver */

#define SALT "zAE1nir9mBWTY\0"
looks like a uuencoded hash... let's try john the ripper
bash$ echo root:zAE1nir9mBWTY:0:0:::: > test ; john test
Loaded 1 password (Standard DES [32/32 BS])

Standard crypt()-DES hash, not too strong :)

I've already got my 500MHz pentium III laptop working on it (for 1 day,
4 hours already...no luck yet.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
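
Added example, not part of the original message or of the recovered source: a triage helper that scans a C header such as the quoted pw.h for string constants shaped like crypt(3) output, showing that the value named SALT is a full 13-character traditional DES crypt string whose actual salt is its first two characters. The function names and the BANNER define are constructed for illustration.

```python
import re

# Constructed sample: the pw.h lines quoted in the message, plus one
# made-up non-hash define (BANNER) for contrast.
SAMPLE_HEADER = r'''
/* created password for masterserver */
#define SALT "zAE1nir9mBWTY\0"
#define BANNER "hello world"
'''

# #define NAME "string", allowing backslash escapes inside the string.
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)\s+"((?:[^"\\]|\\.)*)"', re.M)
# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet.
DES_RE = re.compile(r'[./0-9A-Za-z]{13}')
# Modular crypt format: $id$..., e.g. $1$ for MD5-crypt.
MODULAR_RE = re.compile(r'\$([0-9a-z]+)\$.+')


def classify(value):
    """Return (scheme, salt) if value is shaped like crypt(3) output, else None.

    This is a shape heuristic: any 13-character string drawn from the
    crypt alphabet matches, so hits still need confirming by an analyst.
    """
    if DES_RE.fullmatch(value):
        return ("traditional DES crypt", value[:2])
    m = MODULAR_RE.fullmatch(value)
    if m:
        return ("modular crypt $%s$" % m.group(1), None)
    return None


def scan_header(text):
    """List (name, value, scheme, salt) for every define holding a crypt string."""
    hits = []
    for name, raw in DEFINE_RE.findall(text):
        value = re.sub(r'(\\0)+$', '', raw)  # drop a trailing C "\0" escape
        result = classify(value)
        if result:
            hits.append((name, value) + result)
    return hits


if __name__ == "__main__":
    for hit in scan_header(SAMPLE_HEADER):
        print("%s = %s -> %s (salt: %s)" % hit)
```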

