Security Incidents mailing list archives
Re: t0rn
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Sun, 10 Sep 2000 01:54:12 -0700
On Sat, 9 Sep 2000, Mixter wrote:
> There is a kiddy called torn which is currently attacking ircnet and
> efnet servers (trying to take down oper channels) with new versions of
> the DDoS agent, I expect this is a rootkit/DDoS distribution made by
> him, the first I've seen so far. It seems that the rootkit is a
> variation of a customized version of lrk5, that I've seen before
> already, on incidents, I think. It looks like a fully featured rootkit,
> so expect replaced binaries, booby traps, etc. on the system.
Mixter is more in touch with the IRC world than I am, I must admit.
> -- hub version: 1.666+smurf+yps --
> distributed smurf, that's pretty new for the stacheldraht tool
> what is yps? anybody know a public DoS method with that name?
Hint: "yps" is not a DoS method. ;) I think that someone will be publishing an analysis of this variant of stacheldraht Real Soon Now. ;)
> # more pw.h
> /* created password for masterserver */
> #define SALT "zAE1nir9mBWTY\0"
> looks like a uuencoded hash... let's try john the ripper
> bash$ echo root:zAE1nir9mBWTY:0:0:::: > test ; john test
> Loaded 1 password (Standard DES [32/32 BS])
> Standard crypt()-DES hash, not too strong :)
I've already got my 500MHz pentium III laptop working on it (for 1 day, 4 hours already...no luck yet.)

--
Dave Dittrich                          Computing & Communications
dittrich () cac washington edu         Client Services
http://staff.washington.edu/dittrich   University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
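
An added example, not part of the original post: a small auditor that recognises the traditional crypt() DES format of the string quoted above (two salt characters plus eleven hash characters in crypt's own 64-character alphabet, not uuencoding) and flags it in passwd-style lines. The function names are hypothetical, and every sample line except the root line taken from the post is constructed.

```python
import re

# crypt(3) alphabet: '.' = 0, '/' = 1, then digits, upper case, lower case.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MODULAR = re.compile(r"^\$([0-9a-z]+)\$")  # $1$, $5$, $6$, $2b$, ...


def parse_des_crypt(field):
    """Return (salt, ciphertext) for a traditional DES crypt string, else None."""
    if len(field) != 13 or any(c not in ITOA64 for c in field):
        return None
    idx = [ITOA64.index(c) for c in field]
    # Two salt characters carry 12 bits, low six bits first.
    salt = idx[0] | (idx[1] << 6)
    # Eleven characters carry 66 bits: a 64-bit block plus two zero pad bits.
    bits = 0
    for v in idx[2:]:
        bits = (bits << 6) | v
    if bits & 0b11:
        return None  # pad bits set: crypt() could not have produced this
    return salt, bits >> 2


def classify(field):
    """Name the hashing scheme of one passwd/shadow password field."""
    if field == "" or field[0] in "*!x":
        return "no-hash"
    m = MODULAR.match(field)
    if m:
        return "modular:" + m.group(1)
    if parse_des_crypt(field) is not None:
        return "des-crypt"  # 12-bit salt, 56-bit key, 8 significant chars
    return "unknown"


def audit(lines):
    """Return [(user, scheme)] for passwd/shadow-style lines."""
    return [(p[0], classify(p[1]))
            for p in (l.rstrip("\n").split(":") for l in lines) if len(p) >= 2]


SAMPLE = [
    "root:zAE1nir9mBWTY:0:0::::",                # line built in the post
    "alice:$6$constructed$AAAA:1000:1000::::",   # constructed sample
    "bob:*:1001:1001::::",                       # constructed sample
    "carol:zAE1nir9mBWTZ:1002:1002::::",         # constructed: bad pad bits
]

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(f"{user:6} {scheme}")
```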