Security Incidents mailing list archives
Re: t0rn
From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Sun, 10 Sep 2000 09:38:08 -0000
Hi! I believe t0rn and Danny-boy work on the same net and are killing ircnet/efnet ircds. We have a copy of Danny-boy's newest rootkit for linux/sunos; the Linux version is (probably) made by t0rn and is the same kit as t0rnkit but with small changes, some echos and such things. If I have time, I can put out an analysis of this kit; I got shitloads of work to do anyhow, so I will see what I can do. However, +yps is made by psychoid: some bugs removed from the normal stacheldraht+1.666 source, and ack/nul flood added, and perhaps some other ones which I can't remember now. David Dittritch (or however he spells his name) has added stacheldraht-1.666+yps to his ddos tool list as "stacheldraht-2"; look in that list for more info.

Kind Regards / Fredrik
There is a kiddy called torn which is currently attacking ircnet and efnet servers (trying to take down oper channels) with new versions of the DDoS agent. I expect this is a rootkit/DDoS distribution made by him, the first I've seen so far. It seems that the rootkit is a variation of a customized version of lrk5 that I've seen before already, on incidents, I think. It looks like a fully featured rootkit, so expect replaced binaries, booby traps, etc. on the system.

In this case, t0rnserv was listening on port 60001.

tcp or udp?

There is a README file there, with a date of Feb 5.. I think it's safe to assume that this one came out then. According to my info, it is undergoing active development and being installed on more hosts... so keep an eye out ;/

-- hub version: 1.666+smurf+yps --

distributed smurf, that's pretty new for the stacheldraht tool. what is yps? anybody know a public DoS method with that name?
# more pw.h
/* created password for masterserver */
#define SALT "zAE1nir9mBWTY\0"

looks like a uuencoded hash... let's try john the ripper

bash$ echo root:zAE1nir9mBWTY:0:0:::: > test ; john test
Loaded 1 password (Standard DES [32/32 BS])

Standard crypt()-DES hash, not too strong :)

PS: If you still have the files, I'd be interested in getting a copy.
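The identification step above (a 13-character string of the crypt(3) alphabet is a traditional DES hash, salt in the first two characters) is something an analyst does repeatedly when pulling credentials out of recovered kits. The following Python is an added example, not code from this thread or from any of the tools discussed: it extracts the string literal from a `#define` line like the one in pw.h (stopping at the embedded `\0` as C would), tells the traditional DES layout apart from the modular `$id$...` schemes, and reports the parameters that bound a guessing attack (salt size, password truncation, iteration count). The `pw.h` line embedded in the script is constructed from the one quoted above; the function names and the `_MODULAR_SCHEMES` table are my own.

```python
import re

# Output alphabet of traditional crypt(3): 64 symbols, 6 bits each.
_DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# A C preprocessor define of a string literal, e.g. #define SALT "..."
_DEFINE_RE = re.compile(r'#define\s+(\w+)\s+"((?:[^"\\]|\\.)*)"')

# Modular-crypt identifiers this example understands (assumed table, not from the thread).
_MODULAR_SCHEMES = {
    "1": "MD5-crypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
}


def extract_c_string_define(line):
    """Return (name, value) for a '#define NAME "literal"' line, or None.

    The value is cut at the first embedded \\0, since C treats that as the
    end of the string; 'zAE1nir9mBWTY\\0' therefore yields 'zAE1nir9mBWTY'.
    """
    m = _DEFINE_RE.search(line)
    if not m:
        return None
    name, raw = m.group(1), m.group(2)
    return name, raw.split("\\0", 1)[0]


def classify_crypt_hash(h):
    """Identify the crypt(3) scheme of a hash string.

    Returns a dict describing the scheme, its salt and the parameters that
    bound a guesser's work, or None when the string matches no known layout.
    """
    if _DES_HASH_RE.match(h):
        # Traditional DES: 2-char salt (12 bits), 11-char hash, password
        # truncated to 8 characters (7 bits each), 25 DES iterations.
        return {
            "scheme": "traditional DES crypt",
            "salt": h[:2],
            "salt_bits": 12,
            "max_password_len": 8,
            "work_factor": 25,
        }
    if not h.startswith("$"):
        return None
    parts = h.split("$")[1:]          # "$6$salt$hash" -> ["6", "salt", "hash"]
    if len(parts) < 3:
        return None
    name = _MODULAR_SCHEMES.get(parts[0])
    if name is None:
        return None
    if name == "bcrypt":
        # "$2b$<cost>$<22-char salt><31-char hash>"; salt is 16 bytes, cost is log2 of rounds.
        body = parts[2]
        if len(body) != 53:
            return None
        return {
            "scheme": name,
            "salt": body[:22],
            "salt_bits": 128,
            "max_password_len": 72,
            "work_factor": 2 ** int(parts[1]),
        }
    # MD5-crypt / SHA-crypt: "$id$[rounds=N$]salt$hash"
    fields = parts[1:]
    rounds = 1000 if name == "MD5-crypt" else 5000      # the schemes' default iteration counts
    if fields[0].startswith("rounds="):
        rounds = int(fields[0][len("rounds="):])
        fields = fields[1:]
    if len(fields) < 2 or not fields[0]:
        return None
    salt = fields[0]
    return {
        "scheme": name,
        "salt": salt,
        "salt_bits": 6 * len(salt),
        "max_password_len": None,   # these schemes do not truncate the password
        "work_factor": rounds,
    }


def is_legacy_scheme(info):
    """True for schemes whose salt size or iteration count no longer slows guessing much."""
    return info is not None and info["scheme"] in ("traditional DES crypt", "MD5-crypt")


if __name__ == "__main__":
    # Constructed sample: the kind of line quoted from the kit's pw.h above.
    sample = r'#define SALT "zAE1nir9mBWTY\0"'
    name, value = extract_c_string_define(sample)
    print(name, value, classify_crypt_hash(value), is_legacy_scheme(classify_crypt_hash(value)))
```

The point the classifier makes explicit is why "not too strong" is the right verdict: with 4096 possible salts, an 8-character cap and 25 DES rounds, a traditional crypt hash offers little resistance compared with the `$6$` or bcrypt outputs the same function handles, so a master-server password stored this way in a captured kit should be treated as recoverable.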