Security Incidents mailing list archives

Re: t0rn


From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Sun, 10 Sep 2000 09:38:08 -0000

Hi!
I believe t0rn and Danny-boy work on the same net and are killing ircnet/efnet ircds. We have a copy of Danny-boy's newest rootkit for linux/sunos; the Linux version is (probably) made by t0rn and is the same kit as t0rnkit but with small changes, some echoes and such things. If I have time, I can put out an analysis of this kit. I got shitloads of work to do anyhow, so I will see what I can do. However, +yps is made by psychoid: some bugs removed from the normal stacheldraht+1.666 source, and added ack/nul flood and perhaps some other ones which I can't remember now. David Dittrich (or however he spells his name) has added stacheldraht-1.666+yps to his ddos tool list as "stacheldraht-2"; look in that list for more info.

Kind Regards

/ Fredrik

There is a kiddy called torn which is currently attacking ircnet and efnet servers (trying to take down oper channels) with new versions of the DDoS agent. I expect this is a rootkit/DDoS distribution made by him, the first I've seen so far. It seems that the rootkit is a variation of a customized version of lrk5 that I've seen before, on incidents, I think. It looks like a fully featured rootkit, so expect replaced binaries, booby traps, etc. on the system.

In this case, t0rnserv was listening on port 60001.
tcp or udp?

There is a README file there, with a date of Feb 5. I think it's safe to assume that this one came out then.
According to my info, it is undergoing active development and being installed on more hosts... so keep an eye out ;/

-- hub version: 1.666+smurf+yps --
Distributed smurf, that's pretty new for the stacheldraht tool.
What is yps? Anybody know a public DoS method with that name?

# more pw.h
/* created password for masterserver */

#define SALT "zAE1nir9mBWTY\0"
Looks like a uuencoded hash... let's try john the ripper:
bash$ echo root:zAE1nir9mBWTY:0:0:::: > test ; john test
Loaded 1 password (Standard DES [32/32 BS])

Standard crypt()-DES hash, not too strong :)

PS: If you still have the files, I'd be interested in getting a copy.
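The quoted pw.h fragment and the john run illustrate that a traditional crypt(3) string is recognisable by shape alone: 13 characters from the 64-symbol crypt alphabet, the first two being the salt. The following Python is an added example, not code from the thread or from any tool it mentions. It pulls the SALT literal out of a C header the way the poster read pw.h, then classifies the password field of passwd/shadow-style lines by scheme, flagging DES crypt and other weak schemes for migration rather than attempting to crack them. The root line and the pw.h text are the ones quoted above; the other passwd lines, and all function names, are constructed for this example.

```python
"""Flag weak crypt(3) password hashes in passwd/shadow-style files.

Added example (not code from the mailing list thread). Identifies the hash
scheme purely from its format; it does not attempt to crack anything.
"""
import codecs
import re
from dataclasses import dataclass

# Traditional DES crypt(3): 2-char salt + 11-char digest, all drawn from the
# 64-character crypt alphabet [./0-9A-Za-z].
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: "$<id>$..." as used by glibc, OpenBSD and others.
_MCF = re.compile(r"^\$(?P<id>[^$]+)\$")
_MCF_SCHEMES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
# Schemes an audit should flag for migration.
WEAK_SCHEMES = {"des-crypt", "md5crypt", "unrecognized"}


@dataclass
class HashInfo:
    user: str
    scheme: str
    weak: bool
    note: str


def classify_hash(field: str):
    """Return (scheme, weak, note) for one password-field value."""
    if field in ("", "*", "x") or field.startswith("!"):
        return "none", False, "locked, disabled, or stored elsewhere (x = shadow)"
    m = _MCF.match(field)
    if m:
        scheme = _MCF_SCHEMES.get(m.group("id"), "unrecognized")
        return scheme, scheme in WEAK_SCHEMES, "modular crypt format, id=" + m.group("id")
    if _DES_CRYPT.match(field):
        note = (f"traditional DES crypt, salt={field[:2]!r}: 12-bit salt, "
                "password truncated to 8 characters")
        return "des-crypt", True, note
    return "unrecognized", True, "does not match any known crypt(3) format"


def audit_passwd_lines(lines):
    """Classify the second field of each passwd/shadow-style line."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, weak, note = classify_hash(fields[1])
        results.append(HashInfo(fields[0], scheme, weak, note))
    return results


def extract_define_string(header_text: str, macro: str):
    """Pull the C string literal out of '#define MACRO "..."', unescape it,
    and drop anything from an embedded NUL on (the "\\0" seen in pw.h)."""
    pattern = r'#define\s+' + re.escape(macro) + r'\s+"((?:[^"\\]|\\.)*)"'
    m = re.search(pattern, header_text)
    if not m:
        return None
    value = codecs.decode(m.group(1), "unicode_escape")
    return value.split("\x00", 1)[0]


# Sample input: the pw.h fragment and the root line are quoted in the thread;
# the remaining passwd lines are constructed for this example.
SAMPLE_PW_H = '/* created password for masterserver */\n\n#define SALT "zAE1nir9mBWTY\\0"\n'
SAMPLE_PASSWD = [
    "root:zAE1nir9mBWTY:0:0::::",
    "alice:$6$constructedsalt$constructedsha512digestvalue:1000:1000::/home/alice:/bin/sh",
    "bob:$1$constsalt$constructedmd5digest:1001:1001::/home/bob:/bin/sh",
    "svc:!:1002:1002::/nonexistent:/usr/sbin/nologin",
]

if __name__ == "__main__":
    print("SALT from pw.h:", extract_define_string(SAMPLE_PW_H, "SALT"))
    for info in audit_passwd_lines(SAMPLE_PASSWD):
        flag = "WEAK" if info.weak else "ok  "
        print(f"{flag} {info.user:<8} {info.scheme:<12} {info.note}")
```

Run against a real shadow file, the same audit_passwd_lines() call tells you which accounts still carry a 13-character DES string and therefore an 8-character effective password length and a 4096-way salt, which is the property that makes the quoted john run cheap.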
