Security Incidents mailing list archives
The origins of t0rnkit ?
From: Masial <masial () SECURED ORG>
Date: Mon, 18 Sep 2000 12:09:37 -0400
Hi list, I am somewhat of a newcomer here. I read the archives but I'm not yet very familiar with this list, so please don't lapidate me :)

I was recently asked by a friend to look over a box that was hacked using the now popular wu-ftpd exploit. Sure enough, a rootkit was installed on his box and we have been looking at this. As I had been through the CERT paper recently, my first guess was that the kit used on his box was the t0rnkit; however, I am no longer certain of this. I have got a copy of the t0rnkit (thanks to johnathan curst) and started to compare it with stuff found on my system.

Similarities: A directory under /dev/ contained a list of files describing the stuff to hide. In my case they were under /dev/sdc0/.nfs01/ -- files found there included .1addr, .1file, .1logz and .1proc. Those files had the same use that they have in the t0rnkit, .1addr = addresses to hide in netstat et al., etc. (I assume the t0rnkit is known to most of you.)

Differences: My system contained the 't0rnsb' file in its original form, 'sauber'. The log parser was named 'm4c3parse' and the sniffer 'm4c3system'. Now what's interesting is, the 'sauber' script ends with a German comment "Alles sauber mein Meister" ("All clean, my master") and my .1addr file (addresses to hide) contained 2 IP blocks that belong to German ISPs. This leads me to think that this might be the original source of this t0rnkit.

I am still gathering the files from around the system to build what was originally in this kit (unknown to me); when I am completed I will gladly post it here. I believe it is appropriate content for this list?

Questions: Does this ring a bell for anyone? Is this a known kit? Did anyone do an analysis of t0rnkit? What is the interface of the 'in.inetd' backdoor? Anyone have a client? Someone mentioned t0rn being a custom lrk5, where could I get that?

M. (somehow, hackers find my domain 'challenging')
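The two artifacts the post describes, hide-lists kept as regular files under /dev (here /dev/sdc0/.nfs01/.1addr and friends) and a netstat that suppresses any connection matching an entry in .1addr, can both be checked from a clean shell. The script below is an added example, not code from the original post or from the kit's author: it walks a /dev tree for regular files (a stock /dev holds device nodes, FIFOs, symlinks and directories, so a regular file there, let alone one named .1addr, is a hit), then decodes /proc/net/tcp directly and diffs it against the suspect netstat's output for addresses that match a hide-list entry. Assumptions: the hide-list is one entry per line and is matched as a substring the way lrk-style netstat patches do; the /dev tree, hide-list, /proc/net/tcp lines and netstat output are all constructed (RFC 5737 documentation ranges stand in for the German blocks in the post).

```python
#!/usr/bin/env python3
"""Triage helpers for a t0rnkit-style install (added example, not the kit's code).

Assumed layout: hide-lists are plain regular files under /dev, one entry per
line, and the trojaned netstat drops any line containing an .1addr entry.
All sample data in this file is constructed for the demonstration.
"""
import os
import stat
import tempfile

HIDE_LIST_NAMES = {".1addr", ".1file", ".1logz", ".1proc"}

# Constructed hide-list: two address prefixes the kit wants netstat to hide.
SAMPLE_HIDE_ADDRS = "192.0.2.\n198.51.100.\n"

# Constructed /proc/net/tcp: the kernel's own view, addresses in little-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0A00000A:0016 1400000A:10E1 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0A00000A:0016 050200C0:0B0C 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 0A00000A:0016 076433C6:1F90 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
"""

# Constructed output of the suspect netstat -an: the two hidden peers are gone.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.10:22            10.0.0.20:4321          ESTABLISHED
"""


def regular_files_under(dev_root):
    """Regular files below dev_root, relative to it, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(dev_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):  # lstat: do not follow symlinks
                hits.append(os.path.relpath(path, dev_root))
    return sorted(hits)


def flag_hide_lists(paths):
    """Subset of paths whose basename matches a known t0rnkit hide-list name."""
    return [p for p in paths if os.path.basename(p) in HIDE_LIST_NAMES]


def parse_hide_list(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def proc_net_tcp_addresses(text):
    """Decode remote IPv4 addresses from /proc/net/tcp lines (skips the header)."""
    addrs = set()
    for ln in text.splitlines()[1:]:
        fields = ln.split()
        if len(fields) < 3:
            continue
        hexip = fields[2].split(":")[0]
        octets = [int(hexip[i:i + 2], 16) for i in (6, 4, 2, 0)]  # little-endian
        addrs.add("%d.%d.%d.%d" % tuple(octets))
    return addrs


def netstat_addresses(text):
    """Foreign addresses as printed by netstat -an (5th column, port stripped)."""
    addrs = set()
    for ln in text.splitlines():
        fields = ln.split()
        if len(fields) >= 5 and fields[0].startswith("tcp"):
            addrs.add(fields[4].rsplit(":", 1)[0])
    return addrs


def hidden_connections(hide_entries, proc_addrs, netstat_addrs):
    """Peers the kernel knows about, matched by a hide entry, missing from netstat."""
    return sorted(a for a in proc_addrs
                  if any(e in a for e in hide_entries) and a not in netstat_addrs)


def demo_dev_scan():
    """Build a constructed /dev look-alike and return its regular files."""
    with tempfile.TemporaryDirectory() as root:
        nest = os.path.join(root, "sdc0", ".nfs01")
        os.makedirs(nest)
        for name in sorted(HIDE_LIST_NAMES):
            with open(os.path.join(nest, name), "w") as fh:
                fh.write(SAMPLE_HIDE_ADDRS if name == ".1addr" else "")
        os.makedirs(os.path.join(root, "pts"))          # ordinary subdirectory
        os.symlink("/proc/self/fd/0", os.path.join(root, "stdin"))  # ordinary symlink
        if hasattr(os, "mkfifo"):
            os.mkfifo(os.path.join(root, "initctl"))    # ordinary FIFO
        return regular_files_under(root)


if __name__ == "__main__":
    found = demo_dev_scan()
    print("regular files under /dev:", found)
    print("hide-lists:", flag_hide_lists(found))
    print("hidden by netstat:", hidden_connections(
        parse_hide_list(SAMPLE_HIDE_ADDRS),
        proc_net_tcp_addresses(SAMPLE_PROC_NET_TCP),
        netstat_addresses(SAMPLE_NETSTAT)))
```

On a live system point regular_files_under at the real /dev and feed proc_net_tcp_addresses the contents of /proc/net/tcp rather than the sample; the comparison only means something if the netstat output comes from the suspect binary while /proc is read directly, since a trojaned netstat is exactly what the hide-list is for.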
Current thread:
- The origins of t0rnkit ? Masial (Sep 18)
- Re: The origins of t0rnkit ? techno (Sep 19)
- Re: The origins of t0rnkit ? Gerrie (Sep 20)
- <Possible follow-ups>
- Re: The origins of t0rnkit ? Guilherme Mesquita (Sep 20)
- Re: The origins of t0rnkit ? David Masten (Sep 21)
- Re: The origins of t0rnkit ? Fredrik Ostergren (Sep 25)
- Re: The origins of t0rnkit ? techno (Sep 19)