Re: The origins of t0rnkit ?

[Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>]

Hi!
1.) CERT have an analysis out of t0rnkit. 
2.) This one is a modified (older version) of t0rnkit, 
modified to suit the needs of a script kiddie called 
Mace. 
3.) Lrk5 or newer is available from 
ftp.technotronic.com

Kind Regards

/ Fredrik.

> Hi list,
>
> I am somewhat of a newcommer here, I read the 
archives but im not yet very
> familiar with this list so please dont lapidate me :)
>
> I was recently asked by a friend to look over a box 
that was hacked using
> the now popular wu-ftpd exploit. Surely enough, a 
rootkit was installed on
> his box and we have been looking at this. As I had 
been tru the CERT paper
> recently, my first guess was that the kit used on his 
box was the t0rnkit,
> however, i am no longer certain of this. I have got a 
copy of the t0rnkit
> (thanks to johnathan curst) and started to compare 
it with stuff found on my
> system.
>
> Similarities:
>
> A directory under /dev/ contained a list of files 
describing the stuff to
> hide. In my case they were 
under /dev/sdc0/.nfs01/ -- files found there
> included .1addr, .1file, .1logz and .1proc. Those 
files had the same use
> that they have in the t0rnkit, .1addr=adresses to 
hide in netstat et al...
> etc. (i assume the t0rnkit is known to most of you).
>
> Differences:
>
> My system contained the 't0rnsb' file in its original 
form 'sauber'. The log
> parser was named 'm4c3parse' and the 
sniffer 'm4c3system'. Now whats
> interesting is, the 'sauber' script ends with a 
german comment "Alles sauber
> mein Meister" and my .1addr file (adresses to hide) 
contained 2 IP blocks
> that belong to german ISPs. This leads me to think 
that this might be the
> original source of this t0rnkit.
>
> I am still gathering the files from around the system 
to build what was
> originally in this kit (unknown to me), when i am 
completed i will gladly
> post it here. I belive it is appropriate content for this 
list?
> Questions:
>
> Does this ring a bell for anyone?
> Is this a known kit?
> Did anyone do an analysis of t0rnkit?
> What is the interface of the 'in.inetd' backdoor? 
Anyone have a client?
> Someone mentioned t0rn being a custom lrk5, 
where could i get that?
> M.
>
> (somehow, hackers find my domain 'challenging')