Security Incidents mailing list archives

Re: t0rn


From: Mixter <mixter () 2XS CO IL>
Date: Sat, 9 Sep 2000 17:34:18 +0200

There is a kiddy called torn which is currently attacking ircnet
and efnet servers (trying to take down oper channels) with new versions
of the DDoS agent, I expect this is a rootkit/DDoS distribution made by
him, the first I've seen so far. It seems that the rootkit is a variation
of a customized version of lrk5, that I've seen before already, on incidents,
I think. It looks like a fully featured rootkit, so expect replaced binaries,
booby traps, etc. on the system.

In this case, t0rnserv was listening on port 60001.
tcp or udp?

There is a README file there, with a date of Feb 5.. I
think it's safe to assume that his one came out then.
according to my info, it is undergoing active development
and being installed on more hosts... so keep an eye out ;/

-- hub version: 1.666+smurf+yps --
distributed smurf, that's pretty new for the stacheldraht tool
what is yps? anybody know a public DoS method with that name?

# more pw.h
/* created password for masterserver */

#define SALT "zAE1nir9mBWTY\0"
looks like a uuencoded hash... let's try john the ripper
bash$ echo root:zAE1nir9mBWTY:0:0:::: > test ; john test
Loaded 1 password (Standard DES [32/32 BS])

Standard crypt()-DES hash, not too strong :)

PS: If you still have the files, I'd be interested in getting a copy.
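
Added example, not part of the original message: since the message warns of replaced binaries, this sketch answers the "tcp or udp?" question for port 60001 by parsing /proc/net/tcp and /proc/net/udp text directly rather than trusting netstat on the suspect host. The function names and sample rows are constructed for illustration; it assumes IPv4 and a little-endian Linux host.

```python
import socket

SUSPECT_PORT = 60001  # port reported for t0rnserv in the message above

# Constructed sample rows in /proc/net/tcp and /proc/net/udp layout,
# truncated to the first four columns.
SAMPLE_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 00000000:EA61 00000000:0000 0A
   2: 0A00000A:0401 C0A80001:EA61 01
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st
   0: 00000000:006F 00000000:0000 07
"""

# Kernel state codes: TCP 0A = LISTEN, UDP 07 = bound and unconnected.
BOUND_STATE = {"tcp": "0A", "udp": "07"}


def parse_proc_net(text, proto):
    """Yield (proto, local_ip, local_port, state) for each socket row."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # Assumption: little-endian host, so the IPv4 bytes are reversed.
        ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
        yield proto, ip, int(port_hex, 16), fields[3]


def find_bound(port, tcp_text, udp_text):
    """Return [(proto, ip, port)] for sockets waiting for traffic on port."""
    hits = []
    for proto, text in (("tcp", tcp_text), ("udp", udp_text)):
        for p, ip, lport, state in parse_proc_net(text, proto):
            # Only the local port counts; row 2 above merely talks to 60001.
            if lport == port and state == BOUND_STATE[proto]:
                hits.append((p, ip, lport))
    return hits


if __name__ == "__main__":
    # On a live host, pass the contents of /proc/net/tcp and /proc/net/udp.
    for hit in find_bound(SUSPECT_PORT, SAMPLE_TCP, SAMPLE_UDP):
        print("bound socket: %s %s:%d" % hit)
```

This only sidesteps replaced userland binaries; a kernel-level rootkit can hide entries from /proc as well, so compare against a scan from another machine.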

