Security Incidents mailing list archives

Re: t0rn


From: Kevin Houle <kjh () CERT ORG>
Date: Tue, 12 Sep 2000 10:25:05 -0400

Mixter wrote:

There is a kiddy called torn which is currently attacking ircnet
and efnet servers (trying to take down oper channels) with new versions
of the DDoS agent, I expect this is a rootkit/DDoS distribution made by
him, the first I've seen so far. It seems that the rootkit is a variation
of a customized version of lrk5, that I've seen before already, on incidents,
I think. It looks like a fully featured rootkit, so expect replaced binaries,
booby traps, etc. on the system.

We first saw 't0rnkit 7.0' on 5/30/2000. The install shell
script for t0rnkit does several things:

 - replaces /usr/bin/login and moves the original to
   /usr/bin/xlogin
 - moves trojan horse config files, t0rnsniff (password sniffer),
   t0rnparse (parser for sniffer output), sshbd.tgz (trojan horse
   sshd), and sauber (log cleaner) into /dev/sdc0/.nfs01/
 - replaces /usr/sbin/in.telnetd with t0rndemon
 - appends the following to either /etc/rc.d/rc.sysinit or
   /etc/rc.d/rc.local
       if [ -x /usr/sbin/in.inetd ]; then
          /usr/sbin/in.inetd -s
       fi
 - replaces /bin/ps, /usr/bin/top, /usr/bin/du, /bin/netstat,
   and /bin/ls with trojan horse copies
 - attempts to ensure telnet is enabled in /etc/inetd.conf
 - moves /etc/hosts.deny to /etc/host.deny if it contains the
   string 'ALL'
 - restarts inetd

The kit we have seen targets Linux, Red Hat distributions in
particular.

Regards,
Kevin


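A defender-side check for the installer artifacts Kevin lists, written as an added example that is not part of the original post or of any CERT tooling. It assumes the paths exactly as given in the list (xlogin, /dev/sdc0/.nfs01, the in.inetd line in rc.sysinit/rc.local, host.deny) and, for the replaced-binary check, an RPM-based Red Hat host.

```shell
#!/bin/sh
# Added example: looks for the on-disk artifacts the t0rnkit installer leaves
# behind, as listed in Kevin Houle's reply. Argument: filesystem root to inspect
# (mount the suspect disk from trusted media and pass the mount point; on the
# live host ls/ps/netstat may themselves be the trojan horse copies).
# Prints one "HIT:" line per indicator; returns 1 if anything was found, 0 if clean.

t0rn_check() {
    root="${1:-}"; root="${root%/}"   # "" means the live root filesystem
    hits=0

    # Installer replaces /usr/bin/login and moves the original to /usr/bin/xlogin.
    if [ -e "$root/usr/bin/xlogin" ]; then
        echo "HIT: $root/usr/bin/xlogin exists (original login displaced)"; hits=$((hits + 1))
    fi

    # Drop directory for t0rnsniff, t0rnparse, sshbd.tgz and sauber.
    if [ -d "$root/dev/sdc0/.nfs01" ]; then
        echo "HIT: hidden directory $root/dev/sdc0/.nfs01 present"; hits=$((hits + 1))
    fi

    # Persistence: "/usr/sbin/in.inetd -s" appended to rc.sysinit or rc.local.
    for f in "$root/etc/rc.d/rc.sysinit" "$root/etc/rc.d/rc.local"; do
        if [ -f "$f" ] && grep -q '/usr/sbin/in\.inetd -s' "$f"; then
            echo "HIT: $f starts /usr/sbin/in.inetd (t0rndemon persistence)"; hits=$((hits + 1))
        fi
    done

    # TCP wrappers deny list renamed so it no longer applies.
    if [ -e "$root/etc/host.deny" ] && [ ! -e "$root/etc/hosts.deny" ]; then
        echo "HIT: /etc/hosts.deny renamed to /etc/host.deny"; hits=$((hits + 1))
    fi

    # Replaced ps/top/du/netstat/ls: on a live Red Hat host let rpm verify them.
    # Only meaningful if rpm and its database are intact; an offline image should
    # instead be compared against package checksums taken from clean media.
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        for b in /bin/ps /usr/bin/top /usr/bin/du /bin/netstat /bin/ls; do
            [ -f "$b" ] && rpm -Vf "$b" 2>/dev/null | grep -q "$b" && {
                echo "HIT: rpm verify flags $b as modified"; hits=$((hits + 1)); }
        done
    fi

    echo "t0rnkit indicators found: $hits" >&2
    [ "$hits" -eq 0 ]
}

# Usage: t0rn_check /mnt/suspect    (or: t0rn_check "" for the live root)
```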

