Security Incidents mailing list archives
yes, its t0rn again
From: johnathan curst <john_curst () YAHOO COM>
Date: Mon, 1 Jan 2001 17:19:37 -0000
Hello Again,

t0rn is back, and it seems like the author has been paying attention.

First off, the compromised machine: Red Hat 7 (standard lpd exploit used - worm?). Standard binaries were replaced as always, as were libproc.a, libproc.so.2.0.6 and libproc.so, and ldconfig was run. (Notice a change compared to old versions?)

Another substantial change which I picked up on was while setting up a honeypot: I did the usual md5sum binary outputs saved onto a non-writeable floppy, but the crontabbed script which was checking for any changes to the md5sum results was unable to pick up on any difference, even though the hacker's binaries replaced mine. (Any ideas?) Hence it took me longer to detect the compromise.

The only reason that I actually found out that I had been compromised was because the machine was transmitting a large amount of data (stachel daemon), which then resulted in me ripping the machine apart, reinstalling the required files and finding the kit.

I managed to capture the README file of the rootkit and a few binaries: http://www.geocities.com/john_curst/tk8-readme.txt if anyone is interested.

If anyone has the full version of this kit, I would be highly obliged if they could forward it to me.

Regards,
Johnathan
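An added example, not part of the original post or thread: a baseline comparison of the kind the post describes, hashing files in-process with Python's hashlib rather than running the host's md5sum binary, and using SHA-256 in place of MD5. The file names and contents are constructed stand-ins, and the example does not establish why the poster's check missed the replacement.

```python
import hashlib
import os
import tempfile

def digest(path, algo="sha256"):
    """Hash a file in-process, without calling the host's md5sum binary."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(paths, manifest):
    """Write a baseline in the 'HEX  PATH' layout that sha256sum emits."""
    with open(manifest, "w") as out:
        for p in sorted(paths):
            out.write(f"{digest(p)}  {p}\n")

def check_manifest(manifest):
    """Return {path: 'CHANGED' | 'MISSING'} for entries that differ from the baseline."""
    findings = {}
    with open(manifest) as f:
        for line in filter(str.strip, f):  # skip blank lines
            expected, rest = line.rstrip("\n").split(" ", 1)
            path = rest[1:]  # drop the text/binary marker (' ' or '*')
            if not os.path.exists(path):
                findings[path] = "MISSING"
            elif digest(path) != expected:
                findings[path] = "CHANGED"
    return findings

def demo():
    """Constructed sample: stand-in files named after those in the post."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("libproc.so.2.0.6", "ps", "ls")}
        for name, p in paths.items():
            with open(p, "wb") as f:
                f.write(b"original " + name.encode())
        manifest = os.path.join(d, "baseline.sha256")  # in practice: read-only media
        write_manifest(paths.values(), manifest)
        lib = paths["libproc.so.2.0.6"]
        st = os.stat(lib)
        with open(lib, "wb") as f:
            f.write(b"replaced " + b"libproc.so.2.0.6")  # same size as the original
        os.utime(lib, (st.st_atime, st.st_mtime))  # timestamps put back
        os.remove(paths["ls"])
        return {os.path.basename(p): s for p, s in check_manifest(manifest).items()}

if __name__ == "__main__":
    print(demo())
```

The replaced file keeps its size and timestamps, so only the content digest exposes it. A checker that runs on the monitored host still depends on that host's interpreter, libraries and kernel, so the baseline and the checker are best run from trusted media.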