Security Incidents mailing list archives

yes, it's t0rn again


From: johnathan curst <john_curst () YAHOO COM>
Date: Mon, 1 Jan 2001 17:19:37 -0000

Hello Again,
t0rn is back and seems like the author has been 
paying attention.

First off, the compromised machine:
Redhat 7 (standard lpd exploit used - worm?)

Standard binaries were replaced as always, as were 
libproc.a, libproc.so.2.0.6 and libproc.so, and ldconfig was 
run. (Notice a change compared to old versions?)

Another substantial change which I picked up on 
was while setting up a honeypot: I did the usual 
md5sum binary outputs saved onto a non-writeable 
floppy, but the crontabbed script which was checking 
for any changes to the md5sum results was unable 
to pick up on any difference even though the hacker's 
binaries replaced mine. (Any ideas?) Hence it took 
me longer to detect the compromise.

The only reason that I actually found out that I had been 
compromised was because the machine was 
transmitting a large amount of data (stachel daemon), 
which then resulted in me ripping the machine apart, 
reinstalling the required files and finding the kit. 

I managed to capture the README file of the rootkit 
and a few binaries: 
http://www.geocities.com/john_curst/tk8-readme.txt if 
anyone is interested.

If anyone has the full version of this kit, I would be 
highly obliged if they could forward it to me.

Regards,
Johnathan 
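The post describes the usual defender's integrity check: checksums of the system binaries saved to a non-writeable floppy and a cron job that re-checks them. The script below is an added example (not part of the original message, and not the poster's script) of that baseline-and-verify loop. It computes its own digests with Python's hashlib instead of invoking the system md5sum, so the check does not depend on binaries or libraries of the kind the post says the kit replaces (the standard binaries, libproc). The directory, the file names under it and the "trojaned" contents are constructed for the demo; on a real host you would point it at the binaries and the libproc files named in the post.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB blocks


def hash_file(path):
    """Return the SHA-256 hex digest of a file, computed in-process (no md5sum binary)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Record digests for the given files under root.

    Run once on a known-clean host and store the result on read-only media,
    as the post does with its md5sum output on a non-writeable floppy.
    """
    root = Path(root)
    return {rel: hash_file(root / rel) for rel in rel_paths}


def check_baseline(root, baseline):
    """Compare live files against the baseline.

    Returns {relative_path: 'ok' | 'modified' | 'missing'} so a cron job can
    alert on anything that is not 'ok'.
    """
    root = Path(root)
    report = {}
    for rel, expected in baseline.items():
        p = root / rel
        if not p.is_file():
            report[rel] = "missing"
        elif hash_file(p) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def demo():
    """Constructed scenario: baseline three fake binaries, then replace one and delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Stand-ins for the system binaries; contents are made up for the demo.
        files = {
            "bin/ls": b"original ls\n",
            "bin/ps": b"original ps\n",
            "bin/netstat": b"original netstat\n",
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        baseline = build_baseline(root, list(files))

        # Simulate what a kit does: swap one binary for a replacement, remove another.
        (root / "bin/ps").write_bytes(b"replaced ps\n")
        (root / "bin/netstat").unlink()

        return check_baseline(root, baseline)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s} {path}")
```

Two design points follow from the post. First, the checker reads and hashes files itself; a cron script that pipes `ls` or `md5sum` output around inherits whatever those programs report, so if they are among the replaced binaries the comparison can come back clean. Second, the baseline alone is not enough: the interpreter and the script that do the comparing should also live on the read-only media, and the replaced shared libraries the post lists (libproc.a, libproc.so) belong in the file list alongside the binaries.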

