Security Incidents mailing list archives
Re: yes, its t0rn again
From: Michael Damm <miked () ACCESSNW NET>
Date: Mon, 1 Jan 2001 21:36:03 -0800
Just curious if anyone has turned up any more bits of the new t0rn kit and reported them to you... I am very interested in its ability to avoid md5 checksums. I'm guessing it simply trojans your local copy of md5sum, given it's installed in the default location. I knew there was a good reason I built my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/ =)

Anyway, if you have any more info, I would love to dig into it.

-Thanks,
Michael Damm
Network Operations and IT Security Department
Access Northwest, LLC.
---
Business: miked () accessnw net - http://www.accessnw.net/ - (509) 542-3221
Personal: symetrix () symetrix org - http://www.symetrix.org/ - (877) 534-6247

On Mon, 1 Jan 2001, johnathan curst wrote:
Hello Again,

t0rn is back and seems like the author has been paying attention.

First off the compromised machine: Redhat 7 (standard lpd exploit used - worm?)

Standard binaries were replaced as always, as were libproc.a, libproc.so.2.0.6, libproc.so and ldconfig was run. (Notice a change compared to old versions?)

Another substantial change which I picked up on was while setting up a honeypot: I did the usual md5sum binary outputs saved onto a non-writeable floppy, but the crontabbed script which was checking for any changes to the md5sum results was unable to pick up on any difference even though the hackers' binaries replaced mine. (Any ideas?) Hence it took me longer to detect the compromise.

The only reason that I actually found out that I had been compromised was because the machine was transmitting a large amount of data (stachel daemon), which then resulted in me ripping the machine apart and reinstalling the required files and finding the kit.

Managed to capture the README file of the rootkit and a few binaries, http://www.geocities.com/john_curst/tk8-readme.txt if anyone is interested. If anyone has the full version of this kit, I would be highly obliged if they could forward it to me.

Regards,
Johnathan
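The detection failure both posters describe (a baseline of md5sum output on read-only media, and a cron check that never fires because the hashing tool itself is suspect) can be avoided by recomputing digests with an independent implementation and by cross-checking the host tool against it. The following is an added example, not code from either poster; it assumes the baseline is in md5sum's "digest  path" format, and the tampered tool is simulated by feeding the stale baseline back in as if it were the tool's live output.

```python
import hashlib
import os
import tempfile

def independent_md5(path):
    """MD5 computed in-process with hashlib, never by calling the host's md5sum."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_md5sum_output(text):
    """Parse 'digest  path' lines, the format md5sum writes (baseline or live run)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[1].strip()] = parts[0].lower()
    return entries

def verify_baseline(baseline_text):
    """Paths whose independently computed digest no longer matches the baseline."""
    changed = []
    for path, digest in parse_md5sum_output(baseline_text).items():
        current = independent_md5(path) if os.path.exists(path) else None
        if current != digest:
            changed.append(path)
    return changed

def cross_check_tool(tool_output_text):
    """Paths where the host md5sum's reported digest disagrees with hashlib's.
    Any disagreement means the hashing tool itself, not just the file, is suspect."""
    return [p for p, d in parse_md5sum_output(tool_output_text).items()
            if os.path.exists(p) and independent_md5(p) != d]

def demo():
    """Constructed scenario: baseline saved, binary replaced, tampered tool still
    echoes the old digest. Returns (changed_paths, tool_disagreement_paths)."""
    d = tempfile.mkdtemp()
    ls = os.path.join(d, "ls")
    with open(ls, "wb") as f:
        f.write(b"original ls\n")
    baseline = "%s  %s\n" % (independent_md5(ls), ls)  # copy kept on read-only media
    with open(ls, "wb") as f:
        f.write(b"replaced ls\n")  # the kit swaps the binary
    return verify_baseline(baseline), cross_check_tool(baseline)  # stale output = tampered tool
```

Run the checker from media the host cannot modify, and treat any path returned by cross_check_tool as evidence against the hashing tool, not only the file.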
Current thread:
- yes, its t0rn again johnathan curst (Jan 01)
- Re: yes, its t0rn again Michael Damm (Jan 01)
- Re: yes, its t0rn again Joe Stewart (Jan 02)
- Message not available
- Re: yes, its t0rn again MadHat (Jan 02)
- Re: yes, its t0rn again Jonas Luster (Jan 02)
- Re: yes, its t0rn again MadHat (Jan 02)
- Re: yes, its t0rn again Michael Damm (Jan 01)
- Re: yes, its t0rn again Andrew Edelstein (Jan 03)
- Re: yes, its t0rn again Andreas Hasenack (Jan 03)
- Re: yes, its t0rn again Helmut Springer (Jan 04)
- Re: yes, its t0rn again Aaron (Jan 06)
- Re: yes, its t0rn again Helmut Springer (Jan 06)
- LKM insecurity Greg A. Woods (Jan 06)
- Re: yes, its t0rn again Andreas Hasenack (Jan 03)
- <Possible follow-ups>
- Re: yes, its t0rn again Robert Horn (Jan 04)