Re: yes, its t0rn again

[MadHat <madhat () UNSPECIFIC COM>]

no offence, but think... if you read the README Johnathan provided, "t0rn"
said they read the list (they mentioned this list specifically, not just
any securityfocus list), so why would you want to broadcast how your
security varies from the norm...  this just gives them more ammo, and
anyone who wants to attack you now can found it on public list archives
when doing a search on your domain...

Be careful what specifics you give out in public forums about your security
setup.  Everything you say here becomes public knowledge and
searchable.  Maybe you have your reasons or don't care, but still, everyone
should keep this in mind.

At 09:36 PM 1/1/2001 -0800, you wrote:
> Just curious if anyone has turned up any more bits of the new t0rn kit and
> reported them to you...  I am very interested in its ability to avoid md5
> checksums.
>
> Im guessing it simply trojans your local copy of md5sum, given its
> installed in the default location.  I knew there was a good reason I built
> my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/  =)
>
> Anyway, if you have any more info, I would love to dig into it.
>
>         -Thanks,
>           Michael Damm
>           Network Operations and
>           IT Security Department
>           Access Northwest, LLC.
> ---
> Business:    miked () accessnw net - http://www.accessnw.net/ - (509) 542-3221
> Personal: symetrix () symetrix org - http://www.symetrix.org/ - (877) 534-6247
>
> On Mon, 1 Jan 2001, johnathan curst wrote:
>
> > Hello Again,
> > t0rn is back and seems like the author has been
> > paying attention.
> >
> > First off the compromised machine :
> > Redhat 7 (standard lpd exploit used - worm ?)
> >
> > Standard binaries were replaced as always, as were
> > libproc.a, libproc.so.2.0.6, libproc.so and ldconfig was
> > run. (Notice a Change compared to old versions ?)
> >
> > Another substancial Change which i picked up on
> > was while setting up a honeypot, i did the usual
> > md5sum binary output's saved onto non-writeable
> > floppy, but the crontabed script which was checking
> > for any changes to the md5sum results, was unable
> > to pick up on any difference even though the hackers
> > binaries replaced mine. (Any ideas ?) Hence taking
> > me longer to detect the comrpomise..
> >
> > Only reason that i actually found out that i had been
> > compromised was because the machine was
> > transmitting large amount of data (stachel daemon),
> > which then resulted in me ripping the machine apart
> > and reinstalling the required files and finding the kit.
> >
> > Managed to capture the README file of the rootkit
> > and a few binaries,
> > http://www.geocities.com/john_curst/tk8-readme.txt if
> > anyone is intrested.
> >
> > If anyone has the full version of this kit, I would be
> > highly obliged if they could forward it to me.
> >
> > Regards,
> > Johnathan
> >

--
MadHat at unspecific.com