Security Incidents mailing list archives
Re: t0rn
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Thu, 28 Sep 2000 09:33:20 +0100
I have recently been advised of this tool chkrootkit which looks for evidence on your hosts for rootkits having been installed. I haven't used it myself so I can't vouch for its effectiveness. For want of a better place I have put it with file integrity checkers. I have info on it at http://www.networkintrusion.co.uk/integrity/

Take Care
Andy
http://www.networkintrusion.co.uk
The IDS & Scanner list

----- Original Message -----
From: "Ovanes Manucharyan" <ovanes_m () YAHOO COM>
To: <INCIDENTS () securityfocus com>
Sent: Friday, September 08, 2000 4:58 PM
Subject: t0rn
I am wondering if anyone has experience with the following stacheldraht variation. The top level directory structure looks like this:

-rw-r--r--   1 root     50            27 Jul 18 19:24 .1addr
-rw-r--r--   1 root     50            72 Jul 18 19:24 .1file
-rw-r--r--   1 root     50            21 Jul 18 19:24 .1logz
-rw-r--r--   1 root     50            38 Jul 18 19:24 .1proc
drwxr-xr-x   4 root     root         512 Aug 24 01:48 stachel
-rw-r--r--   1 root     other      82177 Sep  4 14:57 system
-rwxr-xr-x   1 root     root         505 Aug  5 06:00 t0rn-kill
-rwxr-xr-x   1 root     root        6232 Sep  9  1999 t0rnparse
-rwxr-xr-x   1 root     root        7622 Aug  5 06:00 t0rns5
-rwxr-xr-x   1 root     root        1345 Sep  9  1999 t0rnsauber
-rwxr-xr-x   1 root     root        9361 Sep  9  1999 t0rnsniff
-rwxr-xr-x   1 root     root        7724 Aug  5 06:00 t0rnst
=========

The directory stachel contains the binary t0rnserv + source files...
There is a README file there, with a date of Feb 5.. I think it's safe to assume that this one came out then.

In this case, t0rnserv was listening on port 60001. The system was rootkitted to hide the directory of these programs.

Does anyone know the key for the encryption of the master IP address & other data? How can I retrieve this information? Here is some info which might help..

===================================================
# strings t0rnserv|more
%d.%d.%d.%d
zAE1nir9mBWTY
 * mtimer reached *
.quit
exiting...
you need to stop the packet action first.
.help
.version
-- hub version: 1.666+smurf+yps --
setusize
setisize
mdos
mping
mudp
micmp
msyn
===================================================
# more pw.h
/* created password for masterserver */
#define SALT "zAE1nir9mBWTY\0"

***How can I decrypt this pw.
===================================================

Sincerely,
Ovanes
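As an added example (not code from either message, and not part of the stacheldraht or t0rn sources), the following Python reproduces the triage step Ovanes performed with strings(1): pull printable runs out of a recovered binary, then flag tokens that have the shape of a traditional crypt(3) result. The byte blob below is constructed for the example and merely embeds the strings the original post recovered; it is not the t0rnserv binary. The 13-character SALT value is the length and alphabet of a DES crypt(3) output (2-character salt followed by 11 hash characters), which is a one-way hash with no key to recover, so the question as posed has no decryption answer; what the hash does give an analyst is a stable indicator to record and match against other recovered agents.

```python
import re
import string

# Constructed stand-in for a recovered agent binary: printable runs separated
# by non-printable bytes, seeded with the strings quoted in the original post.
# This is NOT the real t0rnserv binary.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"%d.%d.%d.%d\x00"
    + b"\x90\x90" + b"zAE1nir9mBWTY\x00"
    + b"\x00\x01" + b" * mtimer reached *\x00"
    + b".quit\x00exiting...\x00"
    + b"-- hub version: 1.666+smurf+yps --\x00"
    + b"\xff\xfe" + b"ok\x00"            # shorter than the minimum run; dropped
    + b"setusize\x00msyn\x00"
)

# Printable ASCII as strings(1) sees it: graphic characters plus space,
# excluding tab/newline and other whitespace control characters.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

# Traditional DES crypt(3): 13 characters drawn from [./0-9A-Za-z].
# Any 13-character token over that alphabet matches, so treat hits as
# candidates to confirm against the source (here pw.h), not as proof.
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes, in order,
    mirroring the default behaviour of strings(1)."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that ends at EOF
        found.append(run.decode("ascii"))
    return found


def find_crypt_hashes(strs: list[str]) -> list[str]:
    """Pick out tokens shaped like a crypt(3) DES hash. The value is one-way:
    it can be recorded as an indicator and compared, never decrypted."""
    return [s for s in strs if CRYPT_DES.match(s)]


def triage(data: bytes) -> dict:
    """Summarise what a strings pass reveals about a recovered binary."""
    strs = extract_strings(data)
    return {
        "strings": strs,
        "crypt_hashes": find_crypt_hashes(strs),
        # "%d.%d.%d.%d" is the format a program uses to print an IPv4 address
        # it builds from raw bytes; its presence hints at stored/parsed IPs.
        "builds_ipv4": "%d.%d.%d.%d" in strs,
        "version_banner": [s for s in strs if "version" in s],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BINARY).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`; the output is meant to be pasted into incident notes alongside the directory listing, so the hash, the version banner and the listening port travel together as indicators.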