Security Incidents mailing list archives
t0rn
From: Ovanes Manucharyan <ovanes_m () YAHOO COM>
Date: Fri, 8 Sep 2000 08:58:55 -0700
I am wondering if anyone has experience with the following stacheldraht variation. The top-level directory structure looks like this:

-rw-r--r--   1 root     50            27 Jul 18 19:24 .1addr
-rw-r--r--   1 root     50            72 Jul 18 19:24 .1file
-rw-r--r--   1 root     50            21 Jul 18 19:24 .1logz
-rw-r--r--   1 root     50            38 Jul 18 19:24 .1proc
drwxr-xr-x   4 root     root         512 Aug 24 01:48 stachel
-rw-r--r--   1 root     other      82177 Sep  4 14:57 system
-rwxr-xr-x   1 root     root         505 Aug  5 06:00 t0rn-kill
-rwxr-xr-x   1 root     root        6232 Sep  9  1999 t0rnparse
-rwxr-xr-x   1 root     root        7622 Aug  5 06:00 t0rns5
-rwxr-xr-x   1 root     root        1345 Sep  9  1999 t0rnsauber
-rwxr-xr-x   1 root     root        9361 Sep  9  1999 t0rnsniff
-rwxr-xr-x   1 root     root        7724 Aug  5 06:00 t0rnst
=========

The directory stachel contains the binary t0rnserv + source files... There is a README file there, with a date of Feb 5.. I think it's safe to assume that this one came out then. In this case, t0rnserv was listening on port 60001. The system was rootkitted to hide the directory of these programs.

Does anyone know the key for the encryption of the master IP address & other data? How can I retrieve this information? Here is some info which might help..

===================================================
# strings t0rnserv|more
%d.%d.%d.%d
zAE1nir9mBWTY
* mtimer reached *
.quit
exiting...
you need to stop the packet action first.
.help
.version
-- hub version: 1.666+smurf+yps --
setusize
setisize
mdos
mping
mudp
micmp
msyn
===================================================
# more pw.h
/* created password for masterserver */
#define SALT "zAE1nir9mBWTY\0"

***How can I decrypt this pw.
===================================================

Sincerely,
Ovanes
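The SALT string quoted from pw.h has the shape of a traditional crypt(3) output (two salt characters followed by an eleven-character DES-based digest), which is one-way: a server validates a password by recomputing crypt() with the stored salt and comparing, not by decrypting. The following is an added example, not code from the post or from the tool it describes; the pw.h contents are a constructed copy of what the post quotes, and the assumption that the handler compares a crypt() result against SALT is the author's reading of the define, not something the post confirms.

```python
# Added example: parse the SALT define and show why it cannot be "decrypted".
import re

# Constructed copy of the pw.h fragment quoted in the post.
PW_H = '/* created password for masterserver */\n#define SALT "zAE1nir9mBWTY\\0"\n'

# Traditional DES crypt(3): 13 characters, all from ./0-9A-Za-z; first two are the salt.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def extract_salt_define(source: str) -> str:
    """Return the string literal from '#define SALT "..."', minus the explicit \\0."""
    m = re.search(r'#define\s+SALT\s+"([^"]*)"', source)
    if not m:
        raise ValueError("no SALT define found")
    # The post's define writes a C NUL escape inside the literal; strip it.
    return m.group(1).replace("\\0", "")


def classify_crypt_string(s: str) -> dict:
    """Describe a crypt(3)-style string by its format (no computation involved).

    Modular-crypt forms ($1$ md5crypt, $5$/$6$ SHA crypt) are reported by prefix;
    the 13-character form is split into its salt and digest parts.
    """
    if s.startswith("$"):
        return {"scheme": "modular-crypt", "prefix": s.split("$")[1], "one_way": True}
    if DES_CRYPT_RE.match(s):
        return {"scheme": "des-crypt", "salt": s[:2], "digest": s[2:], "one_way": True}
    raise ValueError(f"not a crypt(3) string: {s!r}")


def matches(candidate: str, stored: str):
    """Server-side check (assumed): crypt(candidate, salt) == stored string.

    Returns None when the platform has no crypt module (deprecated in Python 3.11,
    removed in 3.13), so callers can tell 'unsupported' from 'wrong password'.
    """
    try:
        import crypt  # noqa: deprecated stdlib module
    except ImportError:
        return None
    return crypt.crypt(candidate, stored[:2]) == stored


if __name__ == "__main__":
    stored = extract_salt_define(PW_H)
    print(stored, classify_crypt_string(stored))
```

The practical consequence is that the string can only be compared against candidate inputs, never reversed; any recovery of the original password is a guessing exercise, not decryption.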