Security Incidents mailing list archives

Re: t0rn (the rootkit)


From: johnathan curst <john_curst () YAHOO COM>
Date: Sun, 10 Sep 2000 09:34:59 -0000

I found something on a server a few weeks ago which was compromised by "t0rn" which might be of some use...


FANCY ASCII SAYING t0rnkit
-----[ version 6.66 .. 2308200 .. torn () secret-service co uk ]----



-|  Ok a bit about the kit... Version based on lrk style trojans
-|  made up from latest linux sources .. special thanks to
-|  k1ttykat/j0hnny7 for this..

-|  First rootkit of its kind that is all precompiled and yet allows
-|  you to define a password.. password is stored in a external encrypted
-|  file. The trojans using this are login/ssh/finger ..

-|  This kit was designed with the main idea of being portable and quick
-|  to be mainly used for mass hacking linux's, hence the precompiled bins.

-|  Usage : ./t0rn <password> <ssh-port>

-|  ----------
-|  this will be the new ssh and login password
-|  to use it with login u must...

-|  [login]

-|  * the default password is "t0rnkit"
-|  bash# export DISPLAY=t0rnkit-looser
-|  bash# telnet tornkit.com
-|  Trying 127.0.0.1...
-|  Linux 2.2.16 (tornkit.com)

-|  login: torn <this can be anything>
-|  Password:arf
-|  bash#

etc... 

I did manage to leech a copy of the files as it seemed that my server was being used as a ftp dump site by him... if you would like a copy of this rootkit let me know

Regards,

Johnathan Curst


There is a kiddy called torn which is currently attacking ircnet and efnet servers (trying to take down oper channels) with new versions of the DDoS agent, I expect this is a rootkit/DDoS distribution made by him, the first I've seen so far. It seems that the rootkit is a variation of a customized version of lrk5, that I've seen before already, on incidents, I think. It looks like a fully featured rootkit, so expect replaced binaries, booby traps, etc. on the system.

In this case, t0rnserv was listening on port 60001.
tcp or udp?

There is a README file there, with a date of Feb 5.. I think it's safe to assume that his one came out then.
according to my info, it is undergoing active development and being installed on more hosts... so keep an eye out ;/

-- hub version: 1.666+smurf+yps --
distributed smurf, that's pretty new for the stacheldraht tool
what is yps? anybody know a public DoS method with that name?

# more pw.h
/* created password for masterserver */

#define SALT "zAE1nir9mBWTY\0"
looks like a uuencoded hash... let's try john the ripper
bash$ echo root:zAE1nir9mBWTY:0:0:::: > test ; john test
Loaded 1 password (Standard DES [32/32 BS])

Standard crypt()-DES hash, not too strong :)

PS: If you still have the files, I'd be interested in getting a copy.
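The reply identifies the kit's stored password as a traditional crypt()-DES hash by eye (13 characters from the crypt alphabet, the first two being the salt). The same recognition is useful on the defender's side when auditing a compromised host's passwd/shadow files for legacy or empty hashes that are cheap to brute-force. The following Python is an added example, not code from the thread or from any tool mentioned in it; the `root` line in the sample is the one the reply fed to john, the other lines and all names (`classify_hash`, `audit_passwd_lines`) are constructed for this illustration.

```python
import re

# Modular-crypt-format ids in common use on Unix systems (standard prefixes, not from the thread).
MCF_IDS = {
    "1": "MD5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
# Traditional crypt(3) DES: 13 chars from the 64-char crypt alphabet; the first two are the salt.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MCF_RE = re.compile(r"^\$([^$]+)\$")

# Formats a defender should flag: no password, or brute-forceable on commodity hardware.
WEAK_FORMATS = {"DES-crypt", "MD5-crypt", "empty"}


def classify_hash(field: str) -> str:
    """Return a readable name for the format of a passwd/shadow password field."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"          # the real hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"            # account disabled; "!<hash>" is a locked hash
    m = MCF_RE.match(field)
    if m:
        return MCF_IDS.get(m.group(1), f"unknown-MCF({m.group(1)})")
    if DES_CRYPT_RE.match(field):
        return "DES-crypt"
    return "unknown"


def audit_passwd_lines(lines):
    """Return (user, format, salt_or_None) for every entry whose hash format is weak."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        fmt = classify_hash(field)
        if fmt in WEAK_FORMATS:
            # For DES-crypt the 12-bit salt is simply the first two characters.
            salt = field[:2] if fmt == "DES-crypt" else None
            findings.append((user, fmt, salt))
    return findings


# Constructed sample: the root line is the one from the reply; the rest are made up.
SAMPLE_PASSWD = """\
root:zAE1nir9mBWTY:0:0::::
alice:$6$Qm9ndXNTYWx0$3a7b1c9d:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$deadbeefdeadbeefdeadbe:1001:1001::/home/bob:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:1002:1002::/var/svc:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for user, fmt, salt in audit_passwd_lines(SAMPLE_PASSWD.splitlines()):
        extra = f" (salt {salt!r})" if salt else ""
        print(f"{user}: {fmt}{extra} -- weak, schedule a password reset")
```

On the sample the audit reports `root` (DES-crypt, salt `zA`) and `bob` (MD5-crypt); the `$6$` entry, the locked account and the shadowed entry are left alone. DES-crypt is flagged because it only uses the first eight characters of the password and a 12-bit salt, which is why john loaded it as "Standard DES" without complaint.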



