Security Incidents mailing list archives
Re: t0rn
From: Kevin Houle <kjh () CERT ORG>
Date: Tue, 12 Sep 2000 10:25:05 -0400
Mixter wrote:
There is a kiddy called torn which is currently attacking ircnet and efnet servers (trying to take down oper channels) with new versions of the DDoS agent, I expect this is a rootkit/DDoS distribution made by him, the first I've seen so far. It seems that the rootkit is a variation of a customized version of lrk5, that I've seen before already, on incidents, I think. It looks like a fully featured rootkit, so expect replaced binaries, booby traps, etc. on the system.
We first saw 't0rnkit 7.0' on 5/30/2000. The install shell script for t0rnkit does several things:

- replaces /usr/bin/login and moves the original to /usr/bin/xlogin
- moves trojan horse config files, t0rnsniff (password sniffer), t0rnparse (parser for sniffer output), sshbd.tgz (trojan horse sshd), and sauber (log cleaner) into /dev/sdc0/.nfs01/
- replaces /usr/sbin/in.telnetd with t0rndemon
- appends the following to either /etc/rc.d/rc.sysinit or /etc/rc.d/rc.local

    if [ -x /usr/sbin/in.inetd ]; then
        /usr/sbin/in.inetd -s
    fi

- replaces /bin/ps, /usr/bin/top, /usr/bin/du, /bin/netstat, and /bin/ls with trojan horse copies
- attempts to ensure telnet is enabled in /etc/inetd.conf
- moves /etc/hosts.deny to /etc/host.deny if it contains the string 'ALL'
- restarts inetd

The kit we have seen targets Linux, Red Hat distributions in particular.

Regards,
Kevin
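A read-only check for the install artifacts Kevin lists above, added here as an example; it is not code from the original post or from CERT. The function names, the ROOT argument and the demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: read-only check of a filesystem
# root for the t0rnkit 7.0 install artifacts listed in Kevin Houle's reply.
# The ROOT argument (an assumption; defaults to the live system) lets a mounted
# image or offline copy be inspected. Exit status = number of indicators found.

t0rn_check() {
    root="${1:-}"
    hits=0
    # login replaced; the kit moves the original aside to /usr/bin/xlogin
    if [ -e "$root/usr/bin/xlogin" ]; then
        echo "HIT: $root/usr/bin/xlogin exists (original login moved aside)"
        hits=$((hits + 1))
    fi
    # hidden directory under /dev holding t0rnsniff, t0rnparse, sshbd, sauber
    if [ -d "$root/dev/sdc0/.nfs01" ]; then
        echo "HIT: $root/dev/sdc0/.nfs01 present"
        hits=$((hits + 1))
    fi
    # startup hook appended to rc.sysinit or rc.local; the real daemon is
    # /usr/sbin/inetd, so an 'in.inetd -s' line is itself the indicator
    for rc in "$root/etc/rc.d/rc.sysinit" "$root/etc/rc.d/rc.local"; do
        if [ -f "$rc" ] && grep -q '/usr/sbin/in\.inetd -s' "$rc"; then
            echo "HIT: $rc starts /usr/sbin/in.inetd -s"
            hits=$((hits + 1))
        fi
    done
    # hosts.deny renamed to host.deny so TCP wrapper deny rules stop applying
    if [ -e "$root/etc/host.deny" ] && [ ! -e "$root/etc/hosts.deny" ]; then
        echo "HIT: $root/etc/hosts.deny renamed to $root/etc/host.deny"
        hits=$((hits + 1))
    fi
    echo "t0rn_check: $hits indicator(s) under '${root:-/}'"
    return "$hits"
}

# Constructed demo tree (not a real host) so the check can be exercised offline.
t0rn_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/dev/sdc0/.nfs01" "$d/etc/rc.d"
    touch "$d/usr/bin/xlogin" "$d/etc/host.deny"
    printf 'if [ -x /usr/sbin/in.inetd ]; then\n/usr/sbin/in.inetd -s\nfi\n' \
        > "$d/etc/rc.d/rc.local"
    t0rn_check "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Because the kit replaces userland binaries, run this from known-good media or against a mounted copy of the disk rather than trusting the compromised host's own tools.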