massive bind8 exploitation - t0rnkit8

[Roberto <cinini () TERRA ES>]

Hola again !
It has become to my attention that there is massive 
bind8.2(p3/p5/p7) exploitation taking place, and 
tornkit8 being used. There are already worms for this 
on many underground irc channels floating around for 
users to use.. 

Here are some things to look out for tornkit8 and also 
if ur bind has been upgraded to 8.2.3-REL chances 
are its the automated worm thats been there...
also u might want to look for dir /lib/ldd.so.. which 
exists on some machines tornkit8 is installed..  there 
is hidden files tks (sniffer) tkp(parser) and tkps(ssh 
snifferlog), also one ssh port being used a lot is 47017
(default tornkit) as well as 47889 keep ur eyes open 
for these..

More info as i get it !

Sincerly,
Roberto