Security Incidents mailing list archives
Re: yes, its t0rn again
From: Joe Stewart <jstewart () LURHQ COM>
Date: Tue, 2 Jan 2001 03:39:50 -0500
On Tuesday 02 January 2001 00:36, you wrote:
> Just curious if anyone has turned up any more bits of the new t0rn kit and reported them to you... I am very interested in its ability to avoid md5 checksums. I'm guessing it simply trojans your local copy of md5sum, given it's installed in the default location. I knew there was a good reason I built my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/ =)
It could be a Linux kernel module that is being used to redirect exec calls for selected binaries to a trojaned version hidden elsewhere on the system. In this case, md5sum wouldn't detect any changes in the legit binaries, because there wouldn't be any. One such rootkit that uses this method is knark:

http://packetstorm.securify.com/UNIX/penetration/rootkits/knark-0.59.tar.gz

Regards,
-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
===================
jstewart () lurhq com
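The reply above explains why hashing the on-disk binary shows nothing when exec calls are redirected. As an added example (not part of the original message or of any tool it names), this Linux-only check starts a binary and compares the file at the requested path with the image the kernel actually mapped, read through /proc/<pid>/exe. The function names and the default /usr/bin/md5sum path are assumptions, and a kernel module that also falsifies /proc would defeat the check.

```python
import hashlib
import os
import subprocess
import sys


def sha256_of(path):
    """Hash a file in chunks; works on /proc/<pid>/exe as well as normal paths."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_exec_identity(argv):
    """Start argv and compare the file at argv[0] with the running image.

    argv[0] must be an absolute path to a native binary that stays alive
    while blocked on stdin or sleeping; a '#!' script would report its
    interpreter as the running image.
    """
    requested = argv[0]
    # stdin is a pipe so tools such as md5sum block on read instead of exiting.
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        exe_link = f"/proc/{proc.pid}/exe"
        on_disk, running = os.stat(requested), os.stat(exe_link)
        return {
            "requested": requested,
            "running": os.readlink(exe_link),
            "same_inode": (on_disk.st_dev, on_disk.st_ino)
                          == (running.st_dev, running.st_ino),
            "same_hash": sha256_of(requested) == sha256_of(exe_link),
        }
    finally:
        proc.kill()
        proc.communicate()  # closes the pipe and reaps the child


if __name__ == "__main__":
    # Assumed default target; pass another absolute path as the first argument.
    target = sys.argv[1:] or ["/usr/bin/md5sum"]
    result = check_exec_identity(target)
    print(result)
    sys.exit(0 if result["same_inode"] and result["same_hash"] else 1)
```

A mismatch in either field means the process is not running the file that was hashed on disk; a match only means this particular view of the system is consistent.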