Security Incidents mailing list archives

Re: yes, its t0rn again

From: Roberto <cinini () TERRA ES>
Date: Mon, 8 Jan 2001 14:05:37 -0000

hola,

Just wondering if anyone has some sort of fix or 
report of this kit ? I think my machines maybe 
infected with this kit to.. i was only able to find one 
directory, /lib/ldlib.tk which had the t0rn ssh with ssh 
listening on 47011, login was not backdoored and I 
was unable to locate config files (shdcf) with help of 
strings /bin/ps | grep / - which usually worked on lrk* 
kit's (old t0rn too), lsof also not help much. 

I didnt have md5 checksum's recorded so i was not 
able to compare with old ones..

Ciao,
Roberto

Current thread:

Re: yes, its t0rn again, (continued)
- - Re: yes, its t0rn again Jeff Bachtel (Jan 04)
    - Attack Signature Reprodution Alexandre Soares (Jan 06)
    - Re: yes, its t0rn again Jeremy 'Circ' Charles (Jan 06)
  - bootable readonly media in your pocket Re: yes, its t0rn again marc (Jan 05)
    - Re: bootable readonly media in your pocket Re: yes, its t0rn again Michael H. Warfield (Jan 05)
    - Re: bootable readonly media in your pocket Re: yes, its t0rn again Jeff (Jan 05)
    - Re: bootable readonly media in your pocket Re: yes, its t0rn again marc (Jan 09)
    - Re: bootable readonly media in your pocket Kevin Martin (Jan 09)
    - Re: bootable readonly media in your pocket Re: yes, its t0rn again Ed Padin (Jan 05)
    - Re: bootable readonly media in your pocket Re: yes, its t0rn again Ryan Russell (Jan 05)
- Re: yes, its t0rn again Roberto (Jan 08)
  - Re: yes, its t0rn again - chkrootkit Talisker (Jan 08)