Security Incidents mailing list archives

Re: yes, its t0rn again - chkrootkit


From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Mon, 8 Jan 2001 20:29:33 -0000

Roberto,
> Just wondering if anyone has some sort of fix or
> report of this kit ?

You may want to take a look at chkrootkit http://www.chkrootkit.org. It looks
for a variety of rootkits including t0rn. I'm not sure whether Nelson has
fixed it to find the latest variant yet, but it may be worth a try. It may be
worth your while looking at a file integrity checker to help you spot a
recurrence.

http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo
talisker () networkintrusion co uk

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Roberto" <cinini () TERRA ES>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, January 08, 2001 2:05 PM
Subject: Re: yes, its t0rn again


Hello,

Just wondering if anyone has some sort of fix or
report of this kit? I think my machines may be
infected with this kit too. I was only able to find one
directory, /lib/ldlib.tk, which had the t0rn ssh with ssh
listening on 47011. login was not backdoored and I
was unable to locate config files (shdcf) with the help of
strings /bin/ps | grep /, which usually worked on lrk*
kits (old t0rn too). lsof also did not help much.

I didn't have md5 checksums recorded so I was not
able to compare with old ones.

Ciao,
Roberto
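
The file integrity check suggested in the reply, and the missing checksum baseline described in the original message, as an added example that is not part of either post: a minimal baseline-and-compare script. It uses SHA-256 rather than MD5, and the script name `fic.py`, the JSON baseline format and all function names are assumptions made for this illustration.

```python
import hashlib
import json
import os
import sys

def describe(path):
    """Return [kind, value, mode] for one entry, without following symlinks."""
    st = os.lstat(path)
    mode = oct(st.st_mode & 0o7777)
    if os.path.islink(path):
        return ["link", os.readlink(path), mode]
    if not os.path.isfile(path):
        return ["special", "", mode]        # device, FIFO, socket
    digest = hashlib.sha256()               # SHA-256 here; the post mentions MD5
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return ["file", digest.hexdigest(), mode]

def snapshot(roots):
    """Walk each root and map every non-directory path to its description."""
    found = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                found[path] = describe(path)
    return found

def save_baseline(roots, baseline_path):
    with open(baseline_path, "w") as out:
        json.dump(snapshot(roots), out, indent=1, sort_keys=True)

def compare(roots, baseline_path):
    """Report paths that changed, appeared or disappeared since the baseline."""
    with open(baseline_path) as src:
        old = json.load(src)
    new = snapshot(roots)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

if __name__ == "__main__":                  # usage: fic.py init|check BASELINE DIR...
    action, baseline, dirs = sys.argv[1], sys.argv[2], sys.argv[3:]
    if action == "init":
        save_baseline(dirs, baseline)
    else:
        print(json.dumps(compare(dirs, baseline), indent=1))
```

Keep the baseline and the script on read-only or off-host media and run the comparison from a trusted environment, since an intruder with root can rewrite both the recorded hashes and the tools that check them.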


