Security Incidents mailing list archives
Re: yes, its t0rn again - chkrootkit
From: Talisker <Talisker () NETWORKINTRUSION CO UK>
Date: Mon, 8 Jan 2001 20:29:33 -0000
Roberto
> Just wondering if anyone has some sort of fix or report of this kit ?
You may want to take a look at chkrootkit (http://www.chkrootkit.org); it looks for a variety of rootkits including t0rn. I'm not sure whether Nelson has fixed it to find the latest variant yet, but it may be worth a try. It may be worth your while looking at a file integrity checker to help you spot a reoccurrence.

http://www.networkintrusion.co.uk
Talisker's Network Security Tools List

          '''
         (0 0)
 ----oOO----(_)----------
 | The geek shall       |
 | Inherit the earth    |
 -----------------oOO----
        |__|__|
         || ||
        ooO Ooo

talisker () networkintrusion co uk

The opinions contained within this transmission are entirely my own, and do not necessarily reflect those of my employer.

----- Original Message -----
From: "Roberto" <cinini () TERRA ES>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, January 08, 2001 2:05 PM
Subject: Re: yes, its t0rn again
hola,

Just wondering if anyone has some sort of fix or report of this kit ?

I think my machines may be infected with this kit too.. I was only able to find one directory, /lib/ldlib.tk, which had the t0rn ssh with ssh listening on 47011, login was not backdoored and I was unable to locate config files (shdcf) with the help of strings /bin/ps | grep / - which usually worked on lrk* kits (old t0rn too), lsof also did not help much. I didn't have md5 checksums recorded so I was not able to compare with old ones..

Ciao,
Roberto
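Added example (not part of the original messages and not chkrootkit's code): a minimal file integrity check of the kind recommended above, recording a baseline of hashes and later reporting changed, missing and new files. It uses SHA-256 rather than the md5 checksums mentioned in the thread; the function names are hypothetical, and it assumes GNU sha256sum, find and awk run from trusted media with the baseline file kept off the host.

```shell
#!/bin/sh
# Added example: baseline-and-compare file integrity check.
# Assumptions: GNU coreutils sha256sum output ("<64 hex>  <path>");
# the tools themselves come from trusted, read-only media, because a
# rootkit that replaces system binaries can also replace the checker.
# Paths containing newlines or backslashes (which sha256sum escapes)
# are not handled here.

# make_baseline DIR OUT: record one "hash  path" line per regular file.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# check_baseline DIR BASELINE: print CHANGED/MISSING/NEW lines.
# Returns 0 if DIR matches the baseline, 1 if anything differs.
check_baseline() {
    cur=$(mktemp) || return 2
    find "$1" -type f -exec sha256sum {} + > "$cur"
    report=$(awk '
        # First file is the stored baseline: remember hash per path.
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        # Second file is the current state: compare against baseline.
        {
            p = substr($0, 67)
            if (!(p in old))       print "NEW " p
            else if (old[p] != $1) print "CHANGED " p
            seen[p] = 1
        }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

A typical run would be make_baseline /bin /mnt/trusted/bin.sha256 on a known-clean system, then check_baseline /bin /mnt/trusted/bin.sha256 during later checks; the /mnt/trusted path is a placeholder.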