Security Incidents mailing list archives

RE: any1 stumbled across eCkit ?


From: "Ryan Sweat" <ryans () cecentertainment com>
Date: Thu, 29 Nov 2001 12:25:36 -0600

This is a modified t0rnkit, and td is definitely stacheldraht.  I've done
some analysis and I've found the master server is 212.204.245.141, which
also has this rootkit installed.

The file /lib/libext-2.so contains the encrypted trojan sshd password,
fairly simple to decrypt.


-Ryan

-----Original Message-----
From: Fredrik Ostergren [mailto:fredrik.ostergren () freebox com]
Sent: Thursday, November 29, 2001 3:56 AM
To: incidents () securityfocus com
Subject: Re: any1 stumbled across eCkit ?



At 16:40 26-11-2001 -0500, you wrote:

> version 2.0.6. I guess they are installed to hide
> some process.

tk = t0rnkit.

a well-known rootkit which is common in the
scriptkiddie world. A lot of different versions
circulating. Try doing strings ps | grep /
and check for suspicious strings. Go check those
files and you will find the controlling file. Also check
the ls trojan for the same stuff.

> In /lib/ldd.so/ I found the patch script and a file called td.
> Strings revealed that it is some kind of testing program but I
> don't know for sure.

Probably not tfn2k, more likely it's stacheldraht which
is also often included with those different t0rnkit
versions.


Contact me at press () alldas de if you need more info
or if you want me to do an analysis or something.
Thanks!

/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
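As an added example (not part of this thread or of either poster's analysis), the following POSIX shell script turns Fredrik's "strings ps | grep /" check into a repeatable comparison: it pulls every path-like string out of a binary and reports those that a known-clean copy of the same binary does not contain. The fake binary contents and the hidden paths used in the demo are constructed for illustration and are not real t0rnkit indicators; the allowlist is assumed to have been generated from a trusted copy (for example a vendor package) of the same binary.

```shell
#!/bin/sh
# Added example (not from the thread): scan a binary such as ps or ls for
# embedded absolute paths, the check described as "strings ps | grep /".
# A genuine ps has few reasons to carry paths beyond /proc and its libraries;
# a trojaned copy typically embeds the path of its hidden configuration file.

# Print the printable strings (4+ chars) in a file. Uses binutils' strings
# when present and falls back to tr/grep so the check also works on a bare
# rescue shell.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -n 4 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# Report path-like tokens embedded in $1 that are not listed, one per line,
# in the allowlist file $2 (paths a known-clean copy of the binary contains).
# Output is sorted and de-duplicated; empty output means nothing unexpected.
# The -x flag makes an accidental blank line in the allowlist harmless.
suspicious_paths() {
    extract_strings "$1" \
        | grep -oE '/[[:alnum:]_./-]{2,}' \
        | sort -u \
        | grep -vxF -f "$2" || true
}

# Stand-alone demo on a constructed fake "binary": the two hidden paths are
# invented for this example and are not real rootkit indicators.
demo() {
    tmp=$(mktemp -d)
    printf '\177ELF\001\002junk\000/proc\000/dev/.hidden/ptyconf\000/usr/lib/.fakelib/ls.cfg\000' > "$tmp/ps"
    printf '/proc\n' > "$tmp/ps.allow"
    suspicious_paths "$tmp/ps" "$tmp/ps.allow"
    rm -rf "$tmp"
}

demo
```

Run it against a copy of the suspect binary taken off the host (not the live one, which may be replaced again), with an allowlist produced by running the same extraction on a trusted copy; any path that survives the filter is the candidate "controlling file" Fredrik refers to and should be collected as evidence before the box is rebuilt.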


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

