Vulnerability Development mailing list archives

Re: The much popular t0rnkit.


From: Masial <masial () SECURED ORG>
Date: Mon, 18 Sep 2000 12:28:11 -0400

Greetings Erik,

-----Original Message-----
From: Erik Tayler

First of all, it is quite doubtful that CERT would serve as a
suppository for rootkits. Second, a previous poster offered to send the
kit out to anyone who asked for it, check the archives. But since you
sound like you haven't already tried such a thing, I'll help you out.

I guess I was asking for this kind of 'flamish' with the tone of my original
message. While you might think that by the way I sound, I'm one lazy bastard
(and I sure am sometimes), I did good research on this. For some reason
however, the securityfocus search engine did not return anything interesting
from an "Entire Site" search on 't0rn'. Might be because I used a zero.
Numerous people have pointed me towards the incidents list and I indeed
found the kit at Jonathan's link.

Secondly, I'm going to be as bold as to ask 'why not' to CERT serving as a
'suppository' (typo there?) for rootkits. This was the whole point of my
semi-rant. Why not? Why won't anybody archive rootkits so us admins can
examine them and draw conclusions from them or learn to recognise typical
behaviour patterns and expect/prevent them more efficiently? What happened
to something called 'full disclosure'? How would the lock makers make better
locks if they can't take a peek at what tools are used to pick their locks?
[insert full disclosure arguments here]

If the kit isn't on the web, consider contacting John (sorry John).

I'm not exactly sure why you apologise to John there.


Thank you very much for taking the time to help me out!

M.

PS: I am not sure either why you CC'd the list, but I returned the courtesy.

