




Re: yes, its t0rn again

  • To: [EMAIL PROTECTED]
  • Subject: Re: yes, its t0rn again
  • From: Michael Damm <[EMAIL PROTECTED]>
  • Date: Tue, 02 Jan 2001 07:54:12 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
 
Just curious if anyone has turned up any more bits of the new t0rn kit and
reported them to you...  I am very interested in its ability to avoid md5
checksums.

I'm guessing it simply trojans your local copy of md5sum, given it's
installed in the default location.  I knew there was a good reason I built
my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/  =)

Anyway, if you have any more info, I would love to dig into it.

    -Thanks,
      Michael Damm
      Network Operations and
      IT Security Department
      Access Northwest, LLC.
---
Business:    [EMAIL PROTECTED] - http://www.accessnw.net/ - (509) 542-3221
Personal: [EMAIL PROTECTED] - http://www.symetrix.org/ - (877) 534-6247

On Mon, 1 Jan 2001, johnathan curst wrote:

> Hello Again,
> t0rn is back and seems like the author has been
> paying attention.
>
> First off the compromised machine :
> Redhat 7 (standard lpd exploit used - worm ?)
>
> Standard binaries were replaced as always, as were
> libproc.a, libproc.so.2.0.6, libproc.so and ldconfig was
> run. (Notice a change compared to old versions?)
>
> Another substantial change which I picked up on
> was while setting up a honeypot. I did the usual
> md5sum binary outputs saved onto a non-writeable
> floppy, but the crontabbed script which was checking
> for any changes to the md5sum results was unable
> to pick up on any difference even though the hackers'
> binaries replaced mine. (Any ideas?) Hence it took
> me longer to detect the compromise..
>
> The only reason that I actually found out that I had been
> compromised was because the machine was
> transmitting large amounts of data (stachel daemon),
> which then resulted in me ripping the machine apart
> and reinstalling the required files and finding the kit.
>
> Managed to capture the README file of the rootkit
> and a few binaries,
> http://www.geocities.com/john_curst/tk8-readme.txt if
> anyone is interested.
>
> If anyone has the full version of this kit, I would be
> highly obliged if they could forward it to me.
>
> Regards,
> Johnathan
>
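Added worked example, not part of either message above: the likely reason a cron job comparing md5sum output missed the replaced binaries is that it trusted the same /usr/bin/md5sum the kit had swapped out. An integrity checker therefore needs its own hash implementation rather than a call to the system binary, and the hashing tool itself belongs in the baseline. The Python script below does that with hashlib (the interpreter's built-in code, not an external binary), records digest, size and mode, writes the baseline read-only, and then verifies a constructed "post-compromise" directory. The directory layout, file names and contents are all constructed for the demo; SHA-256 is used by default where the original thread used MD5, but the algorithm is a parameter.

```python
"""Stand-alone file-integrity baseline and verification (constructed example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def digest_file(path, algorithm="sha256"):
    """Hash one file with Python's built-in hashlib, read in 64 KiB chunks.
    No external md5sum/sha256sum binary is ever executed."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Record digest, size and mode for every path (regular files)."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[str(p)] = {
            "algorithm": algorithm,
            "digest": digest_file(p, algorithm),
            "size": st.st_size,
            "mode": st.st_mode,
        }
    return baseline


def save_baseline(baseline, out_path):
    """Write the baseline as JSON and drop its write bits (the floppy's
    write-protect tab, in spirit; a real deployment keeps the copy off-host)."""
    out_path = Path(out_path)
    out_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    out_path.chmod(0o444)


def verify(baseline):
    """Compare the live files against the baseline; return the findings."""
    findings = {"modified": [], "missing": [], "mode_changed": []}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings["missing"].append(path)
            continue
        st = os.stat(path)
        if st.st_mode != rec["mode"]:
            findings["mode_changed"].append(path)
        # Size is a cheap first check; the digest catches same-size swaps.
        if st.st_size != rec["size"] or digest_file(path, rec["algorithm"]) != rec["digest"]:
            findings["modified"].append(path)
    return findings


def demo():
    """Constructed scenario in a temporary directory: baseline three fake
    binaries, alter them the way a kit would, then verify.
    Returns findings keyed by basename so the result is path-independent."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root) / "bin"
        bindir.mkdir()
        files = {  # constructed stand-ins for system binaries
            "md5sum": b"#!/bin/sh\necho original md5sum\n",
            "ps": b"#!/bin/sh\necho original ps\n",
            "netstat": b"#!/bin/sh\necho original netstat\n",
        }
        for name, body in files.items():
            (bindir / name).write_bytes(body)

        # The hashing tool is part of the baseline: if it is replaced, that
        # shows up here even though a replacement could lie about itself.
        baseline = build_baseline([bindir / n for n in files])
        save_baseline(baseline, Path(root) / "baseline.json")

        # Simulated post-compromise state: ps replaced and made executable,
        # md5sum swapped for a same-length file, netstat removed.
        (bindir / "ps").write_bytes(b"#!/bin/sh\necho trojaned ps\n")
        (bindir / "ps").chmod(0o755)
        (bindir / "md5sum").write_bytes(b"#!/bin/sh\necho ORIGINAL md5sum\n")
        (bindir / "netstat").unlink()

        # Reload the baseline from disk, as a cron job would, then verify.
        reloaded = json.loads((Path(root) / "baseline.json").read_text())
        findings = verify(reloaded)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in findings.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-length md5sum swap is the case a size-only check misses and the digest catches; the mode check is there because a kit that adds setuid or execute bits without touching content is otherwise invisible to a hash comparison. The checker itself should be run from read-only media or a statically built copy, since a replaced interpreter or shared library (the thread mentions libproc being swapped) is outside what this script can see.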