Security Incidents: yes, its t0rn again

yes, its t0rn again

From: johnathan curst <john_curst_at_YAHOO.COM>
Date: Mon, 1 Jan 2001 17:19:37 -0000

Hello Again,
t0rn is back, and it seems like the author has been
paying attention.

First off the compromised machine :
Redhat 7 (standard lpd exploit used - worm ?)

Standard binaries were replaced as always, as were
libproc.a, libproc.so.2.0.6 and libproc.so, and ldconfig was
run. (Notice a change compared to old versions?)

Another substantial change which I picked up on
was while setting up a honeypot: I did the usual,
saving the md5sum output of the binaries onto a non-writeable
floppy, but the crontabbed script which was checking
for any changes to the md5sum results was unable
to pick up on any difference, even though the hackers'
binaries replaced mine. (Any ideas?) Hence it took
me longer to detect the compromise.

The only reason that I actually found out that I had been
compromised was because the machine was
transmitting a large amount of data (stachel daemon),
which then resulted in me ripping the machine apart,
reinstalling the required files and finding the kit.

I managed to capture the README file of the rootkit
and a few binaries; see
http://www.geocities.com/john_curst/tk8-readme.txt if
anyone is interested.

If anyone has the full version of this kit, I would be
highly obliged if they could forward it to me.

Regards,
Johnathan
Received on Jan 01 2001
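An added example, not part of Johnathan's post or of the t0rn kit: a baseline integrity check along the lines of the cron job described above, written in Python. It computes digests in-process with hashlib rather than invoking the host's md5sum binary, records the inode alongside each digest, and is exercised on constructed temporary files standing in for the binaries and libproc library the post names (the paths and contents are assumptions, not data from the incident).

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    # Digest computed in-process: the result does not rest on a host binary
    # that could have been swapped along with the others the post lists.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Digest plus inode for each file; the result belongs on read-only media."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_of(p), "inode": st.st_ino}
    return baseline

def verify(baseline):
    """Return [(path, reason)] for every file that deviates from the baseline."""
    findings = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        st = os.stat(path)
        if sha256_of(path) != rec["sha256"]:
            findings.append((path, "content changed"))
        elif st.st_ino != rec["inode"]:
            findings.append((path, "inode changed, same content"))
    return findings

def demo():
    # Constructed stand-ins for the files the post names; no system files are touched.
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ps", "ls", "libproc.so.2.0.6", "md5sum")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        # Simulate a kit swapping in a new ps and removing the library.
        with open(paths[0], "wb") as f:
            f.write(b"replaced ps")
        os.remove(paths[2])
        return sorted(reason for _, reason in verify(baseline))

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the interpreter and libraries it runs on, so the baseline should also cover those, and the comparison is best run from known-good media rather than from the host's own cron.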
