Security Incidents: Re: yes, its t0rn again

Re: yes, its t0rn again

From: Michael Damm <miked_at_ACCESSNW.NET>
Date: Mon, 1 Jan 2001 21:36:03 -0800

Just curious if anyone has turned up any more bits of the new t0rn kit and
reported them to you... I am very interested in its ability to avoid md5
checksums.

I'm guessing it simply trojans your local copy of md5sum, given it's
installed in the default location. I knew there was a good reason I built
my copy of md5sum from source and stuck it in /usr/local/bin/sec-tools/ =)

Anyway, if you have any more info, I would love to dig into it.

        -Thanks,
          Michael Damm
          Network Operations and
          IT Security Department
          Access Northwest, LLC.

---
Business:    miked@accessnw.net - http://www.accessnw.net/ - (509) 542-3221
Personal: symetrix@symetrix.org - http://www.symetrix.org/ - (877) 534-6247
On Mon, 1 Jan 2001, johnathan curst wrote:
> Hello Again,
> t0rn is back and seems like the author has been
> paying attention.
>
> First off the compromised machine :
> Redhat 7 (standard lpd exploit used - worm ?)
>
> Standard binaries were replaced as always, as were
> libproc.a, libproc.so.2.0.6, libproc.so and ldconfig was
> run. (Notice a Change compared to old versions ?)
>
> Another substantial change which I picked up on
> was while setting up a honeypot: I did the usual
> md5sum binary outputs saved onto a non-writeable
> floppy, but the crontabbed script which was checking
> for any changes to the md5sum results was unable
> to pick up on any difference even though the hacker's
> binaries replaced mine. (Any ideas?) Hence it took
> me longer to detect the compromise.
>
> The only reason that I actually found out that I had been
> compromised was because the machine was
> transmitting large amounts of data (stachel daemon),
> which then resulted in me ripping the machine apart
> and reinstalling the required files and finding the kit.
>
> Managed to capture the README file of the rootkit
> and a few binaries,
> http://www.geocities.com/john_curst/tk8-readme.txt if
> anyone is interested.
>
> If anyone has the full version of this kit, I would be
> highly obliged if they could forward it to me.
>
> Regards,
> Johnathan
>
Received on Jan 02 2001
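Both messages turn on the same weakness: the honeypot's cron job trusted the host's own md5sum binary, and the reply's defence is a separately built copy kept off the default path. The script below is an added example (not code from either poster) of an integrity check that hashes files in-process with Python's hashlib, so it never executes an on-host md5sum at all, and compares against a baseline stored where the attacker cannot write (the read-only floppy in the quoted message). All paths and file contents are constructed for the demonstration; the "replacement" keeps the original size and mtime so the check has to rely on content, not metadata.

```python
"""In-process file integrity check that does not trust the host's md5sum.

Added example, not part of the original thread. Hashes are computed with
hashlib inside this process, so a trojaned /usr/bin/md5sum cannot hide a
replaced binary from it. The baseline would normally live on read-only
media; here a temp file stands in for it. Every path and byte string below
is constructed for the demo.
"""
import hashlib
import json
import os
import stat
import tempfile

CHUNK = 1 << 16


def digest_file(path):
    """Hash one file with MD5 and SHA-256 (never via an external binary), plus size and mode."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    st = os.lstat(path)
    return {
        "md5": md5.hexdigest(),
        "sha256": sha.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(paths):
    """Record digests for every monitored file (binaries and shared libraries alike)."""
    return {p: digest_file(p) for p in paths}


def save_baseline(baseline, dest):
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def verify(baseline):
    """Return {path: reason} for every file that no longer matches the baseline."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        current = digest_file(path)
        diffs = [k for k in expected if current.get(k) != expected[k]]
        if diffs:
            findings[path] = "changed: " + ", ".join(diffs)
    return findings


def demo():
    """Replay the honeypot scenario: baseline, swap binaries in place, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        lib_dir = os.path.join(root, "lib")
        os.makedirs(bin_dir)
        os.makedirs(lib_dir)
        files = {  # constructed stand-ins for real ELF binaries
            os.path.join(bin_dir, "md5sum"): b"\x7fELF-constructed-md5sum",
            os.path.join(bin_dir, "ps"): b"\x7fELF-constructed-ps",
            os.path.join(lib_dir, "libproc.so.2.0.6"): b"\x7fELF-constructed-libproc",
        }
        for p, data in files.items():
            with open(p, "wb") as fh:
                fh.write(data)
        baseline_path = os.path.join(root, "baseline.json")  # stands in for the read-only floppy
        save_baseline(build_baseline(files), baseline_path)

        # Replace ps and libproc with different bytes of the SAME length, then put the
        # original mtime back, so only the content differs from the baseline.
        for p in (os.path.join(bin_dir, "ps"), os.path.join(lib_dir, "libproc.so.2.0.6")):
            st = os.stat(p)
            with open(p, "wb") as fh:
                fh.write(b"X" * st.st_size)
            os.utime(p, (st.st_atime, st.st_mtime))

        findings = verify(load_baseline(baseline_path))
        return {os.path.relpath(p, root): why for p, why in findings.items()}


if __name__ == "__main__":
    for path, why in demo().items():
        print(f"{path}: {why}")
```

The untouched md5sum stand-in is reported clean while the replaced ps and libproc are flagged on their MD5 and SHA-256 values alone, since size and mode still match. A check like this is only as trustworthy as the process running it: with libproc and ldconfig already replaced, as in the quoted message, a dynamically linked checker on the live host can still be fed false data by trojaned libraries, so the comparison belongs on trusted boot media or on a statically linked copy kept off the default path, as the reply describes.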