Security Incidents: Re: yes, its t0rn again - chkrootkit

From: Talisker <Talisker_at_NETWORKINTRUSION.CO.UK>
Date: Mon, 8 Jan 2001 20:29:33 -0000

Roberto
> Just wondering if anyone has some sort of fix or
> report of this kit?
You may want to take a look at chkrootkit (http://www.chkrootkit.org); it looks
for a variety of rootkits including t0rn. I'm not sure whether Nelson has
fixed it to find the latest variant yet, but it may be worth a try. It may be
worth your while looking at a file integrity checker to help you spot a
recurrence.

http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall |
  | Inherit the earth |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo
talisker_at_networkintrusion.co.uk

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.

----- Original Message -----
From: "Roberto" <cinini_at_TERRA.ES>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Monday, January 08, 2001 2:05 PM
Subject: Re: yes, its t0rn again

> Hello,
>
> Just wondering if anyone has some sort of fix or
> report of this kit? I think my machines may be
> infected with this kit too. I was only able to find one
> directory, /lib/ldlib.tk, which had the t0rn ssh with ssh
> listening on 47011; login was not backdoored and I
> was unable to locate config files (shdcf) with the help of
> strings /bin/ps | grep / - which usually worked on lrk*
> kits (old t0rn too); lsof also did not help much.
>
> I didn't have md5 checksums recorded so I was not
> able to compare with old ones.
>
> Ciao,
> Roberto
>
Received on Jan 08 2001
