From: Talisker (TaliskerNETWORKINTRUSION.CO.UK)
Date: Mon Jan 08 2001 - 14:29:33 CST

    Roberto
    > Just wondering if anyone has some sort of fix or
    > report of this kit?
    You may want to take a look at chkrootkit (http://www.chkrootkit.org); it looks
    for a variety of rootkits including t0rn. I'm not sure whether Nelson has
    fixed it to find the latest variant yet, but it may be worth a try. It may be
    worth your while looking at a file integrity checker to help you spot a
    recurrence.

    http://www.networkintrusion.co.uk
    Talisker's Network Security Tools List
                        '''
                     (0 0)
      ----oOO----(_)----------
      | The geek shall |
      | Inherit the earth |
      -----------------oOO----
                   |__|__|
                      || ||
                  ooO Ooo
    taliskernetworkintrusion.co.uk

    The opinions contained within this transmission are entirely my own, and do
    not necessarily reflect those of my employer.

    ----- Original Message -----
    From: "Roberto" <cininiTERRA.ES>
    To: <INCIDENTSSECURITYFOCUS.COM>
    Sent: Monday, January 08, 2001 2:05 PM
    Subject: Re: yes, its t0rn again

    > Hello,
    >
    > Just wondering if anyone has some sort of fix or
    > report of this kit? I think my machines may be
    > infected with this kit too. I was only able to find one
    > directory, /lib/ldlib.tk, which had the t0rn ssh with ssh
    > listening on 47011; login was not backdoored and I
    > was unable to locate config files (shdcf) with the help of
    > strings /bin/ps | grep / - which usually worked on lrk*
    > kits (old t0rn too); lsof also did not help much.
    >
    > I didn't have md5 checksums recorded so I was not
    > able to compare with old ones.
    >
    > Ciao,
    > Roberto
    >
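
An added example, not part of the original thread: a minimal file integrity check of the kind the reply suggests, so that a baseline exists to compare against next time. It uses sha256sum in place of the MD5 checksums mentioned in the quoted message; the function names are hypothetical, and it assumes GNU find, sort, xargs and sha256sum run from known-good copies, with the baseline stored off the monitored host.

```shell
#!/bin/sh
# Added example (hypothetical helper names): baseline and re-check of file hashes.
# Typical use, run from trusted media because a rootkit may replace system tools:
#   fim_snapshot /bin /sbin /usr/bin /usr/sbin > /mnt/offline/baseline.sha256
#   fim_check /mnt/offline/baseline.sha256 /bin /sbin /usr/bin /usr/sbin

# Print "hash  path" for every regular file under the given directories.
fim_snapshot() {
    find "$@" -xdev -type f -print0 2>/dev/null | sort -z | xargs -0 -r sha256sum
}

# Compare two snapshots; print ADDED / MODIFIED / REMOVED lines, sorted.
fim_compare() {
    awk '
        # A SHA-256 hex digest is 64 chars, followed by 2 separator chars.
        { h = $1; p = substr($0, 67) }
        FILENAME == ARGV[1] { base[p] = h; next }
        {
            seen[p] = 1
            if (!(p in base))      print "ADDED " p
            else if (base[p] != h) print "MODIFIED " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# fim_check BASELINE DIR...  -> exit 0 if unchanged, 1 if anything differs.
fim_check() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    fim_snapshot "$@" > "$current"
    report=$(fim_compare "$baseline" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

File names containing newlines or backslashes are escaped by sha256sum and are not handled by this comparison.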