subject: (Fwd) Re: t0rn
posted: Fri, 29 Sep 2000 22:40:41 +0100



------- Forwarded message follows -------
Date sent: Thu, 28 Sep 2000 09:33:20 +0100
Send reply to: Talisker <[email protected]>
From: Talisker <[email protected]>
Subject: Re: t0rn
Originally to: Ovanes Manucharyan <[email protected]>
To: [email protected]

I have recently been advised of this tool,
chkrootkit,
which looks for evidence on your hosts of rootkits having been
installed. I haven't used it myself so I can't vouch for its
effectiveness. For want of a better place I have put it with file
integrity checkers.

I have info on it at http://www.networkintrusion.co.uk/integrity/

Take Care
Andy
http://www.networkintrusion.co.uk The IDS & Scanner list

----- Original Message -----
From: "Ovanes Manucharyan" <[email protected]>
To: <[email protected]>
Sent: Friday, September 08, 2000 4:58 PM
Subject: t0rn


> I am wondering if anyone has experience with the
> following stacheldraht variation.
>
> The top level directory structure looks like this
>
>
> -rw-r--r--   1 root     50          27 Jul 18 19:24 .1addr
> -rw-r--r--   1 root     50          72 Jul 18 19:24 .1file
> -rw-r--r--   1 root     50          21 Jul 18 19:24 .1logz
> -rw-r--r--   1 root     50          38 Jul 18 19:24 .1proc
> drwxr-xr-x   4 root     root       512 Aug 24 01:48 stachel
> -rw-r--r--   1 root     other    82177 Sep  4 14:57 system
> -rwxr-xr-x   1 root     root       505 Aug  5 06:00 t0rn-kill
> -rwxr-xr-x   1 root     root      6232 Sep  9  1999 t0rnparse
> -rwxr-xr-x   1 root     root      7622 Aug  5 06:00 t0rns5
> -rwxr-xr-x   1 root     root      1345 Sep  9  1999 t0rnsauber
> -rwxr-xr-x   1 root     root      9361 Sep  9  1999 t0rnsniff
> -rwxr-xr-x   1 root     root      7724 Aug  5 06:00 t0rnst
>
> =========
>
> the directory stachel contains the binary t0rnserv +
> source files...
>
> There is a README file there, with a date of Feb 5. I
> think it's safe to assume that this one came out then.
>
>
> In this case, t0rnserv was listening on port 60001.
>
> The system was rootkitted to hide the directory of
> these programs.
>
> Does anyone know the key for the encryption of the
> master IP address & other data?
>
> How can I retrieve this information?
>
>
> Here is some info which might help..
>
> ===================================================
>
> # strings t0rnserv|more
> %d.%d.%d.%d
> zAE1nir9mBWTY
> * mtimer reached *
> .quit
> exiting...
> you need to stop the packet action first.
> .help
> .version
> -- hub version: 1.666+smurf+yps --
> setusize
> setisize
> mdos
> mping
> mudp
> micmp
> msyn
>
> ===================================================
>
> # more pw.h
> /* created password for masterserver */
>
> #define SALT "zAE1nir9mBWTY\0"
>
>
> *** How can I decrypt this pw?
>
> ===================================================
>
> Sincerely,
>
> Ovanes
>


------- End of forwarded message -------
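A note on the pw.h fragment quoted above, with an added worked example. The value behind SALT, "zAE1nir9mBWTY", is 13 characters from the set [./0-9A-Za-z], which is exactly the shape of a traditional DES crypt(3) result: two characters of salt ("zA") followed by 11 characters of encoded DES output. The comment "created password for masterserver" and the define name strongly suggest (my inference, not something the thread states) that the handler checks a typed passphrase with crypt(input, SALT) == SALT. That function is one-way, so the honest answer to "how can I decrypt this" is that you cannot; you can only guess candidates and compare. The code below is an added example, not code from the kit or from anyone in this thread. Function names are mine, the wordlist is constructed, and "sicken" is in it only because published analyses of the original stacheldraht report it as the handler's default passphrase; this copy was rebuilt with its own pw.h, so it may well not match.

```python
"""Checking a crypt(3)-style handler passphrase against a stored hash.

Added example (not code from the t0rn/stacheldraht kit or from this thread).
Names are my own; the wordlist is constructed.
"""
import re
from typing import Iterable, Optional

# The 13-character string that appears in both `strings t0rnserv` and pw.h.
PAGE_HASH = "zAE1nir9mBWTY"

try:
    import crypt as _crypt  # stdlib through Python 3.12 (deprecated since 3.11)

    def des_crypt(password: str, setting: str) -> str:
        out = _crypt.crypt(password, setting)
        if out is None:
            raise RuntimeError("crypt() rejected the setting %r" % setting)
        return out

except ImportError:  # Python 3.13+: call the C library's crypt(3) directly
    import ctypes
    import ctypes.util

    _libcrypt = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
    _libcrypt.crypt.restype = ctypes.c_char_p
    _libcrypt.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

    def des_crypt(password: str, setting: str) -> str:
        out = _libcrypt.crypt(password.encode(), setting.encode())
        if out is None:
            raise RuntimeError("crypt() rejected the setting %r" % setting)
        return out.decode()


def classify(token: str) -> Optional[tuple]:
    """Return ("des", salt) when token has the shape of a traditional DES
    crypt(3) result: 13 characters from [./0-9A-Za-z], the first two being
    the salt and the other 11 the encoded cipher output.  Anything else
    (an MD5 "$1$..." hash, a plain word) returns None."""
    if re.fullmatch(r"[./0-9A-Za-z]{13}", token):
        return "des", token[:2]
    return None


def handler_accepts(candidate: str, stored: str) -> bool:
    """The check a crypt()-based handler makes on a typed passphrase: hash it
    under the stored value's salt and compare.  crypt(3) takes only the first
    two characters of `stored` as the salt, so passing the whole hash works.
    Nothing is decrypted; the function is one-way."""
    return des_crypt(candidate, stored) == stored


def dictionary_attack(stored: str, words: Iterable[str]) -> Optional[str]:
    """Recover the passphrase by guessing, the only way to get it back.
    DES crypt uses at most the first 8 characters of the password, so
    candidates are truncated to 8 and duplicates skipped."""
    seen = set()
    for word in words:
        word = word[:8]
        if word in seen:
            continue
        seen.add(word)
        if handler_accepts(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed wordlist.  "sicken" is the default handler passphrase that
    # published analyses of the original stacheldraht report; this copy was
    # rebuilt with its own pw.h, so it may well not match.
    WORDLIST = ["sicken", "stachel", "t0rn", "password", "root", "smurf"]
    print("hash type:", classify(PAGE_HASH))
    hit = dictionary_attack(PAGE_HASH, WORDLIST)
    print("guessed passphrase:", hit if hit else "not in wordlist")
```

Two caveats worth knowing before feeding this a real wordlist: traditional DES crypt silently ignores everything after the eighth character, so "password" and "password12" verify identically, and the whole keyspace of 8 printable characters is small enough that a dedicated cracker (john or hashcat with the descrypt mode) will finish where a Python loop will not. The point of the example is the shape of the check, not its speed.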
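The original poster also mentions that the host was rootkitted to hide the kit's directory. The t0rn kit does that by replacing userland binaries (ls, ps, netstat and friends) rather than by hooking the kernel, so on a Linux host the kernel's own /proc/net/tcp still shows the handler's socket on 60001 even when the trojaned netstat does not. The following is an added example of that cross-check; it is not from the thread or the kit. The /proc/net/tcp text is constructed (it is not from the poster's machine, and the example is Linux-specific: the group name "other" in the poster's listing suggests a system on which this particular file does not exist), and the port list standing in for netstat's output is constructed too.

```python
"""Cross-checking a (possibly trojaned) netstat against the kernel's own
/proc/net/tcp on Linux.

Added example, not code from this thread or the kit.  It assumes the rootkit
replaced userland tools rather than hooking the kernel, so /proc is honest.
"""
import os
import socket
import struct
from typing import Iterable, Set, Tuple

LISTEN = "0A"  # TCP_LISTEN as the kernel prints it in the `st` column

# Constructed sample of /proc/net/tcp (not from the poster's host): sshd on
# 22 and a handler on 60001 (hex EA61), both bound to 0.0.0.0, plus one
# established loopback connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:EA61 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field: str, byteorder: str = "<") -> Tuple[str, int]:
    """Turn 'HHHHHHHH:PPPP' into (dotted_ip, port).  The kernel prints the
    IPv4 address as a 32-bit word in host byte order, so on x86 (little
    endian, the default here) 127.0.0.1 appears as 0100007F; the port is
    plain big-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack(byteorder + "I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text: str) -> Set[Tuple[str, int]]:
    """Parse /proc/net/tcp text into the set of (ip, port) in LISTEN state."""
    found = set()
    for line in proc_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        found.add(decode_addr(fields[1]))
    return found


def hidden_listeners(proc_text: str, reported_ports: Iterable[int]) -> Set[int]:
    """Ports the kernel says are listening that the tool under suspicion
    (netstat, lsof) did not report.  Anything in this set deserves a look."""
    kernel_ports = {port for _, port in listening_sockets(proc_text)}
    return kernel_ports - set(reported_ports)


if __name__ == "__main__":
    # On a live Linux host read the real file; otherwise show the sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    # Stand-in for the ports your netstat/lsof output shows.  On a real
    # investigation fill this from a netstat run from known-good media.
    reported = [22]
    for ip, port in sorted(listening_sockets(text), key=lambda x: x[1]):
        print("kernel: %s:%d LISTEN" % (ip, port))
    print("not reported by netstat:", sorted(hidden_listeners(text, reported)))
```

The same idea covers /proc/net/tcp6 and /proc/net/udp (same column layout, IPv6 addresses are 32 hex digits), and the analogous check for hidden directories is os.listdir() or a statically linked ls from clean media against the trojaned ls. None of it helps once the kit is an LKM that filters /proc itself, which is where chkrootkit's signature checks and a file integrity baseline taken before the compromise come in.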

generated by msg2page 0.06 on Jul 21, 2006 at 19:05:08
