This is a modified t0rnkit, and td is definitely stacheldraht. I've done some analysis and I've found the master server is 212.204.245.141, which also has this rootkit installed. The file /lib/libext-2.so contains the encrypted trojan sshd password, fairly simple to decrypt.

-Ryan

-----Original Message-----
From: Fredrik Ostergren [mailto:fredrik.ostergrenat_private]
Sent: Thursday, November 29, 2001 3:56 AM
To: incidentsat_private
Subject: Re: any1 stumbled across eCkit ?

> >At 16:40 26-11-2001 -0500, you wrote:
>> >version 2.0.6. I guess they are installed to hide some process.

tk = t0rnkit, a well-known rootkit which is common in the scriptkiddie world. A lot of different versions circulating. Try doing strings ps | grep / and check for suspicious strings. Go check those files and you will find the controlling file. Also check the ls trojan for the same stuff.

>In /lib/ldd.so/ I found the patch script and a file called td. Strings
>revealed that it is some kind of testing program but I don't know for sure.

Probably not tfn2k, more likely it's stacheldraht, which is also often included with those different t0rnkit versions.

Contact me at pressat_private if you need more info or if you want me to do an analysis or something.

Thanks!

/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 14:45:05 PST
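As an added example, not part of the original thread: a POSIX shell script that automates the check Fredrik suggests (pull the path-like strings out of a binary such as ps or ls and look for the t0rnkit locations named in this thread). The indicator list, the function names and the constructed sample files are assumptions, not anything from the list posts.

```shell
#!/bin/sh
# Flag system binaries that embed paths belonging to the rootkit files
# discussed in the thread (/lib/ldd.so/ and /lib/libext-2.so). A trojaned
# ps or ls usually carries the path of its hidden config file as a string.

# Indicator paths taken from the thread (assumed list; extend as needed).
SUSPICIOUS_PATHS='/lib/ldd.so|/lib/libext-2.so'

# Print every path-like string in a file, one per line. Uses grep -a so it
# works on binaries even when binutils 'strings' is not installed.
extract_paths() {
  grep -aoE '/[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*' "$1" | sort -u
}

# Return 0 (and print the matches) if the binary references a suspicious
# path, 1 if it looks clean.
check_binary() {
  bin="$1"
  hits=$(extract_paths "$bin" | grep -E "^($SUSPICIOUS_PATHS)" || true)
  if [ -n "$hits" ]; then
    echo "SUSPECT $bin references:"
    echo "$hits" | sed 's/^/  /'
    return 0
  fi
  return 1
}

# Count how many of the given binaries look trojaned (for scripted sweeps).
count_suspect() {
  n=0
  for f in "$@"; do
    check_binary "$f" >/dev/null && n=$((n + 1))
  done
  echo "$n"
}

# Usage: sh check_trojan_paths.sh /bin/ps /bin/ls ...
# With no arguments, two constructed sample "binaries" are checked instead:
# one clean, one carrying the /lib/ldd.so/ config path like a t0rnkit ps.
if [ "$#" -eq 0 ]; then
  tmp=$(mktemp -d)
  printf 'ELF\0\0/usr/share/locale\0/lib/ldd.so/config\0' > "$tmp/ps.trojaned"
  printf 'ELF\0\0/usr/share/locale\0/etc/passwd\0' > "$tmp/ps.clean"
  set -- "$tmp/ps.trojaned" "$tmp/ps.clean"
fi
for f in "$@"; do
  check_binary "$f" || echo "ok      $f"
done
```

Compare any hit against a known-good copy of the binary (or package checksums) before trusting it, since a legitimate build will not reference these paths at all.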