Submitted by OeX on Tue, 02/10/2007 - 11:46.
description: T0rn rootkit analysis by: Toby Miller
.--.
l$$$$l ------ [ design by j0hnny7 / zho-d0h ]----
l$$$$l .-. .-. .-.
l$$$$l .,g%T$$b%g,. .,g%T$$$T%y,. .,g%T$T%y,.l$$$l .-. l$$$l
.glS$$$$Slyl$$$$' '$$$$lg$$$T' '$$$$ll$$$$' '$$$$l$$$l.,gdT$'l$$$l,gl$$$lp,.
l$$$$$$$$$$l$$$$ $$$$l$$$$$ '---'l$$$$ $$$$l$$$$T"~'' l$$$llll$$$lllll
'"lT$$$$Tl"l$$$$ $$$$l$$$$$ l$$$$ $$$$l$$$$Tbg. l$$$l'"l$$$l"'
l$$$$l l$$$$. ,$$$$l$$$$$ l$$$$ $$$$l$$$l~"$Tp._l$$$l l$$$l
l$$$$l ~"$TbggdT$"~ '---' '---' `---"---' '---"---' l$$$l
l$$$$l .,. ::' there is no stopping, what can't be stopped... ''---'
`$$$$Tbg.gdT$
`--------'
-----[ version 6.66 .. 2308200 .. torn@secret-service.co.uk ]----
-| Ok a bit about the kit... Version based on lrk style trojans
-| made up from latest linux sources .. special thanks to
-| k1ttykat/j0hnny7 for this..
-| First rootkit of its kind that is all precompiled and yet allows
-| you to define a password.. password is stored in a external encrypted
-| file. The trojans using this are login/ssh/finger ..
-| This kit was designed with the main idea of being portable and quick
-| to be mainly used for mass hacking linux's, hence the precompiled bins.
-| Usage : ./t0rn
-|
-| ----------
-| this will be the new ssh and login password
-| to use it with login u must...
-| [login]
-| * the default password is "t0rnkit"
-| bash# export DISPLAY=t0rnkit-looser
-| bash# telnet tornkit.com
-| Trying 127.0.0.1...
-| Linux 2.2.16 (tornkit.com)
-| login: torn
-| Password:arf
-| bash#
-| [ssh]
-| * the defualt port is 47017
-| ssh -l t0rnkit-looser -p
-|
-| since this version you can now change ur ssh port as well..
-| so..
-| ssh -l -p
-| [finger]
-| finger password@tornkit.com
-| this adds a simple inetd bindshell..
-| then .. telnet to host on 2555
-|
-| -------
-| ok our hidden dir for this version is ... /usr/src/.puta
-| file hiding still similiar to lrk...
-| .1file <- files ... echo "filename" >> /usr/src/.puta/.1file
-| .1proc <- proc's to hide - "t0rn*" is hidden by default
-| .1addr <- lrk style address hiding from netstat...
-|
-| ------------------------------
-| 't0rnsb' - sauber by socked - log cleaner
-| 't0rns' - standard linux sniffer
-| 't0rnp' - snifferlog parser
-|
-| ----------
-| current patches include a very stupid wuftpd patch.. and a
-| rpm -U statd patch..
-|
-| -----------------------------------------
-| fly out to in no particulr order...
-| X-ORG/etC!/m0s/Blackhand/tnt/APACHE/sv3ta/Sl|der/dor/angelz/
-| Annihilat/Unkn0wn/j0hnny7/k1ttykat/_random/dR_hARDY/
-| Cvele/DR_SNK/flyahh/sensei/snake/#etcpub and everyone i forgot... innit.
-| and a special greeet goes out to mah babehh xeni !
------ [ EOF ] ------------------------------------------------------------
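
The README above names the kit's default hidden directory, its three hide-list files and two backdoor ports. The following host check is an added example (not part of the original post or the kit); it stats the paths and parses /proc/net/tcp itself, so it does not depend on the lrk-style trojaned ls or netstat. The function names and the `root` parameter (for pointing it at a mounted disk image) are assumptions of this example.

```python
import os

# Indicators copied from the README above (defaults; the ssh port can be changed).
HIDDEN_DIR = "usr/src/.puta"
HIDE_LISTS = (".1file", ".1proc", ".1addr")
PORTS = {47017: "default trojaned ssh port", 2555: "finger-triggered inetd bindshell"}

# Constructed sample of /proc/net/tcp: 22 and 47017 listening, 2555 only established.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:B7A9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:09FB 0100007F:8F2C 01 00000000:00000000 00:00000000 00000000     0        0 1003
"""

def listening_ports(proc_net_tcp):
    """Return the local ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def scan(root="/", proc_net_tcp=None):
    """Check a live root or a mounted image for the README's default indicators."""
    findings = []
    base = os.path.join(root, HIDDEN_DIR)
    if os.path.lexists(base):
        findings.append("hidden directory present: " + base)
        for name in HIDE_LISTS:
            path = os.path.join(base, name)
            if os.path.lexists(path):
                findings.append("hide-list file present: " + path)
    if proc_net_tcp is None:  # live host: read the kernel table directly
        try:
            with open(os.path.join(root, "proc/net/tcp")) as fh:
                proc_net_tcp = fh.read()
        except OSError:
            proc_net_tcp = ""
    for port in sorted(listening_ports(proc_net_tcp) & set(PORTS)):
        findings.append("listener on port %d (%s)" % (port, PORTS[port]))
    return findings

if __name__ == "__main__":
    print("\n".join(scan()) or "no T0rn default indicators found")
```

A clean result only rules out the defaults listed in the README; a kit installed with a changed ssh port will not match the port check.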