
TornKit Rootkit (t0rnkit)


IMPORTANT: This rootkit resets the timestamps of the files after replacing them, so do not try to detect it by the modification dates of files.

Symptoms


  • The tar and ps commands give "Segmentation fault" errors
  • Some commands may give these errors:
    /lib/ld-linux.so.1: bad ELF interpreter: No such file or directory
    Or
    error while loading shared libraries: libc.so.5: cannot open shared object file: No such file or directory
  • It is possible that you never see any of the above errors. :(

    Confirm the presence of T0rnkit

  • Look for a directory /usr/src/.puta/
  • Look for a directory /usr/info/.t0rn

    If either directory is there, that is enough evidence.

    Full T0rnkit Fingerprints

    Advanced users can click here to see the full installation script of the t0rnkit rootkit.
    Click here to see the list of files included in the original rootkit.
    It replaces these command files:
    /usr/bin/find
    /bin/login
    /sbin/ifconfig
    /bin/ps
    /bin/ls
    /bin/netstat
    /usr/bin/pstree
    /usr/bin/top
    /usr/sbin/in.fingerd

    Configuration files related to the trojanized ssh daemon are saved to:
    /usr/info/.t0rn/shdcf
    /usr/info/.t0rn/shhk
    /usr/info/.t0rn/shhk.pub
    /usr/info/.t0rn/shrs

    Trojanized ssh daemon itself will be moved to "/usr/sbin/nscd", and then started. It is also added to the end of the "/etc/rc.d/rc.sysinit" along with the following comment:

    # Name Server Cache Daemon..

    This way the trojanized sshd is executed every time the system restarts. By default it listens on port 47017. This is configurable, and the port number is saved in "/usr/info/.t0rn/shdcf".

    The kit creates the following configuration files and executables:
    /usr/src/.puta/t0rns (standard Linux sniffer)
    /usr/src/.puta/t0rnp (sniffer log parser)
    /usr/src/.puta/t0rnsb (log cleaner)
    /usr/src/.puta/.1file (list of files to hide from the ls command)
    /usr/src/.puta/.1proc (list of processes to hide from the ps command)
    /usr/src/.puta/.1logs (log entries to hide)
    /usr/src/.puta/.1addr (list of addresses to hide from netstat)

    Tornkit also starts a sniffer in the background.
    It enables the telnetd, rsh and finger daemons in "/etc/inetd.conf", restarts inetd to activate the changes and starts syslogd.
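As an added example (not part of the original page or of the rootkit), the following shell check looks for the indicators listed above on a live host or on an offline-mounted image. It assumes the paths and the rc.sysinit comment exactly as this page lists them; the ROOT argument and T0RN_ROOT variable are this example's own.

```shell
#!/bin/sh
# Added example: checks a host (or an image mounted under ROOT) for the
# t0rnkit indicators described on this page. It uses only shell builtins
# and grep, not ls/ps/netstat, because the kit replaces those binaries;
# run it with a known-good shell and grep (e.g. from rescue media).

t0rnkit_check() {
    root="${1%/}"          # "/" becomes "" so "$root/usr/..." stays clean

    # 1. Hidden directories the kit creates.
    for d in /usr/src/.puta /usr/info/.t0rn; do
        [ -d "$root$d" ] && echo "DIR   $d exists"
    done

    # 2. Config files of the trojanized sshd (shdcf holds the port, 47017 by default).
    for f in shdcf shhk shhk.pub shrs; do
        [ -e "$root/usr/info/.t0rn/$f" ] && echo "FILE  /usr/info/.t0rn/$f present"
    done

    # 3. Boot hook: the comment appended to rc.sysinit to start /usr/sbin/nscd.
    #    /usr/sbin/nscd alone is not an indicator (a legitimate name service
    #    cache daemon lives at the same path), so key on the comment instead.
    rc="$root/etc/rc.d/rc.sysinit"
    [ -f "$rc" ] && grep -q 'Name Server Cache Daemon' "$rc" \
        && echo "BOOT  $rc starts the trojanized sshd"

    # 4. Services the kit enables in inetd.conf (telnet, rsh = "shell", finger).
    ic="$root/etc/inetd.conf"
    [ -f "$ic" ] && grep -E '^(telnet|shell|finger)[[:space:]]' "$ic" \
        | while read -r line; do echo "INETD $line"; done
    return 0
}

# Usage: T0RN_ROOT=/mnt/evidence sh t0rnkit_check.sh   (default: live root)
t0rnkit_check "${T0RN_ROOT:-/}"
```

Because netstat is one of the replaced binaries, confirm the sshd listener on port 47017 with a known-good tool or a port scan from another host, and verify the replaced command files against the package manager or known-good copies rather than trusting the on-disk timestamps.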


    All trade marks are property of respective owners
    All rights reserved 2003-2007, Openpages.info, Multan, Pakistan