Rootkit warning! (Was: Re: LS_COLORS error)
On Thursday 05 June 2003 18:08, Neilen wrote:
> I'm running sid. Some time in the last week (did unfortunately not
> notice exactly when), I started getting the following error from ls:
> brick@hilife:~/public_html$ ls
> ls: unrecognized prefix: do
> ls: unparsable value for LS_COLORS environment variable.
I had this some time ago. You might want to check for t0rnkit in case someone
hacked your machine. The "devious" thing about the kit's files is that they're
marked "undeletable" with chattr (see man chattr and man lsattr), so even
root can't delete them directly.
I'll append a kind of "in-group whitepaper" I found.
In-depth Analysis of Tornkit v8
Author: Mostarac, firstname.lastname@example.org
Why: To make the E-Light (copyright by author) people think ;) (torn, don't flame me for this)
Finally I got some time off my job to play with my computers and
while doing that I was installing some new dists of RedHat and
Slackware. There was one machine I hacked into that some "elite"
group from Holland was using to store all of their arsenal of
"weapons", including some new exploits and of course, rootkits.
Among those rootkits was tornkit v8, so I downloaded it to get
a closer look.
Tornkit is the package assembled by torn/etC! and is based upon LinuxRootKit5
or LRK5, which can be downloaded almost everywhere. It is a widely spread rootkit
found on almost all rooted machines to date. Essential with tornkit is
that torn made this rootkit for massrooting purposes, but has put a significant
amount of his own backdoors inside, which allows the maker of the rootkit to quickly
get access to machines rooted and hacked by others.
The making of the rootkit was easy since it is based on LRK5 done by lord somer, but
the idea of making a massrooter and publishing it so that scriptkidz can
download it and do the hard job is brilliant.
While talking to torn on ircnet, he promised that
the new version of tk would include some new stuff, and sure he did.
Version 8 of tornkit works on both 6.x and 7.x RedHats, which is the
big news too.
The files included are:
bin.tgz - dir,login,encrypt,ifconfig,K20fwall(very interesting),
find,ls,lsof(cheers for that torn),md5sum(and this)
ssh-only.tgz - ssh(trojaned for logging the ssh usage)
ssh.tgz - sharsed(sshd-trojaned and backdoored), shdcf2(sshd config),
shhk.pub+shk+shrs(ssh private keys)
conf.tgz - file.h,hosts,h,lidps1.so,log.h,proc.h
lib.tgz - libproc.a,libproc.so.2.0.6,libproc.so(symlink to 2.0.6)
t0rn - installation file
tornkit-README - readme of coz( must send all the greetz :> )
First of all, the syslogd is killed and the trojaned libproc.so.2.0.6
library is installed to /lib and the symbolic link is made from
libproc.so.2.0.6->libproc.so, which is part of procps RPM packages
and probably there for better process hiding.
After that, the password which is given or defined by the user either
in the torn-install file or at the command prompt is encrypted and put
into the /lib/libext-2.so.7 file (torn darling, again this is a BAD
idea because of the fixed filenames; a change in tactics is needed
to protect against current Rootkit-Detection-Software and IDS).
Configuration files are then being copied to:
/lib/lidps1.so (pstree hiding?)
/usr/include/file.h (file hiding)
/usr/include/proc.h (ps proc hiding)
/usr/include/log.h (log hiding)
/usr/include/hosts.h (netstat and net-hiding)
/lib/lblip.tk/ <- backdoored ssh configuration files
/dev/sdr0 <- systems md5 checksum
/lib/ldd.so <- placing tks(sniffer), tkp(parser) and tksb(log cleaner)
The names of the files could be changed, but what ordinary "hackers"
don't do is hex-edit the executables and change the paths that way.
It amazes me that torn or someone @etC! didn't come up with this
idea of flexible paths, when there is such a huge amount of hex-editing
software today. The advantage of this rootkit is the usage of a trojaned
md5sum which makes it hard for some IDSs like Tripwire to secure the
This next part of the installation is especially interesting. This Dutch
"hacker-group" that I found the rootkit at has known from before that
torn usually puts backdoors in almost everything in his package, so
they excluded login (as it comes with the precompiled backdoor pass),
but what these excellent minds have missed is a small file called
K20fwall which is placed into /etc/rc.d/rc3.d and started upon installation.
What this file does is that it tries to contact 2 IP addresses:
188.8.131.52 resolved to cshel.unm.edu (not up)
184.108.40.206 resolved to tumb1.biblio.tu-muenchen.de (rh6.2)
What I checked is the destination, size and content of the packet:
Packet length: 42 bytes
0000 ff ff ff ff ff ff 00 90 27 59 02 f8 08 06 00 01 ÿÿÿÿÿÿ.. 'Y.ø....
0010 08 00 06 04 00 01 00 90 27 59 02 f8 c0 a8 00 01 ........ 'Y.øÀ¨..
0020 00 00 00 00 00 00 81 18 af 2c ........ ¯,
What all of these "Elite" or, as I call them, "E-Light" hackers are missing
is that they are just a tool of someone else, a piece in a huge plan.
What K20fwall is doing is that it notifies the owner, in this case probably
torn (etC!), that the machine has got tornkit installed. The ssh backdoor which
is implemented into the rootkit is also backdoored (the sshd binary contains
a hardcoded address 220.127.116.11 which resolves to uroboros.swmed.edu), which allows
torn&friends to freely enter the machine and/or make it a part of something
much much bigger. What that something is I can't say, but I can only guess that
it is about a huge dosnet being made for some purpose, but of course, this is
just a conspiracy theory. Only the administrators of those machines which K20fwall
is contacting could answer that question BEFORE ppl from etC! read this paper
and remove their tracks. What we have seen in the USA recently has made me
think that, as some companies used to say, NOTHING is IMPOSSIBLE.
For those who want to check their systems I would give a small hint.
First update your packages, yes, the RPM packages, by simply doing
rpm -ivh package --force on the following packages:
Package names may vary a bit in different distributions.
Do rpm -qf /fullpath/filename to see which package you need to reinstall to
be sure that your system is not affected, then you can try by typing netstat
or just look for the suspicious lines in /etc/rc.d/rc.sysinit (rc.local) because
these are the places that backdoored ssh's are placed.
So with this paper, I would like to encourage all those "E-Light" hackers
out there to hack even more machines and by that contribute to something
which we will only experience in the near future. Maybe these would be the
guys who will "shutdown the Internet" :) That sounds so cool and I can't wait
to see some results. Of course all access to the hundreds or thousands of
different machines around the world cannot be other but good because today
information is power and power is information, and that's why I understand torn
and people from etC!. I hope you will soon demonstrate at least a bit of
what I just mentioned in this text :) I think that etC! and guys like torn
are not making the world insecure, but more secure because people are at
last getting some understanding in these things especially as torn&etC!
introduced the terms of masshacking together with mixter.
I know that I will lose some "owned" machines because of this paper but hey,
it's time for me to calm down, stop doing this stupid hacking/dossing thing
and make some money. I am currently searching for business partners to start
a security company in Sweden (Stockholm) or abroad. Feel free to mail me with
your opinions or business propositions.
Mostarac, email@example.com @2001AD
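Decoding the 42-byte packet dump from the appended paper, as an added example that is not part of the original message or of the paper: the bytes are an Ethernet broadcast frame carrying an ARP request from 192.168.0.1, with the ARP target protocol address in the last four bytes. Assumes Python 3 only; the hex string is transcribed from the dump with the offset column and ASCII gutter dropped.

```python
import struct

# Constructed from the three hex-dump lines in the appended paper, with the
# offset column and ASCII gutter dropped; 42 bytes, the length the paper gives.
FRAME_HEX = (
    "ff ff ff ff ff ff 00 90 27 59 02 f8 08 06 00 01"
    " 08 00 06 04 00 01 00 90 27 59 02 f8 c0 a8 00 01"
    " 00 00 00 00 00 00 81 18 af 2c"
)
ETHERTYPE_ARP = 0x0806
ARP_OPS = {1: "request", 2: "reply"}

def hexdump_to_bytes(text):
    """Space-separated hex pairs (no offsets, no ASCII gutter) -> bytes."""
    return bytes.fromhex(text.replace(" ", ""))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def decode_arp_frame(frame):
    """Decode an Ethernet II frame carrying ARP (RFC 826) into a dict.
    Raises ValueError if the frame is not ARP or is truncated."""
    if len(frame) < 22:
        raise ValueError("shorter than Ethernet + fixed ARP header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    need = 22 + 2 * (hlen + plen)
    if len(frame) < need:
        raise ValueError(f"ARP body truncated: {len(frame)} < {need} bytes")
    pos, fields = 22, []
    for size in (hlen, plen, hlen, plen):  # sender hw, sender proto, target hw, target proto
        fields.append(frame[pos:pos + size])
        pos += size
    sha, spa, tha, tpa = fields
    return {
        "length": len(frame), "broadcast": dst == b"\xff" * 6,
        "src_mac": fmt_mac(src), "htype": htype, "ptype": ptype,
        "op": ARP_OPS.get(op, f"opcode {op}"),
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
    }

if __name__ == "__main__":
    for key, value in decode_arp_frame(hexdump_to_bytes(FRAME_HEX)).items():
        print(f"{key:11} {value}")
```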
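A defender's check that ties together the drop locations the paper lists, the reply's point that the kit marks its files immutable with chattr, and the paper's rpm -qf hint, as an added example (not the paper's or the reply author's code): it reports which of those paths exist and which carry the immutable flag. The `exists` and `lsattr` parameters are hypothetical injection points so the logic can be tested offline; lsattr and rpm are assumed to be the stock e2fsprogs and RPM tools.

```python
import os
import subprocess

# Drop locations the appended paper lists for tornkit v8 (K20fwall goes
# into /etc/rc.d/rc3.d); /lib/lblip.tk and /lib/ldd.so are directories.
TORNKIT_PATHS = [
    "/lib/libext-2.so.7", "/lib/lidps1.so", "/lib/lblip.tk", "/lib/ldd.so",
    "/usr/include/file.h", "/usr/include/proc.h", "/usr/include/log.h",
    "/usr/include/hosts.h", "/dev/sdr0", "/etc/rc.d/rc3.d/K20fwall",
]

def immutable_from_lsattr(line):
    """Parse one `lsattr -d` line ('----i-------- /path') for the lowercase
    'i' (immutable) flag: the reason `rm` as root fails until `chattr -i`."""
    parts = line.split(None, 1)
    return bool(parts) and "i" in parts[0]

def run_lsattr(path):
    """Real lsattr call; '' if the tool is missing or the file is not on ext*."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return out.stdout if out.returncode == 0 else ""

def owning_package(path):
    """The `rpm -qf` lookup the paper suggests; None if unowned or rpm absent."""
    try:
        out = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None

def check_paths(paths, exists=os.path.lexists, lsattr=run_lsattr):
    """Map each path to 'missing', 'present' or 'present+immutable'.
    `exists` and `lsattr` are injectable (hypothetical) so tests run offline."""
    report = {}
    for p in paths:
        if not exists(p):
            report[p] = "missing"
        elif immutable_from_lsattr(lsattr(p)):
            report[p] = "present+immutable"
        else:
            report[p] = "present"
    return report

if __name__ == "__main__":
    for path, state in check_paths(TORNKIT_PATHS).items():
        if state != "missing":
            print(f"{state:18} {path}  owner: {owning_package(path)}")
```

The paper lists ls, find and md5sum among the replaced binaries, so on a live suspect host these lookups can be lied to; run them from a clean boot medium against the mounted disk instead.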