[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Rootkit warning! (Was: Re: LS_COLORS error)

On Thursday 05 June 2003 18:08, Neilen wrote:
> Hi.
> I'm running sid.  Some time in the last week (did unfortunately not
> notice exactly when), I started getting the following error from ls:
> brick@hilife:~/public_html$ ls
> ls: unrecognized prefix: do
> ls: unparsable value for LS_COLORS environment variable.

I had this some time ago. You might want to check for t0rnkit in case someone 
hacked you machine. The "devious" thing about the kit's files is that they're 
marked "undeletable" with chattr (see man chattr and man lsattr), so even 
root can't delete them directly.

I'll append a kind of "in-group whitepaper" I found.

Got Backup?
	Indepth Analysis of Tornkit v8

Author: Mostarac, yuggoboy@hotmail.com
Year: @2001AD
Why: To make the E-Light(copyright by author) people think ;) (torn dont flame me for this)

Finally I got some time off my job to play with my computers and 
while doing that I was installing some new dists of RedHat and 
Slackware. There was one machine I hacked into that some "elite" 
group from holland was using to store all of their arsenal of 
"weapons", including some new exploits and of course, rootkits.
Among those rootkits was tornkit v8, so I downloaded it to get 
a closer look. 

Tornkit is the package assembled by torn/etC! and is based upon LinuxRootKit5
or LRK5 which can be downloaded almost everywhere. It is a widely spread rookit 
found almost on all rooted machines up to date. Essential with tornkit is 
that torn made this rootkit for massrooting purpose, but have put significant 
ammount of own backdoors inside which allows the maker of the rootkit to quickly 
get access to machines rooted and hacked by others.

The making of rootkit was easy since it is based on LRK5 done by lord somer, but 
the idea of making a massrooter and publishing it out so that scriptkidz can 
download it and do the hard job is brilliant.

While talking to torn on ircnet, he promised that 
the new version of tk would include some new stuff and sure he did.
Version 8 of tornkit works on both 6.x and 7.x redhats which is the
big news too.

The files included are:

bin.tgz - 	dir,login,encrypt,ifconfig,K20fwall(very interesting),
		find,ls,lsof(cheers for that torn),md5sum(and this)

ssh-only.tgz - 	ssh(trojaned for logging the ssh usage)

ssh.tgz -	sharsed(sshd-trojaned and backdoored), shdcf2(sshd config),
		shhk.pub+shk+shrs(ssh private keys)

conf.tgz - 	file.h,hosts,h,lidps1.so,log.h,proc.h

lib.tgz - 	libproc.a,libproc.so.2.0.6,libproc.so(symlink to 2.0.6)

t0rn - 		installation file

tornkit-README - readme of coz( must send all the greetz :> )

First of all, the syslogd is killed and the trojaned libproc.so.2.0.6
library is installed to /lib and the symbolic link is made from 
libproc.so.2.0.6->libproc.so, which is part of procps RPM packages 
and probably there for better processhiding. 
After that, the password which is given or defined by the user either 
in the torn-install file or by the commandprompt is encrypted and put 
into the /lib/libext-2.so.7 file (torn darling, again is this a BAD 
idea because of the fixed filenames, the change in tacticts is needed 
to protect against current Rootkit-Detection-Software and IDS.

Configuration files are then being copied to:
/lib/lidps1.so (pstree hiding?)
/usr/include/file.h (file hiding)
/usr/include/proc.h (ps proc hiding)
/usr/include/log.h (log hiding)
/usr/include/hosts.h (netstat and net-hiding)
/lib/lblip.tk/ <- backdoored ssh configuration files
/dev/sdr0 <- systems md5 checksum
/lib/ldd.so <- placing tks(sniffer), tkp(parser) and tksb(log cleaner)

The names of the files could be changed, but what ordinary "hackers" 
dont do is hexediting the executables and changing the paths by that 
way. It amazes me that torn or someone @etc! didnt came up with this 
idea of flexible paths, when there is such a huge ammount of hex-editing 
software today. The advantage of this rootkit is a usage of trojaned 
md5sum which makes it hard for some IDS's like Tripwire to secure the 

This next part of installation is specially interesting. This dutch 
"hacker-group" that I found the rootkit at has known from before that 
torn usually puts backdoors in almost every thing in his package, so 
they excluded login(as it comes with the precompiled backdoorpass)
 but what these excellent minds have missed is a small file called 
K20fwall which is placed into /etc/rc.d/rc3.d and started upon installation.
What this file does is that it tries to contact 2 ip-adresses: 		resolved to cshel.unm.edu(not up) 	resolved to tumb1.biblio.tu-muenchen.de(rh6.2)

What I checked is the destination, size and content of the packet:

Packet lenght: 		42bytes
Packet contained:
0000  ff ff ff ff ff ff 00 90  27 59 02 f8 08 06 00 01   ÿÿÿÿÿÿ.. 'Y.ø....
0010  08 00 06 04 00 01 00 90  27 59 02 f8 c0 a8 00 01   ........ 'Y.øÀ¨..
0020  00 00 00 00 00 00 81 18  af 2c                     ........ ¯,  

What all of these "Elite" or what I call them "E-Light" hackers are missing 
is that they are just a tool of someone else a piece in a huge plan. 
What K20fwall is doing isthat it notifies the owner, in this case probably 
torn(etC!) that the machine has got tornkit installed. The ssh backdoor which 
is implemented into the rootkit is also backdoored (the sshd binary contains 
a hardcoded adress resolves to uroboros.swmed.edu) which allows 
torn&friends to freely enter the machine and/or make it a part of something 
much much bigger. What that something is I cant say but I can only guess that 
it is about a huge dosnet being made for some purpose, but of course, this is 
just a conspiracy theory. Only the administrator of those machines which K20fwall 
is contacting could answer to that question BEFORE ppl from etC! read this paper 
and remove their tracks. What we have seen in USA recently has made me 
think that, as some companies use to say, NOTHING is IMPOSSIBLE.

For those who want to check their systems I would give a small hint.
First update your packages, yes, the RPM packages by simply doing 
rpm -ivh package --force on the following packages:


Packagenames may vary a bit in different distributions.
Do rpm -qf /fullpath/filename to see which package you need to reinstall to 
be sure that your system is not affected, then you can try by typing netstat 
or just look for the suspicios lines in /etc/rc.d/rc.sysinit(rc.local) because
 these are the places that backdoored ssh's are placed.

So with this paper, I would like to encourage all those "E-Light" hackers 
out there to hack even more machines and by that contribute to something 
which we will only expirience in near future. Maybe these would be the 
guys who will "shutdown the Internet" :) That sounds so cool and I cant wait 
to see some results. Of course all access to the hundreds or thousands of 
different machines around the world cannot be other but good because today 
information is power and power is information, and thats why I understand torn 
and people from etC!. I hope you will soon demonstrate at least a bit of 
what I just mentioned in this text :) I think that etC! and guys like torn 
are not making the world unsecure, but more secure because people are at 
last getting som understanding in these things especially as torn&etC! 
introduced the terms of masshacking together with mixter.

I know that I will loose some "owned" machines because of this paper but hey, 
its time for me to calm down, stop doing this stupid hacking/dossing thing 
and make some money. I am currently searching for businesspartners to start 
a securitycompany in Sweden(Stockholm) or abroad. Feel free to mail me with 
your opinions or businesspropositions.

Mostarac, yuggoboy@hotmail.com @2001AD

Reply to: