Heads up to all sysadmins out there... you probably already know
but it can't hurt to notify everyone..

please read
http://packetstorm.securify.com/papers/IDS/t0rn.txt
http://www.sans.org/y2k/032401-1230.htm

a quick check (ls -la /usr/src) will show whether you have been compromised
with the T0rn Rootkit. if you see a directory called .puta, your machine
has been compromised.

what it does:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some network
settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter protection
afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd,
see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten
with a trojaned version of ssh.
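A defender's check script for the indicators listed above, added here as an example and not part of the original post or the linked advisories. The optional root-prefix argument (for scanning a mounted image) and the "ssh strings inside nscd" heuristic are this example's own assumptions.

```shell
#!/bin/sh
# Added example: report the t0rn indicators from the message. With no
# argument it inspects the live host (run as root); with a mount point
# argument it inspects an offline image under that prefix.
t0rn_check() {
    t_root="${1:-}"
    t_hits=0
    # 1. hidden directory the kit leaves in /usr/src
    if [ -d "$t_root/usr/src/.puta" ]; then
        echo "HIT: $t_root/usr/src/.puta exists"; t_hits=$((t_hits + 1))
    fi
    # 2. tcp wrappers deny file removed (weak alone: some hosts never had one)
    if [ ! -e "$t_root/etc/hosts.deny" ]; then
        echo "HIT: $t_root/etc/hosts.deny missing"; t_hits=$((t_hits + 1))
    fi
    # 3. hashed password file read by the trojaned login
    if [ -e "$t_root/etc/ttyhash" ]; then
        echo "HIT: $t_root/etc/ttyhash exists"; t_hits=$((t_hits + 1))
    fi
    # 4. backdoor ports 60008, 33567, 33568 wired into inetd. inetd.conf
    #    usually names a service and /etc/services holds the number, so grep both.
    for f in "$t_root/etc/inetd.conf" "$t_root/etc/services"; do
        if [ -r "$f" ] && grep -Eq '(^|[^0-9])(60008|33567|33568)([^0-9]|$)' "$f"; then
            echo "HIT: backdoor port number in $f"; t_hits=$((t_hits + 1))
        fi
    done
    # 5. nscd overwritten with an ssh binary. Heuristic (assumption): a genuine
    #    nscd carries no ssh banner or "OpenSSH" string, a trojaned copy does.
    if [ -f "$t_root/usr/sbin/nscd" ] && grep -aqiE 'ssh-[0-9]\.[0-9]|openssh' "$t_root/usr/sbin/nscd"; then
        echo "HIT: $t_root/usr/sbin/nscd contains ssh strings"; t_hits=$((t_hits + 1))
    fi
    # 6. live host only: syslogd killed, backdoor or trojaned-ssh ports listening
    if [ -z "$t_root" ]; then
        pgrep -x syslogd >/dev/null 2>&1 || echo "WARN: no syslogd process running"
        netstat -ltn 2>/dev/null | grep -E ':(60008|33567|33568) ' && echo "WARN: backdoor port listening"
    fi
    echo "SUMMARY: $t_hits indicator(s) found"
}
```

A clean host reports 0 indicators; any HIT line warrants treating the box as compromised and rebuilding from known-good media rather than cleaning in place.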


More info will be available from http://www.sans.org/

Cheers,

Dan

