Re: [cobalt-users] massive bind8 exploitation - t0rnkit8
- Subject: Re: [cobalt-users] massive bind8 exploitation - t0rnkit8
- From: "Gerald Waugh" <gerald@xxxxxxxxx>
- Date: Mon Feb 12 11:37:12 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Some info I picked up on the bind list.
----- Forwarded message from Roberto <cinini@xxxxxxxx> -----
From: Roberto <cinini@xxxxxxxx>
To: INCIDENTS@xxxxxxxxxxxxxxxxx
Subject: massive bind8 exploitation - t0rnkit8
Date: Mon, 12 Feb 2001 14:01:57 -0000
Hola again!
It has come to my attention that there is massive
bind8.2(p3/p5/p7) exploitation taking place, and
tornkit8 being used. There are already worms for this
on many underground irc channels floating around for
users to use..
Here are some things to look out for tornkit8 and also
if your bind has been upgraded to 8.2.3-REL chances
are it's the automated worm that's been there...
also you might want to look for dir /lib/ldd.so.. which
exists on some machines tornkit8 is installed.. there
are hidden files tks (sniffer) tkp (parser) and tkps (ssh
snifferlog), also one ssh port being used a lot is 47017
(default tornkit) as well as 47889 keep your eyes open
for these..
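
The indicators listed in the forwarded message, turned into a host check. This is an added example, not part of the original post; the function names, the ROOT argument and the assumption that the tks/tkp/tkps files sit inside /lib/ldd.so (plain or dot-prefixed) are illustrative.

```shell
#!/bin/sh
# Added example: checks for the t0rnkit8 indicators named in the post.
# Directory, file names and ports come from the post; everything else
# (function names, ROOT argument, output format) is illustrative.

TORN_PORTS="47017 47889"
TORN_FILES="tks tkp tkps"

# Print indicator paths found under ROOT (default: the live system).
# Pass a mount point to inspect a disk image instead.
check_files() {
    root="${1:-}"
    dir="$root/lib/ldd.so"
    if [ ! -d "$dir" ]; then
        return 0
    fi
    echo "DIR $dir"
    for f in $TORN_FILES; do
        # Assumption: files live in this directory, plain or dot-prefixed.
        for p in "$dir/$f" "$dir/.$f"; do
            if [ -e "$p" ]; then
                echo "FILE $p"
            fi
        done
    done
    return 0
}

# Read `netstat -an` or `ss -ltn` output on stdin and print one line
# per listening socket whose local port is one of TORN_PORTS.
check_ports() {
    awk -v ports="$TORN_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                k = split($i, part, /[:.]/)
                if (k > 1 && (part[k] in want)) { print "PORT " part[k]; next }
            }
        }'
}

# Usage: sh check.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    check_files "${2:-}"
    netstat -an 2>/dev/null | check_ports
fi
```

On a host suspected of compromise, run it from trusted media against the mounted disk, since rootkits of this kind replace system binaries such as ls and netstat and can hide the files and the listener from the live system.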