[704] in Intrusion Detection Systems


No subject found in mail header

daemon@ATHENA.MIT.EDU (IDS Moderator)
Mon Jul 1 08:34:53 1996

Date: Mon, 1 Jul 1996 16:59:00 +1000
From: IDS Moderator <ruf@osiris.cs.uow.edu.au>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au

I decided to digest a number of responses to the rootkit source availability.

-----------------------------------------------------------------------------
Date: Wed, 26 Jun 1996 10:14:48 -0500
From: brian <brianc@telepath.com>
Organization: demented enterprises, ltd
Message-ID: <31D153E8.5CF6@telepath.com>

yes, well, if you keep up to date with all the patches, most of the 
stuff on those web pages is useless..   unless, of course, you're one of 
the sysadmins who don't know what security is.  don't lose too much 
sleep over it.   half of the stuff is 80's source code, the other half, 
is easily countered, with just a bit of work on the admins side.

-----------------------------------------------------------------------------
Date: Thu, 27 Jun 1996 00:38:31 +0300 (EET DST)
From: Yiorgos Adamopoulos <Y.Adamopoulos@noc.ntua.gr>
Organization: NTUA-NOC, National Technical University of Athens, GREECE 
Message-Id: <199606262138.AAA14955@noc.ntua.gr>

While on a similar search on AltaVista I visited a hacker page where
a file rs2.c was.  The banner claims that you wrote it.  What does it
do?

PS: To add more on the admins nightmare...  Have a look at 
    http://www.paranoia.com/~ice9

-----------------------------------------------------------------------------
Date: Wed, 26 Jun 1996 14:58:55 -0700 (PDT)
From: Security Administrator <noid@exo.com>
Message-ID: <Pine.LNX.3.91.960626145737.18893A-100000@server.snni.com>

if finding unix rootkits bothers you..check out www.underground.org. 
Homepage of Aleph1 (moderator of BugTraq). nothing but exploits, bugs and 
evil hacker stuff. One stop shopping if you look at it..

        -noid

-----------------------------------------------------------------------------
Date: Thu, 27 Jun 1996 10:39:46 WET
From: "J.R.Valverde (jr)" <jrvalverde@samba.cnb.uam.es>
Message-ID: <009A479D.6C02D63B.62@samba.cnb.uam.es>

        On the contrary, I think it's great. That way you can know and 
understand the weaknesses, how they work and are exploited, and prepare
fixes. And what's even more important:

        You can *LEARN* what are the mistakes made by system programmers 
that lead to security or any other type of errors.

        There are still many lessons to be learnt on programming, debugging,
design, planning, etc... in a word, software engineering. After all we are
humans and make errors. The very fact that we made them makes it more
difficult for us to detect them ourselves. I find it great that when some
one finds errors their code is available to the author so s/he can learn
what are the mistakes s/he tends to oversee and correct his/her behaviour
accordingly.

        But I think it is better to learn from one's errors than to expect
that no one notices or publicizes them.

                                jr

-----------------------------------------------------------------------------
Date:          Fri, 28 Jun 1996 11:29:34 -200
From: "Andrejs Bojars" <AB@main.unib.bkc.lv>
Organization:  Unibank of Latvia
Message-ID: <1B12384C67@main.unib.bkc.lv>

aha, nice, I'll probably have to grab it :)
for my part I can give you a few nice links from my bookmark
file:


http://l0pht.com
http://www.paranoia.com/~coldfire/index.html
http://www.cdwarez.com
http://ritalin.shout.net/~anemic/hotlist.html
http://www.intersurf.com/~materva/files.html
http://jax.gttw.com:80/~bugman/hack.htm
http://wildsau.idv.uni-linz.ac.at/~klon/underground/underground.html
http://www.primenet.com/~rwaldin/FlicIP.html
http://icecube.acf-lab.alaska.edu/~fstbo/warez/home.html
http://www.intersurf.com/~materva/list.html#hacking
http://www.rit.edu/~jmb8902/hacking.html
http://jax.gttw.com/~bugman/jolly/jolly.htm
http://www.worldaccess.nl/~remko/
http://www.2600.com/
http://www.shadow.net/~critta66/
http://www.synapse.net/~koolaid/cracks.html
http://www.scit.wlv.ac.uk/~cs6171/
> Things like "Alta Vista" are your friend!

sure.

btw
have you ever submitted a query like this:

root:0:0 

:)
extremely nice results come up... you can collect passwd files....


a.

-----------------------------------------------------------------------------
Date: Sat, 29 Jun 1996 14:19:58 +0200 (MET DST)
From: "Rob J. Nauta" <rob@brasaap.iaehv.nl>
Message-Id: <199606291219.OAA01571@brasaap.iaehv.nl>

I've grabbed it too (took about 2 hours because of a very slow link). This
is what is in it:

drwx------ 1013/2000         0 Jun 22 08:16 1996 rootkit/
-rw------- 1013/2000      4877 Jun 22 06:14 1996 rootkit/du.c
-rw------- 1013/2000     12503 Jun 22 06:14 1996 rootkit/es.c
-rw------- 1013/2000      5588 Jun 22 06:14 1996 rootkit/du5.c
-rw------- 1013/2000      3031 Jun 22 06:15 1996 rootkit/fix.c
-rw------- 1013/2000      8583 Jun 22 06:15 1996 rootkit/if.c
-rw------- 1013/2000      1727 Jun 22 06:15 1996 rootkit/host.c
-rw------- 1013/2000     21262 Jun 22 06:15 1996 rootkit/ifconfig.c
-rw------- 1013/2000     14505 Jun 22 06:17 1996 rootkit/inet.c
-rw------- 1013/2000       629 Jun 22 06:17 1996 rootkit/ipintrq.c
-rw------- 1013/2000     17661 Jun 22 06:17 1996 rootkit/ls.c
-rw------- 1013/2000     24450 Jun 22 06:17 1996 rootkit/ls5.c
-rw------- 1013/2000      6660 Jun 22 06:18 1996 rootkit/main.c
-rw------- 1013/2000      5975 Jun 22 06:18 1996 rootkit/ns.c
-rw------- 1013/2000      7883 Jun 22 06:19 1996 rootkit/mbuf.c
-rw------- 1013/2000     36196 Jun 22 06:19 1996 rootkit/ps.c
-rw------- 1013/2000     11161 Jun 22 06:20 1996 rootkit/revarp.c
-rw------- 1013/2000      8697 Jun 22 06:20 1996 rootkit/route.c
-rw------- 1013/2000     28908 Jun 22 06:21 1996 rootkit/sl.c
-rw------- 1013/2000      2000 Jun 22 06:21 1996 rootkit/z2.c
-rw------- 1013/2000      2810 Jun 22 06:22 1996 rootkit/unix.c
-rw------- 1013/2000     30720 Jun 22 06:34 1996 rootkit/XtermSpy.tar
-rw------- 1013/2000       776 Jun 22 06:47 1996 rootkit/invis.c
-rw------- 1013/2000     35003 Jun 22 06:47 1996 rootkit/newhak20.zip
-rw------- 1013/2000      1242 Jun 22 06:47 1996 rootkit/sendmail.sh
-rw------- 1013/2000       866 Jun 22 06:47 1996 rootkit/socdmini.c
-rw------- 1013/2000     21415 Jun 22 06:48 1996 rootkit/socdmn13.zip
-rw------- 1013/2000         0 Jun 22 06:49 1996 rootkit/PasswdLeach
-rw------- 1013/2000     20480 Jun 22 06:49 1996 rootkit/fspscan.tar
-rw------- 1013/2000    230286 Jun 22 06:51 1996 rootkit/ptm228.zip
-rw------- 1013/2000      1157 Jun 22 06:53 1996 rootkit/.comments
-rw------- 1013/2000     22941 Jun 22 06:54 1996 rootkit/DTMF-decoder
-rw------- 1013/2000     68891 Jun 22 06:55 1996 rootkit/Whitebox.ami
-rw------- 1013/2000    322529 Jun 22 06:57 1996 rootkit/bbeep010.zip
-rw------- 1013/2000     42643 Jun 22 06:56 1996 rootkit/boxes.zip
-rw------- 1013/2000      6868 Jun 22 06:55 1996 rootkit/omnibox.exe
-rw------- 1013/2000      4456 Jun 22 06:57 1996 rootkit/redbox.txt
-rw------- 1013/2000     32340 Jun 22 06:57 1996 rootkit/tmaster.zip
-rw------- 1013/2000    332473 Jun 22 07:00 1996 rootkit/p80box.zip
-rw------- 1013/2000      3142 Jun 22 06:59 1996 rootkit/white.faq
-rw------- 1013/2000     75769 Jun 22 07:01 1996 rootkit/bd60.lha
-rw------- 1013/2000      3107 Jun 22 07:01 1996 rootkit/red.faq
-rw------- 1013/2000       481 Jun 22 07:11 1996 rootkit/gethsts
-rw------- 1013/2000     85206 Jun 22 07:20 1996 rootkit/bow5.txt
-rw------- 1013/2000     11208 Jun 22 07:31 1996 rootkit/trisec.tgz
-rw------- 1013/2000     10744 Jun 22 07:38 1996 rootkit/nfsshell.zip
-rw------- 1013/2000      2380 Jun 22 07:38 1996 rootkit/slugger.zip
-rw------- 1013/2000     33792 Jun 22 07:39 1996 rootkit/lhand.tar
-rw------- 1013/2000     61440 Jun 22 07:39 1996 rootkit/ypx.tar
-rw------- 1013/2000     79041 Jun 22 07:40 1996 rootkit/rootkit.zip
-rw------- 1013/2000     20524 Jun 22 07:45 1996 rootkit/hacker_test.txt
-rw------- 1013/2000      5872 Jun 22 07:58 1996 rootkit/ghba.c
-rw------- 1013/2000         0 Jun 22 07:58 1996 rootkit/marry.c
-rw------- 1013/2000      3722 Jun 22 07:58 1996 rootkit/probe.c
-rw------- 1013/2000     17334 Jun 22 07:59 1996 rootkit/sequence.c
-rw------- 1013/2000      9767 Jun 22 07:59 1996 rootkit/spoof.c
-rw------- 1013/2000     74155 Jun 22 08:00 1996 rootkit/rootkit-linux.tgz
-rw------- 1013/2000     14207 Jun 22 08:01 1996 rootkit/linux_sn.gz
-rw------- 1013/2000     30720 Jun 22 08:02 1996 rootkit/udpstorm.tar
-rw------- 1013/2000      3124 Jun 22 08:14 1996 rootkit/arnudp001.c
-rw------- 1013/2000      5772 Jun 22 08:02 1996 rootkit/nuke.c
-rw------- 1013/2000     12544 Jun 22 08:03 1996 rootkit/sunsniff.c
-rw------- 1013/2000      3072 Jun 22 08:03 1996 rootkit/rdist.hak
drwx------ 1013/2000         0 Jun 22 08:09 1996 rootkit/exploit/
-rw------- 1013/2000       753 Jun 22 08:05 1996 rootkit/exploit/irix-colorview.asc
-rw------- 1013/2000       305 Jun 22 08:05 1996 rootkit/exploit/irix-serial_ports.asc
-rw------- 1013/2000      2561 Jun 22 08:09 1996 rootkit/exploit/linux-abuser.asc
-rw------- 1013/2000      1171 Jun 22 08:08 1996 rootkit/exploit/linux-dump.txt.asc
-rw------- 1013/2000      3033 Jun 22 08:09 1996 rootkit/exploit/linux-filter.asc
-rw------- 1013/2000       699 Jun 22 08:08 1996 rootkit/exploit/linux-lpr.sh.asc
-rw------- 1013/2000      8550 Jun 22 08:08 1996 rootkit/exploit/linux-mailx.asc
-rw------- 1013/2000      1959 Jun 22 08:09 1996 rootkit/exploit/linux-mh.asc
-rw------- 1013/2000      4250 Jun 22 08:09 1996 rootkit/exploit/linux-pop3d.asc
-rw------- 1013/2000      3273 Jun 22 08:08 1996 rootkit/exploit/linux-restorefont.asc
-rw------- 1013/2000      2279 Jun 22 08:08 1996 rootkit/exploit/linux-rxvt.txt.asc
-rw------- 1013/2000      2686 Jun 22 08:08 1996 rootkit/exploit/linux-sigurg.c.asc
-rw------- 1013/2000       842 Jun 22 08:08 1996 rootkit/exploit/linux-splitvt.c.asc
-rw------- 1013/2000      2562 Jun 22 08:09 1996 rootkit/exploit/linux-wozzeck.asc
-rw------- 1013/2000      1406 Jun 22 08:07 1996 rootkit/exploit/multiple-xfree.asc
-rw------- 1013/2000       660 Jun 22 08:07 1996 rootkit/exploit/sol-expre-vi.asc
-rw------- 1013/2000       378 Jun 22 08:07 1996 rootkit/exploit/sol-ffcore.sh.asc
-rw------- 1013/2000      3040 Jun 22 08:07 1996 rootkit/exploit/sol-holeutmp.c.asc
-rw------- 1013/2000      4518 Jun 22 08:07 1996 rootkit/exploit/sol-psrace.asc
-rw------- 1013/2000       951 Jun 22 08:07 1996 rootkit/exploit/sol-swapuid.asc
-rw------- 1013/2000      4180 Jun 22 08:07 1996 rootkit/exploit/sun-chuidproc.c.asc
-rw------- 1013/2000        99 Jun 22 08:06 1996 rootkit/exploit/sun-loadmodule1.sh.asc
-rw------- 1013/2000       183 Jun 22 08:06 1996 rootkit/exploit/sun-loadmodule2.sh.asc
-rw------- 1013/2000      4621 Jun 22 08:06 1996 rootkit/exploit/sun-passwdrace.sh.asc
-rw------- 1013/2000      2454 Jun 22 08:06 1996 rootkit/exploit/sun-psrace.c.asc
-rw------- 1013/2000      1373 Jun 22 08:06 1996 rootkit/exploit/sun-rdist-overflow.sh.asc
-rw------- 1013/2000       328 Jun 22 08:05 1996 rootkit/exploit/sun-rdist-p.sh.asc
-rw------- 1013/2000       260 Jun 22 08:05 1996 rootkit/exploit/sun-rdist-u.sh.asc
-rw------- 1013/2000       427 Jun 22 08:05 1996 rootkit/exploit/ult-chroot.asc
-rw------- 1013/2000      1444 Jun 22 08:05 1996 rootkit/exploit/ult-msgs.asc
-rw------- 1013/2000      3770 Jun 22 08:02 1996 rootkit/exploit/hpux-vhe.asc
-rw------- 1013/2000      5193 Jun 22 08:03 1996 rootkit/flash4.c
-rw------- 1013/2000     18685 Jun 22 08:12 1996 rootkit/ypghost060.tar.gz
-rw------- 1013/2000     14044 Jun 22 08:14 1996 rootkit/hsh002.c
-rw------- 1013/2000      9950 Jun 22 08:14 1996 rootkit/ypsnarf.c
drwx------ 1013/2000         0 Jun 22 08:31 1996 rootkit/misc/
-rw------- 1013/2000      3438 Jun 22 08:17 1996 rootkit/misc/a_bomb.zip
-rw------- 1013/2000     43653 Jun 22 08:18 1996 rootkit/misc/aio5.zip
-rw------- 1013/2000       732 Jun 22 08:19 1996 rootkit/misc/amail.zip
-rw------- 1013/2000       732 Jun 22 08:19 1996 rootkit/misc/amail.zi
-rw------- 1013/2000      3504 Jun 22 08:20 1996 rootkit/misc/anarch.zip
-rw------- 1013/2000      3713 Jun 22 08:20 1996 rootkit/misc/arpanet1.zip
-rw------- 1013/2000      5603 Jun 22 08:21 1996 rootkit/misc/arpanet2.zip
-rw------- 1013/2000      3847 Jun 22 08:21 1996 rootkit/misc/arpanet3.zip
-rw------- 1013/2000      2050 Jun 22 08:22 1996 rootkit/misc/arpanet4.zip
-rw------- 1013/2000     17040 Jun 22 08:23 1996 rootkit/misc/atomic.zip
-rw------- 1013/2000      1189 Jun 22 08:23 1996 rootkit/misc/autovon1.zip
-rw------- 1013/2000      4345 Jun 22 08:29 1996 rootkit/misc/mnt.tar.gz
-rw------- 1013/2000     47258 Jun 22 08:29 1996 rootkit/misc/nfsshell.c
-rw------- 1013/2000     79041 Jun 22 08:30 1996 rootkit/misc/rootkit.zip
-rw------- 1013/2000      2226 Jun 22 08:30 1996 rootkit/misc/rpc_chk.sh
-rw------- 1013/2000     13472 Jun 22 08:30 1996 rootkit/misc/seq_number.c
-rw------- 1013/2000     21415 Jun 22 08:30 1996 rootkit/misc/socket_demon13.zip
-rw------- 1013/2000     19845 Jun 22 08:30 1996 rootkit/misc/xwatchwin.tar.gz
-rw------- 1013/2000      2855 Jun 22 08:30 1996 rootkit/misc/xkey.c
-rw------- 1013/2000       577 Jun 22 08:30 1996 rootkit/misc/xcrowbar.c
-rw------- 1013/2000      8065 Jun 22 08:31 1996 rootkit/misc/ypx.sh.gz
-rw------- 1013/2000     19638 Jun 22 08:31 1996 rootkit/misc/solsniffer.c
-rw------- 1013/2000     12449 Jun 22 08:31 1996 rootkit/misc/ESniff.c

It isn't a very good collection. The file is big because it includes
some vague PC software, but most zip files are corrupted.
Most files don't have anything to do with UNIX security; white.faq
is a textfile about building a portable dialer. The PC software is
mostly dialers and box software.

It includes my own software, YPX no less than 3 times, both in the
misc directory as well as a ypx.tar.gz which includes both source and
the shar file. misc/ESniff.c is the same as es.c, and some other
things are also duplicated. It includes modified versions of ls, du,
ifconfig, etc, which are easy to modify by the user himself, and it
includes tools like host.c which are totally legitimate.

Finally, it includes two versions of the original rootkit:
-rw------- 1013/2000     74155 Jun 22 08:00 1996 rootkit/rootkit-linux.tgz
-rw------- 1013/2000     79041 Jun 22 07:40 1996 rootkit/rootkit.zip
which both show their original early 1994 dates. The inconsistent
archiving is also remarkable, gzipped PC software, and tar, tgz, zip,
lha format files with pure UNIX source. I guess the .ami files are
amiga binaries.

To summarize: it looks like someone finally got their hands on the
original rootkit from 1994, and bundled it with an incredible amount
of crap. To call it 'rootkit' is misleading, although it includes the
original. It includes nothing special, no ip spoofers, only well-known
sniffers, which suggests the guy that put this together did it with
just stuff from some www pages, bugtraq archive and HPAV ftp sites.

There are better hacker archives around, like http://www.escape.com/~t3/
it looks like most of those tools are grabbed from there anyway.
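The two observations above that matter to a defender are that the archive carries trojaned replacements for ls, du, ifconfig and friends, and that it duplicates files under different names (misc/ESniff.c is es.c, rootkit.zip appears twice). Both are caught by the same technique, content hashing: record a baseline of the known-good binaries and compare later, and group files by hash to spot duplicates. The script below is an added example written for this digest, not code from the list or from the archive; it works on constructed dummy files in a temporary directory (the names ls, du, ifconfig, es.c and misc/ESniff.c are only illustrative stand-ins), so it runs anywhere without touching a real /bin.

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity check plus duplicate detection by hash.

Added example, not from the digest. A rootkit of the kind described
replaces ls, du, ifconfig, ps and similar tools with trojaned copies;
the defender's check is to hash the known-good files once and compare
on every later run. demo() builds a constructed scenario in a temp dir.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 in 64 KiB chunks (binaries can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Record hash, size and permission bits of each named file under root."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        st = os.stat(path)
        baseline[name] = {
            "sha256": sha256_of(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,  # keeps setuid/setgid/sticky bits
        }
    return baseline


def verify(root, baseline):
    """Return {name: reason} for every baselined file that no longer matches."""
    findings = {}
    for name, rec in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings[name] = "missing"
            continue
        st = os.stat(path)
        if sha256_of(path) != rec["sha256"]:
            findings[name] = "content changed"
        elif (st.st_mode & 0o7777) != rec["mode"]:
            findings[name] = "mode changed"
    return findings


def find_duplicates(root):
    """Group every file under root by content hash; keep groups larger than one."""
    by_hash = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            by_hash.setdefault(sha256_of(path), []).append(rel)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def demo():
    """Constructed scenario: dummy 'binaries' plus one duplicated source file.

    Returns (findings, duplicates) so the result can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "misc"))
        files = {
            "ls": b"ls-v1", "du": b"du-v1", "ifconfig": b"ifconfig-v1",
            "es.c": b"/* sniffer source */", "misc/ESniff.c": b"/* sniffer source */",
        }
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
            os.chmod(os.path.join(root, name), 0o755)

        baseline = build_baseline(root, ["ls", "du", "ifconfig"])
        duplicates = find_duplicates(root)   # es.c and misc/ESniff.c match

        # Simulate what a rootkit install leaves behind.
        with open(os.path.join(root, "ls"), "wb") as f:
            f.write(b"ls-trojaned")           # replaced binary
        os.chmod(os.path.join(root, "du"), 0o4755)   # setuid bit added
        os.remove(os.path.join(root, "ifconfig"))    # tool deleted

        return verify(root, baseline), duplicates


if __name__ == "__main__":
    findings, duplicates = demo()
    for name, reason in sorted(findings.items()):
        print(f"{name}: {reason}")
    for group in duplicates.values():
        print("duplicate content:", ", ".join(group))
```

On a real host the baseline must be taken from trusted media before the machine is exposed and stored off the box (or signed), since a rootkit that can replace ls can also edit a baseline file left beside it; the hash comparison is only as good as the copy of the baseline you trust.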
-----------------------------------------------------------------------------

-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science       voice: 61-42-214-327|
| |  _ \\   /| _/     | University of Wollongong       fax: 61-42-214-329|
| |_/ \/ \_/ |_| (tm) | LiNuX- iNTEL justification. mobile: 61-0412139269|
|                     |     Computer Security a utopian dream...         |
+---------------------+--------------------------------------------------+
