Information about the t0rn Rootkit
This rootkit was written to be fast and easy to install. It was found on
some infected Red Hat 6.0/7.0/7.1 systems. A complete analysis of the t0rn
rootkit, written by Toby Miller for SANS, can be found at:
http://www.ossec.net/rootkits/studies/t0rn.txt
The README file can be read here
torn.tar.gz c3ad66bd670fdf7a2eb6a7d736c75b80
Files to search:
- usr/src/.puta
- usr/info/.t0rn
- lib/ldlib.tk
- etc/ttyhash
- sbin/xlogin
- */ldlib.tk
- */.t0rn
- */tk8
- */.puta
- */libproc.a
Open ports used by t0rn:
*All files marked with an "*" need to be searched for across the whole system.
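
The file list above can be checked mechanically. The sh function below is an added example, not part of rootcheck or of the original page; the names t0rn_scan, T0RN_FIXED and T0RN_ANYWHERE are illustrative, and it assumes the entries without "*" are relative to the filesystem root. A match on name alone is a lead to examine, not proof of infection.

```sh
#!/bin/sh
# Added example (not part of rootcheck): list files under ROOT that match the
# t0rn indicators from the "Files to search" list.

# Entries without "*": checked only at this exact location, relative to ROOT.
T0RN_FIXED="usr/src/.puta usr/info/.t0rn lib/ldlib.tk etc/ttyhash sbin/xlogin"
# Entries written "*/name": the file name is searched for in the whole tree.
T0RN_ANYWHERE="ldlib.tk .t0rn tk8 .puta libproc.a"

# t0rn_scan [ROOT] prints one matching path per line (nothing if none match).
# ROOT defaults to /; pass a mount point to scan a disk image offline.
t0rn_scan() {
    root="${1:-/}"
    root="${root%/}"                 # "/mnt/img/" -> "/mnt/img", "/" -> ""

    # Build "-name A -o -name B ..." from the wildcard list.
    set --
    for name in $T0RN_ANYWHERE; do
        set -- "$@" -o -name "$name"
    done
    shift                            # drop the leading -o

    {
        for rel in $T0RN_FIXED; do
            path="$root/$rel"
            # -L also catches a dangling symlink planted at the path.
            if [ -e "$path" ] || [ -L "$path" ]; then
                printf '%s\n' "$path"
            fi
        done
        # Unreadable directories are skipped quietly; run as root for full coverage.
        find "${root:-/}" \( "$@" \) -print 2>/dev/null
    } | sort -u                      # a fixed path can also match by name
}

# When run as a script with an argument, scan that root.
if [ "$#" -gt 0 ]; then
    t0rn_scan "$1"
fi
```
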
**If you have any more information, send it to: mail1, or to mail2.
$RootCheck: torn.php ,v 1.0 2003/10/16, Daniel B. Cid$