Text: t0rnkit analysis
Author: lockdown(www.lockeddown.net)
Date: July 11, 2001
I got my hands on a copy of the rootkit tornkit v8, so I decided to do a write-up on it. I have not installed it because I only have a single box and don't want to deal with it. Let's start with what is mentioned in the readme:
"New dirs..(proc/log/hosts/file are now hidden in /usr/include/*.h respectively)"
"Sniffer/Sauber/Parser now moved to /lib/ldd.so/"
"slocate (not really needed since updatedb uses find and find is backdoored but added none the less)"
"lsof (ok so i forgot about this)"
"ssh l/p logger - way too many people rely on ssh innit"
"hey bitchass admin lets see u find the md5sum difference now :)"
Now onto the install script. Here are 3 variables and their defaults, meant to be changed:
hax0r=tornkit8@usa.net
dpass=t0rnkit
dport=47017
The first action taken is that syslogd is killed. Then libproc.a, libproc.so, and libproc.so.2.0.6 are copied to /lib (note: libproc.so is a symbolic link to libproc.so.2.0.6). ldconfig is run to register the new libraries. Then, before going any further, it checks whether tornkit is already installed using the following command: grep in.inetd /etc/rc.d/rc.sysinit (I think that looks for old versions; for this version I would grep for xntps). It checks syslog.conf for remote logging and, if detected, notifies the user. The password is encrypted using pg and stored in /lib/libest-2.so.7. SSH is trojaned. The original /bin/login is backed up to /bin/xlogin. It then deletes the directory it works out of and the compressed copy. syslogd is started along with inetd or xinetd.
The following files are installed:
/lib/libproc.a
/lib/libproc.so.2.0.6
/lib/libproc.so (symbolic link to /lib/libproc.so.2.0.6)
/lib/lidps1.so
/usr/include/file.h
/usr/include/hosts.h
/usr/include/log.h
/usr/include/proc.h
/lib/lblip.tk/shdcf2
/lib/lblip.tk/shhk.pub
/lib/lblip.tk/shk
/lib/lblip.tk/shrs
/usr/sbin/xntps (129.112.21.181 hardcoded into binary)
/dev/srd0 (contains encrypted md5sums)
/lib/ldd.so/tks (sniffer)
/lib/ldd.so/tkp (parser)
/lib/ldd.so/tksb (long cleaner)
The following binaries are replaced with trojans (time stamps are restored):
/bin/ps
/sbin/ifconfig
/bin/netstat
/usr/bin/top
/usr/bin/slocate
/bin/login (extra bytes are added to match file sizes)
/bin/ls
/usr/bin/find
/usr/bin/dir
/usr/sbin/lsof
/usr/bin/md5sum
/sbin/syslogd
/usr/bin/pstree
The md5 checksum of each of the following binaries is encrypted and stored in /dev/srd0:
/sbin/ifconfig
/bin/ps
/bin/ls
/bin/netstat
/usr/bin/find
/usr/bin/top
/usr/sbin/lsof
/usr/bin/slocate
/usr/bin/dir
/usr/bin/md5sum
/bin/login
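A defender-side check built from the two lists above (added here as an example; it is not part of the original write-up or of the kit): it reports which of the listed install paths exist and compares the replaced binaries against a baseline of hashes using a trusted md5sum supplied by the caller, since the installed /usr/bin/md5sum is one of the trojans. The baseline file format and the ROOT prefix for scanning an offline image are assumptions.

```shell
#!/bin/sh
# Indicator paths taken from the t0rnkit v8 write-up above (files the kit
# installs, plus the /bin/xlogin backup and the /lib/libest-2.so.7 password file).
T0RN_PATHS="/lib/lidps1.so /usr/include/file.h /usr/include/hosts.h
/usr/include/log.h /usr/include/proc.h /lib/lblip.tk/shdcf2 /lib/lblip.tk/shhk.pub
/lib/lblip.tk/shk /lib/lblip.tk/shrs /usr/sbin/xntps /dev/srd0 /lib/ldd.so/tks
/lib/ldd.so/tkp /lib/ldd.so/tksb /bin/xlogin /lib/libest-2.so.7"

# Binaries the write-up says are replaced. Their hashes must come from a
# trusted md5sum (rescue media, statically linked copy), because the installed
# /usr/bin/md5sum is one of the trojans.
T0RN_BINARIES="/bin/ps /sbin/ifconfig /bin/netstat /usr/bin/top /usr/bin/slocate
/bin/login /bin/ls /usr/bin/find /usr/bin/dir /usr/sbin/lsof /usr/bin/md5sum
/sbin/syslogd /usr/bin/pstree"

# t0rn_check_paths ROOT: print each indicator path that exists under ROOT.
# ROOT is "" for the live host or the mount point of an offline image; the
# shell's [ -e ] test is not among the trojaned tools (ls/find/dir/slocate),
# but scanning the image from clean media is still the reliable route.
t0rn_check_paths() {
  root="$1"
  for p in $T0RN_PATHS; do
    [ -e "$root$p" ] && echo "$p"
  done
  return 0
}

# t0rn_verify_hashes ROOT BASELINE MD5TOOL: compare each replaced binary with
# BASELINE (assumed format: "<md5>  <path>" per line, as md5sum prints it,
# recorded while the host was clean) using MD5TOOL, a trusted md5sum.
# Prints "MISMATCH <path>" per altered file; the return status is the count.
t0rn_verify_hashes() {
  root="$1"; baseline="$2"; md5tool="$3"; bad=0
  for b in $T0RN_BINARIES; do
    [ -f "$root$b" ] || continue
    want=$(awk -v p="$b" '$2 == p { print $1 }' "$baseline")
    [ -n "$want" ] || continue
    have=$("$md5tool" "$root$b" | awk '{ print $1 }')
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $b"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Live-host usage (empty ROOT): list whichever indicator paths are present.
t0rn_check_paths ""
```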