Tornkit

When tornkit installation is started, it first shuts down the system logging daemon, syslogd.

It replaces several system executables with trojanized versions and adds a trojanized ssh daemon to the system as well.

Configuration files related to trojanized ssh daemon are saved to

/usr/info/.t0rn/shdcf /usr/info/.t0rn/shhk /usr/info/.t0rn/shhk.pub /usr/info/.t0rn/shrs

Trojanized ssh daemon itself will be moved to "/usr/sbin/nscd", and then started. It is also added to the end of the "/etc/rc.d/rc.sysinit" along with the following comment:

# Name Server Cache Daemon..

This way the trojanized sshd will be executed when system restarts. By default it uses port number 47017 for it. This is configurable, and the port number is saved to "/usr/info/.t0rn/shdcf".

Following system files are replaced with trojanized versions:

/bin/login Uses the password hash from "/etc/ttyhash" for backdoor access. Original "/bin/login" is saved to "/sbin/xlogin". /sbin/in.fingerd Altered fingerd that adds an open shell to port 2555 /bin/ls /bin/netstat /bin/ps /sbin/ifconfig /usr/bin/top /usr/bin/du /usr/bin/find These versions of system binaries do not show files, processes or network connections used by the kit.

Date and time stamps are preserved from the original system files and "/bin/login" installed by the kit is modified in a such way that its size appears to be the equal with the original "/bin/login".

The kit creates following configuration files and executables:

/usr/src/.puta/.1addr /usr/src/.puta/.1file /usr/src/.puta/.1logz /usr/src/.puta/.1proc /usr/src/.puta/t0rns /usr/src/.puta/t0rnp /usr/src/.puta/t0rnsb

Finally Tornkit starts a sniffer in background, enables telnetd, rsh and finger daemons in "/etc/inetd.conf", restarts inetd to activate changes made and starts syslogd.