Hello,

I wrote the Passive OS perl scripts for Lance a while back. I didn't know you had monthly scans until just yesterday. That is really cool. Well, I downloaded the scan logs and did a quick analysis of them (I know I need to take my time). But I really liked the recovery off a tcpdump file. I couldn't find a utility to do this for me, so I wrote one. I thought you might be interested in having the program. You can make it available if you want. I used perl to code it, both because I like perl and also because the lovely TCT uses lots of perl :) It's a bit crude right now: it can't do passive downloads and it doesn't set the name of the files for you, but hey ... it's only v0.1, right?

BTW, my preliminary guesses to the questions (because I might get caught up and not have enough time to give them proper attention) are as follows:

Q1: WU-FTPd SITE EXEC 7 exploit. Most probably the zxploit from copy.tgz.

Q2: Had a shell through ftp, with which he wiped out the nobody account and created a dns account. He then telnetted in, created some hidden directories and downloaded his three programs from teleport:gucamole@ftp.teleport.go.ro, at which time he gets three tarballs: zer0, copy, & ooty. He then extracts these and runs the Go script from zer0.tar.gz.

Q3: Well, actually the Go script tried to hide from MAC times with "touch -acmr ." This uses an untouched file as a reference and sets the new file to the same MAC times as the old one.

Q4: The rootkit is t0rn's and the adore kernel module. I'm not familiar with t0rn, but adore is not new. It mainly looks like t0rn just takes adore and adds modified ssh daemons on port 6666 (by default). So I guess you could say it's a modified adore rootkit.

Q5: Recovered the binaries and included the perl script I wrote that can do this for you.

Q6: It appears to hide files and processes in the process list as well as doing basic masking of promiscuous mode. It also can redirect file IO, but I don't *think* I saw that used.

Q7: How to extract binary data from tcpstreams :) Also became more familiar with the pre-cooked scripts that are in use for rootkits and xploits.

Q8: Well, I need to do more, such as jot down times of each thing I see etc. I really just read through the packets, made my program extract the downloads and then read through those. In total it took me about 1 hour to read the sniffer logs and around 4 hours to get the bugs worked out of my program :)

Bonus: Well, I'm not sure really what is desired here. I guess you could write a letter to the machine that most of the activity came from, addressed to either root or administrator. Or you could write to the attacker's account (teleport). I wouldn't suggest the latter though. As far as logs go, could you just give them the remote syslog file (since his Go script wouldn't be able to detect it) and the tcpdump file to verify times and events?

Oh well, hope you enjoy the script!

PS. Hopefully I didn't just re-invent the wheel. If you know where I can get utilities like these or even the script kiddie tarballs I would be interested. I already visit places like packetstorm to get the more mainstream stuff (like adore), but I'm referring to the IRC junk (like t0rn) that I don't have time to search for.

Later,
Craig Smith
Cardinal Solutions
csmith@cardinalsolutions.com
--
Win95 is not a virus; a virus does something. -- unknown source
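The recovery the message describes (carving a downloaded binary back out of a tcpdump capture by reassembling one direction of a TCP stream) as an added example; this is not Craig's perl script but a stand-alone Python sketch of the same idea, written against a constructed capture rather than the scan's logs. It reads a classic libpcap file directly, keys each stream on (src, sport, dst, dport), and handles the out-of-order, retransmitted and overlapping segments a real capture will contain; naming the recovered file is still left to the analyst, as in the v0.1 script.

```python
import struct

def parse_pcap(data):
    """Yield link-layer frames from a classic little-endian libpcap file (24-byte global header)."""
    assert struct.unpack_from("<I", data)[0] == 0xA1B2C3D4, "classic little-endian pcap only"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]  # ts_sec, ts_usec, incl_len, orig_len
        off += 16
        yield data[off:off + incl_len]
        off += incl_len
def tcp_segments(frames):
    """Yield (stream key, seq, payload) for each IPv4/TCP frame on Ethernet that carries data."""
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:  # not IPv4, or not TCP
            continue
        ihl, total = (f[14] & 0x0F) * 4, struct.unpack_from("!H", f, 16)[0]
        t = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", f, t)
        payload = f[t + (f[t + 12] >> 4) * 4:14 + total]  # skip TCP options, drop Ethernet padding
        if payload:
            yield (f[26:30], sport, f[30:34], dport), seq, payload
def reassemble(pcap_bytes):
    """Rebuild each one-way stream by seq number; handles out-of-order, retransmitted and overlapping segments."""
    streams = {}
    for key, seq, payload in tcp_segments(parse_pcap(pcap_bytes)):
        streams.setdefault(key, []).append((seq, payload))
    out = {}
    for key, segs in streams.items():
        segs = sorted(segs)
        buf, nxt = bytearray(), segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= nxt:
                continue  # pure retransmit of data already written
            buf += payload[max(nxt - seq, 0):]  # trim the overlapping head, keep the new tail
            nxt = end  # a gap in the capture (seq > nxt) is joined without padding
        out[key] = bytes(buf)
    return out
def _frame(sport, dport, seq, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero, which offline parsing ignores)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
def sample_pcap():
    """Constructed capture of a small download: out of order, one retransmit, one overlap."""
    segs = [_frame(20, 1025, 1008, b"-MAGIC-B"), _frame(20, 1025, 1000, b"\x7fELF\x01\x01\x01\x00"),
            _frame(20, 1025, 1000, b"\x7fELF\x01\x01\x01\x00"), _frame(20, 1025, 1012, b"IC-BINARY")]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in segs)
```

Running reassemble(sample_pcap()) yields one stream, 10.0.0.1:20 to 10.0.0.2:1025, whose bytes start with the ELF magic; on a real capture the caller writes each stream's bytes to a file and identifies it with file(1) or by its magic.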