Back in the blackhat days, I do recall toying with t0rn and another very similar kit from some UK group I owned. Both had similar problems, especially the ps trojan, and lsof. Don't know if it was fixed in a later release (this was 4+ years ago), but it does look to be a clueless script kid who doesn't know his shit's not working. As far as ownership of lsof, here's a paste from one of the boxes I run, which is FreeBSD 4.8. As a side note, FreeBSD 5.0 requires suid to actually use the program by default.
[(02:19 PM)] [([EMAIL PROTECTED])] [(/usr/local/sbin)] # ls -all | grep lsof
-rwxr-sr-x  1 root  kmem  107692 Apr 22 19:57 lsof

Hope this can be some help.

-----Original Message-----
From: Earnest [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 22, 2003 7:14 AM
To: [EMAIL PROTECTED]
Subject: lsof t0rn problem

Hello All,

This morning I had some problems on the server, so I started to investigate and found out that libncurses.so.4 was missing... I recently upgraded mysql from 3.53 to 4.0.13, but that was it!

Okay, I did ln -s libncurses.so.5.2 libncurses.so.4

This quick fix resolved some problems. Then I ran chkrootkit and found out that some of the files are (might be) infected with t0rn... Which might be no problem, because chkrootkit checks libncurses as far as I know.

To make sure, I ran lsof, and there was no output at all. ls -la /usr/sbin/lsof told me that a different user (other than root) owned lsof... I downloaded a clean version of lsof, compiled, ran it, but the output seemed usual, no suspicious files or ports. Besides, the /usr/sbin/lsof had a "sia" set of attributes (which did not allow root to unlink the file, on top of that)... I changed that, and replaced the suspicious binary with a freshly compiled one.

The question is: is it a hacker attack? or some buggy software?? (mysql?) has anyone come across weird things like this?

regards
Earnest

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
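The checks both posters are doing by eye (who owns lsof, whether it carries setuid/setgid bits, and whether it has been locked down with chattr +sia so root cannot unlink it), as an added example that is not part of this thread. The sample `ls -l` and `lsattr` lines are constructed, and the baseline (owner root, a small set of acceptable system groups, setgid kmem treated as normal for lsof on the BSDs) is an assumption you would adjust per host. A hit is something to look at, not proof of a rootkit: as the reply notes, lsof on FreeBSD 5.0 needs setuid by default.

```python
"""Flag a system binary whose ls -l / lsattr output looks tampered with.

Added example, not code from the original thread. The sample lines are
constructed in the shape of `ls -l` (with full paths) and `lsattr` output.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample output (not from the thread). The first line mirrors the
# FreeBSD layout shown in the reply: setgid kmem is normal for lsof there.
LS_SAMPLES: Dict[str, str] = {
    "freebsd_ok":  "-rwxr-sr-x  1 root   kmem   107692 Apr 22 19:57 /usr/local/sbin/lsof",
    "wrong_owner": "-rwxr-xr-x  1 nobody nobody  88320 Jun 20 03:11 /usr/sbin/lsof",
    "setuid_root": "-rwsr-xr-x  1 root   root    35992 Jan 10  2003 /usr/sbin/lsof",
}
LSATTR_SAMPLES: Dict[str, str] = {
    "locked": "s-ia------------ /usr/sbin/lsof",        # chattr +sia, as in the original post
    "clean":  "---------------- /usr/local/sbin/lsof",
}

# Assumed baseline: system binaries belong to root and to a system group.
EXPECTED_OWNER = "root"
SAFE_GROUPS = {"root", "wheel", "bin", "kmem"}

_LS_RE = re.compile(
    r"^(?P<type>[-bcdlps])(?P<mode>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)
ATTR_NAMES = {"i": "immutable", "a": "append-only", "s": "secure-deletion"}


def parse_ls(line: str) -> Dict[str, str]:
    """Split one `ls -l` line into type, mode, owner, group and path."""
    m = _LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    return m.groupdict()


def parse_lsattr(line: str) -> Tuple[Set[str], str]:
    """Return (set of flag letters, path) for one `lsattr` line.

    The flag field width differs between e2fsprogs versions, so split on the
    first space rather than on a fixed width.
    """
    flags, _, path = line.strip().partition(" ")
    return set(flags) - {"-"}, path.strip()


def check_binary(ls_line: str, lsattr_line: Optional[str] = None) -> List[str]:
    """Return findings for one binary; an empty list means nothing looked off."""
    info = parse_ls(ls_line)
    mode = info["mode"]  # rwx for user (0-2), group (3-5), other (6-8)
    findings: List[str] = []

    if info["owner"] != EXPECTED_OWNER:
        findings.append(f"owner is {info['owner']}, expected {EXPECTED_OWNER}")
    if info["group"] not in SAFE_GROUPS:
        findings.append(f"group is {info['group']}, expected one of {sorted(SAFE_GROUPS)}")
    if mode[2] in "sS":
        findings.append("setuid bit set")
    if mode[5] in "sS" and info["group"] != "kmem":
        findings.append("setgid bit set")  # setgid kmem is the *BSD norm for lsof
    if mode[7] == "w":
        findings.append("world-writable")

    if lsattr_line is not None:
        flags, path = parse_lsattr(lsattr_line)
        if path != info["path"]:
            raise ValueError("ls and lsattr lines describe different paths")
        for flag in sorted(flags & set(ATTR_NAMES)):
            findings.append(f"{ATTR_NAMES[flag]} attribute set (chattr -{flag} to clear)")
    return findings


if __name__ == "__main__":
    for name, line in LS_SAMPLES.items():
        attr = LSATTR_SAMPLES["locked"] if "/usr/sbin/lsof" in line else LSATTR_SAMPLES["clean"]
        print(f"{name}: {check_binary(line, attr) or 'ok'}")
```

On a live box you would feed it `ls -l /usr/sbin/lsof` and `lsattr /usr/sbin/lsof` (lsattr is ext2/3-specific; on FreeBSD `ls -lo` shows the schg/sappnd flags instead) and treat any finding as a prompt to compare the file against a known-good copy, not as a verdict on its own.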