6084709 2001-02-12  20:46  /28 rader/ Mathias Hansson (hopped up on what you mopped up)
Mottagare: Cracking erfarenhetsutbyte <10457>
Ärende: tr0nkit8 
------------------------------------------------------------
(. najs med exploits som fixar burken .)
"
From: Roberto <cinini@TERRA.ES>
Subject:      massive bind8 exploitation - t0rnkit8  
To: INCIDENTS@SECURITYFOCUS.COM

Hola again !
It has become to my attention that there is massive
bind8.2(p3/p5/p7) exploitation taking place, and
tornkit8 being used. There are already worms for this
on many underground irc channels floating around for
users to use..

Here are some things to look out for tornkit8 and also
if ur bind has been upgraded to 8.2.3-REL chances
are its the automated worm thats been there...
also u might want to look for dir /lib/ldd.so.. which
exists on some machines tornkit8 is installed..  there
is hidden files tks (sniffer) tkp(parser) and tkps(ssh
snifferlog), also one ssh port being used a lot is 47017
(default tornkit) as well as 47889 keep ur eyes open
for these..

More info as i get it !

Sincerly,
Roberto
"
(6084709) ------------------------------------------