>>>>> "kr" == Konrad Rieck <krat_private> writes: kr> On Mon, Mar 11, 2002 at 05:57:38PM +0000, Eric Brandwine wrote: >> Either it's a red herring, and the real root kit is much better >> hidden, or it'll be almost trivial to clean up. But you've no way of >> knowing. I'd rebuild the box from scratch, if it were mine. kr> I am just curious about the "red herring"-part of the story and the kr> term "real rootkit"... kr> I wonder if there are really attackers out there installing bogus-rootkits kr> in order to protect the real ones. Has anybody on this list detected such kr> kind of "feints"? kr> In my opinion this behaviour is very unlikely, but I am willing to learn. I have definitely found systems with multiple rootkits installed on them. Some of them were clearly systems that had been left neglected (someone sets up a factory stock RedHat box in a lab, quits their job, it sits there for 3 years), and repeatedly compromised. On some of them, it's so bad that the kiddies are stepping on each other's toes, and kicking each other off the boxes. Why is their taste in MP3s always so bad? I've also run across occasions when crackers (not kiddies this time) will intentionally use less than their best rootkit on a system, to preserve the 0day in their best. The quality of rootkit used depends on the importance of the system to the attacker. As for a genuine red herring, I can't say. I've never found one, but that doesn't mean that it's not there ;) Perhaps some of the systems that I mention above were cases of that... It's just that this rootkit was so pathetic, either it's a joke, or it's really scary how easy it is to start a career in Internet crime. Either way, the system was clearly vulnerable to something. Someone got in. It's possible that there's another root kit there, installed by the same attacker or another. You can't know until you take the system offline, and look at it without the kernel in the way. I'd rebuild it. And nothing you do will have any effect until you close the hole that they came in through in the first place. ericb -- Eric Brandwine | Operating systems that cannot operate without a UUNetwork Security | windowing system have an inherent security disadvantage ericbat_private | and should, in general, be eschewed over those that can +1 703 886 6038 | - Dan Farmer Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 12:28:11 PST