> I am just curious about the "red herring"-part of the story and the
> term "real rootkit"...
>
> I wonder if there are really attackers out there installing bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?
>
> In my opinion this behaviour is very unlikely, but I am willing to learn.

Yes, it is definitely real. I've detected it on two honeypots I've run
before, as well as one in 'real time' when I was brought in to clean up a
compromised machine. The intruders saw that I was onto them, and quickly
added a root /etc/passwd entry and shell in /etc/inetd.conf, and left for
a week. I cleaned up these backdoors, and left the machine with the 'real'
compromises as they were. (I'd moved the actual functionality to a
different secure machine, and the client wanted to see if they could catch
these guys, and were thus willing to let a vulnerable system stay that way.)

Indeed, a week later the intruders came back through their actual back
door, checked to see if the fake compromises were cleaned up, and looked
at other root activity. (I left some .bash_history entries that made it
look like root was checking the system for anything else, but not very
successfully.) The intruders figured they'd escaped, and proceeded to
abuse the system more.

Did we nab them? Nope. The admin that wanted me to find them reported to
the higher-ups and they just said to kill the broken machine and let it
lie. Oh well. 'Twas fun though, back before the days of honeypots and IDS.

But I can't say for sure that those three times are statistically
relevant. But it does happen.

--
Brian Hatch                     "You could be a winner"
  Systems and                   No purchase necessary.
  Security Engineer             Details inside."
www.hackinglinuxexposed.com

Every message PGP signed
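As an added defender-side example (not part of the original mail or thread), here is a small audit for the two easy-to-find backdoors the message describes: an extra UID 0 entry in /etc/passwd and a shell served from /etc/inetd.conf. The SHELLS list and both sample files are constructed for illustration; the point of the message is that clearing these tells you nothing about what else is on the box.

```python
# Added example, not from the original mail: flag the two decoy backdoors the
# message describes (an extra UID 0 account in /etc/passwd and a shell handed
# a socket by inetd). Input is text so it runs on the constructed samples
# below; on a suspect host read the real files instead.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "sh", "bash"}  # hypothetical


def extra_root_accounts(passwd_text):
    """Return account names other than 'root' that carry UID 0."""
    found = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; not a UID 0 hit, but worth eyeballing
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def shell_inetd_services(inetd_text):
    """Return (service, server_program) pairs where inetd launches a shell.
    inetd.conf fields: service type proto wait user server_program [args]."""
    found = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, program, args = fields[0], fields[5], fields[6:]
        if program in SHELLS or any(a in SHELLS for a in args):
            found.append((service, program))
    return found


def audit(passwd_text, inetd_text):
    """Run both checks; an empty result only means *these* tricks are absent."""
    return {"uid0": extra_root_accounts(passwd_text),
            "inetd": shell_inetd_services(inetd_text)}


# Constructed samples: a decoy 'toor' account and a shell on the ingreslock port.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
                 "toor:x:0:0:decoy:/:/bin/sh\n")
SAMPLE_INETD = ("# constructed inetd.conf\n"
                "ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                "ingreslock stream tcp nowait root /bin/sh sh -i\n")
```

Run `audit(open("/etc/passwd").read(), open("/etc/inetd.conf").read())` on a host that still uses inetd; a hit is a lead to keep digging, not a sign the cleanup is done.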
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 12:50:09 PST