Re: nouser - rootkit ? [:multiple root kit thread:]

From: Dan Rohan (danat_private)
Date: Tue Mar 12 2002 - 09:26:59 PST


    I can verify that this practice is in place. Just last week I investigated a
    break-in with multiple instances of rootkits on a single Linux system: the
    system was rootkited both with the 'adore' kernel module and with a more
    standard binary-type rootkit. I can only draw the conclusion that the hacker
    was knowingly installing two different rootkits, because I found one of the
    hidden directories where both the adore kit AND the binaries were located.
    
    What doesn't make sense in a case like this is what the hacker is trying to
    accomplish.
    
    I tend to think that most security-minded folks would never discover a rootkit
    and then 'clean up' without re-installing. It is my personal opinion that that
    is horribly bad practice.
    
    Dan
    
    Bruce Ediger wrote:
    
    > On Mon, 11 Mar 2002, Konrad Rieck wrote:
    >
    > > I wonder if there are really attackers out there installing bogus-rootkits
    > > in order to protect the real ones. Has anybody on this list detected such
    > > kind of "feints"?
    >
    > I posted to usenet last year with the same question, because one
    > of the machines I tend got rooted.
    >
    > In response, some guy claimed he found a rootkit that had at least
    > two layers:
    >
    > http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net
    >
    > I'm not at all sure I believe this story: IRIX is pretty obscure,
    > and not very widely used.  Why would anyone go to the effort of
    > doing a "feint" rootkit to mask a "real" rootkit for so few targets?
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 16:26:08 PST