Security Incidents mailing list archives
Re: nouser - rootkit ?
From: Eric Brandwine <ericb () UU NET>
Date: 12 Mar 2002 01:08:14 +0000
"kr" == Konrad Rieck <kr () roqe org> writes:
kr> On Mon, Mar 11, 2002 at 05:57:38PM +0000, Eric Brandwine wrote:
Either it's a red herring, and the real root kit is much better hidden, or it'll be almost trivial to clean up. But you've no way of knowing. I'd rebuild the box from scratch, if it were mine.
kr> I am just curious about the "red herring"-part of the story and the
kr> term "real rootkit"...
kr> I wonder if there are really attackers out there installing bogus-rootkits
kr> in order to protect the real ones. Has anybody on this list detected such
kr> kind of "feints"?
kr> In my opinion this behaviour is very unlikely, but I am willing to learn.

I have definitely found systems with multiple rootkits installed on them. Some of them were clearly systems that had been left neglected (someone sets up a factory stock RedHat box in a lab, quits their job, it sits there for 3 years), and repeatedly compromised. On some of them, it's so bad that the kiddies are stepping on each other's toes, and kicking each other off the boxes. Why is their taste in MP3s always so bad?

I've also run across occasions when crackers (not kiddies this time) will intentionally use less than their best rootkit on a system, to preserve the 0day in their best. The quality of rootkit used depends on the importance of the system to the attacker.

As for a genuine red herring, I can't say. I've never found one, but that doesn't mean that it's not there ;) Perhaps some of the systems that I mention above were cases of that...

It's just that this rootkit was so pathetic, either it's a joke, or it's really scary how easy it is to start a career in Internet crime.

Either way, the system was clearly vulnerable to something. Someone got in. It's possible that there's another root kit there, installed by the same attacker or another. You can't know until you take the system offline, and look at it without the kernel in the way. I'd rebuild it. And nothing you do will have any effect until you close the hole that they came in through in the first place.
ericb

--
Eric Brandwine        | Operating systems that cannot operate without a
UUNetwork Security    | windowing system have an inherent security disadvantage
ericb () uu net       | and should, in general, be eschewed over those that can
+1 703 886 6038       |      - Dan Farmer
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
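The offline look "without the kernel in the way" that Eric recommends, as an added example that is not part of the original thread: the suspect disk image is mounted read-only on a clean host and its files are compared against a known-good hash manifest and against the file listing the live (possibly lying) kernel reported. The mount layout, manifest and live listing are constructed sample data, not taken from any real incident.

```python
"""Offline integrity triage for a suspected (possibly multiple) rootkit.

Run on a clean analysis host with the suspect filesystem mounted read-only,
so the compromised kernel cannot hide files or fake binary contents.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def offline_hashes(mount: Path) -> dict:
    """Hash every regular file under the offline mount, keyed by relative path."""
    return {p.relative_to(mount).as_posix(): sha256_file(p)
            for p in sorted(mount.rglob("*")) if p.is_file()}


def triage(mount: Path, known_good: dict, live_listing: set) -> dict:
    """Classify files seen offline.
    modified: in the manifest but hash differs (trojaned binary)
    unknown:  not in the manifest (dropped tool, maybe a second kit)
    hidden:   on disk offline but absent from what the live kernel showed
    """
    seen = offline_hashes(mount)
    return {
        "modified": sorted(p for p, h in seen.items()
                           if p in known_good and known_good[p] != h),
        "unknown": sorted(p for p in seen if p not in known_good),
        "hidden": sorted(p for p in seen if p not in live_listing),
    }


def demo() -> dict:
    """Constructed mount: a trojaned ps plus a tool in a hidden directory."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original ls")
    (root / "bin" / "ps").write_bytes(b"trojaned ps")
    (root / "tmp" / ".x").mkdir(parents=True)
    (root / "tmp" / ".x" / "sniff").write_bytes(b"dropped tool")
    known_good = {"bin/ls": hashlib.sha256(b"original ls").hexdigest(),
                  "bin/ps": hashlib.sha256(b"original ps").hexdigest()}
    live_listing = {"bin/ls", "bin/ps"}  # constructed: live kernel hid tmp/.x
    return triage(root, known_good, live_listing)
```

A clean result only shows that nothing in the manifest was touched; it says nothing about the hole the attacker came in through, which still has to be closed before the rebuilt box goes back online.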
Current thread:
- nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- Re: nouser - rootkit ? Ryan Russell (Mar 11)
- Re: nouser - rootkit ? Konrad Rieck (Mar 11)
- Re: nouser - rootkit ? Bruce Ediger (Mar 12)
- Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
- Re: nouser - rootkit ? Jose Nazario (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
- Re: nouser - rootkit ? Dave Dittrich (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? Brian Hatch (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- <Possible follow-ups>
- Re: nouser - rootkit ? Bill_Royds (Mar 12)