Security Incidents mailing list archives

Re: nouser - rootkit ?


From: Brian Hatch <incidents () ifokr org>
Date: Mon, 11 Mar 2002 19:45:50 -0800



I am just curious about the "red herring"-part of the story and the 
term "real rootkit"...

I wonder if there are really attackers out there installing bogus rootkits
in order to protect the real ones. Has anybody on this list detected this
kind of "feint"?

In my opinion this behaviour is very unlikely, but I am willing to learn.

Yes, it is definitely real.  I've detected it on two honeypots I've
run before, as well as one in 'real time' when I was brought in
to clean up a compromised machine.  The intruders saw that I
was onto them, and quickly added a root /etc/passwd entry and
shell in /etc/inetd.conf, and left for a week.  I cleaned up these
backdoors, and left the machine with the 'real' compromises as they
were.  (I'd moved the actual functionality to a different secure
machine, and the client wanted to see if they could catch these
guys, and were thus willing to let a vulnerable system stay that
way.)  Indeed, a week later the intruders came back through their
actual back door, checked to see if the fake compromises were
cleaned up, and looked at other root activity.  (I left some
.bash_history entries that made it look like root was checking
the system for anything else, but not very successfully.)  The
intruders figured they'd escaped, and proceeded to abuse the system
more.

Did we nab them?  Nope.  The admin that wanted me to find them
reported to the higher-ups and they just said to kill the broken
machine and let it lie.  Oh well.

'Twas fun though, back before the days of honeypots and IDS.

But I can't say for sure that those three times are statistically
relevant.  It does happen, though.


--
Brian Hatch                  "You could be a winner"
   Systems and                No purchase necessary.
   Security Engineer          Details inside."
www.hackinglinuxexposed.com

Every message PGP signed
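The two decoy backdoors in the story above (an extra UID-0 account in /etc/passwd and a shell handed out by an /etc/inetd.conf entry) are the easy ones to spot, which is exactly why they make a good red herring. The checks below are an added example, not code from Brian Hatch or from the original post; the two sample files are constructed for illustration, and the "telnet"/"toor" entries in them are invented, not taken from any real incident.

```python
"""Scan /etc/passwd and /etc/inetd.conf contents for the two "obvious"
backdoors described in the post: rogue UID-0 accounts and inetd services
that spawn a shell.  Added example; the sample data below is constructed."""

import sys

# Shells an intruder typically gives a rogue account or binds to a port.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/zsh", "/bin/tcsh"}


def find_rogue_root_accounts(passwd_text, allowed=("root",)):
    """Return (name, line_no) for each UID-0 entry whose name is not in `allowed`.

    A second UID-0 account is the cheapest backdoor there is: no exploit
    needed on return, just the password the intruder set.
    """
    rogue = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; not a usable account anyway
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed:
            rogue.append((name, n))
    return rogue


def find_shell_services(inetd_text):
    """Return (service, server_program, line_no) for inetd entries that run a shell.

    inetd.conf fields: service socket proto wait user server_path [args...].
    A backdoor entry names a shell as the server (often with -i), or passes a
    shell as an argument to a wrapper such as tcpd; both forms are flagged.
    """
    hits = []
    for n, line in enumerate(inetd_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:
            continue
        service, server, args = fields[0], fields[5], fields[6:]
        if server in SHELLS or any(a in SHELLS for a in args):
            hits.append((service, server, n))
    return hits


def scan_files(passwd_path="/etc/passwd", inetd_path="/etc/inetd.conf"):
    """Run both checks against real files; a missing inetd.conf is not an error."""
    with open(passwd_path) as f:
        rogue = find_rogue_root_accounts(f.read())
    try:
        with open(inetd_path) as f:
            shells = find_shell_services(f.read())
    except FileNotFoundError:
        shells = []
    return {"rogue_root": rogue, "shell_services": shells}


# Constructed sample passwd: a normal root entry plus a rogue UID-0 "toor".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/bash
"""

# Constructed sample inetd.conf: a legitimate ftp line plus a shell on a port.
SAMPLE_INETD = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet  stream tcp nowait root /bin/sh sh -i
"""

if __name__ == "__main__":
    # With no arguments, demonstrate on the constructed samples.
    if len(sys.argv) == 3:
        print(scan_files(sys.argv[1], sys.argv[2]))
    else:
        print("rogue UID-0 accounts:", find_rogue_root_accounts(SAMPLE_PASSWD))
        print("shell-spawning inetd entries:", find_shell_services(SAMPLE_INETD))
```

The caveat the post itself makes applies: finding and removing these two entries tells you nothing about the "real" compromise. Treat a clean result from this kind of check as the starting point of the investigation, not the end of it, and compare the system against known-good binaries and a trusted file inventory before trusting it again.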

