Security Incidents mailing list archives
Re: nouser - rootkit ?
From: Brian Hatch <incidents () ifokr org>
Date: Mon, 11 Mar 2002 19:45:50 -0800
> I am just curious about the "red herring" part of the story and the term "real rootkit"... I wonder if there are really attackers out there installing bogus rootkits in order to protect the real ones. Has anybody on this list detected such kinds of "feints"? In my opinion this behaviour is very unlikely, but I am willing to learn.
Yes, it is definitely real. I've detected it on two honeypots I've run before, as well as one in 'real time' when I was brought in to clean up a compromised machine. The intruders saw that I was onto them, and quickly added a root /etc/passwd entry and shell in /etc/inetd.conf, and left for a week. I cleaned up these backdoors, and left the machine with the 'real' compromises as they were. (I'd moved the actual functionality to a different secure machine, and the client wanted to see if they could catch these guys, and were thus willing to let a vulnerable system stay that way.)

Indeed, a week later the intruders came back through their actual back door, checked to see if the fake compromises were cleaned up, and looked at other root activity. (I left some .bash_history entries that made it look like root was checking the system for anything else, but not very successfully.) The intruders figured they'd escaped, and proceeded to abuse the system more.

Did we nab them? Nope. The admin that wanted me to find them reported to the higher-ups and they just said to kill the broken machine and let it lie. Oh well. 'Twas fun though, back before the days of honeypots and IDS.

But I can't say for sure that those three times are statistically relevant. But it does happen.

-- 
Brian Hatch                      "You could be a winner"
Systems and                       No purchase necessary.
Security Engineer                 Details inside."
www.hackinglinuxexposed.com
Every message PGP signed
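The two decoy backdoors Brian describes (a second UID-0 account in /etc/passwd and an inetd.conf service that hands out a shell) are the sort of thing a responder should be able to spot mechanically, so that finding and removing them does not end the investigation. The checks below are an added example, not code from Brian Hatch or from the list; the file contents are constructed samples, and the account name `toor` and the `ingreslock` service line are hypothetical. Note that a clean result from both checks says nothing about the "real" back door the post is actually about.

```python
"""Flag the two decoy backdoors from the post: an extra UID-0 passwd entry and
an inetd.conf service whose server (or wrapped program) is a shell.
Added example; sample file contents below are constructed, not real captures."""
import re
import sys

# Constructed /etc/passwd sample: 'toor' (hypothetical) is a second UID-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed /etc/inetd.conf sample: the 'ingreslock' line (hypothetical) spawns a root shell.
SAMPLE_INETD = """\
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp        stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet     stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
ingreslock stream  tcp  nowait  root  /bin/sh         sh -i
"""

# Matches a bare shell name or a path whose last component is a shell.
SHELLS = re.compile(r"(^|/)(sh|bash|ksh|csh|tcsh|zsh|dash)$")


def extra_uid0_accounts(passwd_text):
    """Return names of accounts other than 'root' whose UID field is 0."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # malformed line; not a valid passwd entry
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def shell_services(inetd_text):
    """Return (service, user, server_path) for inetd entries that run a shell,
    either directly as the server or as the first argument of a wrapper
    such as tcpd."""
    found = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:          # service socket proto flags user server [args]
            continue
        service, user, server = fields[0], fields[4], fields[5]
        args = fields[6:]
        candidates = [server] + args[:1]
        if any(SHELLS.search(c) for c in candidates):
            found.append((service, user, server))
    return found


def audit(passwd_path="/etc/passwd", inetd_path="/etc/inetd.conf"):
    """Run both checks against real files; returns the combined findings."""
    with open(passwd_path) as f:
        accounts = extra_uid0_accounts(f.read())
    try:
        with open(inetd_path) as f:
            services = shell_services(f.read())
    except FileNotFoundError:        # many modern systems have no inetd.conf
        services = []
    return accounts, services


if __name__ == "__main__":
    # Default to the constructed samples so the script runs anywhere.
    if len(sys.argv) == 3:
        accounts, services = audit(sys.argv[1], sys.argv[2])
    else:
        accounts = extra_uid0_accounts(SAMPLE_PASSWD)
        services = shell_services(SAMPLE_INETD)
    for name in accounts:
        print(f"extra UID-0 account: {name}")
    for service, user, server in services:
        print(f"inetd shell service: {service} runs {server} as {user}")
```

Run with no arguments to see it flag the constructed samples, or pass the paths of the passwd and inetd.conf files from a disk image you have mounted read-only. Treat hits as what Brian's attackers intended them to be, a cheap first layer, and keep looking for the persistence that is not this obvious.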