Security Incidents mailing list archives
Re: nouser - rootkit ? [:multiple root kit thread:]
From: Dan Rohan <dan () anl gov>
Date: Tue, 12 Mar 2002 11:26:59 -0600
I can verify that this practice is in place- Just last week I investigated a break-in with multiple instances of rootkits on a single linux system- the system was both rootkited with the 'adore' kernel module and with a more standard binary type rootkit. I can only draw a conclusion that the hacker was knowingly installing two different rootkits because I found one of the hidden directories where both the adore kit AND the binaries were located.

What doesn't make sense in a case like this is what the hacker is trying to accomplish- I tend to think that most security minded folks would never discover a root kit and then 'clean up' without re-installing. It is my personal opinion that that is horribly bad practice.

Dan

Bruce Ediger wrote:
> On Mon, 11 Mar 2002, Konrad Rieck wrote:
> > I wonder if there are really attackers out there installing bogus-rootkits in order to protect the real ones. Has anybody on this list detected such kind of "feints"?
>
> I posted to usenet last year with the same question, because one of the machines I tend got rooted. In response, some guy claimed he found a rootkit that had at least two layers:
>
> http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net
>
> I'm not at all sure I believe this story: IRIX is pretty obscure, and not very widely used. Why would anyone go to the effort of doing a "feint" rootkit to mask a "real" rootkit for so few targets?
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
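Two checks an investigator can use to corroborate the kind of two-layer compromise Dan describes (a kernel module hiding directory entries, plus a binary rootkit replacing system tools), written here as an added Python example; it is not code from the list or from any poster. The directory link-count rule is the classic Unix one (st_nlink of a directory = 2 + number of subdirectories), the file names and contents are constructed for the demonstration, and the hash baseline is assumed to have been recorded from trusted media rather than on the suspect host.

```python
import hashlib
import os
import tempfile


def hidden_subdir_gap(nlink, visible_subdirs):
    """Subdirectories implied by a directory's link count but absent from its
    listing.  On classic Unix filesystems (ext2/3/4, ufs, tmpfs) a directory's
    st_nlink is 2 plus the number of subdirectories ('.' in itself plus '..'
    in each child), so a kernel hook that filters readdir() results leaves a
    gap between the two numbers.  Returns None when nlink < 2, i.e. the
    filesystem does not keep that rule (btrfs reports 1 for every directory)
    and the test is inconclusive rather than negative."""
    if nlink < 2:
        return None
    return max(0, nlink - 2 - visible_subdirs)


def check_directory(path):
    """Run the link-count test against a live directory, taking whatever the
    kernel returns from readdir() as the 'visible' listing."""
    visible = [e for e in os.listdir(path)
               if os.path.isdir(os.path.join(path, e))]
    return hidden_subdir_gap(os.stat(path).st_nlink, len(visible))


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_baseline(baseline):
    """Compare files against a baseline of {path: sha256 hex}.  Returns
    {path: 'ok' | 'modified' | 'missing'}.  The baseline must come from
    outside the suspect box (install media, a trusted peer); hashes produced
    with the suspect's own tools, or read through a hooked kernel, prove
    little."""
    statuses = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            statuses[path] = "missing"
        elif sha256_file(path) != expected:
            statuses[path] = "modified"
        else:
            statuses[path] = "ok"
    return statuses


def demo():
    """Constructed scenario in a temporary directory: three 'system binaries'
    with a recorded baseline, after which one is replaced (binary rootkit)
    and one removed.  Returns the verification statuses keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        tools = {}
        for name in ("ls", "ps", "netstat"):
            tools[name] = os.path.join(bindir, name)
            with open(tools[name], "wb") as fh:
                fh.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline = {p: sha256_file(p) for p in tools.values()}

        # Simulated binary rootkit: replace ls, delete ps, leave netstat alone.
        with open(tools["ls"], "wb") as fh:
            fh.write(b"#!/bin/sh\necho trojaned ls\n")
        os.remove(tools["ps"])
        statuses = verify_baseline(baseline)

        # Link-count test on the live temp directory; the result is None on
        # filesystems that do not maintain directory nlink.
        print("hidden subdirectory gap under", root, "=", check_directory(root))
        return {os.path.basename(p): s for p, s in statuses.items()}


if __name__ == "__main__":
    print(demo())
    # An ext4 directory with two children of which the listing shows one:
    print(hidden_subdir_gap(4, 1))  # 1
```

Both checks are deliberately independent of the tools on the compromised machine: the link count comes straight from stat(), and the hashes are compared against values recorded elsewhere, which is why the thread's advice to reinstall rather than "clean up" still stands once either check fires.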
Current thread:
- nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- Re: nouser - rootkit ? Ryan Russell (Mar 11)
- Re: nouser - rootkit ? Konrad Rieck (Mar 11)
- Re: nouser - rootkit ? Bruce Ediger (Mar 12)
- Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
- Re: nouser - rootkit ? Jose Nazario (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
- Re: nouser - rootkit ? Dave Dittrich (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? Brian Hatch (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- <Possible follow-ups>
- Re: nouser - rootkit ? Bill_Royds (Mar 12)