Security Incidents mailing list archives
Re: nouser - rootkit ?
From: Bill_Royds () pch gc ca
Date: Tue, 12 Mar 2002 12:10:02 -0500
From monitoring router logs, I have found that sometimes a machine is rooted more than once. The first kiddie roots the machine, installs a rootkit, but doesn't fix the vulnerability. A subsequent cracker roots it again, installing a different rootkit. It is not a feint, just the fact that rooting a box doesn't necessarily fix the vulnerability.

Oh yes, it was an IRIX box rooted with a telnet vulnerability.

Bill Royds
Acting System Administrator, Canadian Heritage Information Network
(819) 994-1200 X 239

"Bruce Ediger" <eballen1 () qwest net>
03/11/02 10:26 PM
To: incidents () securityfocus com
cc: "Konrad Rieck" <kr () roqe org>
Subject: Re: nouser - rootkit ?

On Mon, 11 Mar 2002, Konrad Rieck wrote:

> I wonder if there are really attackers out there installing bogus rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?

I posted to usenet last year with the same question, because one of the machines I tend got rooted. In response, some guy claimed he found a rootkit that had at least two layers:

http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

I'm not at all sure I believe this story: IRIX is pretty obscure, and not very widely used. Why would anyone go to the effort of doing a "feint" rootkit to mask a "real" rootkit for so few targets?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: nouser - rootkit ?, (continued)
- Re: nouser - rootkit ? Ryan Russell (Mar 11)
- Re: nouser - rootkit ? Konrad Rieck (Mar 11)
- Re: nouser - rootkit ? Bruce Ediger (Mar 12)
- Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
- Re: nouser - rootkit ? Jose Nazario (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
- Re: nouser - rootkit ? Dave Dittrich (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? Brian Hatch (Mar 12)