Re: nouser - rootkit ?

[Eric Brandwine <ericb () UU NET>]

> > > > > "kr" == Konrad Rieck <kr () roqe org> writes:

kr> On Mon, Mar 11, 2002 at 05:57:38PM +0000, Eric Brandwine wrote:
> > Either it's a red herring, and the real root kit is much better
> > hidden, or it'll be almost trivial to clean up.  But you've no way of
> > knowing.  I'd rebuild the box from scratch, if it were mine.

kr> I am just curious about the "red herring"-part of the story and the 
kr> term "real rootkit"...

kr> I wonder if there are really attackers out there installing bogus-rootkits
kr> in order to protect the real ones. Has anybody on this list detected such
kr> kind of "feints"? 

kr> In my opinion this behaviour is very unlikely, but I am willing to learn.

I have definitely found systems with multiple rootkits installed on
them.  Some of them were clearly systems that had been left neglected
(someone sets up a factory stock RedHat box in a lab, quits their job,
it sits there for 3 years), and repeatedly compromised.  On some of
them, it's so bad that the kiddies are stepping on each other's toes,
and kicking each other off the boxes.  Why is their taste in MP3s
always so bad?

I've also run across occasions when crackers (not kiddies this time)
will intentionally use less than their best rootkit on a system, to
preserve the 0day in their best.  The quality of rootkit used depends
on the importance of the system to the attacker.

As for a genuine red herring, I can't say.  I've never found one, but
that doesn't mean that it's not there ;) Perhaps some of the systems
that I mention above were cases of that...  It's just that this
rootkit was so pathetic, either it's a joke, or it's really scary how
easy it is to start a career in Internet crime.

Either way, the system was clearly vulnerable to something.  Someone
got in.  It's possible that there's another root kit there, installed
by the same attacker or another.  You can't know until you take the
system offline, and look at it without the kernel in the way.  I'd
rebuild it.

And nothing you do will have any effect until you close the hole that
they came in through in the first place.

ericb
-- 
Eric Brandwine     |  Operating systems that cannot operate without a
UUNetwork Security |  windowing system have an inherent security disadvantage
ericb () uu net       |  and should, in general, be eschewed over those that can
+1 703 886 6038    |      - Dan Farmer
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com