Re: nouser - rootkit ?

[Bill_Royds () pch gc ca]

> From monitoring router logs, I have found that sometimes a machine is 
rooted more than once.
The first kiddie roots the machine, installs a rootkit, but doesn't fix 
the vulnerability.
A subsequent cracker roots it again, installing a different rootkit.
It is not a feint, just the fact the rooting a box doesn't necessarily fix 
the vulnerability.
Oh yes, it was an IRIX box rooted with telnet vulnerability.


Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239





"Bruce Ediger" <eballen1 () qwest net>
03/11/02 10:26 PM

 
        To:     incidents () securityfocus com
        cc:     "Konrad Rieck" <kr () roqe org>
        Subject:        Re: nouser - rootkit ?


On Mon, 11 Mar 2002, Konrad Rieck wrote:

> I wonder if there are really attackers out there installing 
bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected 
such
> kind of "feints"?

I posted to usenet last year with the same question, because one
of the machines I tend got rooted.

In response, some guy claimed he found a rootkit that had at least
two layers:

http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

I'm not at all sure I believe this story: IRIX is pretty obscure,
and not very widely used.  Why would anyone go to the effort of
doing a "feint" rootkit to mask a "real" rootkit for so few targets?





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com