Security Incidents mailing list archives
Re: nouser - rootkit ?
From: Eric Brandwine <ericb () UU NET>
Date: 12 Mar 2002 16:32:51 +0000
"be" == Bruce Ediger <eballen1 () qwest net> writes:
be> On Mon, 11 Mar 2002, Konrad Rieck wrote:
I wonder if there are really attackers out there installing bogus-rootkits in order to protect the real ones. Has anybody on this list detected such kind of "feints"?
be> I posted to usenet last year with the same question, because one
be> of the machines I tend got rooted.
be> In response, some guy claimed he found a rootkit that had at least
be> two layers:
be> http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net
be> I'm not at all sure I believe this story: IRIX is pretty obscure,
be> and not very widely used. Why would anyone go to the effort of
be> doing a "feint" rootkit to mask a "real" rootkit for so few targets?

Odd OSes are used by security nuts for just that reason. Banks and similar often run HP/UX, IRIX, or even odder beasts. I run PPC Linux on my Mac, and it's fun watching folks try to break in. Often, sploits will crash daemons (a buffer overflow is a buffer overflow), but the shell code rarely works on both x86 and PPC.

Reading that post, it looks like his system was compromised multiple times, by different people, which is a not uncommon occurrence.

ericb
--
Eric Brandwine | Never underestimate the bandwidth of a station wagon
UUNetwork Security | full of tapes hurtling down the highway.
ericb () uu net | +1 703 886 6038 | - Andrew Tanenbaum
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com