Re: nouser - rootkit ?

[Eric Brandwine <ericb () UU NET>]

> > > > > "be" == Bruce Ediger <eballen1 () qwest net> writes:

be> On Mon, 11 Mar 2002, Konrad Rieck wrote:
> > I wonder if there are really attackers out there installing bogus-rootkits
> > in order to protect the real ones. Has anybody on this list detected such
> > kind of "feints"?

be> I posted to usenet last year with the same question, because one
be> of the machines I tend got rooted.

be> In response, some guy claimed he found a rootkit that had at least
be> two layers:

be> http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

be> I'm not at all sure I believe this story: IRIX is pretty obscure,
be> and not very widely used.  Why would anyone go to the effort of
be> doing a "feint" rootkit to mask a "real" rootkit for so few targets?

Odd OSes are used by security nuts for just that reason.  Banks and
similar often run HP/UX, IRIX, or even odder beasts.  I run PPC Linux
on my Mac, and it's fun watching folks try to break in.  Often,
sploits will crash daemons (a buffer overflow is a buffer overflow),
but the shell code rarely works on both x86 and PPC.

Reading that post, it looks like his system was compromised multiple
times, by different people, which is a not uncommon occurence.

ericb
-- 
Eric Brandwine     |  Never underestimate the bandwidth of a station wagon
UUNetwork Security |  full of tapes hurtling down the highway.
ericb () uu net       |
+1 703 886 6038    |      - Andrew Tanenbaum
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com