Re: nouser - rootkit ?

From: Eric Brandwine (ericb@UU.NET)
Date: 03/12/02


To: "Bruce Ediger" <eballen1@qwest.net>
From: Eric Brandwine <ericb@UU.NET>
Date: 12 Mar 2002 16:32:51 +0000


>>>>> "be" == Bruce Ediger <eballen1@qwest.net> writes:

be> On Mon, 11 Mar 2002, Konrad Rieck wrote:
>> I wonder if there are really attackers out there installing bogus-rootkits
>> in order to protect the real ones. Has anybody on this list detected such
>> kind of "feints"?

be> I posted to usenet last year with the same question, because one
be> of the machines I tend got rooted.

be> In response, some guy claimed he found a rootkit that had at least
be> two layers:

be> http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

be> I'm not at all sure I believe this story: IRIX is pretty obscure,
be> and not very widely used. Why would anyone go to the effort of
be> doing a "feint" rootkit to mask a "real" rootkit for so few targets?

Odd OSes are used by security nuts for just that reason. Banks and
similar often run HP/UX, IRIX, or even odder beasts. I run PPC Linux
on my Mac, and it's fun watching folks try to break in. Often,
sploits will crash daemons (a buffer overflow is a buffer overflow),
but the shell code rarely works on both x86 and PPC.

Reading that post, it looks like his system was compromised multiple
times, by different people, which is a not uncommon occurrence.

ericb

-- 
Eric Brandwine     |  Never underestimate the bandwidth of a station wagon
UUNetwork Security |  full of tapes hurtling down the highway.
ericb@uu.net       |
+1 703 886 6038    |      - Andrew Tanenbaum
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
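The point above that a failed exploit often leaves a daemon crash behind (the overflow lands, the architecture-specific shellcode does not) suggests a simple host-side check. The following is an added example, not code from the original thread or from its author: it scans syslog text for Linux kernel "segfault at ... ip ... sp ... error N" lines and flags a daemon when it crashes repeatedly in a short window or when the faulting instruction pointer equals the fault address or is an ASCII filler word such as 0x41414141 (both classic signs of a return address overwritten by attacker data). The log lines are constructed for the example, the message format assumed is the one the x86 Linux kernel prints (other architectures, including the PPC box mentioned above, log faults differently, so the regex would need adjusting there), and the window and repeat threshold are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog excerpt (not from the original post). The kernel
# lines follow the x86 Linux "segfault at" format; daemon names are illustrative.
SAMPLE_LOG = """\
Mar 11 02:14:07 mac kernel: ftpd[2311]: segfault at 41414141 ip 41414141 sp 7fffd000 error 4 in ftpd[400000+30000]
Mar 11 02:14:09 mac inetd[112]: ftp/tcp server failing (looping), service terminated
Mar 11 02:15:31 mac kernel: ftpd[2319]: segfault at 41414141 ip 41414141 sp 7fffd000 error 4 in ftpd[400000+30000]
Mar 11 02:16:44 mac kernel: ftpd[2324]: segfault at 41414141 ip 41414141 sp 7fffd000 error 4 in ftpd[400000+30000]
Mar 11 03:02:10 mac kernel: sshd[2400]: segfault at 00000000 ip 0804a1c0 sp bffff3e0 error 4 in sshd[8048000+40000]
Mar 11 03:40:00 mac cron[300]: (root) CMD (run-parts /etc/cron.hourly)
"""

SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)


def parse_segfaults(log_text):
    """Return one dict per kernel segfault line, with ts/addr/ip decoded."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # syslog timestamps carry no year; fine for deltas within one capture
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        ev["addr"] = int(ev["addr"], 16)
        ev["ip"] = int(ev["ip"], 16)
        events.append(ev)
    return events


def looks_like_filler(value):
    """True if the word is one printable byte repeated, e.g. 0x41414141 ('AAAA')."""
    width = max(4, (value.bit_length() + 7) // 8)
    bs = value.to_bytes(width, "big")
    return len(set(bs)) == 1 and 0x20 <= bs[0] < 0x7F


def assess(events, window_s=600, repeat_threshold=3):
    """Per daemon: crash count plus the reasons (if any) it looks exploited.

    Heuristics (assumptions, not kernel semantics): several crashes of one
    daemon inside window_s, ip equal to the fault address (execution jumped
    into attacker-controlled data), or ip being an ASCII filler word.
    """
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["proc"]].append(ev)

    report = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        # sliding window over crash times
        for i in range(len(evs)):
            j = i
            while j < len(evs) and (evs[j]["ts"] - evs[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i >= repeat_threshold:
                reasons.append("%d crashes within %ds" % (j - i, window_s))
                break
        if any(e["ip"] == e["addr"] for e in evs):
            reasons.append("ip == fault address (control flow into attacker data)")
        if any(looks_like_filler(e["ip"]) for e in evs):
            reasons.append("ip is an ASCII filler word (overflow padding?)")
        report[proc] = {"crashes": len(evs), "suspicious": bool(reasons), "reasons": reasons}
    return report


if __name__ == "__main__":
    for proc, info in assess(parse_segfaults(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print("%-8s %d crash(es) %s %s" % (proc, info["crashes"], flag, "; ".join(info["reasons"])))
```

Run it against `/var/log/messages` (or `journalctl -k` output piped through `sed`) instead of `SAMPLE_LOG`; a single crash with an ordinary-looking ip, like the sshd line here, is reported but not flagged, while a burst of crashes or an ip of 0x41414141 is.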
