Re: nouser - rootkit ?

From: Bill_Royds@pch.gc.ca
Date: 03/12/02


From: Bill_Royds@pch.gc.ca
To: "Bruce Ediger" <eballen1@qwest.net>
Date: Tue, 12 Mar 2002 12:10:02 -0500

From monitoring router logs, I have found that sometimes a machine is
rooted more than once.
The first kiddie roots the machine, installs a rootkit, but doesn't fix
the vulnerability.
A subsequent cracker roots it again, installing a different rootkit.
It is not a feint, just the fact the rooting a box doesn't necessarily fix
the vulnerability.
Oh yes, it was an IRIX box rooted with telnet vulnerability.

Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239

"Bruce Ediger" <eballen1@qwest.net>
03/11/02 10:26 PM

 
        To: incidents@securityfocus.com
        cc: "Konrad Rieck" <kr@roqe.org>
        Subject: Re: nouser - rootkit ?

On Mon, 11 Mar 2002, Konrad Rieck wrote:

> I wonder if there are really attackers out there installing
bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected
such
> kind of "feints"?

I posted to usenet last year with the same question, because one
of the machines I tend got rooted.

In response, some guy claimed he found a rootkit that had at least
two layers:

http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

I'm not at all sure I believe this story: IRIX is pretty obscure,
and not very widely used. Why would anyone go to the effort of
doing a "feint" rootkit to mask a "real" rootkit for so few targets?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com