Security Incidents mailing list archives
Re: nouser - rootkit ?
From: Konrad Rieck <kr () roqe org>
Date: Mon, 11 Mar 2002 23:59:59 +0100
On Mon, Mar 11, 2002 at 05:57:38PM +0000, Eric Brandwine wrote:
> Either it's a red herring, and the real root kit is much better hidden, or it'll be almost trivial to clean up. But you've no way of knowing. I'd rebuild the box from scratch, if it were mine.
I am just curious about the "red herring"-part of the story and the term "real rootkit"... I wonder if there are really attackers out there installing bogus-rootkits in order to protect the real ones.

Has anybody on this list detected such kind of "feints"? In my opinion this behaviour is very unlikely, but I am willing to learn.

Regards,
Konrad

--
Konrad Rieck <kr () roqe org> -------------- http://www.inf.fu-berlin.de/~rieck
# Roqefellaz, http://www.roqe.org - PGP Key, http://www.roqe.org/keys/kr.pub #
----------- Fingerprint 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com