Security Incidents mailing list archives

Re: nouser - rootkit ?

From: Konrad Rieck <kr () roqe org>
Date: Mon, 11 Mar 2002 23:59:59 +0100

On Mon, Mar 11, 2002 at 05:57:38PM +0000, Eric Brandwine wrote:

Either it's a red herring, and the real root kit is much better
hidden, or it'll be almost trivial to clean up.  But you've no way of
knowing.  I'd rebuild the box from scratch, if it were mine.


I am just curious about the "red herring"-part of the story and the 
term "real rootkit"...

I wonder if there are really attackers out there installing bogus-rootkits
in order to protect the real ones. Has anybody on this list detected such
kind of "feints"? 

In my opinion this behaviour is very unlikely, but I am willing to learn.

Regards,
Konrad

-- 
Konrad Rieck <kr () roqe org> -------------- http://www.inf.fu-berlin.de/~rieck
# Roqefellaz, http://www.roqe.org - PGP Key, http://www.roqe.org/keys/kr.pub
# ----------- Fingerprint 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
  - Re: nouser - rootkit ? Ryan Russell (Mar 11)
  - Re: nouser - rootkit ? Konrad Rieck (Mar 11)
    - Re: nouser - rootkit ? Bruce Ediger (Mar 12)
    - Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
    - Re: nouser - rootkit ? Jose Nazario (Mar 12)
    - Re: nouser - rootkit ? Eric Brandwine (Mar 12)
    - Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
    - Re: nouser - rootkit ? Dave Dittrich (Mar 12)
    - Re: nouser - rootkit ? Eric Brandwine (Mar 12)
    - Re: nouser - rootkit ? Brian Hatch (Mar 12)
- <Possible follow-ups>
- Re: nouser - rootkit ? Bill_Royds (Mar 12)