Security Incidents mailing list archives
AW: nouser - rootkit ?
From: vogt () hansenet com
Date: Tue, 12 Mar 2002 10:21:27 +0100
I am just curious about the "red herring"-part of the story and the term "real rootkit"... I wonder if there are really attackers out there installing bogus-rootkits in order to protect the real ones. Has anybody on this list detected such kind of "feints"?
Not directly, but I have found multiple rootkits installed on a compromised server late last year. I can think of a number of reasons why the attacker would want to install more than one, but staying in control even if one is discovered is surely a plausible option. On the other hand, this strikes me as a very dumb move. If the sysadmin is bright enough to find the rootkit, I sure do hope that he also realizes that the only way to a clean system is through a full reinstall.