Security Incidents mailing list archives

Re: nouser - rootkit ?


From: vogt () hansenet com
Date: Tue, 12 Mar 2002 10:21:27 +0100

I am just curious about the "red herring"-part of the story and the 
term "real rootkit"...

I wonder if there are really attackers out there installing 
bogus rootkits in order to protect the real ones. Has anybody on this list
detected such kinds of "feints"?

Not directly, but I have found multiple rootkits installed on a compromised
server late last year. I can think of a number of reasons why the attacker
would want to install more than one, but staying in control even if one is
discovered is surely a plausible option.

On the other hand, this strikes me as a very dumb move. If the sysadmin is
bright enough to find the rootkit, I sure do hope that he also realizes that
the only way to a clean system is through a full reinstall.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
