Re: nouser - rootkit ?

From: Konrad Rieck (kr@roqe.org)
Date: 03/11/02


Date: Mon, 11 Mar 2002 23:59:59 +0100
From: Konrad Rieck <kr@roqe.org>
To: incidents@securityfocus.com

On Mon, Mar 11, 2002 at 05:57:38PM +0000, Eric Brandwine wrote:
> Either it's a red herring, and the real root kit is much better
> hidden, or it'll be almost trivial to clean up. But you've no way of
> knowing. I'd rebuild the box from scratch, if it were mine.

I am just curious about the "red herring" part of the story and the
term "real rootkit"...

I wonder if there are really attackers out there installing bogus rootkits
in order to protect the real ones. Has anybody on this list detected this
kind of "feint"?

In my opinion, this behaviour is very unlikely, but I am willing to learn.

Regards,
Konrad

-- 
Konrad Rieck <kr@roqe.org> -------------- http://www.inf.fu-berlin.de/~rieck
# Roqefellaz, http://www.roqe.org - PGP Key, http://www.roqe.org/keys/kr.pub
# ----------- Fingerprint 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com