Re: nouser - rootkit ?
From: Bruce Ediger (eballen1@qwest.net)
Date: 03/12/02
- Previous message: Konrad Rieck: "Re: nouser - rootkit ?"
- In reply to: Konrad Rieck: "Re: nouser - rootkit ?"
- Next in thread: Kyle R Maxwell: "Re: nouser - rootkit ?"
- Next in thread: Dave Dittrich: "Re: nouser - rootkit ?"
- Reply: Kyle R Maxwell: "Re: nouser - rootkit ?"
- Reply: Dan Rohan: "Re: nouser - rootkit ? [:multiple root kit thread:]"
Date: Mon, 11 Mar 2002 20:26:00 -0700 (MST)
From: "Bruce Ediger" <eballen1@qwest.net>
To: incidents@securityfocus.com

On Mon, 11 Mar 2002, Konrad Rieck wrote:
> I wonder if there are really attackers out there installing bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?
I posted to usenet last year with the same question, because one
of the machines I tend got rooted.
In response, some guy claimed he found a rootkit that had at least
two layers:
http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net
I'm not at all sure I believe this story: IRIX is pretty obscure,
and not very widely used. Why would anyone go to the effort of
doing a "feint" rootkit to mask a "real" rootkit for so few targets?
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com