Re: nouser - rootkit ?
From: Kyle R Maxwell (kylemaxwell@yahoo.com)
Date: 03/12/02
Date: Tue, 12 Mar 2002 11:08:06 -0800 (PST)
From: Kyle R Maxwell <kylemaxwell@yahoo.com>
To: Bruce Ediger <eballen1@qwest.net>, incidents@securityfocus.com

Obscure though it may be, a rootkit might have been written for IRIX
either due to intentional targeting of a particular organization, or
with the realization that IRIX deployments are typically fairly
powerful installations, not your run-of-the-mill ISP (this includes
folks like NASA, etc.). There have even been a few major websites that
ran on IRIX for a good amount of time.

So an IRIX rootkit, while not nearly as common as one for, say, Solaris
or Linux, might still be useful to a lot of folks.

--- Bruce Ediger <eballen1@qwest.net> wrote:
> On Mon, 11 Mar 2002, Konrad Rieck wrote:
>
> > I wonder if there are really attackers out there installing bogus-rootkits
> > in order to protect the real ones. Has anybody on this list detected such
> > kind of "feints"?
>
> I posted to usenet last year with the same question, because one
> of the machines I tend got rooted.
>
> In response, some guy claimed he found a rootkit that had at least
> two layers:
>
> http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net
>
> I'm not at all sure I believe this story: IRIX is pretty obscure,
> and not very widely used. Why would anyone go to the effort of
> doing a "feint" rootkit to mask a "real" rootkit for so few targets?
=====
Kyle Maxwell [kylemaxwell@yahoo.com]
http://Xwell.org Infosec, Unix, maths
"That that is is that that is not is not."