Re: AW: nouser - rootkit ?

From: Rob McCauley (robmccau@RadOnc.Duke.EDU)
Date: 03/12/02


Date: Tue, 12 Mar 2002 11:55:59 -0500 (EST)
From: Rob McCauley <robmccau@RadOnc.Duke.EDU>
To: vogt@hansenet.com


On Tue, 12 Mar 2002 vogt@hansenet.com wrote:

> On the other hand, this strikes me as a very dumb move. If the sysadmin is
> bright enough to find the rootkit, I sure do hope that he also realizes that
> the only way to a clean system is through a full reinstall.

On the contrary, I'd say it was a smart move. Far too many people who
should know better advocate cleaning up a compromised system rather than
wiping it and reinstalling. I've always thought upon reading such
recommendations that intruders would do well to entrench themselves deeply
in a system, then leave a throwaway rootkit such that it would be found if
anyone went looking. Those who advocate cleaning a system rather
than reinstalling it really should stop. :) I do believe it can be done,
but it would require booting from trusted media and a full audit of the
system, at a minimum. Reinstalling is generally easier and faster, and
much more likely to leave you with a clean system.

Rob

-- 
------------------------------------------------------------------------------
Rob McCauley
Radiation Oncology
Duke University Medical Center


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
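The "full audit from trusted media" that the reply above calls the minimum for cleaning in place amounts to comparing every file on the suspect disk against a baseline recorded from a known-good install. The script below is an added example, not code from the original thread or from SecurityFocus; it assumes the suspect filesystem is mounted read-only from trusted boot media (a path such as /mnt/suspect is hypothetical) and that the baseline manifest was produced by the same tool on a clean system and stored off the box. The demo() function builds both trees itself from constructed sample files so it runs offline.

```python
"""Baseline integrity audit: compare a mounted filesystem against a trusted manifest.

Added example for the discussion above. Assumed workflow: build_manifest() is run
on a known-good install and its JSON output is kept off-box; later the suspect disk
is mounted read-only from trusted boot media and audit() reports every difference.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.

    Symlinks are skipped: os.walk does not descend into linked directories, and a
    link's target is hashed wherever it really lives in the tree.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline, current):
    """Classify every difference between the trusted baseline and the audited tree."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def audit(baseline_file, suspect_root):
    """Load a manifest recorded earlier on a clean system and audit suspect_root."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    return compare_manifests(baseline, build_manifest(suspect_root))


def demo():
    """Constructed scenario: a known-good tree, then a copy with three tampered spots."""
    work = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    try:
        good = work / "good"
        # Constructed stand-ins for real system files; contents are placeholders.
        for rel, data in {
            "bin/ls": b"constructed stand-in for the real ls binary\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/motd": b"welcome\n",
        }.items():
            (good / rel).parent.mkdir(parents=True, exist_ok=True)
            (good / rel).write_bytes(data)
        manifest_file = work / "baseline.json"
        manifest_file.write_text(json.dumps(build_manifest(good)))

        suspect = work / "suspect"
        shutil.copytree(good, suspect)
        (suspect / "bin" / "ls").write_bytes(b"replaced stand-in for ls\n")  # changed binary
        (suspect / "usr" / "lib").mkdir(parents=True)
        (suspect / "usr" / "lib" / ".x").write_bytes(b"dropped file\n")   # file not in baseline
        (suspect / "etc" / "motd").unlink()                                # file removed

        return audit(manifest_file, suspect)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow directly from the thread's point. The baseline must come from the install media, the distribution's signed package metadata, or a manifest taken before the compromise and stored elsewhere; a manifest read from the suspect disk proves nothing. And a clean report covers only files on that filesystem, not the boot loader, kernel memory or firmware, which is why the reply treats the audit as a minimum and reinstalling as the safer default.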
