> I am just curious about the "red herring" part of the story and the
> term "real rootkit"...
>
> I wonder if there are really attackers out there installing
> bogus rootkits in order to protect the real ones. Has anybody on this list
> detected such "feints"?

Not directly, but I have found multiple rootkits installed on a compromised server late last year. I can think of a number of reasons why the attacker would want to install more than one, but staying in control even if one is discovered is surely a plausible option.

On the other hand, this strikes me as a very dumb move. If the sysadmin is bright enough to find the rootkit, I sure do hope that he also realizes that the only way to a clean system is through a full reinstall.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 08:41:17 PST