Security Incidents mailing list archives

Re: AW: nouser - rootkit ?


From: Rob McCauley <robmccau () RadOnc Duke EDU>
Date: Tue, 12 Mar 2002 11:55:59 -0500 (EST)


On Tue, 12 Mar 2002 vogt () hansenet com wrote:

> On the other hand, this strikes me as a very dumb move. If the sysadmin is
> bright enough to find the rootkit, I sure do hope that he also realizes that
> the only way to a clean system is through a full reinstall.

On the contrary, I'd say it was a smart move.  Far too many people who
should know better advocate cleaning up a compromised system rather than
wiping it and reinstalling.  I've always thought upon reading such
recommendations that intruders would do well to entrench themselves deeply
in a system, then leave a throwaway rootkit such that it would be found if
anyone went looking.  Those who advocate cleaning a system rather
than reinstalling it really should stop.  :)  I do believe it can be done,
but it would require booting from trusted media and a full audit of the
system, at a minimum.  Reinstalling is generally easier and faster, and
much more likely to leave you with a clean system.

Rob

-- 
------------------------------------------------------------------------------
Rob McCauley
Radiation Oncology
Duke University Medical Center
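The "full audit from trusted media" Rob mentions needs a known-good reference to audit against. The following is an added example, not code from the thread: it hashes a suspect filesystem (assumed mounted read-only from trusted boot media) and compares it to a baseline manifest recorded from clean media, reporting modified, missing and newly added files. All names and the sample tree are hypothetical.

```python
"""Offline integrity audit of a suspect filesystem against a trusted baseline.

Assumption: `suspect_root` is the compromised disk mounted read-only under a
trusted boot environment, and `baseline` maps relative path -> sha256 hex,
recorded from known-good media before the incident. Hypothetical example.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs not followed
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks/devices; their targets are hashed
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def audit(baseline: Dict[str, str], suspect_root: str) -> Dict[str, List[str]]:
    """Report differences between the baseline and the mounted suspect tree.

    'added' is the important bucket: an intruder's entrenched files are not
    modifications of anything a binary-only check would already be tracking.
    """
    current = build_manifest(suspect_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


if __name__ == "__main__":
    # Constructed demo tree: a clean baseline, then a trojaned /bin/ls and a dropped file.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name, data in (("ls", b"good ls"), ("ps", b"good ps")):
        open(os.path.join(root, "bin", name), "wb").write(data)
    clean = build_manifest(root)
    open(os.path.join(root, "bin", "ls"), "wb").write(b"trojaned ls")
    open(os.path.join(root, "bin", "ssh"), "wb").write(b"dropped binary")
    print(audit(clean, root))
```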




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
