Security Incidents mailing list archives
Re: AW: nouser - rootkit ?
From: Rob McCauley <robmccau () RadOnc Duke EDU>
Date: Tue, 12 Mar 2002 11:55:59 -0500 (EST)
On Tue, 12 Mar 2002 vogt () hansenet com wrote:
> On the other hand, this strikes me as a very dumb move. If the sysadmin is bright enough to find the rootkit, I sure do hope that he also realizes that the only way to a clean system is through a full reinstall.
On the contrary, I'd say it was a smart move. Far too many people who should know better advocate cleaning up a compromised system rather than wiping it and reinstalling. I've always thought upon reading such recommendations that intruders would do well to entrench themselves deeply in a system, then leave a throwaway rootkit such that it would be found if anyone went looking. Those who advocate cleaning a system rather than reinstalling it really should stop. :)

I do believe it can be done, but it would require booting from trusted media and a full audit of the system, at a minimum. Reinstalling is generally easier and faster, and much more likely to leave you with a clean system.

Rob

--
------------------------------------------------------------------------------
Rob McCauley
Radiation Oncology
Duke University Medical Center
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com