
Re: How to tell if a Linux machine is a zombie?



Russell L. Harris wrote:
Yesterday I read another article bemoaning the large number of Window$
machines which have been commandeered remotely and turned into
spam-spewing zombies.

If I understand the matter correctly, a firewall can protect only
against incoming messages, and is useless against spyware which
"phones home" or zombie-ware which spews email spam.

So, before I preach about the dangers of spyware and zombies to my
buddies using Window$, how can I be certain that my own Debian machine
has not been compromised and has not become a zombie?  Is there a
simple test which I can run on a weekly basis?

My LAN is protected by a machine running SmoothWall Express 2.0,
acting as a firewall and router.  Would an internal firewall package be
useful in this environment?

As someone mentioned, Linux already has an internal firewall.

Depending on the state of your machine, once there is a root compromise, there are only one or two sure-fire ways to see if you're a zombie.

1) Set up a brand new intermediate machine that captures all network traffic from the machine you're questioning and see what it's doing.

2) If you have a hash of all the files (like tripwire provides) on some media that was NOT compromised, you can check those.