
Re: Iptables firewall



Recently I had this warning issued by an antivirus program.  I must say
that clamav or f-prot did not detect this warning:

"/proc/kcore
 Date: 18.07.2004  Time: 19:37:56  Size: 278798336
 ALERT: [BDS/VirtualRoot virus] /proc/kcore <<< Contains a signature of
the (dangerous) backdoor program BDS/VirtualRoot        Backdoor server
programs"

This is given as an alert.

kcore appears to be an alias of the memory in the system.  I wonder if one
can set up a firewall to avoid any attempts to /proc in general or
/proc/kcore in particular.

Apparently since it is a virtual space, deleting the signature could crash
the system.  How is this virus getting in?

After a clean reboot, the antivirus did not detect anything in /proc. 
Debsums appears to be fine and chkrootkit states that everything is ok
except:  "Checking `bindshell'... INFECTED (PORTS:  1524 31337)" but since
I am running portsentry I consider this a normal false positive.

Any ideas?
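
Whether the bindshell report in the message above is a portsentry false positive can be checked by confirming which program actually holds ports 1524 and 31337. The following is an added example, not part of the original message; it assumes `netstat -tlnp` output taken as root, and the sample lines, PIDs and function names are constructed.

```shell
#!/bin/sh
# Ports reported by chkrootkit's bindshell test in the message above.
PORTS="1524 31337"

# Constructed sample in `netstat -tlnp` format (not output from the poster's host).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 640/sshd
tcp        0      0 0.0.0.0:1524    0.0.0.0:*       LISTEN 812/portsentry
tcp        0      0 0.0.0.0:31337   0.0.0.0:*       LISTEN 812/portsentry
EOF
}

# Reads `netstat -tlnp` output on stdin and prints "port owner" for every
# listener on a flagged port. Exit status is 0 only if each of those
# listeners belongs to the expected program ($1). An owner of "-" (netstat
# run without root, so the PID is hidden) counts as a mismatch.
flagged_port_owners() {
    expected=$1
    awk -v ports="$PORTS" -v expected="$expected" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # strip address, keep port
            if (!(port in want)) next
            owner = $7; sub(/^[0-9]+\//, "", owner) # strip "PID/"
            print port, owner
            if (owner != expected) bad = 1
        }
        END { exit bad + 0 }
    '
}

# Live use, as root:
#   netstat -tlnp | flagged_port_owners portsentry || echo "investigate"
```

The result is only as trustworthy as the netstat binary producing the input, so on a host under suspicion run it with a known-good copy of the tool.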



