Re: Iptables firewall

To: debian-firewall@lists.debian.org
Subject: Re: Iptables firewall
From: Daniel Pittman <daniel@rimspace.net>
Date: Tue, 20 Jul 2004 09:22:42 +1000
Message-id: <[🔎] 87hds3twe5.fsf@enki.rimspace.net>
References: <[🔎] 40FABD9B.80106@verizon.net> <[🔎] 87ekn8j1kn.fsf@enki.rimspace.net> <[🔎] 64872.68.121.150.231.1090215970.squirrel@webmail.humboldt.edu> <[🔎] 87hds4v7pw.fsf@enki.rimspace.net> <[🔎] 65158.68.121.164.187.1090271476.squirrel@webmail.humboldt.edu>

On 20 Jul 2004, jmm wrote:
> Recently I had this warning issued by an antivirus program. I must say
> that clamav or f-prot did not detect this warning:
>
> "/proc/kcore
> Date: 18.07.2004  Time: 19:37:56  Size: 278798336
> ALERT: [BDS/VirtualRoot virus] /proc/kcore <<< Contains a signature of
> the (dangerous) backdoor program BDS/VirtualRoot Backdoor server
> programs"
>
> This is given as an alert.

You don't say which package detected this problem, so it is hard to say
if it is real or not. Assuming that it is correct, though...

> kcore appears to be an alias of the memory in the system. I wonder if one
> can set up a firewall to avoid any attempts to /proc in general or
> /proc/kcore in particular.

...a "firewall" is not what you need here. That term is for a packet
filtering system intended to prevent undesired network traffic getting
to machines.

What you are talking about is some sort of restrictive file system
permission set, or some sort of sandbox. That is a different problem
domain.

For what it is worth, /proc/kcore is *already* set with one of the most
restrictive sets of permissions possible, 'read only to root only'.

> Apparently since it is a virtual space, deleting the signature could crash
> the system.  How is this virus getting in?

Well, my guess would be that you had a vulnerable service running, or an
easily guessed password, and someone broke into the system that way,
then installed a rootkit to retain access to your system.

/proc/kcore shows the presence of the tool in kernel memory, but is very
unlikely to be the source of the infection.

> After a clean reboot, the antivirus did not detect anything in /proc. 
> Debsums appear to be fine and chkrootkit states that everything is ok
> except: "Checking `bindshell'... INFECTED (PORTS: 1524 31337)" but since
> I am running portsentry I consider this a normal false positive.

I would strongly suggest that you *stop* running portsentry and retest
with the 'chkrootkit' tool, to verify your belief.

While it is certainly possible that the detection of the virus was a
false-positive, any sort of uncertainty is ... more risk than I would
take with my systems.

The fact that the detection was only transient suggests two things to
me: either it was luck that made whatever package gave that warning
believe the rootkit was installed, or the rootkit is hiding better after
the reboot...

Personally, I suggest reinstalling your system to be safe.

    Daniel
-- 
There's real teaching: taking the risk and telling people what
you really think, why you think it, and what difference it makes.
        -- Prof. Jacob Neusner, commencement address, 1991

Reply to:

Follow-Ups:
- Re: Iptables firewall
  - From: jmm19@humboldt.edu

References:
- Iptables firewall
  - From: Sykotic <sykoticchaos@verizon.net>
- Re: Iptables firewall
  - From: Daniel Pittman <daniel@rimspace.net>
- Re: Iptables firewall
  - From: jmm19@humboldt.edu
- Re: Iptables firewall
  - From: Daniel Pittman <daniel@rimspace.net>
- Re: Iptables firewall
  - From: jmm19@humboldt.edu

Prev by Date: Re: Iptables firewall
Next by Date: Re: Iptables firewall
Previous by thread: Re: Iptables firewall
Next by thread: Re: Iptables firewall
Index(es):
- Date
- Thread