
Re: Iptables firewall



The antivirus program was "Vexira".  When portsentry is not running, there
is nothing attached to 'bind shell', as reported by chkrootkit.  It is
strange since I ran Vexira in my previous system and after (it gave me the
same warning in the previous system) I erased the whole disk and installed
Woody from scratch with minimal services running.  Then, in the afternoon,
when I ran Vexira, the virus signature was showing in /proc/kcore.

Passwords were chosen carefully.

> The fact that the detection was only transient suggests two things to
> me: either it was luck that made whatever package gave that warning
> believe the rootkit was installed, or the rootkit is hiding better after
> the reboot...

That could be very possible.  Would a chkrootkit from unstable detect
something else?  As I stated, I run stable.

Thanks.


> On 20 Jul 2004, jmm wrote:
>> Recently I had this warning issued by an antivirus program. I must say
>> that clamav or f-prot did not detect this warning:
>>
>> "/proc/kcore
>> Date: 18.07.2004  Time: 19:37:56  Size: 278798336
>> ALERT: [BDS/VirtualRoot virus] /proc/kcore <<< Contains a signature of
>> the (dangerous) backdoor program BDS/VirtualRoot Backdoor server
>> programs"
>>
>> This is given as an alert.
>
> You don't say which package detected this problem, so it is hard to say
> if it is real or not. Assuming that it is correct, though...
>
>> kcore appears to be an alias of the memory in the system. I wonder if one
>> can set up a firewall to avoid any attempts to /proc in general or
>> /proc/kcore in particular.
>
> ...a "firewall" is not what you need here. That term is for a packet
> filtering system intended to prevent undesired network traffic getting
> to machines.
>
> What you are talking about is some sort of restrictive file system
> permission set, or some sort of sandbox. That is a different problem
> domain.
>
> For what it is worth, /proc/kcore is *already* set with one of the most
> restrictive sets of permissions possible, 'read only to root only'.
>
>> Apparently since it is a virtual space, deleting the signature could crash
>> the system.  How is this virus getting in?
>
> Well, my guess would be that you had a vulnerable service running, or an
> easily guessed password, and someone broke into the system that way,
> then installed a rootkit to retain access to your system.
>
> /proc/kcore shows the presence of the tool in kernel memory, but is very
> unlikely to be the source of the infection.
>
>> After a clean reboot, the antivirus did not detect anything in /proc.
>> Debsums appear to be fine and chkrootkit states that everything is ok
>> except: "Checking `bindshell'... INFECTED (PORTS: 1524 31337)" but since
>> I am running portsentry I consider this a normal false positive.
>
> I would strongly suggest that you *stop* running portsentry and retest
> with the 'chkrootkit' tool, to verify your belief.
>
> While it is certainly possible that the detection of the virus was a
> false-positive, any sort of uncertainty is ... more risk than I would
> take with my systems.
>
>
> Personally, I suggest reinstalling your system to be safe.
>
>     Daniel
> --
> There's real teaching: taking the risk and telling people what
> you really think, why you think it, and what difference it makes.
>         -- Prof. Jacob Neusner, commencement address, 1991


-- 
Jose Marrero <jmm19@humboldt.edu>
Key fingerprint = 1259 79C5 D922 EC07 47CC  724709C6
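Daniel's advice above is to stop portsentry and re-run chkrootkit so that the "bindshell ... INFECTED (PORTS: 1524 31337)" result can be confirmed as a false positive. A quicker first check, from the defender's side, is to attribute each flagged port to the process that actually holds it. The shell function below is an added example and is not part of this thread or of chkrootkit/portsentry; it assumes `ss -ltnp` output (a constructed sample is embedded so it runs offline) and that the expected owner of those ports is a process named portsentry. Anything else listening there, or a listener with no visible owner, is the case that warrants Daniel's reinstall advice.

```shell
#!/bin/sh
# Added example, not from the list thread: attribute listeners on the ports
# chkrootkit's bindshell test flags (1524, 31337) to their owning process, so
# an "INFECTED" result can be compared against the expected portsentry listener.

# Constructed sample of `ss -ltnp` output so the script runs offline.
# On a live host replace it with the real output:  ss -ltnp
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       1       0.0.0.0:1524        0.0.0.0:*          users:(("portsentry",pid=842,fd=7))
LISTEN  0       1       0.0.0.0:31337       0.0.0.0:*          users:(("portsentry",pid=842,fd=9))'

# check_bindshell_ports SS_OUTPUT EXPECTED_PROCESS
# Prints one line per watched port, "<port> <process|none>", and returns 0 when
# every watched port is either closed or held by EXPECTED_PROCESS, 1 otherwise.
check_bindshell_ports() {
    ss_output=$1
    expected=$2
    rc=0
    for port in 1524 31337; do
        # Pick the LISTEN row whose local address ends in ":<port>" and pull
        # the process name out of the users:(("name",pid=...)) field.
        owner=$(printf '%s\n' "$ss_output" \
            | awk -v p=":$port" '$1 == "LISTEN" && $4 ~ p"$" { print $NF }' \
            | sed -n 's/.*users:(("\([^"]*\)".*/\1/p' \
            | head -n 1)
        if [ -z "$owner" ]; then
            owner=none
        fi
        printf '%s %s\n' "$port" "$owner"
        # A listener that is not the expected process is the case to escalate.
        if [ "$owner" != none ] && [ "$owner" != "$expected" ]; then
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample; on a real host use:
#   check_bindshell_ports "$(ss -ltnp)" portsentry
check_bindshell_ports "$SAMPLE_SS" portsentry
```

The function reports the owner per port rather than just pass/fail, so the output can be kept with the chkrootkit log as the evidence for calling the result a false positive. Note that a kernel-level rootkit can hide sockets from `ss` and `/proc` alike, which is why Daniel's stronger step of stopping portsentry and retesting, and reinstalling when in doubt, still applies.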
