
Re: Iptables firewall



On 20 Jul 2004, jmm wrote:
> The antivirus program was "Vexira". When portsentry is not running, there
> is nothing attached to 'bind shell', as reported by chkrootkit.  It is
> strange since I ran Vexira in my previous system and after (it gave me the
> same warning in the previous system) I erased the whole disk and installed
> Woody from scratch with minimal services running.  Then, in the afternoon,
> when I ran Vexira, the virus signature was showing in /proc/kcore.

Hrm. Only with that scanner, and only in kcore, huh?  Maybe it is
confused by some track of itself running in memory or something.

Can you boot off a known good media (like, say, an install CD or
something) and run the scanner from there?  That should determine if it
is an error, or if it is that the rootkit mostly manages to hide itself.

[...]

>> The fact that the detection was only transient suggests two things to
>> me: either it was luck that made whatever package gave that warning
>> believe the rootkit was installed, or the rootkit is hiding better after
>> the reboot...
>
> That could be very possible.  Would a chkrootkit from unstable detect
> something else?  As I stated I run stable.

It could do; I have not had occasion to try either of them. A newer
version, of course, is always more likely to be up to date.

         Daniel
-- 
The heart asks pleasure first, and then excuse from pain,
and then those little anodynes that deaden suffering.
        -- Emily Dickinson
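Daniel's suggestion above, booting from known-good media so that nothing on the suspect disk is running while it is examined, can be combined with a plain integrity comparison rather than relying on a single scanner. The script below is an added example; it is not code from this thread, from Vexira or from chkrootkit. It hashes every executable under an offline-mounted root and diffs the result against a baseline manifest, reporting binaries that changed, vanished, or appeared. The mount point, the device name, the baseline manifest and the two sample trees are assumptions made for the example; on a Debian system the package checksums (debsums) would be the natural baseline.

```shell
#!/bin/sh
# Added example, not code from the thread, from Vexira or from chkrootkit.
# Offline integrity comparison: run from known-good boot media with the
# suspect root mounted read-only (e.g. mount -o ro,noexec /dev/sda1 /mnt,
# an assumed device and mount point), so nothing on the suspect disk,
# rootkit included, is executing while it is inspected.
# Assumes sha256sum, find, awk and sort (POSIX tools plus coreutils) and
# a baseline manifest taken from the same package set before the incident.

# Emit "sha256  ./relative/path" for every regular executable under $1,
# sorted by path so two manifests can be compared entry by entry.
make_manifest() {
    root=$1
    (cd "$root" && find . -type f -perm -100 -exec sha256sum {} + \
        | LC_ALL=C sort -k2)
}

# Compare baseline manifest $1 with current manifest $2. Prints one line
# per difference: CHANGED (hash differs), MISSING (gone from the suspect
# tree) or NEW (an executable the baseline never had, e.g. a dropped bind
# shell). Prints nothing when the trees match.
compare_manifest() {
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        { cur[$2] = $1 }                               # second file: current
        END {
            for (f in base) {
                if (!(f in cur))            print "MISSING " f
                else if (base[f] != cur[f]) print "CHANGED " f
            }
            for (f in cur) if (!(f in base)) print "NEW " f
        }' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample: a "clean" tree, then a copy in which one binary has
# been replaced and an extra dot-file executable has appeared.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin"
    printf 'ls binary v1\n' > "$work/clean/bin/ls"
    printf 'ps binary v1\n' > "$work/clean/bin/ps"
    chmod 755 "$work/clean/bin/ls" "$work/clean/bin/ps"
    make_manifest "$work/clean" > "$work/baseline.txt"

    mkdir -p "$work/suspect/bin" "$work/suspect/sbin"
    cp "$work/clean/bin/ls" "$work/suspect/bin/ls"
    printf 'ps binary trojaned\n' > "$work/suspect/bin/ps"
    printf 'listener\n' > "$work/suspect/sbin/.hidden"
    chmod 755 "$work/suspect/bin/ls" "$work/suspect/bin/ps" \
              "$work/suspect/sbin/.hidden"
    make_manifest "$work/suspect" > "$work/current.txt"

    compare_manifest "$work/baseline.txt" "$work/current.txt"
    rm -rf "$work"
}

demo
```

Because the comparison is done on a tree that is mounted read-only and noexec from trusted media, a rootkit that hides files or processes from tools on the live system gets no chance to intercept the hashing. A clean result from this check together with a repeat of the Vexira /proc/kcore finding would point to a scanner artifact; a CHANGED or NEW entry in a system path points the other way.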


