Re: Iptables firewall
I won't be able to do this until later in the day but this antivirus does
not detect anything in /proc/kcore anymore. It is strange that a scan
with f-prot (up to date) did not detect anything (done after vexira
detected the signature in /proc/kcore).
I also thought that the antivirus scanner is seeing a copy of its own
definition in kcore. I emailed vexira and support staff said that they
don't think so and that it does not happen for them.
Just for curiosity, I ran an exhaustive scan all over and vexira found a
signature in a tcpdump.log (a Code Red--AFAIK, this is a Windows worm).
Of course, I deleted this file.
a) vexira does not detect anything in /proc/kcore (before and after
deleting that tcpdump.log) except on one occasion and it disappeared after
b) Support staff at vexira apparently cannot reproduce this.
c) fprot does not detect the signature.
I am curious to know how booting with a different kernel (from a cd
install, for example) will determine if it is an error?
What is the rationale, if you wish to share?
> On 20 Jul 2004, jmm wrote:
>> The antivirus program was "Vexira". When portsentry is not running,
>> is nothing attached to 'bind shell', as reported by chkrootkit. It is
>> strange since I ran Vexira in my previous system and after (it gave me
>> same warning in the previous system) I erased the whole disk and
>> Woody from scratch with minimal services running. Then, in the
>> when I ran Vexira, the virus signature was showing in /proc/kcore.
> Hrm. Only with that scanner, and only in kcore, huh? Maybe it is
> confused by some track of itself running in memory or something.
> Can you boot off a known good media (like, say, an install CD or
> something) and run the scanner from there? That should determine if it
> is an error, or if it is that the rootkit mostly manages to hide itself.
>>> The fact that the detection was only transient suggests two things to
>>> me: either it was luck that made whatever package gave that warning
>>> believe the rootkit was installed, or the rootkit is hiding better
>>> the reboot...
>> That could be very possible. Would a chkrootkit from unstable detect
>> something else? As I stated I run stable.
> It could do; I have not had occasion to try either of them. A newer
> version, of course, is always more likely to be up to date.
> The heart asks pleasure first, and then excuse from pain,
> and then those little anodynes that deaden suffering.
> -- Emily Dickinson
Jose Marrero <firstname.lastname@example.org>
Key fingerprint = 1259 79C5 D922 EC07 47CC 724709C6
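The thread raises the possibility that the scanner is matching a copy of its own signature database sitting in kernel memory when it reads /proc/kcore. The following is an added example, not code from the mail or from any of the scanners mentioned: it uses a constructed signature list and a constructed memory image to show why a naive byte-pattern scan over a memory dump reports such self-matches, and how a scanner can separate hits that fall inside its own mapped memory from hits that actually merit investigation. The signature bytes, the image layout and the helper names are all assumptions made for the illustration.

```python
"""Self-signature false positives when scanning a memory image.

Added example for the debian-firewall thread above; not part of the original
mail. All signature bytes and the memory image are constructed.
"""
import os
import sys

# Constructed "signature database". Any scanner that holds its patterns in
# memory will, by definition, have these byte strings present in RAM.
SIGNATURES = [
    b"CONSTRUCTED-SIG-ONE-" + b"A" * 16,
    b"CONSTRUCTED-SIG-TWO-" + b"B" * 16,
]


def find_signatures(image: bytes, signatures=SIGNATURES):
    """Naive scan: return every (offset, signature) occurrence in image."""
    hits = []
    for sig in signatures:
        start = 0
        while True:
            idx = image.find(sig, start)
            if idx < 0:
                break
            hits.append((idx, sig))
            start = idx + 1
    return sorted(hits)


def classify_hits(hits, own_ranges):
    """Split hits into self-matches (inside the scanner's own memory ranges,
    given as half-open (lo, hi) offsets) and foreign hits worth a closer look.
    The naive scan alone cannot tell these apart; the range check can."""
    own, foreign = [], []
    for off, sig in hits:
        if any(lo <= off < hi for lo, hi in own_ranges):
            own.append((off, sig))
        else:
            foreign.append((off, sig))
    return own, foreign


def build_constructed_image():
    """Constructed stand-in for a kernel memory dump: neutral filler with the
    scanner's own database copied in at a known range and nothing malicious."""
    filler = bytes(range(256)) * 64          # contains none of the signatures
    db_blob = b"".join(SIGNATURES)           # the scanner's own patterns in RAM
    image = filler + db_blob + filler
    own_range = (len(filler), len(filler) + len(db_blob))
    return image, [own_range]


def scan_report(image: bytes, own_ranges):
    """Run the scan and return (total_hits, self_hits, foreign_hits) counts."""
    hits = find_signatures(image)
    own, foreign = classify_hits(hits, own_ranges)
    return len(hits), len(own), len(foreign)


def main():
    image, own_ranges = build_constructed_image()
    total, self_hits, foreign = scan_report(image, own_ranges)
    print(f"constructed image: {total} hits, {self_hits} are the scanner's own "
          f"database, {foreign} need investigation")

    # On Linux the same effect can be observed against this process's own
    # memory: the SIGNATURES list is found in /proc/self/mem because it is
    # simply there. Reading /proc/self/mem may be denied; that is not an error.
    if sys.platform.startswith("linux"):
        try:
            with open("/proc/self/maps") as maps, open("/proc/self/mem", "rb") as mem:
                found = 0
                for line in maps:
                    addr, perms = line.split()[:2]
                    if "r" not in perms:
                        continue
                    lo, hi = (int(x, 16) for x in addr.split("-"))
                    try:
                        mem.seek(lo)
                        chunk = mem.read(hi - lo)
                    except (OSError, ValueError, OverflowError):
                        continue
                    found += len(find_signatures(chunk))
                print(f"/proc/self/mem: {found} occurrences of our own signatures")
        except OSError as exc:
            print(f"/proc/self/mem not readable here ({exc}); skipped live check")


if __name__ == "__main__":
    main()
```

The useful part for the situation in the thread is `classify_hits`: a scanner that knows which address ranges are its own can drop self-matches before reporting, and a hit on kernel memory that does not fall inside any of those ranges is the one that deserves a second scan from known-good media, as suggested in the quoted reply.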