
Re: Iptables firewall



I won't be able to do this until later in the day but this antivirus does
not detect anything in /proc/kcore anymore.  It is strange that a scan
with f-prot (up to date) did not detect anything (done after vexira
detected the signature in /proc/kcore).

I also thought that the antivirus scanner is seeing a copy of its own
definition in kcore.  I emailed vexira and support staff said that they
don't think so and that it does not happen for them.

Just for curiosity, I ran an exhaustive scan all over and vexira found a
signature in a tcpdump.log (a Code Red -- AFAIK, this is a Windows worm).
Of course, I deleted this file.

In summary:
a) vexira does not detect anything in /proc/kcore (before and after
deleting that tcpdump.log) except on one occasion and it disappeared after
reboot.

b) Support staff at vexira apparently cannot reproduce this.


c) fprot does not detect the signature.

I am curious to know how booting with a different kernel (from a CD
install, for example) will determine if it is an error?
What is the rationale, if you wish to share?

Joe M.


> On 20 Jul 2004, jmm wrote:
>> The antivirus program was "Vexira". When portsentry is not running, there
>> is nothing attached to 'bind shell', as reported by chkrootkit.  It is
>> strange since I ran Vexira in my previous system and after (it gave me the
>> same warning in the previous system) I erased the whole disk and installed
>> Woody from scratch with minimal services running.  Then, in the afternoon,
>> when I ran Vexira, the virus signature was showing in /proc/kcore.
>
> Hrm. Only with that scanner, and only in kcore, huh?  Maybe it is
> confused by some track of itself running in memory or something.
>
> Can you boot off a known good media (like, say, an install CD or
> something) and run the scanner from there?  That should determine if it
> is an error, or if it is that the rootkit mostly manages to hide itself.
>
> [...]
>
>>> The fact that the detection was only transient suggests two things to
>>> me: either it was luck that made whatever package gave that warning
>>> believe the rootkit was installed, or the rootkit is hiding better after
>>> the reboot...
>>
>> That could be very possible.  Would a chkrootkit from unstable detect
>> something else?  As I stated I run stable.
>
> It could do; I have not had occasion to try either of them. A newer
> version, of course, is always more likely to be up to date.
>
>          Daniel
> --
> The heart asks pleasure first, and then excuse from pain,
> and then those little anodynes that deaden suffering.
>         -- Emily Dickinson
>


-- 
Jose Marrero <jmm19@humboldt.edu>
Key fingerprint = 1259 79C5 D922 EC07 47CC  724709C6