
Re: Iptables firewall

I won't be able to do this until later in the day, but this antivirus does
not detect anything in /proc/kcore anymore.  It is strange that a scan
with f-prot (up to date) did not detect anything (done after Vexira
detected the signature in /proc/kcore).

I also thought that the antivirus scanner is seeing a copy of its own
definition in kcore.  I emailed Vexira, and support staff said that they
don't think so and that it does not happen for them.

Just out of curiosity, I ran an exhaustive scan all over, and Vexira found a
signature in a tcpdump.log (Code Red; AFAIK this is a Windows worm).
Of course, I deleted this file.

In summary:

a) Vexira does not detect anything in /proc/kcore (before and after
deleting that tcpdump.log), except on one occasion, and it disappeared after.

b) Support staff at Vexira apparently cannot reproduce this.

c) f-prot does not detect the signature.

I am curious to know how booting with a different kernel (from a CD
install, for example) would determine whether it is an error.
What is the rationale, if you wish to share?

Joe M.

> On 20 Jul 2004, jmm wrote:
>> The antivirus program was "Vexira". When portsentry is not running, there
>> is nothing attached to 'bind shell', as reported by chkrootkit.  It is
>> strange since I ran Vexira in my previous system and after (it gave me the
>> same warning in the previous system) I erased the whole disk and installed
>> Woody from scratch with minimal services running.  Then, in the afternoon,
>> when I ran Vexira, the virus signature was showing in /proc/kcore.
> Hrm. Only with that scanner, and only in kcore, huh?  Maybe it is
> confused by some track of itself running in memory or something.
> Can you boot off a known good media (like, say, an install CD or
> something) and run the scanner from there?  That should determine if it
> is an error, or if it is that the rootkit mostly manages to hide itself.
> [...]
>>> The fact that the detection was only transient suggests two things to
>>> me: either it was luck that made whatever package gave that warning
>>> believe the rootkit was installed, or the rootkit is hiding better after
>>> the reboot...
>> That could be very possible.  Would a chkrootkit from unstable detect
>> something else?  As I stated, I run stable.
> It could do; I have not had occasion to try either of them. A newer
> version, of course, is always more likely to be up to date.
>          Daniel
> --
> The heart asks pleasure first, and then excuse from pain,
> and then those little anodynes that deaden suffering.
>         -- Emily Dickinson
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org

Jose Marrero <jmm19@humboldt.edu>
Key fingerprint = 1259 79C5 D922 EC07 47CC  724709C6
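The hypothesis raised in this thread, that the scanner is matching a copy of its own signature table in /proc/kcore (which is an image of the running kernel's memory), can be modelled in a few lines. The following is an added example and is not code from this thread, from Vexira, from f-prot or from any other scanner named here; the signature names, the patterns, the XOR key and the "memory image" are all constructed for illustration. It shows why a scanner that keeps its raw patterns contiguous in memory trips on a memory image that contains its own table, and how storing the patterns encoded, decoding only one byte at a time during comparison, avoids that false positive while still finding a genuinely infected buffer.

```python
"""Toy model of a signature scanner matching its own definitions in a
memory image, and the encoded-signature variant that does not.
All signatures and data below are constructed for this example; they
are not real malware signatures and not any vendor's format."""

# Constructed sample signatures (hypothetical names, not real detections).
RAW_SIGNATURES = {
    "Demo.Worm.A": b"GET /default.ida?NNNNNNNNNNNNNNNN",
    "Demo.Backdoor.B": b"\x90\x90\x90/bin/sh -i\x00",
}

XOR_KEY = 0x5A  # constructed; any non-zero byte serves the demonstration


def encode_signatures(raw):
    """Store each pattern XOR-encoded so its plaintext never sits in memory."""
    return {name: bytes(b ^ XOR_KEY for b in pat) for name, pat in raw.items()}


def serialize(table):
    """How a signature table might look on the scanner's own heap."""
    return b"".join(name.encode() + b"=" + pat + b"\n" for name, pat in table.items())


def naive_scan(image, raw_sigs):
    """Plain substring search with raw patterns: if the image contains the
    scanner's own table, every signature matches itself."""
    hits = []
    for name, pat in raw_sigs.items():
        pos = image.find(pat)
        while pos != -1:
            hits.append((name, pos))
            pos = image.find(pat, pos + 1)
    return hits


def encoded_scan(image, enc_sigs):
    """Compare through the XOR key one byte at a time.  The decoded pattern
    is never materialised as a contiguous object, so an image holding this
    scanner's own (encoded) table has no plaintext copy to match."""
    hits = []
    for name, enc in enc_sigs.items():
        n = len(enc)
        for i in range(len(image) - n + 1):
            if all(image[i + k] == (enc[k] ^ XOR_KEY) for k in range(n)):
                hits.append((name, i))
    return hits


def build_image(signature_table_bytes, infected=False):
    """Constructed stand-in for a kernel memory dump: some benign data,
    the scanner's own signature table as it sits on its heap, and
    optionally a genuinely infected buffer."""
    parts = [b"kernel text " * 4, b"tcpdump buffer " * 4, signature_table_bytes]
    if infected:
        parts.append(b"payload:" + RAW_SIGNATURES["Demo.Worm.A"] + b"\x00")
    return b"".join(parts)


def demo():
    """Returns (false positives, clean-system hits, infected-system hits)."""
    raw_table = serialize(RAW_SIGNATURES)
    enc_sigs = encode_signatures(RAW_SIGNATURES)
    enc_table = serialize(enc_sigs)

    # Clean system, scanner keeps raw patterns in memory: it flags itself.
    false_positives = naive_scan(build_image(raw_table), RAW_SIGNATURES)
    # Clean system, scanner keeps encoded patterns: nothing to match.
    clean_hits = encoded_scan(build_image(enc_table), enc_sigs)
    # Infected system, encoded scanner: the real buffer is still found.
    real_hits = encoded_scan(build_image(enc_table, infected=True), enc_sigs)
    return false_positives, clean_hits, real_hits


if __name__ == "__main__":
    fp, clean, real = demo()
    print("raw-pattern scanner on clean image:", [n for n, _ in fp])
    print("encoded scanner on clean image:   ", [n for n, _ in clean])
    print("encoded scanner on infected image:", [n for n, _ in real])
```

The model only addresses the self-match explanation; it says nothing about a rootkit that hides itself from a scanner running on the compromised kernel. That is what the suggestion in the quoted reply addresses: booting from known-good media means the suspect kernel is not running at all, so its memory cannot be lying to the scanner, and /proc/kcore on the live system reflects the live CD's kernel rather than the one under suspicion.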
