
Re: Iptables firewall



On 21 Jul 2004, jmm wrote:
>> On 20 Jul 2004, jmm wrote:
>>> The antivirus program was "Vexira". When portsentry is not running,
>>> there is nothing attached to 'bind shell', as reported by chkrootkit.
>>> It is strange since I ran Vexira in my previous system and after (it
>>> gave me the same warning in the previous system) I erased the whole
>>> disk and installed Woody from scratch with minimal services running.
>>> Then, in the afternoon, when I ran Vexira, the virus signature was
>>> showing in /proc/kcore.
>>
>> Hrm. Only with that scanner, and only in kcore, huh?  Maybe it is
>> confused by some track of itself running in memory or something.
>>
>> Can you boot off a known good media (like, say, an install CD or
>> something) and run the scanner from there? That should determine if it
>> is an error, or if it is that the rootkit mostly manages to hide itself.
>
> Well I booted with a debian cd and scanning /proc/kcore gives no errors
> and I also did a manual scan for each directory and nothing... Should I
> consider the first finding in /proc/kcore an error of the antivirus
> software?

That seems likely to me.

That said, I offer no warranty with my advice. :)

Seriously -- it sounds like a false positive to me, but the key is to do
enough that *you* are happy that it was a mistake of the virus scanner.

     Daniel
-- 
Sadness is but a wall between two gardens.
        -- Kahlil Gibran


