
Re: Iptables firewall



Thanks Daniel

Even though tiger does not show errors and debsums cannot check /bin, I
decided I am going to do a complete reinstall (again) since aide, for
some reason, reports file changes in /bin, /dev and other places.  I
don't know how much to trust this report until I learn more about aide.

I hope this thread has helped somebody else in the sense of securing a
system as much as possible before it is connected to the internet.  It has
certainly become more hostile.



> On 21 Jul 2004, jmm wrote:
>>> On 20 Jul 2004, jmm wrote:
>>>> The antivirus program was "Vexira". When portsentry is not running, there
>>>> is nothing attached to 'bind shell', as reported by chkrootkit. It is
>>>> strange since I ran Vexira in my previous system and after (it gave me the
>>>> same warning in the previous system) I erased the whole disk and installed
>>>> Woody from scratch with minimal services running.  Then, in the afternoon,
>>>> when I ran Vexira, the virus signature was showing in /proc/kcore.
>>>
>>> Hrm. Only with that scanner, and only in kcore, huh?  Maybe it is
>>> confused by some track of itself running in memory or something.
>>>
>>> Can you boot off a known good media (like, say, an install CD or
>>> something) and run the scanner from there? That should determine if it
>>> is an error, or if it is that the rootkit mostly manages to hide
>>> itself.
>>
>> Well I booted with a debian cd and scanning /proc/kcore gives no errors
>> and I also did a manual scan for each directory and nothing... Should I
>> consider the first finding in /proc/kcore an error of the antivirus
>> software?
>
> That seems likely to me.
>
> That said, I offer no warranty with my advice. :)
>
> Seriously -- it sounds like a false positive to me, but the key is to do
> enough that *you* are happy that it was a mistake of the virus scanner.
>
>      Daniel
> --
> Sadness is but a wall between two gardens.
>         -- Kahlil Gibran


-- 
Jose Marrero <jmm19@humboldt.edu>
Key fingerprint = 1259 79C5 D922 EC07 47CC  724709C6


