
Re: In search of a Linux Virus Scanner



hi ya theodore...

> With the Nimda virus/worm and the Code Red worm breaking Windows around the globe, I am nervously waiting for the next Linux Worm. 

why ???  in the mean time... the script kiddies...with lots of free time are
attacking your PCs with generic scripts that try to exploit the
existing vulnerabilities in your systems....

insecure.org has a lot more exploits posted and test apps than those you
posted

> It would be more work to make a Linux virus or worm because the designer would have to take care creating 2 programs as opposed to one.

gazillion ways to break into a server....

> What is being done to protect against this ?  Are there any Linux virus/ worm scanners for Debian?

i think you want to know when someone comes knocking ...
( port scanning is a precursor to their attack ?? )
	- run a port scanner ....
	( portsentry, snort, ippl, etc. )
 
	and review those logs as often as you want to satisfy your paranoia

to protect against un-authorized use of your server and/or intruders...
-- harden your server and protect (backup) your data regularly

http://www.Linux-Sec.net/Harden

have fun
alvin

- ps ... was too lazy to fix your line lengths


> ---------------------------------------------
> Over-Simplified Hypothetical Linux Worm Design 
> ---------------------------------------------
> 
> The first program would have to be a transport or vector. 
> The second program would be the virus or worm. 
> The vector would open the door to the unpatched machine and then send the buffer overflows for known vulnerabilities. 
> During the Linux World in NYC Feb. 2001, Bruce Perens gave a high level presentation where he presented a little C program that could be used as a vector to open a door to an unpatched machine.
> 
> 1. Vector (transport)
>         C code that emulates a legal connection to a host machine. 
> 	This C code could try opening all the following connections to a remote host (open ports 21,22,23,25,53,80).
> 	After connecting, the C code would call the worm.
> 
> 2. Worm (known exploits)
> 	While (port open) 
> 		Send_Exploit_for_Wget       to port 21
> 		Send_Exploit_for_Sendmail   to port 25
> 		Send_Exploit_for_Telnet     to port 23
> 		Send_Exploit_for_SSH        to port 22
> 		Send_Exploit_for_Bind       to port 53
> 		Send_Exploit_for_Apache     to port 80
> 
> Other Hypothetical Threats Articles:
> http://lwn.net/1998/1119/Trojan.html
> 
> 
> Existing exploits for Linux machines:
> http://www.google.com/search?q=cache:a7Rlxpy-qPg:www.insecure.org/sploits/INND.1.6.overflow.html+exploit+%22%23include%3Cstdio.h%3E%22&hl=en
> http://www.google.com/search?q=cache:dI3dvxVTUoo:www.insecure.org/sploits/routed.tracefile.html+exploit+%22%23includ
> http://www.google.com/search?q=cache:P2i_y4xKLY0:oliver.efri.hr/~crv/security/bugs/Linux/krnl220.html+exploit+%22%23include%3Cstdio.h%3E%22+linux&hl=en
> http://www.google.com/search?q=cache:slTym0c2sGo:www.nmrc.org/files/unix/cxterm.exploit+exploit+%22%23include%3Cstdio.h%3E%
> http://www.google.com/search?q=cache:8YybojTeyf4:security-archive.merton.ox.ac.uk/bugtraq-199909/0104.html+exploit+%22%23include%3Cstdio.h%3E%22+linux&hl=en
> 
> ----------------------
> GNU PGP public key
> http://www.annapolislinux.org/docs/public_key/GnuPG.txt
> ---------------------
> 
> 
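Alvin's advice above is to run a port-scan detector and review its logs. The following script is an added example, not code from this thread or from portsentry/snort: it reads netfilter LOG-target style kernel lines (the format is an assumption; the sample lines, hosts and addresses are constructed) and flags any source that touches several distinct destination ports within a short window, which is the "someone coming knocking" pattern the reply describes. The window and port thresholds are arbitrary defaults, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, in netfilter LOG-target style (not real traffic).
# 192.0.2.10 probes the six ports named in the quoted "worm design";
# 203.0.113.7 is ordinary traffic that should not be flagged.
SAMPLE_LOG = """\
Sep 20 10:00:01 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21 SYN
Sep 20 10:00:01 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 20 10:00:02 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23 SYN
Sep 20 10:00:02 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25 SYN
Sep 20 10:00:03 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=53 SYN
Sep 20 10:00:03 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40006 DPT=80 SYN
Sep 20 10:00:05 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Sep 20 10:00:09 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80 SYN
Sep 20 10:30:00 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=22 SYN
"""

# Syslog timestamp, host, "kernel:", then the SRC= and DPT= fields we care about.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?\bSRC=(\S+).*?\bDPT=(\d+)"
)


def parse_line(line, year=2001):
    """Return (timestamp, source_ip, dest_port) or None for lines we don't understand.
    Syslog lines carry no year, so one is supplied (assumption: all lines share it)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))


def detect_port_scans(log_text, window_seconds=60, min_ports=5):
    """Flag sources that hit at least `min_ports` distinct destination ports
    within any `window_seconds` sliding window. Returns {src: sorted_ports}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            events[src].append((ts, dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # order by time so the window can slide forward
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                # Union the ports of every qualifying window for this source.
                alerts.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in alerts.items()}


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

Run it against a real kernel log by replacing SAMPLE_LOG with the file contents; a single host sweeping ports 21 through 80 in a few seconds is exactly the "precursor" Alvin suggests reviewing the logs for, while a host that only ever reaches port 80 stays quiet.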


