
Re: Re: Virus and file /proc/kcore



Thanks,
Will look around to see what I can find.  
Later,
Michael
> 
> From: Cameron Hutchison <camh+dl@xdna.net>
> Date: 2002/08/10 Sat AM 09:58:38 EDT
> To: debian-user <debian-user@lists.debian.org>
> Subject: Re: Re: Virus and file /proc/kcore
> 
> Once upon a time colemw@cox.net said...
> > Thanks,
> 
> > I have rebooted the system.  It still comes up with this file being
> > HUGE and when I do a 'df' it shows that partition to be 100% full.
> 
> The 100% full will be because of something else. Files in the /proc
> filesystem are not on the root partition (they are not on disk at all -
> the files are all virtual, presenting information about the system as it
> is currently running).
> 
> > I know that it was only about 45% full the other day.
> 
> Something else must have filled it up. Do you have a separate /var
> partition? If not, check /var/tmp for stray files that can be deleted.
> /tmp also, but that should be cleared automatically on boot.
> 
> > When I run f-prot again with -auto -delete it doesn't
> > find any virus.  If I do it with -noheur it finds the W32.  I have to
> > read a bit more to understand the ins and outs of this.
> 
> I think the virus scanner is picking up itself in the memory image. For
> the scanner to be able to detect a virus signature, it must contain the
> virus signature in its own code. When f-prot looks in /proc/kcore, it
> sees its own memory (as well as other memory), and sees the virus
> signatures, fooling it into thinking it has found a virus.
> 
> > Another thing.  I have a separate /usr partition.  Can I wipe the /
> > partition and reinstall it without changing the other partition?
> 
> I don't think it is necessary for you to wipe any partitions. From what
> you have said so far, it is unlikely you have a virus. Instead look
> around your root filesystem for the file that is taking up all your
> space (it will NOT be in /proc).
> 
> Hope this helps.
> 
> -- 
> Cameron Hutchison (camh@xdna.net) | Onward To Mars
> 

Michael Ward Cole, DO
1216 Cedar Point Drive
Virginia Beach, Virginia 23451
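
The search suggested in the quoted reply (find what is filling the root filesystem, knowing it will not be in /proc), as an added example that is not part of the original thread. The function names `allocated_bytes` and `largest_files` are hypothetical; the walk stays on the device of the starting directory, so /proc and a separate /usr are skipped, and files are ranked by blocks actually allocated on disk rather than by apparent size.

```python
import heapq
import os
import stat


def allocated_bytes(st):
    # st_blocks is counted in 512-byte units; this is the space df accounts for.
    return st.st_blocks * 512


def largest_files(root="/", top=10):
    """Return up to `top` (allocated, apparent, path) tuples, largest first.

    Only regular files on the same device as `root` are considered, so
    other mounted filesystems (/proc, a separate /usr) are never entered.
    """
    root_dev = os.lstat(root).st_dev
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune subdirectories that are mount points of another filesystem.
        keep = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                    keep.append(d)
            except OSError:
                pass  # vanished or unreadable: do not descend
        dirnames[:] = keep
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_dev == root_dev:
                found.append((allocated_bytes(st), st.st_size, path))
    return heapq.nlargest(top, found)


if __name__ == "__main__":
    for alloc, apparent, path in largest_files("/", 15):
        print(f"{alloc / 1048576:10.1f} MiB on disk {apparent:>14} bytes apparent  {path}")
    try:
        # A virtual file: large apparent size, no blocks on any disk.
        st = os.stat("/proc/kcore")
        print("/proc/kcore:", st.st_size, "apparent,", allocated_bytes(st), "on disk")
    except OSError:
        pass
```

Run as root so unreadable directories are not silently skipped.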


