Re: How to tell if a Linux machine is a zombie?
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, Jan 08, 2007 at 01:13:01PM -0600, Russell L. Harris wrote:
> Yesterday I read another article bemoaning the large number of Window$
> machines which have been commandeered remotely and turned into
> spam-spewing zombies.
> If I understand the matter correctly, a firewall can protect only
> against incoming messages, and is useless against spyware which
> "phones home" or zombie-ware which spews email spam.
iptables can filter both incoming and outgoing packets, although most
folks focus on the outgoing one.
> So, before I preach about the dangers of spyware and zombies to my
> buddies using Window$, how can I be certain that my own Debian machine
> has not been compromised and has not become a zombie? Is there a
> simple test which I can run on a weekly basis?
There are 'root kit' checkers that can look for them on your machine. Another way
is packages that check for 'new' files, like aide. If a machine is
'rooted', the kit replaces tools like 'ps', 'ls', 'top', etc. so that you
cannot easily know there is a problem, and may set up something like
an irc server or ssh on an odd port.
> My LAN is protected by a machine running SmoothWall Express 2.0,
> acting as a firewall and router. Would an internal firewall package be
> useful in this environment?
Many folks like that one. I use shorewall. You can always block outgoing
ports that you don't use. If you don't run an ftp server, block ports 20
and 21, etc.
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal | 'under construction' |
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keyserver: subkeys.pgp.net | my NPO: cfsg.org |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
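The 'new files' check that the reply attributes to aide, shown as an added example that is not part of the original thread and is not aide's own code: a small shell script that records SHA-256 hashes of a set of files while the machine is believed clean, then later compares the live files against that baseline and reports what was changed, added or removed. Because the comparison hashes the files directly rather than asking 'ps' or 'ls' what is there, a replaced tool shows up as CHANGED even when the replacement hides itself. It assumes GNU coreutils (sha256sum), awk and find are available; the watched directories and the baseline path are the caller's choice, and the demo below uses a constructed temporary tree rather than real system binaries.

```shell
#!/bin/sh
# Added example (not from the original thread, not aide's code): a minimal
# AIDE-style file-integrity check built from sha256sum + awk.
# Assumptions: GNU coreutils, POSIX awk and find. The baseline file must live
# outside the watched directories, or it will report itself as changed.
# Limitation: paths containing whitespace are not handled by the awk split.

# Record one "hash  path" line for every regular file below the given dirs.
build_baseline() {
    baseline="$1"; shift
    find "$@" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$baseline"
}

# Compare live files against the baseline. Prints one sorted line per
# difference ("CHANGED|ADDED|REMOVED path") and returns 1 if anything
# differs, 0 if the tree still matches.
check_baseline() {
    baseline="$1"; shift
    report=$(
        find "$@" -type f -exec sha256sum {} + |
        awk -v base="$baseline" '
            # Load the baseline into seen[path] = hash.
            BEGIN { while ((getline line < base) > 0) { split(line, f, " "); seen[f[2]] = f[1] } }
            {
                if (!($2 in seen)) print "ADDED", $2
                else { if (seen[$2] != $1) print "CHANGED", $2; delete seen[$2] }
            }
            # Whatever is left in the baseline no longer exists on disk.
            END { for (p in seen) print "REMOVED", p }
        ' | LC_ALL=C sort
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Self-contained demo on a constructed temporary tree (no real system files):
# take a baseline, then simulate one tool replaced, one file dropped in and
# one file gone, and run the check. Returns the check's exit status.
demo() {
    tree=$(mktemp -d)
    mkdir "$tree/bin"
    printf 'fake ps\n'  > "$tree/bin/ps"
    printf 'fake ls\n'  > "$tree/bin/ls"
    printf 'fake top\n' > "$tree/bin/top"
    build_baseline "$tree/baseline.db" "$tree/bin"

    printf 'replaced ps\n' > "$tree/bin/ps"    # constructed: tool replaced
    printf 'extra\n'       > "$tree/bin/extra" # constructed: new file appeared
    rm "$tree/bin/top"                         # constructed: file removed

    check_baseline "$tree/baseline.db" "$tree/bin"
    rc=$?
    rm -rf "$tree"
    return $rc
}

# Run as "sh integrity.sh demo" to see the three findings; exit status is 1.
if [ "${1-}" = "demo" ]; then demo; fi
```

On a real host you would run build_baseline once against /bin, /sbin and /usr/bin right after installation, keep the baseline file on read-only or offline media, and call check_baseline from a weekly cron job, which is the "simple test on a weekly basis" the question asks for; the exit status lets cron's mail (or any other alerting) fire only when something differs.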