
Re: How to tell if a Linux machine is a zombie?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jan 08, 2007 at 01:13:01PM -0600, Russell L. Harris wrote:
> Yesterday I read another article bemoaning the large number of Window$
> machines which have been commandeered remotely and turned into
> spam-spewing zombies.
> 
> If I understand the matter correctly, a firewall can protect only
> against incoming messages, and is useless against spyware which
> "phones home" or zombie-ware which spews email spam.
Hi R,
iptables can filter both incoming and outgoing packets, although most
folks focus on the outgoing one.
> 
> So, before I preach about the dangers of spyware and zombies to my
> buddies using Window$, how can I be certain that my own Debian machine
> has not been compromised and has not become a zombie?  Is there a
> simple test which I can run on a weekly basis?  
There are 'rootkit' checkers that can look for them on your machine. Another way
is packages that check for 'new' files, like aide. If a machine is
'rooted', the kit replaces tools like 'ps', 'ls', 'top', etc. so that you
cannot easily know there is a problem, and may set up something like
an irc server or ssh on an odd port.
> 
> My LAN is protected by a machine running SmoothWall Express 2.0,
> acting as a firewall and router.  Would an internal firewall package be
> useful in this environment?
Many folks like that one. I use shorewall. You can always block outgoing
ports that you don't use. If you don't run an ftp server, block ports 20
and 21, etc.
Kev
- -- 
|  .''`.  == Debian GNU/Linux == |       my web site:       |
| : :' :      The  Universal     |   'under construction'   |
| `. `'      Operating System    | go to counter.li.org and |
|   `-    http://www.debian.org/ |    be counted! #238656   |
|  my keyserver: subkeys.pgp.net |     my NPO: cfsg.org     |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFoqDJv8UcC1qRZVMRAk83AJ9LuItRB3PMHmN/arWmndTUY37Z3gCeNyGE
47I0i54y6etfZz6aM8cBCts=
=Lj0O
-----END PGP SIGNATURE-----
