
Re: How to tell if a Linux machine is a zombie?


On Mon, Jan 08, 2007 at 01:13:01PM -0600, Russell L. Harris wrote:
> Yesterday I read another article bemoaning the large number of Window$
> machines which have been commandeered remotely and turned into
> spam-spewing zombies.
> If I understand the matter correctly, a firewall can protect only
> against incoming messages, and is useless against spyware which
> "phones home" or zombie-ware which spews email spam.
Hi R,
iptables can filter both incoming and outgoing packets, although most
folks focus on the outgoing one.
> So, before I preach about the dangers of spyware and zombies to my
> buddies using Window$, how can I be certain that my own Debian machine
> has not been compromised and has not become a zombie?  Is there a
> simple test which I can run on a weekly basis?  
There are 'root kit' checkers that can look for them on your machine. Another
way is packages that check for 'new' files, like aide. If a machine is
'rooted', the kit replaces tools like 'ps', 'ls', 'top', etc. so that you
cannot easily know there is a problem, and it may set up something like
an irc server or ssh on an odd port.
> My LAN is protected by a machine running SmoothWall Express 2.0,
> acting as a firewall and router.  Would an internal firewall package be
> useful in this environment?
Many folks like that one. I use shorewall. You can always block outgoing
ports that you don't use. If you don't run an ftp server, block ports 20
and 21, etc.
-- 
|  .''`.  == Debian GNU/Linux == |       my web site:       |
| : :' :      The  Universal     |   'under construction'   |
| `. `'      Operating System    | go to counter.li.org and |
|   `-    http://www.debian.org/ |    be counted! #238656   |
|   my keysever: subkeys.pgp.net |     my NPO: cfsg.org     |
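As an added example (not part of the original post or the thread), here is a small shell script that turns the reply's two suggestions into something a Debian user could actually run weekly: a check for listening services that are not on an allowlist (the "irc server or ssh on an odd port" case), and the iptables OUTPUT rules for a default-deny egress policy that only lets through the ports you choose. The allowlist, the sample socket listing and the port numbers are assumptions made up for the example; the iptables commands are only printed, not applied, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original post: a simple weekly zombie check
# plus the egress rules the reply recommends. Nothing here changes the
# system; the firewall commands are printed for review, not executed.

# Ports this host is expected to listen on (assumption for the example).
ALLOWED_LISTEN="22 25"

# Constructed sample of `ss -lntH` output (State Recv-Q Send-Q Local Peer).
# The last two lines stand in for an IRC daemon and an odd-port sshd.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 10 0.0.0.0:6667 0.0.0.0:*
LISTEN 0 128 [::]:2222 [::]:*'

# unexpected_ports: read ss-style lines on stdin and print every listening
# port that is not in ALLOWED_LISTEN, one per line. Works for IPv4 and
# bracketed IPv6 addresses because it strips everything up to the last ':'.
unexpected_ports() {
    awk -v allow="$ALLOWED_LISTEN" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)
            if (!(port in ok)) print port
        }'
}

# egress_rules: print iptables commands for a default-deny OUTPUT chain that
# allows loopback, replies to established connections, DNS, and new TCP
# connections only to the given destination ports. Everything else is
# logged and then dropped by the chain policy, so a spam engine trying to
# reach port 25 on the Internet shows up in the kernel log.
egress_rules() {
    ports="$1"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    for p in $ports; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -j LOG --log-prefix 'egress-drop: '"
}

# Weekly check against the constructed sample. On a real host replace the
# printf with:  ss -lntH | unexpected_ports
echo "Unexpected listening ports:"
printf '%s\n' "$SAMPLE_SS" | unexpected_ports

echo "Proposed egress rules (review, then run as root):"
egress_rules "80 443 25"
```

Note that this check only trusts the system as much as `ss` (or `netstat`) can be trusted; on a rooted box those tools may be the very binaries that were replaced, which is why the reply also points at file-integrity tools like aide with a baseline taken while the machine was known to be clean.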

