
Re: How to tell if a Linux machine is a zombie?

Angelo Bertolli wrote:

> Russell L. Harris wrote:
>> My LAN is protected by a machine running SmoothWall Express 2.0,
>> acting as a firewall and router.  Would an internal firewall package be
>> useful in this environment?
> As someone mentioned, Linux already has an internal firewall.

Or rather, a DoD-grade TCP/IP stack secure enough to be trusted as part of a
firewall system.  It sounds like Mr. Harris is already taking advantage of
this with his smoothwall box.

> Depending on the state of your machine, once there is a root compromise,
> there is only one or two sure-fire ways to see if you're a zombie.

You missed the obvious one:  fdisk, format, reinstall, restore known-good
backup.  This, of course, assumes the victim is following best practices,
thus has a recent, working backup.

> 1) Set up a brand new intermediate machine that captures all network
> traffic from the machine you're questioning and see what it's doing.

I'm not sure I'd trust a machine thought to be compromised even that much,
but I'm paranoid.

> 2) If you have a hash of all the files (like Tripwire provides) on some
> media that was NOT compromised, you can check those.

Tripwire is a good way to keep track of this.  The upstream maintainer also
sells similar software that lets you have more than one baseline and a
neato web-based GUI to manage it with.
