Re: How to tell if a Linux machine is a zombie?
Angelo Bertolli wrote:
> Russell L. Harris wrote:
>> My LAN is protected by a machine running SmoothWall Express 2.0,
>> acting as a firewall and router. Would an internal firewall package be
>> useful in this environment?
> As someone mentioned Linux already has an internal firewall.
Or rather, a DoD-grade TCP/IP stack secure enough to be trusted as part of a
firewall system. It sounds like Mr. Harris is already taking advantage of
this with his SmoothWall box.
> Depending on the state of your machine, once there is a root compromise,
> there is only one or two sure-fire ways to see if you're a zombie.
You missed the obvious one: fdisk, format, reinstall, restore known-good
backup. This, of course, assumes the victim is following best practices and
thus has a recent, working backup.
> 1) Set up a brand new intermediate machine that captures all network
> traffic from the machine you're questioning and see what it's doing.
I'm not sure I'd trust a machine thought to be compromised even that much,
but I'm paranoid.
> 2) If you have a hash of all the files (like tripwire provides) on some
> media that was NOT compromised, you can check those.
Tripwire is a good way to keep track of this. The upstream maintainer also
sells similar software that lets you have more than one baseline and a
neato web-based GUI to manage it with.
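The baseline-and-compare check that option 2 describes, written out as an added example (it is not code from this thread or from Tripwire): hash every regular file under a tree while the host is still trusted, store the result on media the host cannot later write to, and diff the live tree against it. The JSON baseline format and the function names are my own choices; the hashing tool itself must also be run from trusted media, since a compromised host can replace sha256 utilities just as easily as anything else.

```python
import hashlib
import json
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under root (path relative to root) to its hash and mode.

    Symlinks are skipped: following them would hash whatever they point at,
    which may be outside the tree being baselined.
    """
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = p.lstat().st_mode & 0o7777  # permission bits incl. setuid/setgid
            snap[str(p.relative_to(root))] = {"sha256": _sha256(p), "mode": oct(mode)}
    return snap


def write_baseline(root, out_path) -> None:
    """Write the baseline; out_path should be on removable or read-only media, not under root."""
    Path(out_path).write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))


def verify(root, baseline_path) -> dict:
    """Compare the live tree with a stored baseline.

    Returns sorted lists of paths that are missing, new, or modified (hash or mode changed).
    An empty result on every key means the tree matches the baseline.
    """
    base = json.loads(Path(baseline_path).read_text())
    now = snapshot(root)
    return {
        "missing": sorted(set(base) - set(now)),
        "new": sorted(set(now) - set(base)),
        "modified": sorted(p for p in set(base) & set(now) if base[p] != now[p]),
    }
```

A baseline that sits on the suspect host is only as trustworthy as the host, which is why the thread stresses media that was not compromised.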