Recently I had this warning issued by an antivirus program. I must say that clamav or f-prot did not detect this warning:

"/proc/kcore Date: 18.07.2004 Time: 19:37:56 Size: 278798336 ALERT: [BDS/VirtualRoot virus] /proc/kcore <<< Contains a signature of the (dangerous) backdoor program BDS/VirtualRoot Backdoor server programs"

This is given as an alert. kcore appears to be an alias of the memory in the system. I wonder if one can set up a firewall to avoid any attempts to access /proc in general or /proc/kcore in particular. Apparently, since it is a virtual space, deleting the signature could crash the system. How is this virus getting in? After a clean reboot, the antivirus did not detect anything in /proc.

Debsums appears to be fine and chkrootkit states that everything is ok except:

"Checking `bindshell'... INFECTED (PORTS: 1524 31337)"

but since I am running portsentry I consider this a normal false positive. Any ideas?
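One way to check the portsentry explanation for the bindshell line, as an added example that is not part of the original post: the script reads `netstat -tlnp` output and reports which process holds each of the two flagged ports. The process name "portsentry", the verdict labels and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -tlnp` output on stdin and reports the owner
# of each port that chkrootkit's bindshell test flagged in the post.
# Assumption: the port-scan detector's process is named "portsentry".

FLAGGED_PORTS="1524 31337"

classify_listeners() {
    awk -v ports="$FLAGGED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local address is field 4; the port follows the last colon
            port = $4
            sub(/^.*:/, "", port)
            if (!(port in want)) next
            seen[port] = 1
            # Field 7 is PID/Program, or "-" when netstat was not run as root
            prog = $7
            if (prog == "" || prog == "-") {
                print port, "-", "UNKNOWN"
                next
            }
            sub(/^[0-9]+\//, "", prog)
            print port, prog, (prog == "portsentry" ? "EXPECTED" : "INVESTIGATE")
        }
        END {
            # Flagged ports with no listener at all
            for (i = 1; i <= n; i++)
                if (!(p[i] in seen)) print p[i], "-", "NOT_LISTENING"
        }
    '
}

# Constructed sample listing; on a live host use: netstat -tlnp | classify_listeners
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      812/portsentry
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4021/sh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
EOF
}

sample_netstat | classify_listeners
```

A process can choose the name that netstat displays, so treat EXPECTED as a lead and confirm the binary behind the PID with `ls -l /proc/<pid>/exe`.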

