At 07:57 PM 12/2/2003 -0600, Joey Officer wrote:
> At face value, and without (intending to) sounding like a moron, Shorewall
> can block anything you tell it not to explicitly allow.  Isn't that the
> default way it's currently being used?

I am not an expert here, but I did get the code for this rootkit and took a fast look through it. The "spoofed" packets it sends are (again, at a quick look) ordinary-looking at the TCP/IP level, but they go to port 80 on the destination host (presumably a host that is running the associated client). That makes them tough to block.


For a firewall to deal with this traffic, it would have to do application-level filtering. I'm not certain how a proxy server would process these packets. In any case, dealing with it is probably outside the range of what Shorewall does.


> respectfully,
>
> joey

----- Original Message -----
From: "Mike Noyes" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[EMAIL PROTECTED]>
Cc: "leaf-user" <[EMAIL PROTECTED]>
Sent: Tuesday, December 02, 2003 10:38 AM
Subject: [leaf-user] SucKIT root-kit


> Tom,
> Is Shorewall capable of blocking/logging/detecting the spoofed packet
> SucKIT uses?
>
>
> http://lists.debian.org/debian-announce/debian-announce-2003/msg00003.html
> SucKIT is a root-kit presented in Phrack issue 58, article 0x07
> ("Linux on-the-fly kernel patching without LKM", by sd & devik).
> This is a fully working root-kit that is loaded through /dev/kmem,
> i.e. it does not need a kernel with support for loadable kernel
> modules. It provides a password protected remote access
> connect-back shell initiated by a spoofed packet (bypassing most
> firewall configurations), and can hide processes, files and
> connections.
