Re: In search of a Linux Virus Scanner

2001-10-01 Thread Noah Meyerhans
On Mon, Oct 01, 2001 at 01:51:31PM -0400, Theodore Knab wrote:

 With the Nimda virus/worm and the Code Red worm breaking Windows
 around the globe, I am nervously waiting for the next Linux Worm. 
 
 It would be more work to make a Linux virus or worm because the
 designer would have to take care creating 2 programs as opposed to
 one.
 
 What is being done to protect against this?  Are there any Linux
 virus/worm scanners for Debian?

I don't see much of a use for such a thing.  In the windows world, a
virus scanner is merely a program that searches the contents of a disk
for fingerprints.  It keeps these fingerprints in a database that must
be periodically updated by the user.  The only reason this is needed is
that there are just so damn many Windows viruses.

In the Linux world, it's much more reasonable to just write one-shot
scripts/programs to search for specific viruses/worms, since they're so
uncommon.  Since the virus/worm doesn't yet exist, we don't know what to
look for.  Once it exists, someone will figure out exactly what to look
for to determine whether a host has been infected and write a scanner.

You can also use a tool like AIDE or tripwire to monitor your disk for
unexpected changes.  That will catch most trouble right there.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


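The AIDE/tripwire approach Noah mentions, reduced to its core, as an added example (this is not code from the thread, from AIDE or from tripwire): a baseline of SHA-256 digests is taken while the host is known-good, stored where the host itself cannot rewrite it, and a fresh snapshot is diffed against it later. The tool names (GNU find, sort, xargs, sha256sum, awk) and the throwaway tree in integrity_demo are assumptions of the example.

```sh
#!/bin/sh
# Added example, not code from the thread or from AIDE/tripwire: the
# minimal form of what those tools do. Take a baseline of SHA-256 digests
# while the host is known-good, store it somewhere the host cannot rewrite
# (read-only media, another machine), and diff fresh snapshots against it.
# Assumes GNU find/sort/xargs/sha256sum/awk as shipped in Debian.

# Print "digest  path" for every regular file under $1, sorted by path.
# NUL separators carry unusual filenames safely as far as sha256sum.
integrity_snapshot() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
}

# Compare stored baseline $1 with a fresh snapshot of tree $2.
# Prints one line per difference ("MODIFIED", "ADDED" or "REMOVED" and
# the path); returns 1 if anything differs, 0 if the tree is unchanged.
integrity_check() {
    baseline="$1"
    root="$2"
    current=$(mktemp) || return 2
    integrity_snapshot "$root" > "$current"
    # sha256sum puts exactly two spaces between digest and path, so
    # splitting on that keeps paths with single spaces in one field.
    changes=$(awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }     # load baseline
        !($2 in base)       { print "ADDED " $2; next } # new file
        base[$2] != $1      { print "MODIFIED " $2 }    # digest differs
                            { delete base[$2] }         # accounted for
        END { for (p in base) print "REMOVED " p }      # never seen again
    ' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Self-contained demonstration on a throwaway tree (constructed data, not
# anything from a real host): baseline, tamper, then report. Prints the
# report and returns integrity_check's status (1 = changes found).
integrity_demo() {
    demo_tree=$(mktemp -d) || return 2
    demo_base=$(mktemp) || return 2
    printf 'hello\n' > "$demo_tree/a"
    printf 'world\n' > "$demo_tree/b"
    integrity_snapshot "$demo_tree" > "$demo_base"
    printf 'tampered\n' > "$demo_tree/a"   # modified
    rm -f "$demo_tree/b"                    # removed
    printf 'planted\n' > "$demo_tree/c"    # added
    integrity_check "$demo_base" "$demo_tree"
    demo_status=$?
    rm -rf "$demo_tree" "$demo_base"
    return $demo_status
}

# Usage on a real host (paths are illustrative):
#   integrity_snapshot /usr/bin > /mnt/readonly/baseline.sha256   # once, clean
#   integrity_check /mnt/readonly/baseline.sha256 /usr/bin        # from cron
```

The check is only as trustworthy as the baseline: an intruder with root who can edit the digest file can hide everything, which is why AIDE and tripwire sign or otherwise protect their databases and why the baseline here is meant to live on read-only media or another machine. A file replaced with identical contents and a new mtime is, by design, not reported.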


Re: In search of a Linux Virus Scanner

2001-10-01 Thread Dave Sherohman
On Mon, Oct 01, 2001 at 01:51:31PM -0400, Theodore Knab wrote:
 What is being done to protect against this ?

apt-get and security.debian.org.  When a new exploit is announced,
security.debian.org almost always has an updated deb available within
a day and this update is announced on the debian-announce list.  To
date, I am not aware of any virus/worm which has exploited
vulnerabilities less than a month or two old, so following
debian-announce and applying security updates immediately when
they're announced would seem to be a very effective strategy.

 Are there any Linux virus/ worm scanners for Debian?

The only virus scanners I am aware of that run under linux are
designed to scan for Windows viruses in traffic that the linux server
is handling.

-- 
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius



Re: In search of a Linux Virus Scanner

2001-10-01 Thread martin f krafft
also sprach Dave Sherohman (on Mon, 01 Oct 2001 04:22:04PM -0500):
 The only virus scanners I am aware of that run under linux are
 designed to scan for Windows viruses in traffic that the linux server
 is handling.

are there any that can interface with postfix packaged as debian? i
can't find any with apt-cache in testing...

martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
-- 
information superhighway
 is just an anagram for
i'm on a huge wispy rhino fart.




RE: In search of a Linux Virus Scanner

2001-10-01 Thread Mullins, Ron
also sprach Dave Sherohman (on Mon, 01 Oct 2001 04:22:04PM -0500):
 The only virus scanners I am aware of that run under linux are
 designed to scan for Windows viruses in traffic that the linux server
 is handling.

McAfee's (NAI) searches for Windows and Unix variants. From the Virus DAT
update list:

INTERNET WORM (3)
-
BSD/WALK.WORM
W32/[EMAIL PROTECTED]
W32/[EMAIL PROTECTED]

LINUX/UNIX FILE-INFECTING VIRUSES (0)
-
No new detections

MACRO VIRUSES (1)
-
W97M/BACT

etc...


are there any that can interface with postfix packaged as debian? i
can't find any with apt-cache in testing...

You probably won't find one packaged, but Amavis (www.amavis.org) works
great with Postfix. The Postfix in Unstable works better than the one in
Testing though.






Re: In search of a Linux Virus Scanner

2001-10-01 Thread Alvin Oga

hi ya theodore...

 With the Nimda virus/worm and the Code Red worm breaking Windows around the 
 globe, I am nervously waiting for the next Linux Worm. 

why ???  in the meantime... the script kiddies... with lots of free time are
attacking your PCs with generic scripts that try to exploit the
existing vulnerabilities in your systems

insecure.org has a lot more exploits posted and test apps than those you
posted

 It would be more work to make a Linux virus or worm because the designer 
 would have to take care creating 2 programs as opposed to one.

gazillion ways to break into a server

 What is being done to protect against this?  Are there any Linux virus/worm 
 scanners for Debian?

i think you want to know when someone comes knocking ...
( port scanning is a precursor to their attack ?? )
- run a port scanner
( portsentry, snort, ippl, etc )

and review those logs as often as you want to satisfy your paranoia

to protect against un-authorized use of your server and/or intruders...
-- harden your server and protect (backup) your data regularly

http://www.Linux-Sec.net/Harden

have fun
alvin

- ps ... was too lazy to fix your line lengths


 -
 Over-Simplified Hypothetical Linux Worm Design 
 -
 
 The first program would have to be a transport or vector. 
 The second program would be the virus or worm. 
 The vector would open the door to the unpatched machine and then send the 
 buffer overflows for known vulnerabilities. 
 During the Linux World in NYC Feb. 2001, Bruce Perens gave a high level 
 presentation where he presented a little C program that could be used as a 
 vector to open a door to an unpatched machine.
 
 1. Vector (transport)
 C code that emulates a legal connection to a host machine. 
   This C code could try opening all the following connections to a remote 
 host (open ports 21,22,23,25,53,80).
   After connecting, the C code would call the worm.
 
 2. Worm (known exploits)
   While (port open)
   Send_Exploit_for_Wget     to port 21
   Send_Exploit_for_Sendmail to port 25
   Send_Exploit_for_Telnet   to port 23
   Send_Exploit_for_SSH      to port 22
   Send_Exploit_for_Bind     to port 53
   Send_Exploit_for_Apache   to port 80
 
 Other Hypothetical Threats Articles:
 http://lwn.net/1998/1119/Trojan.html
 
 
 Existing exploits for Linux machines:
 http://www.google.com/search?q=cache:a7Rlxpy-qPg:www.insecure.org/sploits/INND.1.6.overflow.html+exploit+%22%23include%3Cstdio.h%3E%22hl=en
 http://www.google.com/search?q=cache:dI3dvxVTUoo:www.insecure.org/sploits/routed.tracefile.html+exploit+%22%23includ
 http://www.google.com/search?q=cache:P2i_y4xKLY0:oliver.efri.hr/~crv/security/bugs/Linux/krnl220.html+exploit+%22%23include%3Cstdio.h%3E%22+linuxhl=en
 http://www.google.com/search?q=cache:slTym0c2sGo:www.nmrc.org/files/unix/cxterm.exploit+exploit+%22%23include%3Cstdio.h%3E%
 http://www.google.com/search?q=cache:8YybojTeyf4:security-archive.merton.ox.ac.uk/bugtraq-199909/0104.html+exploit+%22%23include%3Cstdio.h%3E%22+linuxhl=en
 
 --
 GNU PGP public key
 http://www.annapolislinux.org/docs/public_key/GnuPG.txt
 -
 
 
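Alvin's advice is to know when someone comes knocking. As an added example (not from the thread, and not code from portsentry, snort or ippl), here is the core of what those detectors do, run over firewall log lines: a source that touches many distinct destination ports in one log window is sweeping. It assumes netfilter LOG-target lines (SRC=... DPT=... fields); the threshold is a local tuning choice, and the addresses and timestamps in scan_sample_log are invented.

```sh
#!/bin/sh
# Added example, not from the thread or from portsentry/snort/ippl: the
# core of a port-scan detector, run over firewall log lines. Assumes
# netfilter LOG-target lines (SRC=... DPT=...); the threshold is a local
# tuning choice, not a standard.

# Read log lines on stdin; print "source count" for every source address
# that probed at least $1 distinct destination ports (default 10), most
# ports first. Repeated hits on the same port count once.
scan_suspects() {
    threshold="${1:-10}"
    awk -v min="$threshold" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample (addresses and timestamps made up): one host sweeps
# the six ports the hypothetical worm above would try, hitting 22 twice;
# another only ever talks to the web server.
scan_sample_log() {
    cat <<'EOF'
Oct  1 14:02:11 deb kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Oct  1 14:02:11 deb kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Oct  1 14:02:12 deb kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Oct  1 14:02:12 deb kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40004 DPT=23 SYN URGP=0
Oct  1 14:02:12 deb kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40005 DPT=25 SYN URGP=0
Oct  1 14:02:13 deb kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40006 DPT=53 SYN URGP=0
Oct  1 14:02:13 deb kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40007 DPT=80 SYN URGP=0
Oct  1 14:05:40 deb kernel: IN=eth0 OUT= SRC=192.168.1.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Oct  1 14:05:41 deb kernel: IN=eth0 OUT= SRC=192.168.1.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN URGP=0
Oct  1 14:05:42 deb kernel: IN=eth0 OUT= SRC=192.168.1.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=51002 DPT=80 SYN URGP=0
EOF
}

# Usage on a real host (log path is illustrative):
#   grep ' kernel: IN=' /var/log/kern.log | scan_suspects 10
```

A sweep is only a hint, as Alvin's "??" suggests: the worm sketched above sends its exploits in the same burst as the probe, so the logs tell you who knocked, not whether the door held. The services that were reachable must be patched or closed regardless, which is why the hardening and backup advice above is the part that actually protects the box.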