Re: [SLUG] Linux & viruses
* This one time, at band camp, Andy Eager said:
> Jamie Wilkinson wrote:
> > This one time, at band camp, Andy Eager said:
> >
> >> a) Periodically, examine all running tasks.
> >> b) For each task, do an 'rpm --verify' for the package that this
> >>    process belongs to.
> >
> > How about a virus that renames itself to 'ls', you check the process list
> > and verify that ls is in the package database.
>
> If a virus did copy something over ls, it would be caught as follows:
>
>   rpm -qif `which ls`      would return the package name fileutils
>   rpm --verify fileutils   would show that ls had been modified.

And if it were rpm that got trojaned?

--
Greeno <[EMAIL PROTECTED]>
GnuPG Key : 1024D/B5657C8B
Key fingerprint = 9ED8 59CC C161 B857 462E 51E6 7DFB 465B B565 7C8B

Imagine working in a secure environment and finding the string _NSAKEY in
the OS binaries without a good explanation  -Alan Cox 04/05/2001
Re: [SLUG] Linux & viruses
This one time, at band camp, Andy Eager said:
> If a virus did copy something over ls, it would be caught as follows:
>
>   rpm -qif `which ls`      would return the package name fileutils
>   rpm --verify fileutils   would show that ls had been modified.

No, that's not what I said. You can change the name of a process once it
has begun, so I can have a binary on disk that is called 'foobar', but once
it is running, a ps shows it up as 'ls'. In this case, you'd do your
verify, and as the real ls hasn't been overwritten, no virus would be
detected.

To get around this problem, though, you could run something like Debian's
cruft to find binaries that the package database doesn't know about; I'm
sure there are ways around this, too -- such as putting spurious entries
into the database.

--
jamesw
what's wrong with the default? :) It is poopie.

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
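A check along the lines Andy proposed, written here as an added example rather than anything posted in the thread: it walks /proc but takes each process's binary from /proc/PID/exe (the file the kernel actually executed) instead of the name the process reports, so a 'foobar' that calls itself 'ls' is still checked against the package that owns its real on-disk file. Binaries no package claims (the cruft case) and binaries unlinked after exec are flagged as well. PROC_ROOT and RPM are assumed knobs so the logic can be exercised against a constructed tree and a stand-in rpm.

```shell
#!/bin/sh
# Added example (not code from anyone in the thread): check each running
# process against the RPM database using /proc/PID/exe, the file the kernel
# actually executed, not /proc/PID/comm, which a program can change at will.
# PROC_ROOT and RPM are assumed parameters; the defaults are the real ones.
PROC_ROOT="${PROC_ROOT:-/proc}"
RPM="${RPM:-rpm}"

# Print "<pid> <flags> <comm> <exe>" for one pid; flags is OK or a
# comma-separated subset of:
#   DELETED   binary unlinked after exec, nothing on disk left to verify
#   RENAMED   reported name differs from the executable's basename
#   UNOWNED   no package claims the executable (the cruft case)
#   MODIFIED  rpm --verify says the file differs from the package manifest
# Returns 1 if the pid cannot be inspected (kernel thread, gone, no permission).
check_pid() {
    pid=$1
    comm=$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null) || return 1
    exe=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null) || return 1
    case $exe in
        *' (deleted)')
            echo "$pid DELETED $comm ${exe% (deleted)}"
            return 0 ;;
    esac
    flags=
    # The kernel truncates comm to 15 bytes, so compare against the same prefix.
    base=$(printf '%s' "${exe##*/}" | cut -c1-15)
    [ "$comm" = "$base" ] || flags="${flags}RENAMED,"
    if pkg=$("$RPM" -qf "$exe" 2>/dev/null); then
        # rpm -V lists only files that differ; the path is the last field.
        if "$RPM" -V "$pkg" 2>/dev/null | awk -v f="$exe" '$NF == f { hit = 1 } END { exit !hit }'; then
            flags="${flags}MODIFIED,"
        fi
    else
        flags="${flags}UNOWNED,"
    fi
    flags=${flags%,}
    echo "$pid ${flags:-OK} $comm $exe"
}

# Walk every numeric directory under PROC_ROOT.
scan_all() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] && check_pid "${d##*/}"
    done
    return 0
}

case ${1:-} in --scan) scan_all ;; esac
```

Run it as root with --scan so other users' processes can be inspected. It still trusts rpm and its database, so a trojaned rpm or spurious database entries, both raised in the thread, remain outside what it can catch.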
Re: [SLUG] Linux & viruses
Jamie Wilkinson wrote:
> This one time, at band camp, Andy Eager said:
>
>> a) Periodically, examine all running tasks.
>> b) For each task, do an 'rpm --verify' for the package that this
>>    process belongs to.
>
> How about a virus that renames itself to 'ls', you check the process list
> and verify that ls is in the package database.

If a virus did copy something over ls, it would be caught as follows:

  rpm -qif `which ls`      would return the package name fileutils
  rpm --verify fileutils   would show that ls had been modified.

I'm sure there are reasons why my idea is oversimplistic, but this would
not be one of them. In addition, it seems to me that the rpm --verify
option (or its alternative) is free and not a bad thing to do on
executables every now and again anyway.

Regards,
Andrew Eager.
Re: [SLUG] Linux & viruses
This one time, at band camp, Andy Eager said:
> a) Periodically, examine all running tasks.
> b) For each task, do an 'rpm --verify' for the package that this
>    process belongs to.

How about a virus that renames itself to 'ls', you check the process list
and verify that ls is in the package database.

--
jamesw
what's wrong with the default? :) It is poopie.
Re: [SLUG] Linux & viruses
Note the keywords: "worm" .. not "virus"..

A dodgy script that exploits a known vulnerability and perpetuates itself by
the same method is not worthy of the label "virus".. By the same token, some
moron who writes a bit of cheap VBS and sends it to other morons who double
click everything they see, has not created a "virus" per se, but has created
a "cheap-arse trojan for Dummies(tm)".

//umar.

> Go to http://vil.nai.com/vil/ and do a search for Linux.
> You will come up with 12 "viruses"
> For instance, Ramen Worm:
> http://vil.nai.com/vil/dispVirus.asp?virus_k=98975
>
> I think it's a decent idea to add a virus scan to your daily cron job/
> security check scripts. Gives you an extra little bit of protection that
> will hopefully never be needed :-)
Re: [SLUG] Linux & viruses
At 10:26 AM 14/05/2001, you wrote:
> Now if you do want a virus scanner Linux doesn't really have any to my
> knowledge. The products like what McAfee and a few others offer (check
> the amavis website) aren't Linux virus scanners per se.
>
> They are virus scanners for Windows viruses, macro viruses etc which run
> under Linux. Which means they are useful to run on Linux boxes which are
> email gateways so you can check email for viruses for your local LAN.
> Also they're useful for checking Linux based fileshares.

Go to http://vil.nai.com/vil/ and do a search for Linux.
You will come up with 12 "viruses"
For instance, Ramen Worm:
http://vil.nai.com/vil/dispVirus.asp?virus_k=98975

I think it's a decent idea to add a virus scan to your daily cron job/
security check scripts. Gives you an extra little bit of protection that
will hopefully never be needed :-)

Cheers

__
Peter Nixon
Senior Security Consultant
ITAC: Leaders in IT security
http://www.itacsecurity.com
mailto:[EMAIL PROTECTED]
PGP Key Fingerprint: 87CE CE41 AA07 B7AA 5F18 4EE4 FCD8 42BC F37B DE19
Re: [SLUG] Linux & viruses
Andy Eager wrote:
> I've been looking around for any information on virus scanners for
> Linux. Apart from McAfee, I couldn't see much.
>
> While I was doing this it occurred to me that it might be possible to
> scan for viruses by doing the following:
>
> a) Periodically, examine all running tasks.
> b) For each task, do an 'rpm --verify' for the package that this
>    process belongs to.
>
> Assuming that it is not possible to create a task in Linux without
> creating a process ID entry (and therefore visible in the /proc directory).
>
> Am I being too simplistic here?
> I'm not a virus aware person, so I don't spend a lot of time trying to
> work out the various ways of screwing up a linux box.

Yes, you are being simplistic. But considering most virii and worms are
written to use the gaping holes in Outlook and other Windoze junk, just
using *nix makes you immune to over 95% (99.9%?) of problems.

A few lines in your procmail rules to reject email with attachments of vbs
& exe extensions will fix most of them. AMP will not let attachments go
direct to the users. The email is redirected to IT and they will forward it
if the users need them.

--
Richard Hayes
Nada Marketing - 113-115 Oxford St Sydney Australia 2010
Phone: +(61-2) 9360   Fax: +(61-2) 9361 0094   Mob: +(61) 0414 618 425
http://www.nada.com.au
[SLUG] Linux & viruses
Hi all,

I've been looking around for any information on virus scanners for Linux.
Apart from McAfee, I couldn't see much.

While I was doing this it occurred to me that it might be possible to scan
for viruses by doing the following:

a) Periodically, examine all running tasks.
b) For each task, do an 'rpm --verify' for the package that this process
   belongs to.

Assuming that it is not possible to create a task in Linux without creating
a process ID entry (and therefore visible in the /proc directory).

Am I being too simplistic here?
I'm not a virus aware person, so I don't spend a lot of time trying to work
out the various ways of screwing up a linux box.

Regards,
Andrew Eager.