Quoting Timothy D Thatcher (daniel.thatc...@gmail.com):

> Hah, I'm glad it was nothing as nefarious as some weird malware or
> rootkit, or as irritating/potentially expensive as an actual hardware
> failure. Great work, and thanks, Rick.
One more comment (and yes, as can be seen on http://linuxmafia.com/~rick/faq/ and http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3, this _is_ something of a hobbyhorse of mine): _Rootkits_ are by definition NOT attack tools. Period.

Yes, the contrary is widely believed, and I know exactly which commercial interest promotes that and many similar misunderstandings: It's the security / antimalware industry, which has absolutely no interest in a well-informed computer user community who understand security threats. They want a spooked community willing to outsource and open wallets. This essay ended up being long, and isn't yet in proper presentation format, but I think it bountifully illustrates my point about that industry: http://linuxmafia.com/kb/Essays/security-snake-oil.html

Back to rootkits: A rootkit is a set of replacements for regular administrative monitoring tools (ps, netstat, top, ls, etc.) that have been gimmicked to ignore the files and processes of an intruder. The intruder enters a system and escalates to root authority via OTHER MEANS ENTIRELY, and only then, armed with stolen root authority, replaces normal system tools with rootkit replacements in order to hide himself/herself.

Quoting (myself) from http://linuxmafia.com/~rick/faq/#virus5:

[omitting here a very long alphabetical list of 'ringers'; things often claimed in error to be 'viruses' that simply aren't]

Every one of those is some sort of _post-attack_ tool; all are erroneously claimed on sundry anti-virus companies' sites (and consequently in various news articles) to be "Linux viruses". Some are actually "rootkits", which are kits of software to hide the intruder's presence from the system's owner and install "backdoor" re-entry mechanisms, after the intruder's broken in through other means entirely. Some are "worms"/"trojans" of the sort that get launched locally on the invaded system, by the intruder, to probe it and remote systems for further vulnerabilities.
Some are outright attack tools of the "DDoS" (distributed denial of service) variety, which overwhelm a remote target with garbage network traffic from all directions, to render it temporarily non-functional or incommunicado.

The news reporters and anti-virus companies in question should be ashamed of themselves: None of the above, in itself, can break into any remote Linux system. All must be imported manually (or equivalently by script) and installed by an intruder who has cracked your system by other means.

That incompetent reporting sometimes has extremely damaging consequences: In 2002, British authorities arrested (https://www.nytimes.com/2002/09/20/world/computer-virus-author-arrested.html) the alleged author of the T0rn rootkit, based on their mistaken notion that it's a "Linux virus". (My efforts to get the Reuters / NY Times story corrected were ignored, except by cited anti-virus consultant Graham Cluley, who told me he'd been misquoted.)

I should mention in passing that feeble albeit genuine malware like the RST and OSF ELF-infectors are often downloaded and manually installed, locally, by attackers AFTER THEY'VE ENTERED AND CRACKED ROOT VIA OTHER MEANS ENTIRELY, often as part of their "rootkits". Some of these help keep alive UDP-based backdoors to preserve their ongoing access. The point, again, is that they're an _after-effect_ of break-in, not a method of attack in themselves. It's like a burglar disabling your back-porch door lock from inside your kitchen; it's damage, but not the guy's means of entry.

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
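The post describes a rootkit as a gimmicked `ps`/`ls` that omits the intruder's processes and files. A practical check from the defender's side is to compare the userland tool's view against the kernel's own view of the same data. The script below is an added example, not part of the message or of any project named in it; it assumes a Linux host with `/proc` and a `ps` that accepts `-e -o pid=`.

```python
"""Cross-view check for processes hidden from `ps`.

A rootkit of the kind described in the post replaces `ps` so that it omits
the intruder's processes. The kernel's /proc tree is an independent view of
the same process table, so a PID that exists under /proc but is missing
from `ps` output is a discrepancy worth investigating.
"""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """Return the set of PIDs that appear as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse the output of `ps -e -o pid=` (one PID per line) into a set."""
    return {int(line) for line in text.split("\n") if line.strip().isdigit()}


def hidden_pids(proc_pids, ps_pids, self_pids=()):
    """PIDs the kernel reports but the userland tool does not.

    self_pids lists PIDs of the checker itself, which may legitimately differ
    between the two snapshots. Processes that exit between the two reads also
    cause benign one-off noise; a genuinely hidden process is persistent, so
    treat only a PID that is flagged on repeated runs as a real finding.
    """
    return sorted(proc_pids - ps_pids - set(self_pids))


def live_check():
    """Gather both views on the running host and report the discrepancies."""
    proc_pids = pids_from_proc()
    ps = subprocess.run(["ps", "-e", "-o", "pid="],
                        capture_output=True, text=True, check=True)
    ps_pids = pids_from_ps_output(ps.stdout)
    return hidden_pids(proc_pids, ps_pids, self_pids=(os.getpid(),))


if __name__ == "__main__":
    suspects = live_check()
    print("no PIDs hidden from ps" if not suspects
          else f"PIDs present in /proc but absent from ps: {suspects}")
```

A clean result from this check says nothing about a kernel-level rootkit that filters `/proc` itself; for that, comparing against a known-good boot medium or package-manager checksums of the binaries is the next step.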