Re: some attack to fedora machine .

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Apr 11, 2008 at 6:18 AM, Antti J. Huhtala <ahuhtal4@xxxxxxxxx> wrote:
>
>  to, 2008-04-10 kello 21:50 -0400, max kirjoitti:
>
>
> > Edwin Tan wrote:
>  > > hi Subhodip,
>  > > Please check below link for antivirus program download for linux.
>  > >
>  > > http://www.avast.com/eng/download-avast-for-linux-edition.html
>  > >
>  > > thanks.
>  > >
>  >
>  > Running virus scans is a waste of time. If you believe its compromised
>  > wipe the drive and flash the bios. I don't mean just format and install
>  > either. Write zeros (maybe more than once) to the harddrive. Make sure
>  > the MBR does not survive. Do not backup anything! if you have something
>  > that you absolutely cannot do with out, I don't mean MP3's either, then
>  > back that up to a cd and label it clearly and scan only that, more than
>  > once with multiple antivirus scanners, rootkit scanners, use windows and
>  > Linux antivirus scanners and rootkit hunters. if these are something for
>  > which you have a checksum then makesure that it matches the original no
>  > matter what or shred it. Yes i mean physically shred or otherwise
>  > destroy the cd. If the the files fail a single test, consider them
>  > tainted and destroy them. Flash the bios because there are viruses that
>  > will compromise the BIOS, these will be cross platform, they will affect
>  > any machine with any OS. Make sure that any external drives that have
>  > ever come into contact with the infected machine get the same treatment.
>  > Wipe it completely clean!
>  >
>  > Max
>  >
>  A spot of overkill, perhaps?
>
Perhaps but having your box compromised is no joke, especially if you
do things like online banking and such. Anyway better safe than sorry.

>  In my modest experience my Linux box has been compromised thŕee (3)
>  times that I know of. The first was an RH 6.2 box, and my present box
>  has been invaded twice, first during the FC6 era and then soon after my
>  F8 installation last December.
>  Each and every time the invader came in through ssh. Against my better
>  judgement in installing F8 I allowed ssh to remain a "secure service" as
>  suggested by the F8 installer. Well, it proved not to be.
>
>  There seem to be some "sportsmen" out there who just can't resist the
>  temptation of an open ssh port. Now, if I plan to use ssh to connect to
>  my box from a remote location, I'm going to have iptables rules to allow
>  ssh only from known addresses. Not very flexible, perhaps, but I don't
>  want to allow these sportsmen in again.
>
>  In each case, just wiping the installation clean and reinstalling with
>  ssh port closed seems to have done the trick.
>
Does it? As others have pointed out it is by no means a certainty that
you ever really know if the box is compromised, you can only achieve
reasonable certainty which isn't the same as knowing 100% that your
clean. Now if you have multiple computers running on the network then
what's to say they also are not compromised?How long did it take you
to notice the box was cracked? I am perhaps a little shellshocked from
dealing with so many compromised Windows boxes but I can tell you that
many well known viruses slip right past the today's antivirus
scanners. I have seen W95 viruses infecting Vista!!  Can these still
do a lot of damage to the system? These are old and well documented
viruses so how does it go right past the an active virus scanner? How
can a system like Vista still be vulnerable to a virus that old? Virus
scanners are signature based, they can only protect you against the
know virus. Against the unknown you are completely vulnerable ,  a
virus scanner is nothing more than a stupid database, if its in the
database it isn't supposed to be allowed but if its not in there then
its assumed to be safe. Not a very smart strategy. Also many viruses
are just red herrings, what does this mean? it means they(as in
whoever is trying to infect you) expects that many will get caught,
many are deployed just to help confuse the virus scanner , which
operates on very limited resources and has a huge database to check
against that gets bigger by the hour, so while your virus scanner is
frantically trying to keep up, bogging down the machine in the
process, the user is getting frustrated and turning it off or worse
blindly clicking on any box that says "next" or ok in the hopes that
it will make things go faster. Meanwhile the real payload is deployed
and your lucky if its in the database to begin with, now you may find
it later but if you don't get every bit of it out then the computer
often gets reinfected. Then of course some users just have to run as
admin all the time. I have spoken with linux users, largely uneducated
former windows users that will engage in the stupid act of running as
root just in case they need to add some software, because its such a
pain to have to type in the password everytime you want to install
something right? Worse is a system like the Mac or ubuntu where there
is no root and regular users often use weak passwords that are used to
gain admin access. There has been much debate about disabling the root
account but , the biggest point against it in my book, is often the
user is allowed to use passwords like "apple" or "@pple" then its the
OS's fault the box gets compromised. Yes not disabling root has its
drawbacks also like knowing that an account named root exists but at
least it forces you to be aware and hopefully you'll at least secure
root with a strong password if not enforcing the policy on regular
users. Personally I turn off ssh access if I don't expect to use it.
Default deny is the only sensible security policy. Nothing however
will save you from your own stupidity, not a virus scan, not
chkrootkit, not a strong password, nothing. I am wary of logging in as
root, even in a shell, sometimes its necessary but often I find that
its not. I have complete freedom in my home directory and its often
all i need to get the job done.

Max

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux