A Good Start at Eliminating Virus Attacks Against Your Computer.

[tratan]

Thanks for the great link Voidman, I'm not surprised that Linux already has support for what I was suggesting   .

[voidmain]

Well, this is not really a Linux specific feature but a feature of bash.  I have used other restricted shells (restricted Korn shell, similar to restricted bash) as long as I've been using UNIX (10 years). I only use it for giving limited shell access to remote users. I never would inflict it on my normal local users.

Most security "wishes" have been included in *NIX for a very very long time. I have found that rather than wishing for something, I do a search and find there is already a way to do what I would have wished for in nearly all cases.

[TU]

virus damage on linux/unix minimal? not if it is a root virus.  99/100 if your system is compremised on linux you reinstall. period. thats because linux can be some complcated (configurable) theres infinate many ways to hide it. windows has it easy here. because it is harder to forge files and install a root kit that makes the kernel its bitch    (although having my choice of bitches the windows kernel is *not* one of them)

[voidmain]

Someone breaking into your computer through a remote exploit and installing a root kit is *not* a virus.  Geez... But since you brought it up, certainly if you do not run a firewall (and know how to configure one) then you need to make sure you turn off all unnecessary services and keep the ones updated that you do need, subscribing to the CERT mailing list certainly wouldn't hurt.

So if you are good and do the above then the only way you should really be vulnerable is if you are running a server and do not adhere to good administrative basics.  That is, run intrusion detection both on the network (snort, etc) and on the local system (tripwire, etc), and of course keep good backups.  I have unfortunately had to recover systems for people who have had their systems rooted for lack of good administration and upkeep.  It really isn't rocket science.  It usually only takes me a couple of hours to completely recover a rooted system, even if they don't have backups.

A couple of basic ways to find what files have been modified is if you are running an RPM based system then just run a verify on each of the RPMS that are installed. It will tell you very quickly which files are not original (I don't know why they don't hack the RPM database too, have never seen that done).  

But before that you want to make sure you are running a good copy of the most basic commands. Usually the first commands replaced in a root kit are commands like: ps, ls, top, netstat, find, login, etc.  So you want to put static linked versions of any of those types of commands you want to run onto the rooted system into a directory and set your PATH to that directory.  Then you can see what processes the script kiddie has running and you can determine roughly the time of the break in. Then you can use your good "find" command to find any files/directories created/modified in that time period. You will usually find all of the pieces to the root kit at that point.  

Recovering includes, killing the processes that they started, copying all the pieces of the root kit to a quarantine area, restoring the original files, upgrading the service that was vulnerable, get the email address that the passwords were being sent to from the kiddie password sniffer so you can notify the appropriate service provider, looking for any IP addresses in any logs (system, Apache, etc) of unusual activity. Remove any users that were added by Mr script kiddie and change all passwords.

Finally when you have all the information, call the FBI and nail their ass.  Then end up in jail without a computer or an X-Box just like the script kiddie Mafia Boy.

[ July 29, 2002: Message edited by: VoidMain ]