trojan problem

Michael T. Richter ttmrichter at gmail.com
Sun Jan 22 15:53:42 UTC 2006


On Sun, 2006-22-01 at 23:16 +0800, Brian Walker wrote:
> Indeed. Good advice. All of which has been followed. Therefore I
> assume an attack via ssh and a brute force hack, none of which showed
> up in /var/log/auth.log

If you had someone smart pushing that through, one of the first things
they'd do is cover any log tracks.

> nmapfe on 127.0.0.1 .... any other would be of no value to the system
> integrity, surely?

Under XP (not yet under Ubuntu because I don't know the tools yet) I'd
routinely scan my external IP address too -- basically to check my
firewall box and make sure it's not been compromised.  (I don't trust a
firewall built into the computer I'm actively using just on a matter of
principle.  I believe in simple, streamlined, specialised devices for
such critical tasks.)

> > Wasn't one of the benefits of moving to Linux supposed to be not
> > facing these scenarios?  :-O
> 
> 1. no - just much less
> 2. linux lets me immediately recognise the problem AND take action.

I don't see this as a Linux thing.  I've been using the whole
DOS/OS2/Windows/Win32 spectrum for most of my career and have never been
hit by a virus, worm, trojan or this latest round of things which
exploit buffer overruns and that kind of stuff.  (And I don't see
"reinstall the whole OS and restore private data -- which may be the
source of the infection anyway" as a real solution.  It's not much
different from Sony's approach to "recovery" that led to me switching
mostly to Ubuntu in the first place.)

<digression>Sorry.  One exception.  I let one of my idiot students put a
floppy in my machine to do some work once.  He rebooted -- with the
floppy still inside -- and I had a virus infection for about 15 minutes
as a result.  I later removed the floppy drive.  ;-)</digression>

Anyway, back to the main point, I guess I've just always been the
hyper-paranoid type.  I scan/block/firewall/whatever obsessively.  (One
of the earliest things I installed under Ubuntu was Aegis.)  I have a
different password for anything that uses passwords and store those
passwords in a single AES-protected file that is in removable storage
which is always on my person except for the short periods of time in
which it is in use.  This kind of renders me less than open to the most
conventional attacks.

What makes me nervous about what you just reported (and what I later dug
up on the 'net) is that I don't know my way around Ubuntu/Linux enough
yet to know how to detect and/or remove such threats.  While I don't
*think* I've been hit, despite my very high bandwidth making me a choice
target for this kind of nonsense, I don't know enough to be sure.  I can
only rest somewhat assured that my firewall is still in place and still
only have two well-known ports open that I can monitor pretty
effectively.  Getting infected by an open ssh, however?  That makes me a
little nervous.  The first question I'm having run through my brain is
"how?".

> Tony - many thanks for that ... confirmed my fears. A fresh reinstall
> is coming up. I will check the /home/brian/.  areas before importing
> the old /home.

How can you have a file named "."?  Isn't there a directory
automatically in place in every directory on the file system called
"." (and one called "..")?  Can you actually shadow a pre-provided
directory like that?

--
Michael T. Richter
Email: ttmrichter at gmail.com, mtr1966 at hotpop.com
MSN: ttmrichter at hotmail.com, mtr1966 at hotmail.com; YIM:
michael_richter_1966; AIM: YanJiahua1966; ICQ: 241960658; Jabber:
mtr1966 at jabber.cn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20060122/8657a004/attachment.sig>
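An added example, not part of the original thread, on the "." question above: every directory carries the implicit "." and ".." entries, and they cannot be shadowed by a regular file, so what a restore of an old /home actually needs auditing for are the dot-prefixed files and directories (.bashrc, .profile, .ssh and the like) that shells and daemons read on login. The POSIX shell functions below list and count those hidden entries for a given home directory; the demonstration at the end runs on a constructed temporary directory, and the names in it are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): enumerate the dot-prefixed
# entries in a home directory before copying it onto a fresh install.
# The "." and ".." entries exist in every directory and are skipped; the
# dot-prefixed files and directories are the ones login shells read and
# therefore the ones worth inspecting before importing an old /home.

# list_hidden_entries DIR
#   Prints the dot-prefixed entries directly inside DIR, one per line,
#   sorted, excluding the implicit "." and ".." entries.
list_hidden_entries() {
    dir=$1
    # ".[!.]*" matches names whose second character is not a dot (skips ".."),
    # "..?*" matches names that start with two dots and have more characters.
    for entry in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # glob matched nothing
        printf '%s\n' "${entry##*/}"
    done | sort
}

# count_hidden_entries DIR
#   Prints the number of hidden entries, handy for a quick before/after
#   comparison of a suspect home directory against a known-good one.
count_hidden_entries() {
    list_hidden_entries "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed home directory (temporary, removed at exit).
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
mkdir -p "$demo_home/.ssh" "$demo_home/Documents"
: > "$demo_home/.bashrc"
: > "$demo_home/.profile"
: > "$demo_home/Documents/notes.txt"    # not hidden, must not be listed
: > "$demo_home/..hidden"               # ".." itself is impossible, "..hidden" is not

list_hidden_entries "$demo_home"
```

Run it against a real home directory with `list_hidden_entries /path/to/old/home` and read each entry it prints before the copy; the count function is only there to make a quick comparison between two directories cheap.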

