Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Well, for all of those who say "it will never happen to a Linux box", it did..
My Slackware box caught a virus.
Yes, it has Samba shares, but both my NT box and XP box have up-to-date A/V software; in fact it was Norton that rang the alarm bell. It would appear a dodgy tgz was/is the culprit.
Moving on,
I have ClamAV looking after email, and indeed it catches the occasional bug that finds its way in via email..
But now, I think (feeling a bit paranoid...) I need something to "monitor" what's going on all the time, i.e. it's too late when ClamAV finds something via a cron job later in the day. I wish to stop it dead before it gets going and installs itself all over my box.
I have had a google; either I am missing something, or there are no real-time scanners? (unless one pays ££££/€€€€/$$$$$)
And if it would detect a rootkit install attempt, that would be even better!
My other question is regarding Apache.
I note in my logs there are numerous attempts to do various things (mainly not welcome); what do we have in our arsenal to filter such attacks? I am behind a hardware firewall/router, so that's not a major problem.
Suggestions? Is Snort what I'm looking for? Especially if I intend to reinstate Squid again..
Hmmm.. I didn't know Slackware or any other Linux distro could run Norton software. Are you sure your Slackware box caught the virus, or did a Microsoft box catch it?
For Apache, I suggest you do not use the default settings.
Use virtual web hosting.
First configure any virtual domain (it doesn't need valid DNS entries) and set passwords on that directory.
Now configure your real domains as virtual hosts.
The advantage is that now no one can access any of your files, because most HTTP scanners work on IP, not on domain name, so they will be mapped by Apache to the first virtual host, and of course it will deny access because it needs a password.
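The catch-all arrangement described above, written out as an added example (not configuration from the poster or from the Apache project); hostnames, paths and the password-file user are assumptions, and the catch-all relies on Apache picking the first <VirtualHost> for an address/port when no name matches:

```apache
# Added example, not from the post. Hostnames, paths and the user name are
# assumptions; adapt them to your own setup.
#
# Create the password file once (the account is never meant to be used; it
# exists only so the catch-all vhost refuses everyone):
#   htpasswd -c /etc/httpd/catchall.htpasswd nobody-ever-logs-in
#
# Apache 2.2 only: enable name-based vhosts on the listening socket.
#   NameVirtualHost *:80
# (Apache 2.2 also uses "Order allow,deny / Allow from all" in place of
#  "Require all granted" below; on 2.4 a bare "Require all denied" in the
#  catch-all would block scanners just as well without a password file.)

# 1. The FIRST <VirtualHost> for an address/port is the default. Requests
#    that carry an IP address, no Host header, or an unknown name land here.
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/catchall
    <Directory /var/www/catchall>
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/httpd/catchall.htpasswd
        Require valid-user
    </Directory>
    # Log these separately: anything arriving here is a scanner or a misconfiguration.
    CustomLog /var/log/httpd/catchall_access.log combined
</VirtualHost>

# 2. Real sites, reached only with a matching Host header.
<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot /var/www/example.org
    <Directory /var/www/example.org>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName intranet.example.lan
    DocumentRoot /var/www/intranet
    <Directory /var/www/intranet>
        Require all granted
    </Directory>
</VirtualHost>

# Verify from another host (192.0.2.10 stands in for the server's IP):
#   curl -sI http://192.0.2.10/                              -> 401 Unauthorized
#   curl -sI -H 'Host: www.example.org' http://192.0.2.10/   -> 200 OK
```

Watch the catch-all log: a steady stream of 401s there with no matching entries in the real sites' logs is the sign the trick is doing its job.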
I was accessing a Samba share from my XP workstation, equipped with Norton. That's what found the bug...
I am sure that the Slackware box caught the virus.. ClamAV, which I have on the nix box, confirmed infection in /bin etc. upon scan.
My XP workstation and NT box are armed to the teeth for all MS crap.... so no worries there, thank you. But I will have a read for extra tips.
As for Apache, thanks for that tip, indeed. I have already configured it as "virtual hosts" as I run local and public domain(s), but will need to take note of other suggestions I have read about.. Defaults being the most obvious, but I need to learn a bit more about CGI and cross-site scripting type attacks.
I indeed have used chkroot, but will automate the procedure.. it's on the to-do list, but it all takes time!
ZoneAlarm.. big, bulky, slowed my PC down.. was a good app, but it's turned into typical Windeez appz. What happened to good Windeeze code? Or is it the fault of the API it has to use? Anyway.. beyond the remit of these forums, and too many knobheads on typical MS forums. :-) (no offense, but I am sure you know what I mean....)