LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-22-2006, 08:23 PM   #1
joeclem111
Member
 
Registered: Mar 2006
Posts: 43

Rep: Reputation: 15
Spyware/Browser hijack problems


Hi, I am an experienced user of Windows and Linux. I am currently running Mandriva 10.0 official. I have noticed my network logo is flashing between the warning triangle with the exclamation mark and the normal logo. My firewall is also very active. I checked /etc/resolv.conf and it contained a temporary entry for a DNS number address which was showing up on the firewall alerts. I edited it out BUT I think it must have come from some form of malware. What software provisions/packages are available in LINUX for 1. anti trojan 2. anti spyware 3. anti browser hijacking 4. anti adware 5. rootkit attacks 6. DNS changers, etc? I have scanned the system with KlamAV and it finds it clear (apart from the usual KlamAV findings). I have years of experience of system security but all on Windows systems. Whilst I started my computer life in a unix based software house, I have yet to learn about the above mentioned security aspects on a Linux system. All help and knowledge would be appreciated. In the meantime I will keep my eye on the resolv.conf file to see if the rogue DNS address is re-entered. Thanks.
 
Old 03-22-2006, 10:00 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There are several pieces of software available for rootkit detection, including rkhunter and chkrootkit. With regards to spyware, I don't believe anything exists as I've never seen spyware capable of running on Linux, so this would be a first.

The troubling thing about this is that /etc/resolv.conf should only be writeable to root, so that suggests whatever is making the change is either running with root privilege or somehow poisoning your DNS cache or DHCP/BOOTP if the system gets its DNS info on boot. Does the system get its info dynamically using one of those protocols?

Also, could you use tcpdump or ethereal to capture some of the packets from the network traffic you are seeing. Make sure to capture the packet payload as well as all the header info. If you are unfamiliar with it, then ethereal is probably the easier of the two.

Last edited by Capt_Caveman; 03-22-2006 at 10:10 PM.
 
Old 03-23-2006, 05:18 AM   #3
joeclem111
Member
 
Registered: Mar 2006
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks for the prompt reply Capt. Firstly, I removed the offending DNS yesterday before posting the thread. I have just booted up for the day and checked the resolv.conf file. It had not been written to and the permissions were 644. Yesterday, when it had been written to, the permissions were 744!!! My system uses the eagle-usb modem for broadband access and is started at boot. The DNS comes into play at boot time and the confirmation of this is that yesterday, on boot up, the firewall was giving me an attack warning BEFORE the KDE splash screen had started up. As regards tcpdump or ethereal, I would welcome some instructions or hints on what to do and how to do it. INTERESTINGLY, as I am posting this thread I have just had another firewall warning about an attack, but not from the site I edited out of resolv.conf AND the logo for my network connection is again flashing between the logo and the warning triangle, so something is on my system and still working.
 
Old 03-23-2006, 06:05 AM   #4
joeclem111
Member
 
Registered: Mar 2006
Posts: 43

Original Poster
Rep: Reputation: 15
Just another bit of info. My system has 2 hard drives, each one containing an identical install of Mandriva 10. The problem is on the A drive which is the default drive. The B drive is not used for e-mails and rarely used for internet access. They are linked both ways via /mnt/share from boot up. I have just gone onto drive B and the warning on the network logo is NOT flashing. Virus type infections would have infected the B drive immediately on access by the A drive and I do copy data daily from A to B. Having said all that, I am now on the A drive and also, obviously the internet and the logo is again NOT flashing with the warning. Very curious.
 
Old 03-23-2006, 04:51 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Run rkhunter/chkrootkit on the system and see if it turns anything up. I believe mandrake still has rpm, so you can try verifying the integrity of packages on the system using rpm -Va (you may need to use urpmi instead, but I'm not sure if urpmi can do verification). Take a look at the /etc/passwd directory and see if you can find any abnormal or new users, especially any with uid/gid of 0. See if you can find any SUID/SGID root files on the system with 'find / -perm 2000 -o -perm 4000'. Go through all the system logs and look for any abnormal messages. Look at the output of last -i for any abnormal logins.

Also, what services do you normally have running on the system? Was the system kept updated with security fixes/patches?

Quote:
As regards tcpdump or ethereal, I would welcome some instructions or hints on what to do and how to do it.
Ethereal is fairly user-friendly, so use that. Just run it and capture traffic on the external interface (you should see a listing of the available interfaces in the capture menu). Let it capture data for awhile, preferably when you see the warning icon flashing. Then look at the capture log. When you are capturing data, try not to create any extra traffic by surfing the web or sending mail, etc.

Quote:
I have just gone onto drive B and the warning on the network logo is NOT flashing.
Are these 2 different installs of the same OS and you only see it when one is booted? If so, run the rootkit tests and take a listing of the above info as well as output from 'ps aux' 'netstat -pantu' and 'cat /etc/modules' and do not use the potentially compromised OS.
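The checklist in post #5 (uid/gid 0 accounts, SUID/SGID files, rootkit scanners, rpm -Va, last -i, ps aux, netstat -pantu, /etc/modules) as a small read-only audit script. This is an added example, not Capt_Caveman's or the thread's own code. The offline functions take the passwd file and the directory to search as arguments, so they can be pointed at the suspect A-drive install mounted from the B drive rather than run from the possibly compromised OS; the live functions assume GNU find/stat and the rkhunter `--check --skip-keypress` options, and skip any tool that is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only audit that automates the
# checks listed in post #5. Offline checks take paths as arguments so they can
# be run against a mounted copy of the suspect system; live checks are only
# meaningful on the running OS.

# Print accounts other than root that have uid 0 or gid 0, from a passwd file.
# Usage: uid0_accounts /mnt/suspect/etc/passwd
uid0_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Print setuid or setgid regular files under a directory. The leading '-' in
# -perm -4000 means "this bit is set", not "mode is exactly 4000", so files
# with modes like 4755 are matched. -xdev keeps find on one filesystem.
# Usage: suid_sgid_files /mnt/suspect
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Return 0 if a file's octal mode equals the expected one (resolv.conf is
# normally 644), 1 otherwise. Assumes GNU stat.
# Usage: mode_is /mnt/suspect/etc/resolv.conf 644
mode_is() {
    [ "$(stat -c %a "$1")" = "$2" ]
}

# Live-system parts of the checklist that cannot be run against a copy:
# rootkit scanners, package verification, login history, processes, listening
# sockets and loaded modules. Each tool is skipped if it is not installed.
# Usage: live_checks > audit.txt 2>&1
live_checks() {
    command -v rkhunter >/dev/null 2>&1 && rkhunter --check --skip-keypress
    command -v chkrootkit >/dev/null 2>&1 && chkrootkit
    command -v rpm >/dev/null 2>&1 && rpm -Va
    last -i
    ps aux
    netstat -pantu 2>/dev/null || ss -pantu
    cat /etc/modules 2>/dev/null
    lsmod
}

# Stand-alone use: ./audit.sh --run [MOUNTPOINT] [PASSWD]
# Defaults to the live root filesystem and /etc/passwd.
if [ "${1:-}" = "--run" ]; then
    echo "== uid/gid 0 accounts other than root =="
    uid0_accounts "${3:-/etc/passwd}"
    echo "== setuid/setgid files =="
    suid_sgid_files "${2:-/}"
    echo "== live checks =="
    live_checks
fi
```

Keep the output from a known-good install (the B drive, in this thread) alongside the suspect one; a SUID file or uid-0 account that appears on only one of two identical installs is the thing to look at first.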
 
Old 03-24-2006, 03:49 AM   #6
joeclem111
Member
 
Registered: Mar 2006
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks Capt. I have printed all this out. I will try the tests and let you know the results, however things have changed. Since I edited the rogue DNS out of resolv.conf, the warning signal has not been present, nor have I had any firewall warnings. ALSO, this weekend I am upgrading my PC and will be doing a full re-install, this time to the Mandriva 10 64 bit system. This will clear all problems, particularly as I have the factory tools to do a low level re-format on the hard drive. I will do the tests first because I want to know what happened. Will be in touch after the weekend. Thanks again, your help much appreciated.
 
Old 03-24-2006, 06:06 AM   #7
joeclem111
Member
 
Registered: Mar 2006
Posts: 43

Original Poster
Rep: Reputation: 15
Hello again. It is now 12.00 midday GMT. My PC has been running since 09.00. At that time there was no warning flashing on the network logo. NOW there is. I checked resolv.conf and it had again been written to with the offending DNS. I have taken it out. There is definitely some form of infecting program running. The upgrade will fix this but the worry is 1. what is it and 2. how to get rid of it. Constant re-installation is not an option, is it? Will carry on investigating.
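The recurring symptom in posts #1, #3 and #7 is /etc/resolv.conf being rewritten with an unexpected nameserver and, once, an unexpected mode. Post #2 points out that only root (or something that feeds the DHCP/BOOTP/PPP client) should be able to do that. The watchdog below, an added example that is not the thread's own code, turns that into a repeatable check: it lists nameserver entries not on an allowlist, compares owner and mode against root:644, and detects any change from a saved baseline. It assumes GNU stat and grep; the resolver addresses in the comments and test are constructed placeholders from documentation ranges, not real servers.

```shell
#!/bin/sh
# Added example (not from the thread): watchdog for /etc/resolv.conf.
# Allowlist format: one permitted nameserver address per line, e.g.
#   192.0.2.1        (constructed placeholder, not a real resolver)
#   192.0.2.2

# Print the nameserver addresses in a resolv.conf-style file, one per line.
# Usage: nameservers_in /etc/resolv.conf
nameservers_in() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print nameservers in FILE that do not appear in ALLOWLIST.
# grep -x matches whole lines, -F treats entries literally, -v inverts.
# Usage: unexpected_nameservers /etc/resolv.conf /etc/resolv.allow
unexpected_nameservers() {
    nameservers_in "$1" | grep -vxF -f "$2" || true
}

# Report owner/mode drift and unexpected nameservers. Returns 0 when the file
# is clean, 1 when anything was flagged. Expected owner is the uid (default 0,
# i.e. root); expected mode is 644 as the poster observed on a clean boot.
# Usage: resolv_status /etc/resolv.conf /etc/resolv.allow [EXPECTED_UID]
resolv_status() {
    file=$1; allow=$2; want_uid=${3:-0}
    rc=0
    actual=$(stat -c '%u:%a' "$file")
    if [ "$actual" != "$want_uid:644" ]; then
        echo "WARN: $file owner:mode is $actual, expected $want_uid:644"
        rc=1
    fi
    for ns in $(unexpected_nameservers "$file" "$allow"); do
        echo "WARN: unexpected nameserver $ns in $file"
        rc=1
    done
    return $rc
}

# Return 0 if FILE differs from a saved known-good BASELINE copy, 1 if same.
# Usage: resolv_changed /etc/resolv.conf /root/resolv.conf.good
resolv_changed() {
    ! cmp -s "$1" "$2"
}

# Stand-alone use, e.g. from cron every few minutes:
#   ./resolv-watch.sh --run /etc/resolv.conf /etc/resolv.allow /root/resolv.conf.good
if [ "${1:-}" = "--run" ]; then
    resolv_status "$2" "$3"
    if resolv_changed "$2" "$4"; then
        echo "WARN: $2 differs from baseline $4:"
        diff "$4" "$2"
    fi
fi
```

When the check fires, the timestamp tells you which boot-time or periodic process was active (post #3 saw the problem before the KDE splash screen, which points at the network start-up scripts rather than anything started from the desktop). If a DHCP or PPP client is the legitimate writer, its configuration is where the resolvers should be pinned so that a rogue entry is overwritten rather than accepted.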
 
Old 05-08-2006, 09:29 AM   #8
joeclem111
Member
 
Registered: Mar 2006
Posts: 43

Original Poster
Rep: Reputation: 15
spyware

Well, now this is good. I am in the UK, using Mandriva 10 2006 official and Evolution e-mail. There are currently a spate of false e-mails purporting to come from the major banks. They are phishing exercises. Klammail finds them to contain a virus. Once on your system, shorewall emits a warning of snooping. If you shut down and re-boot it is still there. If you expunge evolution and then re-boot it is OK. SO, the bug is in the e-mail and will live there until you physically clean it. I was told that spyware doesn't work on LINUX but it DOES! Clamav has some obvious limitations. If we look at Windows, you need an anti virus, a firewall, a rootkit revealer, an anti browser hijacker, an anti trojan, an adware killer and the list goes on. I would suggest to the writers of clamav that, if we want LINUX to take a giant leap forward, we should build clamav into the superbug finder and killer it needs to become. Offer this to the world and the windows --> Linux migration will become quite furious. I am doing my bit. Look at http://www.the-jsc-group.co.uk and you will see my dedication to Linux. I am prepared to offer all my experience and knowledge to anyone associated with clamav if they want it.
 