
Windows / Linux / Virus Scan

fogleroller

Senior member
Question: Is it wise to let a virus scanner (Norton Corporate) on a Windows XP computer scan a network drive that is on Linux?

My W: drive is the root of my Linux server and it's popping up all kinds of virus alerts (a bunch of Hacktool.rootkit, and one trojan horse).

The Linux box is my webserver, and I just reloaded it a few weeks ago.

Thanks.
 
Don't share your root.

Make a separate /share directory and share that if you want. Or share the home directory of one of your users.

Sure it's fine to scan a network share then.
 
I'd be worried about Norton finding those viruses. I'd take the server off the net ASAP. Once it's off the net, you can run chkrootkit, or something like that.

What distribution and version of linux are you running? Are you running any services besides the webserver?

The length of time since you installed Linux isn't a factor if you are running a vulnerable service. Just like it can take minutes for a new Windows XP machine to get Blaster, you can get a rootkit very quickly.
 
I shut it down, and I will reload.

I am running RH 6.2. I tried 7/7.1/7.2 before and it wasn't stable on my system.

I guess I need to work on my Linksys router and turn on the firewall.

I am running FTP and the Apache webserver; I think that's it.
 
That's the problem. Red Hat 6.2 is old, and isn't supported anymore. The default installation has security holes big enough to drive a Mack truck through. If your webserver and FTP server have security holes in them, then a firewall won't help a thing if you keep ports 80 and 21 open to the internet.

Take a look at this page for a list of all the patched security holes in 6.2: http://rhn.redhat.com/errata/rh62-errata-security.html Since Red Hat doesn't support it anymore, there are more that haven't been patched and won't show up on that list.

I found references to a 6.2 honeypot that got hacked within 26 minutes of being set up.

If you insist on using 6.2, you should definitely install all the updates linked above before connecting to the internet.

You could give Red Hat 9 a try and see if that works. Or, the problem may be that your computer likes a 2.2 series kernel better than the 2.4 that Red Hat 7 and above use. You could roll your own kernel then, for a later version of Red Hat (just don't do that with 9, as NPTL will give you fits).

However, I would strongly consider using Debian. The stable version has older software (but you don't care about that since you're running Red Hat 6.2), and still uses a 2.2 kernel by default, although 2.4 is packaged for it. It will still be patched for several years to come.
 
The way I figure it, that virus scanner was never designed to scan Linux systems.

The fundamental designs of Windows/Linux/Unix are pretty similar and many similar programs are designed to do similar things in each OS. After all, Bill Gates' first OS was a Unix OS.

So the virus scanner's heuristics were just confused by many of the Linux system binaries and assumed that they were trojans and stuff. I really doubt that the scanner has the sophistication to detect Linux rootkits over SMB shares anyway. The design of good rootkits is so that they sit between the kernel and OS and intercept system calls, effectively making them undetectable by normal means. Usually they get detected by weird instabilities or what the hackers do with them after they get installed, and due to design flaws. You would have to boot up with a different OS (Linux on a CD, usually) to detect them.

They make scanners specifically designed for Linux and stuff, but they are generally worthless since attacks that these apps defend against aren't effective against Linux. Not to say that you own a hack-free OS, most definitely not. The Linux OS is vulnerable to other attacks, just not viruses at this time.

However, unless you REALLY know what you are doing, no 6.2 Red Hat install has any business being on the internet. It's possible to make it secure, but it wouldn't be easy and would require manually replacing many system files and services.

So upgrade; Debian is a good choice. It's easy to update and people study security for it very carefully and offer security-specific updates often.

Especially for the stable versions. Plus it will probably run faster and more stably than the older stuff.
 
Originally posted by: drag
So the virus scanner's heuristics were just confused by many of the Linux system binaries and assumed that they were trojans and stuff. I really doubt that the scanner has the sophistication to detect Linux rootkits over SMB shares anyway. The design of good rootkits is so that they sit between the kernel and OS and intercept system calls, effectively making them undetectable by normal means. Usually they get detected by weird instabilities or what the hackers do with them after they get installed, and due to design flaws. You would have to boot up with a different OS (Linux on a CD, usually) to detect them.

If you look up Hacktool.rootkit in Norton's database, you will find that it is a Linux rootkit. Yes, I would have thought there was a problem if it was finding Windows viruses on a Linux box (unless they were uploaded to the FTP server he is running), but finding a Linux rootkit on a Linux box makes me think he has a real problem.
 
Hacktool.rootkit is a generic name.

There are several hundred different rootkits.

You could find Hacktool.rootkit on Sun Solaris, Linux, Unix, FreeBSD, Windows and a whole host of other operating systems. It would be like finding a win32.virus on a Win95 machine.

Like I said before, rootkits (decent ones) are not just something that you can detect and get rid of using anti-virus software over a Windows share.

I am not disputing that he got hacked; he may have (and if he had a stock Red Hat 6.2 on the internet with no firewalls or security updates, it's pretty likely), but this is not proof of it.

Rootkits are not like viruses or normal trojan programs. A rootkit is a collection of programs and replacement binaries that fundamentally change how your operating system operates and hide the identity of the hacker and its own files.
 
It would be virtually impossible for Norton to clean a rootkit, but then again, it's virtually impossible for any tool to clean a rootkit. It's not hard to detect some rootkits: just look for binaries that have certain signatures, just like Windows virus scanners do. chkrootkit works in some cases; why can't Norton work in some cases?
 
I suppose that's true, but still the likelihood of false positives is really high.

edit: also don't forget that even chkrootkit can't detect LKM-type rootkits
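An added example of the offline check the thread keeps coming back to (boot from trusted media, then compare the suspect disk's binaries against a known-good baseline instead of trusting the running system's own ls/ps/find). This is not code from any of the posts. It assumes a POSIX shell with sha256sum or shasum, a hypothetical mount point such as /mnt/suspect for the disk being examined, and a baseline taken from a clean install and kept off the suspect host; the demo at the bottom uses a constructed fake root so it runs without privileges.

```shell
#!/bin/sh
# Added example, not from the forum thread. Offline integrity check for the
# userland binaries that classic Linux rootkits replace. Run it from a clean
# boot (rescue CD) with the suspect disk mounted read-only, e.g. /mnt/suspect.
# Assumes sha256sum (coreutils) or shasum is available.

set -u

hash_file() {
    # Print "sha256  path" for one file, using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_baseline ROOT BASELINE_FILE
# Record hashes of the binaries most often swapped by userland rootkits.
# Paths are stored relative to ROOT so the same baseline works for a
# mounted image of the suspect disk.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for rel in bin/ls bin/ps bin/netstat bin/login sbin/ifconfig \
               usr/bin/find usr/bin/top; do
        [ -f "$root/$rel" ] || continue
        h=$(hash_file "$root/$rel" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$rel" >> "$out"
    done
}

# check_baseline ROOT BASELINE_FILE
# Prints one finding per line ("MODIFIED <rel>" or "MISSING  <rel>").
# Returns 1 if anything differs from the baseline, 0 if everything matches.
check_baseline() {
    root=$1; base=$2; rc=0
    while read -r want rel; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; rc=1; continue
        fi
        have=$(hash_file "$root/$rel" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $rel"; rc=1
        fi
    done < "$base"
    return $rc
}

# Demo on a constructed fake root (no real system files are touched).
# Returns 0 when the simulated tampering is detected, 1 if it is missed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin" "$tmp/root/usr/bin"
    printf 'original ls\n'   > "$tmp/root/bin/ls"
    printf 'original ps\n'   > "$tmp/root/bin/ps"
    printf 'original find\n' > "$tmp/root/usr/bin/find"
    make_baseline "$tmp/root" "$tmp/baseline.sha256"
    # Simulate a userland rootkit dropping in a trojaned ps that hides PIDs.
    printf 'trojaned ps that hides pids\n' > "$tmp/root/bin/ps"
    if check_baseline "$tmp/root" "$tmp/baseline.sha256"; then
        echo "demo: tampering NOT detected"; status=1
    else
        echo "demo: tampering detected as expected"; status=0
    fi
    rm -rf "$tmp"
    return $status
}

demo
```

On a real Red Hat box the baseline already exists in the package metadata (rpm -V), and Debian has debsums; what matters is running the comparison from a trusted boot, because a replaced ls, ps or find will lie about its own files when run on the infected system. As the edit above notes, this only catches replaced userland binaries: an LKM rootkit leaves them intact and has to be hunted in the kernel image, the modules directory and memory instead.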
 