Protecting executables from viruses?


What are some ways of protecting executables such as the ones in the /bin
directory from viruses and rootkits?

I have tripwire, and f-prot, but these just detect -- not deter the attacks.
I have RHN setup for automatic patches as well.

I heard somewhere I can change the attribute of these binaries to prevent
other programs from changing them.  Is this possible?


0
Reply noemail485 (13) 9/12/2003 3:19:47 PM

Actually, such attribute exists: it is the write permission! If you keep your
box updated, this is sufficient. Of course, only run programs as root that
you trust ;-)

Dan DeLion wrote:
 
> I heard somewhere I can change the attribute of these binaries to prevent
> other programs from changing them.  Is this possible?


-- 
I use Linux because it assumes the user is reasonably bright.
0
Reply Andreas.Stieger (28) 9/12/2003 3:38:26 PM


Dan DeLion wrote:
> I heard somewhere I can change the attribute of these binaries to prevent
> other programs from changing them.  Is this possible?

From 'man chattr':
       A  file with the `i' attribute cannot be modified: it can-
       not be deleted or renamed, no link can be created to  this
       file  and  no  data  can  be written to the file. Only the
       superuser can set or clear this attribute.

Note that malware running as root can remove the attribute, and
malware running as non-root shouldn't have regular write access to
those files in the first place.

Ed

0
Reply news20 (49) 9/12/2003 4:07:07 PM
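Added example (not code from any poster in this thread): an audit that checks the two controls the replies above point at. Ownership and the write bits are what actually stop a non-root process from altering a binary; the ext2/3/4 immutable attribute is reported as well, by parsing lsattr(1) output, and is only informational because root can clear it with chattr -i. The sample directory and files are constructed inside demo(); the two file names are placeholders, not real binaries.

```python
"""Audit executables for the controls discussed in the thread: root ownership,
no group/world write bit, and (informationally) the chattr 'i' flag.
Added example; assumes Linux with e2fsprogs' lsattr on PATH for the flag check."""
import os
import shutil
import stat
import subprocess
import tempfile


def permission_findings(path):
    """Return a list of problems with one file's ownership and mode.

    The write bit is the control that stops a non-root process from modifying
    the file, so group/world write is the primary finding.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink (audit its target instead)"]
    findings = []
    if st.st_uid != 0:
        findings.append("not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("not executable")
    return findings


def parse_lsattr(output):
    """Map path -> True/False for the 'i' (immutable) flag in lsattr output.

    lsattr prints one line per file: a flags field, whitespace, then the path.
    The flags field width varies between e2fsprogs versions, so split on the
    first space instead of using fixed columns. 'I' (indexed dir) is a
    different flag; the check is case-sensitive on purpose.
    """
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("lsattr:"):
            continue  # error lines, e.g. unsupported ioctl on a non-ext filesystem
        flags, _, path = line.partition(" ")
        result[path.strip()] = "i" in flags
    return result


def immutable_flags(paths):
    """Run lsattr on real files; return {} if lsattr is unavailable."""
    if not paths:
        return {}
    try:
        proc = subprocess.run(["lsattr"] + list(paths), capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return {}
    return parse_lsattr(proc.stdout)


def audit_directory(directory):
    """Audit every non-directory entry; return {path: [findings]}."""
    paths = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
    paths = [p for p in paths if not os.path.isdir(p)]
    report = {p: permission_findings(p) for p in paths}
    flags = immutable_flags(paths)
    for p in paths:
        # Only a hint: root (or root-level malware) can run chattr -i first.
        if p in flags and not flags[p]:
            report[p].append("immutable flag not set (chattr +i)")
    return report


def demo():
    """Constructed sample: one correctly protected file, one world-writable one.
    Returns the report keyed by basename so the result is path-independent."""
    tmp = tempfile.mkdtemp()
    try:
        good, bad = os.path.join(tmp, "ls"), os.path.join(tmp, "cat")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"\x7fELF")  # marker only; constructed, not a real binary
        os.chmod(good, 0o755)
        os.chmod(bad, 0o777)  # any local user could replace this "binary"
        return {os.path.basename(k): v for k, v in audit_directory(tmp).items()}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

Run it against a real directory with audit_directory("/bin"); on a filesystem without chattr support lsattr writes only to stderr, so the report then carries permission findings alone.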

On Fri, 12 Sep 2003 15:19:47 +0000, Dan DeLion wrote:

> What are some ways of protecting executables such as the ones in the /bin
> directory from viruses and rootkits?
> 
> I have tripwire, and f-prot, but these just detect -- not deter the attacks.
> I have RHN setup for automatic patches as well.
> 
> I heard somewhere I can change the attribute of these binaries to prevent
> other programs from changing them.  Is this possible?

chattr(1)
lsattr(1)

0
Reply daveuhring (1168) 9/12/2003 4:22:24 PM

Yes, that's the one I heard about -- chattr

Does this actually help against ELF viruses such as OSF?



"Ed Blackman" <news@edgewood.to> wrote in message
news:1063382824.31494@strabo.loghyr.farmgate...
> Dan DeLion wrote:
> > I heard somewhere I can change the attribute of these binaries to
prevent
> > other programs from changing them.  Is this possible?
>
> From 'man chattr':
>        A  file with the `i' attribute cannot be modified: it can-
>        not be deleted or renamed, no link can be created to  this
>        file  and  no  data  can  be written to the file. Only the
>        superuser can set or clear this attribute.
>
> Note that malware running as root can remove the attribute, and
> malware running as non-root shouldn't have regular write access to
> those files in the first place.
>
> Ed
>


0
Reply noemail485 (13) 9/12/2003 5:17:21 PM

Andreas Stieger wrote:
> Actually, such attribute exists: it is the write permission! If you keep you
> box updated, this is sufficient. Of course, only run programs as root that
> you trust ;-)
> 
> Dan DeLion wrote:
>  
> 
>>I heard somewhere I can change the attribute of these binaries to prevent
>>other programs from changing them.  Is this possible?
> 
> 
> 

Well, you might wish to chattr the files to stop anyone, even a stupid person
logged in as root, from changing them. Of course any smart person logged
in as root could still do it, but it might keep out the script kiddies
for a while.

-- 
   .~.  Jean-David Beyer           Registered Linux User 85642.
   /V\                             Registered Machine    73926.
  /( )\ Shrewsbury, New Jersey     http://counter.li.org
  ^^-^^ 4:20pm up 22 days, 1:46, 2 users, load average: 2.17, 2.16, 2.16

0
Reply jdbeyer (1220) 9/12/2003 8:21:22 PM

Dan DeLion <noemail@northpole.nowhere> wrote:
> Yes, that's the one I heard about -- chattr

> Does this actually help against ELF viruses such as OSF?

Would you mind showing us a link to this OSF virus?

AFAIK there are no viruses for Linux, worms perhaps for
some app, but not the kernel.

BTW
Please stop top-posting.


-- 
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for 
inconvenience, but I get tons of SPAM
0
Reply USENET22 (5462) 9/12/2003 8:38:09 PM

Michael Heiming <michael+USENET@www.heiming.de> wrote:
: Dan DeLion <noemail@northpole.nowhere> wrote:
:> Yes, that's the one I heard about -- chattr

:> Does this actually help against ELF viruses such as OSF?

: Would you mind showing us a link to this OSF virus?

: AFAIK there are no virus for Linux, worms perhaps for
: some app, but not the kernel.

Don't know how reliable their info is, but "viruslist.com"
shows some pretty nasty looking and recent Linux viruses
and worms, including OSF. Took a couple of seconds "googling"
to find it...

Stan
-- 
Stan Bischof ("stan" at the below domain)
www.worldbadminton.com 
0
Reply nobody (4833) 9/12/2003 8:55:58 PM

Here is info on the OSF.A linux virus,

http://www.sophos.com/virusinfo/analyses/linuxosfa.html




"Michael Heiming" <michael+USENET@www.heiming.de> wrote in message
news:hratjb.im5.ln@news.heiming.de...
> Dan DeLion <noemail@northpole.nowhere> wrote:
> > Yes, that's the one I heard about -- chattr
>
> > Does this actually help against ELF viruses such as OSF?
>
> Would you mind showing us a link to this OSF virus?
>
> AFAIK there are no virus for Linux, worms perhaps for
> some app, but not the kernel.
>
> BTW
> Please stop top-posting.
>
>
> -- 
> Michael Heiming
>
> Remove +SIGNS and www. if you expect an answer, sorry for
> inconvenience, but I get tons of SPAM


0
Reply noemail485 (13) 9/12/2003 9:01:18 PM

nobody@nowhere.com wrote:
> Michael Heiming <michael+USENET@www.heiming.de> wrote:
> : Dan DeLion <noemail@northpole.nowhere> wrote:
> :> Yes, that's the one I heard about -- chattr

> :> Does this actually help against ELF viruses such as OSF?

> : Would you mind showing us a link to this OSF virus?

> : AFAIK there are no virus for Linux, worms perhaps for
> : some app, but not the kernel.

> Don't know how reliable their info is, but "viruslist.com"
> shows some pretty nasty looking and recent Linux viruses
> and worms, including OSF. Took a couple of seconds "googling"
> to find it...

Ah well but then Kaspersky sell anti virus software, that's 
probably pure FUD...

$ whois viruslist.com

[..]

Kaspersky Lab Ltd. (VIRUSLIST-DOM)
   Geroyev Panfilovtcev St., 10
   Moscow 123363
   RU

   Domain Name: VIRUSLIST.COM

   Administrative Contact, Technical Contact:
      Kirsanova, Ekaterina  (EK4609)            webmaster@AVP.RU
      Kaspersky Lab Ltd.
      Geroyev Panfilovtcev St., 10
      Moscow, 123363
      RU
      +7 095 9484331 fax: +7 095 9484331


-- 
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for 
inconvenience, but I get tons of SPAM
0
Reply USENET22 (5462) 9/12/2003 9:03:43 PM

Dan DeLion <noemail@northpole.nowhere> wrote:
> Here is info on the OSF.A linux virus,

> http://www.sophos.com/virusinfo/analyses/linuxosfa.html

Strange, all you M$ OE-boys can come up with are some 
top-posted links to anti-virus vendors. Looks like 
they don't want to miss the Linux business, if you
ask me...
;)

BTW
Please stop top-posting! Thx

-- 
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for 
inconvenience, but I get tons of SPAM
0
Reply USENET22 (5462) 9/12/2003 9:08:56 PM

On Fri, 12 Sep 2003 23:08:56 +0200, Michael Heiming wrote:

> Dan DeLion <noemail@northpole.nowhere> wrote:
>> Here is info on the OSF.A linux virus,
> 
>> http://www.sophos.com/virusinfo/analyses/linuxosfa.html
> 
> Strange, all you M$ OE-boys can come up with are some 
> top-posted links to anti-virus vendors. Looks like 
> they don't want to miss the Linux business, if you
> ask me...
> ;)

Does your MUA preserve the executable bits on attachments?  Mine doesn't.

0
Reply daveuhring (1168) 9/12/2003 9:29:24 PM

Dave Uhring <daveuhring@yahoo.com> wrote:
[..]

> Does your MUA preserve the executable bits on attachments?  Mine doesn't.

Nope, AFAIK there is not a single *nix MUA that would do something as 
stupid as this.

-- 
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for 
inconvenience, but I get tons of SPAM
0
Reply USENET22 (5462) 9/12/2003 9:34:21 PM

On Fri, 12 Sep 2003 23:34:21 +0200, Michael Heiming wrote:

> Dave Uhring <daveuhring@yahoo.com> wrote:
> [..]
> 
>> Does your MUA preserve the executable bits on attachments?  Mine doesn't.
> 
> Nope, AFAIK there is not a single *nix MUA, who would do something as 
> stupid as this.

You misread the question.  Does -your- MUA .....

0
Reply daveuhring (1168) 9/12/2003 10:04:25 PM

Dave Uhring <daveuhring@yahoo.com> wrote:
> On Fri, 12 Sep 2003 23:34:21 +0200, Michael Heiming wrote:

> > Dave Uhring <daveuhring@yahoo.com> wrote:
> > [..]
> > 
> >> Does your MUA preserve the executable bits on attachments?  Mine doesn't.
> > 
> > Nope, AFAIK there is not a single *nix MUA, who would do something as 
> > stupid as this.

> You misread the question.  Does -your- MUA .....

"Nope" was the answer, as it doesn't and it is included in the group of
*nix MUAs. But then, doesn't matter who misunderstood whomever.
;)

-- 
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for 
inconvenience, but I get tons of SPAM
0
Reply USENET22 (5462) 9/12/2003 10:18:38 PM

On Sat, 13 Sep 2003 00:18:38 +0200, Michael Heiming wrote:

> Dave Uhring <daveuhring@yahoo.com> wrote:
>> On Fri, 12 Sep 2003 23:34:21 +0200, Michael Heiming wrote:
> 
>> > Dave Uhring <daveuhring@yahoo.com> wrote:
>> > [..]
>> > 
>> >> Does your MUA preserve the executable bits on attachments?  Mine doesn't.
>> > 
>> > Nope, AFAIK there is not a single *nix MUA, who would do something as 
>> > stupid as this.
> 
>> You misread the question.  Does -your- MUA .....
> 
> "Nope" was the answer, as it doesn't and it is included in the group of
> *nix MUA. But then, doesn't matter, who misunderstood whomever.
> ;)

Then how could that OSF virus propagate?  For that matter how could *any*
Linux/BSD/UNIX virus propagate?  Worms are another matter; the subject
applies to viruses.

0
Reply daveuhring (1168) 9/12/2003 10:47:08 PM

Dave Uhring <daveuhring@yahoo.com> wrote:

> Then how could that OSF virus propagate?  For that matter how could *any*
> Linux/BSD/UNIX virus propagate?  Worms are another matter; the subject
> applies to viruses.

It simply can't, thought I had indicated with my reply to 
"nobody@nowhere.com" what those "virus" look like...

Where did I mention it might propagate?

-- 
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for 
inconvenience, but I get tons of SPAM
0
Reply USENET22 (5462) 9/12/2003 11:02:35 PM

On Sat, 13 Sep 2003 01:02:35 +0200, Michael Heiming wrote:

> Dave Uhring <daveuhring@yahoo.com> wrote:
> 
>> Then how could that OSF virus propagate?  For that matter how could *any*
>> Linux/BSD/UNIX virus propagate?  Worms are another matter; the subject
>> applies to viruses.
> 
> It simply can't, thought I had indicated with my reply to 
> "nobody@nowhere.com" what those "virus" look like...
> 
> Where did I mentioned it might propagate?

I don't recall that you did.  The question was rhetorical.

0
Reply daveuhring (1168) 9/12/2003 11:32:24 PM

"Dan DeLion" <noemail@northpole.nowhere> wrote:
>Here is info on the OSF.A linux virus,
>
>http://www.sophos.com/virusinfo/analyses/linuxosfa.html

The only way to get infected with it is to go find an infected
binary, transfer it to your system, and run it as root.

I don't run unsafe binaries as *any* user, much less as root.

This is a "virus" that can't spread.  I'm not sure that even
counts as a virus...

-- 
Floyd L. Davidson           <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska)                         floyd@barrow.com
0
Reply floyd (1027) 9/12/2003 11:36:29 PM
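Added example (not code from the thread or from any vendor write-up): a heuristic scan for ELF executables that carry bytes past the last structure their headers describe, which is a common side effect of file infectors that append themselves to a host binary. The thread does not describe how OSF.A lays out an infected file, so this is a generic appended-data check, not an OSF.A signature. The sample ELF is constructed in build_sample_elf() with struct, and the payload string is made up.

```python
"""Flag ELF files with data appended past the section header table (or past
the last program segment when the file has no section headers). Added example;
a hit means 'look closer with tripwire/rpm -V', since packers and self-
extracting installers also append data legitimately."""
import os
import struct

ELF_MAGIC = b"\x7fELF"


def elf_described_size(data):
    """Highest file offset accounted for by the ELF header and its tables.

    Handles ELF32/ELF64 and both byte orders. Raises ValueError if the input
    is not an ELF file.
    """
    if data[:4] != ELF_MAGIC or len(data) < 52:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
        # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx (Elf64_Ehdr, after e_ident)
        fmt = endian + "HHIQQQIHHHHHH"
        phdr_fmt, phdr_skip = endian + "QQQQ", 8   # p_offset p_vaddr p_paddr p_filesz after p_type,p_flags
    else:
        fmt = endian + "HHIIIIIHHHHHH"
        phdr_fmt, phdr_skip = endian + "IIII", 4   # p_offset p_vaddr p_paddr p_filesz after p_type
    (_, _, _, _, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _) = struct.unpack_from(fmt, data, 16)

    end = struct.calcsize(fmt) + 16  # at least the header itself
    if e_shoff and e_shnum:
        end = max(end, e_shoff + e_shnum * e_shentsize)
    if e_phoff and e_phnum:
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize + phdr_skip
            p_offset, _, _, p_filesz = struct.unpack_from(phdr_fmt, data, off)
            end = max(end, p_offset + p_filesz)
    return end


def trailing_bytes(data):
    """Number of bytes after everything the headers account for; 0 is clean."""
    return max(0, len(data) - elf_described_size(data))


def scan_directory(directory):
    """Return {path: trailing_bytes} for ELF files with appended data."""
    hits = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            if data[:4] != ELF_MAGIC:
                continue
            try:
                n = trailing_bytes(data)
            except (ValueError, struct.error):
                continue  # truncated or malformed header: not a clean verdict
            if n:
                hits[path] = n
    return hits


def build_sample_elf():
    """Constructed minimal ELF64 (x86-64, little-endian): 64-byte header plus
    two zeroed section header entries, no program headers. 192 bytes total."""
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH",
                       ELF_MAGIC, 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 0x3E, 1,        # e_type=EXEC, e_machine=x86-64, e_version
                       0, 0, 64,          # e_entry, e_phoff, e_shoff
                       0, 64, 56, 0,      # e_flags, e_ehsize, e_phentsize, e_phnum
                       64, 2, 1)          # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"\0" * (2 * 64)


if __name__ == "__main__":
    clean = build_sample_elf()
    infected = clean + b"PAYLOAD" * 4  # constructed appended payload
    print("clean:", trailing_bytes(clean), "infected:", trailing_bytes(infected))
```

Point scan_directory at /bin or /usr/bin and compare any hit against the package manager's file digests before assuming infection.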

That can't be true, because our system got infected with OSF.A due to not
having the very latest patches.  Perhaps through OpenSSL.

I'm finding that Linux is not a very secure environment unless you take
pro-active steps to manage the system daily or weekly.



"Floyd Davidson" <floyd@barrow.com> wrote in message
news:878yotwpdu.fld@barrow.com...
> "Dan DeLion" <noemail@northpole.nowhere> wrote:
> >Here is info on the OSF.A linux virus,
> >
> >http://www.sophos.com/virusinfo/analyses/linuxosfa.html
>
> The only way to get infected with it is to go find an infected
> binary, tranfer it to your system, and run it as root.
>
> I don't run unsafe binaries as *any* user, much less as root.
>
> This is a "virus" that can't spread.  I'm not sure that even
> counts as a virus...
>
> -- 
> Floyd L. Davidson           <http://web.newsguy.com/floyd_davidson>
> Ukpeagvik (Barrow, Alaska)                         floyd@barrow.com


0
Reply noemail485 (13) 9/13/2003 7:45:32 PM

"Dan DeLion" <noemail@northpole.nowhere> wrote:
>That can't be true, because our system got infected with OSF.A due to not
>having the very latest patches.  Perhaps through OpenSSL.

To put it simply, no way.

Somebody downloaded an infected *binary* and ran it.  If it
infected system files (/bin or /usr/bin as it apparently is
intended) then some fool ran the infected binary as the root
user.

You *can't* get it from email, from OpenSSL, etc etc.  You
either have someone intentionally infecting it, or somebody
doing something that is *really* dumb (running unsafe binaries
is *really* dumb on a Linux box).

>I'm finding that Linux is not a very secure environment unless you take
>pro-active steps to manage the system daily or weekly.

So?  Do you think there is, or ever will be, a system that requires
annual maintenance?  I don't think so...

>"Floyd Davidson" <floyd@barrow.com> wrote:
>> "Dan DeLion" <noemail@northpole.nowhere> wrote:
>> >Here is info on the OSF.A linux virus,
>> >
>> >http://www.sophos.com/virusinfo/analyses/linuxosfa.html
>>
>> The only way to get infected with it is to go find an infected
>> binary, tranfer it to your system, and run it as root.
>>
>> I don't run unsafe binaries as *any* user, much less as root.
>>
>> This is a "virus" that can't spread.  I'm not sure that even
>> counts as a virus...

-- 
Floyd L. Davidson           <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska)                         floyd@barrow.com
0
Reply floyd (1027) 9/13/2003 8:48:21 PM

On Sat, 13 Sep 2003 12:48:21 -0800, Floyd Davidson wrote:

> "Dan DeLion" <noemail@northpole.nowhere> wrote:
>>That can't be true, because our system got infected with OSF.A due to not
>>having the very latest patches.  Perhaps through OpenSSL.
> 
> To put it simply, no way.
> 
> Somebody downloaded an infected *binary* and ran it.  If it
> infected system files (/bin or /usr/bin as it apparently is
> intended) then some fool ran the infected binary as the root
> user.
> 
> You *can't* get it from email, from OpenSSL, etc etc.  You
> either have someone intentionally infecting it, or somebody
> doing something that is *really* dumb (running unsafe binaries
> is *really* dumb on a Linux box).

Dan is a Windows user and is probably running that W2k box as a user with
Administrator privileges.  Almost certainly he ran the Linux box as root
and caused the damage himself.

0
Reply daveuhring (1168) 9/13/2003 9:10:07 PM

Dave Uhring <daveuhring@yahoo.com> wrote:
[...]

> Dan is a Windows user and is probably running that W2k box as a user with
> Administrator privileges.  Almost certainly he ran the Linux box as root
> and caused the damage himself.

Sounds reasonable or he's a damn liar. Albeit looking at his User-Agent
suggests the former...

-- 
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for 
inconvenience, but I get tons of SPAM
0
Reply USENET22 (5462) 9/13/2003 9:27:22 PM

Dave Uhring <daveuhring@yahoo.com> wrote:
>On Sat, 13 Sep 2003 12:48:21 -0800, Floyd Davidson wrote:
>> 
>> You *can't* get it from email, from OpenSSL, etc etc.  You
>> either have someone intentionally infecting it, or somebody
>> doing something that is *really* dumb (running unsafe binaries
>> is *really* dumb on a Linux box).
>
>Dan is a Windows user and is probably running that W2k box as a user with
>Administrator privileges.  Almost certainly he ran the Linux box as root
>and caused the damage himself.

Even then, he had to do more than just run as root.  He had to
find and execute an infected binary!  I mean, to do that he'd
practically have to post advertisements that he's looking for
one!

-- 
Floyd L. Davidson           <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska)                         floyd@barrow.com
0
Reply floyd (1027) 9/13/2003 10:18:14 PM

On Sat, 13 Sep 2003 14:18:14 -0800, Floyd Davidson wrote:

> Dave Uhring <daveuhring@yahoo.com> wrote:

>>Dan is a Windows user and is probably running that W2k box as a user with
>>Administrator privileges.  Almost certainly he ran the Linux box as root
>>and caused the damage himself.
> 
> Even then, he had to do more than just run as root.  He had to
> find and execute an infected binary!  I mean, to do that he'd
> practically have to post advertizements that he's looking for
> one!

Do his other comments indicate to you that he would be smart enough not to
do that?  He is a Windoze advocate and does not want to learn how to admin
a Linux system.

0
Reply daveuhring (1168) 9/13/2003 11:50:15 PM

Dave Uhring <daveuhring@yahoo.com> wrote:
>On Sat, 13 Sep 2003 14:18:14 -0800, Floyd Davidson wrote:
>
>> Dave Uhring <daveuhring@yahoo.com> wrote:
>
>>>Dan is a Windows user and is probably running that W2k box as a user with
>>>Administrator privileges.  Almost certainly he ran the Linux box as root
>>>and caused the damage himself.
>> 
>> Even then, he had to do more than just run as root.  He had to
>> find and execute an infected binary!  I mean, to do that he'd
>> practically have to post advertizements that he's looking for
>> one!
>
>Do his other comments indicate to you that he would be smart enough not to
>do that?  He is a Windoze advocate and does not want to learn how to admin
>a Linux system.

Do you mean... do I think he is lying??

Yes.  He made up the whole story of a linux virus infection.  It never
happened.

-- 
Floyd L. Davidson           <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska)                         floyd@barrow.com
0
Reply floyd (1027) 9/14/2003 1:08:11 AM

In <pan.2003.09.13.23.50.14.971667@yahoo.com>, Dave Uhring:

[Snip...]

>Do his other comments indicate to you that he would be smart enough not to
>do that?  He is a Windoze advocate and does not want to learn how to admin
>a Linux system.

Indeed. The shrillness of him and other wintrolls like "Funkenbusch" lately
(and especially following the MSBlaster/Sobig meltdown in August) is very
eloquent testimony to desperate disarray in the Borg ranks.

Even with every bug to date in Doze fixed, *nix and especially Open Source
is by far the better value, especially in the server space, and the gap is
widening with each Doze exploit trashing the net, costing billions.

Anyone who "believes" Trustworthy Computing anymore is completely foolish.

-- 

Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
Pardon any bogus email addresses (mklog*) in place for spambots.
Really it's (wyrd) at raytheon, dotted with com. DO NOT SPAM IT.
Standard Disclaimer: These are my opinions not Raytheon Company.

0
Reply stevens (92) 9/14/2003 1:08:37 AM

"Floyd Davidson" <floyd@barrow.com> wrote in message
news:87ad98tnxm.fld@barrow.com...
> "Dan DeLion" <noemail@northpole.nowhere> wrote:
> >That can't be true, because our system got infected with OSF.A due to not
> >having the very latest patches.  Perhaps through OpenSSL.
>
> To put it simply, no way.
>
> Somebody downloaded an infected *binary* and ran it.  If it
> infected system files (/bin or /usr/bin as it apparently is
> intended) then some fool ran the infected binary as the root
> user.
>
> You *can't* get it from email, from OpenSSL, etc etc.  You
> either have someone intentionally infecting it, or somebody
> doing something that is *really* dumb (running unsafe binaries
> is *really* dumb on a Linux box).

These assumptions are not correct because the /bin files became infected
while no one had accessed the system, other than a restricted ftp account.
I suspect a hacker took advantage of a vulnerability to install a rootkit
and gained access from there.


0
Reply noemail485 (13) 9/17/2003 10:21:32 PM

On Wed, 17 Sep 2003 22:21:32 +0000, Dan DeLion wrote:

> These assumptions are not correct because the /bin files became infected
> while no one had accessed the system, other than a restricted ftp account.
> I suspect a hacker took advantage of a vulnerability to install a rootkit
> and gained access from there.

PEBCK

0
Reply daveuhring (1168) 9/17/2003 10:37:33 PM
