This is a discussion on Trojans and Trojan-scanner within the Linux Security forums, part of the System Security and Security Related category.
Hi,

Trojans are not really a big topic at Linux, are they?
How often do some pop up throughout a month?
Are there any dedicated Trojan-scanners or Trojan-scanning features
within other security related software yet? (I googled for it, but found
none)

Greetings, Frank

In comp.os.linux.security Frank Jülich <usenet@frankjuelich.de>:
> Hi,

> Trojans are not really a big topic at Linux, are they?

No.

> How often do some pop up throughout a month?

0

The only thing viewable, case I'm looking into SpamAssassin are
those numerous automatically dropped M$ virus/trojans/etc one
gets blasted with.

> Are there any dedicated Trojan-scanners or Trojan-scanning features
> within other security related software yet? (I googled for it, but found
> none)

There are IDS and alike available, (man snort), usually it's a
waste of time if you keep your system patched on a regular basis
and use iptables in a reasonable way.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 88: Boss' kid fucked up the machine

Michael Heiming wrote:
> In comp.os.linux.security Frank Jülich <usenet@frankjuelich.de>:
>> Hi,
>
>> Trojans are not really a big topic at Linux, are they?
>
> No.

Bzzzzzzzzzt. Wrong answer. Trojans _are_ a big topic on linux. Have a
look at chkrootkit and why it is so popular. Last time I heard somebody
say that their environment was safe I found that all 70 servers were
severely infected...

>
>> How often do some pop up throughout a month?
>
> 0

Depends on the admin. They usually won't be sent by mail though.

>
> The only thing viewable, case I'm looking into SpamAssassin are
> those numerous automatically dropped M$ virus/trojans/etc one
> gets blasted with.

See above for the reason.

>
>> Are there any dedicated Trojan-scanners or Trojan-scanning features
>> within other security related software yet? (I googled for it, but
>> found none)
>
> There are IDS and alike available, (man snort), usually it's a
> waste of time if you keep your system patched on a regular basis
> and use iptables in a reasonable way.
>

Bzzzzzzzt, wrong answer again. Run an updated version of chkrootkit
regularly. iptables will NOT stop trojans or infections on normally
opened ports. Have a look at snort-inline to stop malicious traffic at
your gateway. Keep the Net safe please...

EJ

--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.

Frank Jülich wrote:
> Hi,
>
> Trojans are not really a big topic at Linux, are they?
> How often do some pop up throughout a month?
> Are there any dedicated Trojan-scanners or Trojan-scanning features
> within other security related software yet? (I googled for it, but found
> none)
>
> Greetings, Frank

Run rootkit check regularly.
http://www.chkrootkit.org/
http://www.rootkit.nl/

I think that (colsfaq) "comp.os.linux.security FAQ" had a good answer on
trojans, but the document has been empty (unavailable) for some time now:
http://www.linuxsecurity.com/docs/ .....

Ok, google found these.
http://www.dsinet.org/textfiles/faqs/colsfaq.html
http://www.geocities.com/swan_daniel/colsfaq.html

Are those valid? Do you know where to grab the latest "colsfaq" ?

//moma
(( http://www.futuredesktop.org/OpenOffice.html
http://www.futuredesktop.org/how2burn.html ))

In comp.os.linux.security erik <erik@geenspam.vanwesten.net>:
> Michael Heiming wrote:
>> In comp.os.linux.security Frank Jülich <usenet@frankjuelich.de>:
>>> Hi,
>>
>>> Trojans are not really a big topic at Linux, are they?
>>
>> No.

> Bzzzzzzzzzt. Wrong answer. Trojans _are_ a big topic on linux. Have a
> look at chkrootkit and why it is so popular. Last time I heard somebody
> say that their environment was safe I found that all 70 servers were
> severely infected...

Running Linux since ages on a large amount of systems I have never seen
one. So it doesn't seem to be a big topic. Correct answer.

[..]

*PLONK*

--
Michael Heiming - RHCE (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 389: /dev/clue was linked to /dev/null

Michael Heiming <michael+USENET@www.heiming.de> writes:
> In comp.os.linux.security erik <erik@geenspam.vanwesten.net>:
>> Michael Heiming wrote:
>
>>> In comp.os.linux.security Frank Jülich <usenet@frankjuelich.de>:
>>>> Hi,
>>>
>>>> Trojans are not really a big topic at Linux, are they?
>>>
>>> No.
>
>> Bzzzzzzzzzt. Wrong answer. Trojans _are_ a big topic on linux. Have a
>> look at chkrootkit and why it is so popular. Last time I heard somebody
>> say that their environment was safe I found that all 70 servers were
>> severely infected...
>
> Running Linux since ages on a large amount of systems I have never seen
> one. So it doesn't seem to be a big topic. Correct answer.

Now now .. Where does someone who's encountered 3 cracked boxes (owned by
other people, over a course of 2-3 yrs) fit between 0 and 70? What if said
someone thinks the name `trojan' is meaningless and that what matters is
there's been no security exploit of any stupid name conducted on your box?

The reasons one doesn't hear too much about these things are two-fold:

a) the people not getting cracked are the ones who've gone to the trouble
   to protect their assets, who take a personal interest in the running of
   their servers, while

b) the fuckwits who get all their boxes cracked are the ones who don't show
   any care and either turn up on here and whinge, or don't even notice.

In any case, we linux-ers still have a better track-record than the vast
millions who use windoze. Statistics have been flying again, this past
~fortnight, about the percentage of windoze boxes infected by at least one
virus or spyware program.

~Tim

--
Sometimes you're the pigeon, |piglet@stirfried.vegetable.org.uk
Sometimes you're the statue. |http://pig.sty.nu/Pictures/composition/

In comp.os.linux.security Tim Haynes <usenet-20041030@stirfried.vegetable.org.uk>:
> Michael Heiming <michael+USENET@www.heiming.de> writes:
>> In comp.os.linux.security erik <erik@geenspam.vanwesten.net>:
>>> Michael Heiming wrote:
>>>> In comp.os.linux.security Frank Jülich <usenet@frankjuelich.de>:
>>>>> Hi,
>>>>
>>>>> Trojans are not really a big topic at Linux, are they?
[..]
>> Running Linux since ages on a large amount of systems I have never seen
>> one. So it doesn't seem to be a big topic. Correct answer.

> Now now .. Where does someone who's encountered 3 cracked boxes (owned by
> other people, over a course of 2-3 yrs) fit between 0 and 70? What if said
> someone thinks the name `trojan' is meaningless and that what matters is
> there's been no security exploit of any stupid name conducted on your box?

> The reasons one doesn't hear too much about these things are two-fold:

> a) the people not getting cracked are the ones who've gone to the trouble
> to protect their assets, who take a personal interest in the running of
> their servers, while

> b) the fuckwits who get all their boxes cracked are the ones who don't show
> any care and either turn up on here and whinge, or don't even notice.

> In any case, we linux-ers still have a better track-record than the vast
> millions who use windoze. Statistics have been flying again, this past

Not only still, even where the OSS market-share is much higher than
anything else like Apache, but we haven't heard about large scale
attacks/trojans against it. OK, might be type a).;)

> ~fortnight, about the percentage of windoze boxes infected by at least one
> virus or spyware program.

100% ack, great write up!

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 97: Small animal kamikaze attack on power supplies

Frank Jülich <usenet@frankjuelich.de> wrote in
news:clvs08$1k0$2@online.de:

> Trojans are not really a big topic at Linux, are they?
> How often do some pop up throughout a month?
> Are there any dedicated Trojan-scanners or Trojan-scanning features
> within other security related software yet? (I googled for it, but
> found none)

It might depend on your definition of a trojan (trojan horse program).
A trojan on linux is rare. A virus on linux is rare. A worm on linux is
slightly more common than either a trojan or a virus but it's still rarely
seen by anyone.

On the other hand... scripted probes looking for un-patched exploits are
extremely common. If one is found then manually using it to get into a
machine is common enough to have been seen by many admins. That is often
used to install a backdoor program or owning program (such as a rootkit).
In cases such as that I wouldn't really call it a trojan since I've never
seen it use a program masquerading as a good thing to get the machine
owner to run it.

Gandalf Parker
--
My mom always told me that if you open it, then you shut it.
And if you aren't going to pay attention to it, then don't leave it running.
And put away your toys when you are done playing with them.
Never talk to strangers and never accept gifts from people you don't know.
She made me the security expert that I am today.

Tim Haynes wrote:
> Michael Heiming <michael+USENET@www.heiming.de> writes:
>
>> In comp.os.linux.security erik <erik@geenspam.vanwesten.net>:
>>> Michael Heiming wrote:
>>
>>>> In comp.os.linux.security Frank Jülich <usenet@frankjuelich.de>:
>>>>> Hi,
>>>>
>>>>> Trojans are not really a big topic at Linux, are they?
>>>>
>>>> No.
>>
>>> Bzzzzzzzzzt. Wrong answer. Trojans _are_ a big topic on linux. Have
>>> a look at chkrootkit and why it is so popular. Last time I heard
>>> somebody say that their environment was safe I found that all 70
>>> servers were severely infected...
>>
>> Running Linux since ages on a large amount of systems I have never
>> seen one. So it doesn't seem to be a big topic. Correct answer.

And what makes you authoritative on the subject? Just plainly ignoring
rootkits doesn't make you an expert on the topic.

>
> Now now .. Where does someone who's encountered 3 cracked boxes (owned
> by other people, over a course of 2-3 yrs) fit between 0 and 70? What
> if said someone thinks the name `trojan' is meaningless and that what
> matters is there's been no security exploit of any stupid name
> conducted on your box?

How about 0day is the only thing I can add...

>
> The reasons one doesn't hear too much about these things are two-fold:
> a) the people not getting cracked are the ones who've gone to the
>    trouble to protect their assets, who take a personal interest in the
>    running of their servers, while
> b) the fuckwits who get all their boxes cracked are the ones who don't
>    show any care and either turn up on here and whinge, or don't even
>    notice.

c) lots of companies running (unsecured?) linux boxes don't want the
world to know that they have been cracked. A long time ago I 'found'
that about 30% of co-located boxes (running linux) were cracked. That is
too much to be funny. Braindead admins? Probably. Have a look around at
ISPs. You'll be amazed how many of their boxes turn out to be cracked.

My ISP is one of the few I know that permits its customer to crack them
(under condition that you will not destroy anything and so on), and
actually give a reward if you tell them how you did it. It is not
without reason that still a number of customers get their account for
free for a year (because _that_ is the prize)... (o, and they run
freebsd).

>
> In any case, we linux-ers still have a better track-record than the
> vast millions who use windoze. Statistics have been flying again, this
> past ~fortnight, about the percentage of windoze boxes infected by at
> least one virus or spyware program.
>

Absolutely right.

EJ

--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.

In article <4183b37b$0$65124$c5fe704e@news6.xs4all.nl>, erik wrote:

>Bzzzzzzzzzt. Wrong answer. Trojans _are_ a big topic on linux. Have a
>look at chkrootkit and why it is so popular.

Oh, that's simple. The windoze wankers who discovered how l33t it is to
run a *nix are used to having a program to run to see how badly they are
infected. chkrootkit was written to fill that need. That the dumb fucks
could have avoided the problem in Linux, just as easily as they could
have avoided being infected in windoze is an education problem. They
don't want to learn, and actively resist clue.

chkrootkit has the same drawback that all of the windoze
virus/trojan/spyware hunter programs have - if the bad guy does even one
thing differently, then the hunter program doesn't find it - or it
misidentifies things, and the luser doesn't know what to do. But he
doesn't worry, because he has a r00tkit detector and like two crossed
sticks, that will keep the vampires away.

>Last time I heard somebody say that their environment was safe I found
>that all 70 servers were severely infected...

Windoze wanker admins trained (conditioned) by microsoft

>Bzzzzzzzt, wrong answer again. Run an updated version of chkrootkit
>regularly. iptables will NOT stop trojans or infections on normally
>opened ports. Have a look at snort-inline to stop malicious traffic at
>your gateway. Keep the Net safe please...

Two crossed sticks _supplemented_ by a wreath of braided garlic bulbs.
Maybe also a bucket of blessed water (hey, it worked on the Wicked Witch
of the West, didn't it?) Yeah, that ought to do it.

Old guy

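Added example, not part of the thread: the drawback raised in the post above (a known-bad list misses a sample that differs from the ones it was built from), shown next to a comparison against a known-good baseline, which goes beyond what the thread discusses. File contents, patterns and paths are constructed, and neither function reflects how chkrootkit or any other named tool is implemented.

```python
import hashlib

# Constructed stand-ins for file contents; none of this is real malware.
CLEAN_LS = b"ELF ls 1.0 list-directory"
CLEAN_PS = b"ELF ps 1.0 list-processes"
TROJAN_LS_V1 = CLEAN_LS + b" skip-entries-named=.rk1"
TROJAN_LS_V2 = CLEAN_LS + b" skip-entries-named=.zz9"  # same trick, one string changed

# Known-bad list: byte patterns taken from samples already analysed (hypothetical).
KNOWN_BAD_PATTERNS = [b"skip-entries-named=.rk1"]


def digest(data):
    return hashlib.sha256(data).hexdigest()


# Known-good baseline: digests recorded from the trusted install (assumed clean).
BASELINE = {"/bin/ls": digest(CLEAN_LS), "/bin/ps": digest(CLEAN_PS)}


def signature_scan(files):
    """Return paths whose content contains a pattern from the known-bad list."""
    return sorted(path for path, data in files.items()
                  if any(sig in data for sig in KNOWN_BAD_PATTERNS))


def baseline_scan(files, baseline=BASELINE):
    """Return (path, reason) for every difference from the recorded baseline."""
    findings = []
    for path in sorted(set(files) | set(baseline)):
        if path not in baseline:
            findings.append((path, "not in baseline"))
        elif path not in files:
            findings.append((path, "missing"))
        elif digest(files[path]) != baseline[path]:
            findings.append((path, "modified"))
    return findings


if __name__ == "__main__":
    hosts = {
        "clean": {"/bin/ls": CLEAN_LS, "/bin/ps": CLEAN_PS},
        "known sample": {"/bin/ls": TROJAN_LS_V1, "/bin/ps": CLEAN_PS},
        "changed sample": {"/bin/ls": TROJAN_LS_V2, "/bin/ps": CLEAN_PS},
    }
    for name, files in hosts.items():
        print(name, signature_scan(files), baseline_scan(files))
```

A baseline only helps if it was recorded before any compromise and is stored and compared from media an intruder cannot modify.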