Similar to what Alexander is suggesting... Firewall the box itself...

    iptables -A OUTPUT -j LOG --log-level info --log-prefix output-drop:
    iptables -A OUTPUT -j DROP
    iptables -A FORWARD -j LOG --log-level info --log-prefix forward-drop:
    iptables -A FORWARD -j DROP
This way the box can't talk to the network at all unless the kernel's been
hacked (or /sbin/iptables is a trojan). Quite obviously you'll need to allow
specific stuff as needed; this will need to come *before* the above 4 rules in
your firewall script. EG DNS, DHCP, http?

Any email generated in the normal way will be queued up wherever your MTA does
this (sendmail is /var/spool/mqueue). Otherwise, if it's something sending
direct emails, it'll only show in the log (depends on syslog setup). Likewise,
if something's generating other types of attacks it'll show in the logs as
well.

For the pedants, the forward stuff is just insurance and probably will have
zero effect unless you've set up the machine as a gateway to other machines (or
their default route is your IP on the LAN) and turned IP forwarding on.

On Wed, 12 Nov 2003, Alexander Samad wrote:

> why not place it on a switch by itself and then dump the interface to
> see what is going out !
>
> On Wed, Nov 12, 2003 at 01:00:54PM +1100, [EMAIL PROTECTED] wrote:
> > > How exactly did they come to this conclusion? Reading up on the virus
> > > it appears to only run and infect Windows systems ...
> > >
> > > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100401
> > >
> > > I know corporate IT people are often very quick to blame any sort of
> > > abnormal behaviour on a perfectly fine Linux box, but that seems like an
> > > extreme accusation.
> >
> > That's what I thought first. This worm should be windows specific. I did
> > a few quick checkups, everything seemed to be normal. I then reconnected my
> > machine to the network. Within 10 minutes, I got a call from the support guy
> > asking me whether I had reconnected. I was told two more machines had just
> > got infected. For some stupid reason (I couldn't even remember now) I did
> > not save my ethereal snapshot of traffic going out of my eth0 during that
> > time (DAMN!) so I can't prove anything. But from my memory there were a few
> > announcement/browse packets from samba sent out. Right now, I am really
> > hesitant to reconnect my machine to the network for further testing,
> > before I have some clues of what has happened. I really don't want to piss
> > them off. Ever since that MBlaster worm... ;-)
> >
> > Xun.
> >
> > -i
> >
> > --
> > SLUG - Sydney Linux User's Group - http://slug.org.au/
> > More Info: http://lists.slug.org.au/listinfo/slug

--
---<GRiP>---
Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist, Linux Guru,
SLUG/AUUG/Linux Australia member, Sydney Flashmobber, BMX rider, Walker,
Raver & rave music lover, Big kid that refuses to grow up.
I'd make a good family pet, take me home today! Do people actually read these things?
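As an added example (this is not code from the original post or from anyone on the list), here is a complete version of the firewall script the post sketches: the specific allowances placed before the catch-all LOG/DROP rules, plus an awk summary of the `output-drop:` lines so you can see what the box was actually trying to send (NetBIOS 137/138 broadcasts or an SMB connection on 445, which is what the thread is worried about). The interface name eth0, the DNS server, the mail relay address and the log lines are all assumptions or constructed samples, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Default-deny OUTPUT/FORWARD
# firewall in the style described above, plus a summary of the drop log.
# Assumptions (hypothetical): LAN interface eth0, DNS server 192.168.1.1,
# site mail relay 192.168.1.2. Override via the environment if yours differ.

IPTABLES=${IPTABLES:-/sbin/iptables}
LAN_IF=${LAN_IF:-eth0}
DNS_SERVER=${DNS_SERVER:-192.168.1.1}
MAIL_RELAY=${MAIL_RELAY:-192.168.1.2}

apply_rules() {
    # Flush only the two chains we own so the script is safe to re-run.
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD

    # Loopback must stay open or local daemons (syslog, MTA, X) break.
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Replies on connections the box already accepted inbound (e.g. your ssh
    # session into it). Needs the state match (ip_conntrack).
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The specific allowances: they MUST precede the catch-all LOG/DROP.
    $IPTABLES -A OUTPUT -o "$LAN_IF" -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$LAN_IF" -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    # DHCP client renewals (harmless if your client uses packet sockets and
    # bypasses netfilter anyway).
    $IPTABLES -A OUTPUT -o "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # Web browsing.
    $IPTABLES -A OUTPUT -o "$LAN_IF" -p tcp --dport 80 -j ACCEPT
    # Mail: only to the site relay, so a direct-to-MX mailer ends up in the log.
    $IPTABLES -A OUTPUT -o "$LAN_IF" -p tcp -d "$MAIL_RELAY" --dport 25 -j ACCEPT

    # Everything else: log it, then drop it (the four rules from the post).
    $IPTABLES -A OUTPUT -j LOG --log-level info --log-prefix "output-drop:"
    $IPTABLES -A OUTPUT -j DROP
    $IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "forward-drop:"
    $IPTABLES -A FORWARD -j DROP
}

# Reads kernel log lines on stdin, keeps those with our prefix and counts them
# by protocol, destination port and destination address, busiest first.
summarize_drops() {
    awk '
        /output-drop:/ {
            proto = "?"; dport = "?"; dst = "?"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dport = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
            }
            count[proto "/" dport " -> " dst]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of what syslog would record with the rules above:
# NetBIOS name/datagram broadcasts (137/138) and one SMB connection attempt.
SAMPLE_LOG='Nov 12 13:05:21 box kernel: output-drop:IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 12 13:05:21 box kernel: output-drop:IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 12 13:05:22 box kernel: output-drop:IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.255 LEN=243 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=223
Nov 12 13:05:30 box kernel: output-drop:IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.57 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=1034 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 13:05:31 box kernel: forward-drop:IN=eth0 OUT=eth0 SRC=192.168.1.20 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=2000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

case "${1:-}" in
    apply)     apply_rules ;;                          # needs root
    dry-run)   IPTABLES="echo iptables"; apply_rules ;; # print the rules only
    summarize) summarize_drops ;;                      # grep kernel /var/log/messages | sh fw.sh summarize
    demo)      printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

Run `sh fw.sh dry-run` to eyeball the rule order before applying as root, and `sh fw.sh demo` to see the summary over the constructed sample; on a real box feed it the kernel lines from wherever your syslog puts `kern.info`. Keeping the mail rule restricted to the relay is what makes a direct-to-MX mass mailer visible: legitimate mail still queues in the MTA, anything else shows up as dropped port-25 connections in the summary.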
