Mailinglist Archive: opensuse (911 mails)

Re: [opensuse] Have I been hacked or "visited"? seccheck and rkhunter outputs
On Thu, Dec 24, 2015 at 2:08 PM, John Andersen <jsamyth@xxxxxxxxx> wrote:
> On December 24, 2015 10:45:36 AM PST, Greg Freemyer <greg.freemyer@xxxxxxxxx> wrote:
>> On Thu, Dec 24, 2015 at 8:56 AM, Patrick Shanahan <paka@xxxxxxxxxxxx> wrote:
>>> * stakanov@xxxxxxxxxx <stakanov@xxxxxxxxxx> [12-24-15 07:18]:
>>> [...]
>>>> Somebody who does not want to use "remote" at all. What can he do to
>>>> un-install every remote package? The problem is that if you un-install
>>>> openssh a lot of applications of kde seemed to complain.
>>> [...]
>>>
>>> So don't "uninstall", just don't open the firewall ports.
>>>
>>> No open ports, no external access. Now only physical access is a
>>> problem.
>>
>> For completeness:
>>
>> A modern malware attack often uses a reverse tunnel.
>>
>> i.e. malware gets on the machine via a phishing attack or an infected
>> website.
>>
>> Once on your machine it establishes outbound connections to a command
>> and control site that tells it what to do.
>>
>> No inbound connections are needed so a traditional firewall blocking
>> incoming ports has no effect.
>>
>> I would guess the majority of infections today happily ignore inbound
>> firewalls.
>>
>> Greg
>
> If they are very sophisticated they can hide outbound ports from some tools,
> probably not all.
>
> Using netstat you can look at all the outbound connections, and explain every
> one of those to yourself.
>
> Fairly easy to do on your own workstation, but quite a task on your gateway.


They often use a polling strategy of one poll a day or less and also
use standard ports at the far end.

It is difficult to detect manually and certainly not by just the
occasional audit of current open sockets.

This is one reason companies are moving to using white lists of
allowed outbound connections. The hope is the command and control
sites won't be on the white list.

Websense is a major player in that market. And a lot of my customers
use it or similar.

Greg
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
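The two points made above (a once-a-day poll on a standard port slips past an occasional socket audit, and an outbound allow-list is the control that catches it) can be checked against a connection log rather than a snapshot. The following is an added example written for this archive page, not code from the thread or from any product mentioned in it. It parses a constructed outbound-connection log (RFC 5737 documentation addresses, hypothetical timestamps), reports destinations missing from a constructed allow-list, and separately flags destinations contacted at a near-constant interval, which is the beaconing pattern a one-off `netstat` cannot see. The log format, the allow-list and the jitter threshold are all assumptions for the example.

```python
"""Added example (not from the thread): audit a log of outbound connections
for (1) destinations outside an allow-list and (2) regular low-rate contact."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one outbound connection per line:
# "<UTC timestamp> <src ip:port> -> <dst ip:port>". Addresses are documentation
# ranges (RFC 5737); the daily 03:14 contact with 203.0.113.7 is the planted pattern.
SAMPLE_LOG = """\
2015-12-20T03:14:07Z 10.0.0.5:51234 -> 198.51.100.10:443
2015-12-20T09:02:11Z 10.0.0.5:51240 -> 198.51.100.10:443
2015-12-20T03:14:09Z 10.0.0.5:51235 -> 203.0.113.7:443
2015-12-21T03:14:05Z 10.0.0.5:52001 -> 203.0.113.7:443
2015-12-21T14:30:44Z 10.0.0.5:52100 -> 198.51.100.20:80
2015-12-22T03:14:08Z 10.0.0.5:53010 -> 203.0.113.7:443
2015-12-23T03:14:06Z 10.0.0.5:54002 -> 203.0.113.7:443
2015-12-23T11:00:00Z 10.0.0.5:54050 -> 198.51.100.10:443
"""

# Constructed allow-list: the destinations this workstation is expected to reach.
ALLOWED_DESTINATIONS = {"198.51.100.10", "198.51.100.20"}


def parse_log(text):
    """Return a list of (datetime, dst_ip, dst_port) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, _arrow, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, int(port)))
    return events


def not_allowed(events):
    """Destinations outside the allow-list, mapped to their connection counts."""
    counts = defaultdict(int)
    for _ts, ip, _port in events:
        if ip not in ALLOWED_DESTINATIONS:
            counts[ip] += 1
    return dict(counts)


def periodic_destinations(events, min_hits=3, min_interval_h=1.0, max_jitter=0.1):
    """Destinations contacted at a regular interval, mapped to that interval in hours.

    A destination qualifies when it has at least `min_hits` connections whose
    gaps average at least `min_interval_h` hours and whose relative standard
    deviation is below `max_jitter`. Standard ports (443 here) are ignored on
    purpose: the regularity, not the port, is the signal.
    """
    by_dst = defaultdict(list)
    for ts, ip, _port in events:
        by_dst[ip].append(ts)
    findings = {}
    for ip, stamps in by_dst.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg >= min_interval_h and pstdev(gaps) / avg < max_jitter:
            findings[ip] = round(avg, 2)
    return findings


def audit(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {"off_allowlist": not_allowed(events),
            "periodic": periodic_destinations(events)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, the allow-list check and the periodicity check both point at the same host: 203.0.113.7 is not on the list, and it is contacted every 24 hours within a few seconds, while the allowed host with three irregular connections is not flagged. In practice the log would come from the gateway or from a connection-tracking export rather than from a single `netstat` run, which is exactly why the thread's advice to audit at the gateway is harder but more useful.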
