On Thu, Dec 24, 2015 at 2:08 PM, John Andersen wrote:
> On December 24, 2015 10:45:36 AM PST, Greg Freemyer wrote:
>> On Thu, Dec 24, 2015 at 8:56 AM, Patrick Shanahan wrote:
>>> * stakanov@freenet.de [12-24-15 07:18]:
>>>> [...] Somebody who does not want to use "remote" at all. What can he do to un-install every remote package? The problem is that if you un-install openssh a lot of applications of KDE seemed to complain. [...]
>>>
>>> So don't "uninstall", just don't open the firewall ports.
>>> No open ports, no external access. Now only physical access is a problem.
>>
>> For completeness:
>>
>> A modern malware attack often uses a reverse tunnel.
>> i.e. malware gets on the machine via a phishing attack or an infected website.
>> Once on your machine it establishes outbound connections to a command and control site that tells it what to do.
>> No inbound connections are needed, so a traditional firewall blocking incoming ports has no effect.
>> I would guess the majority of infections today happily ignore inbound firewalls.
>>
>> Greg
>
> If they are very sophisticated they can hide outbound ports from some tools, probably not all.
> Using netstat you can look at all the outbound connections, and explain every one of those to yourself.
> Fairly easy to do on your own workstation, but quite a task on your gateway.

They often use a polling strategy of one poll a day or less and also use standard ports at the far end. It is difficult to detect manually and certainly not by just the occasional audit of current open sockets. This is one reason companies are moving to using white lists of allowed outbound connections. The hope is the command and control sites won't be on the white list. Websense is a major player in that market. And a lot of my customers use it or similar.

Greg
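Greg's point, that an occasional look at open sockets misses slow polling to standard ports whereas a destination white list does not, as an added example that is not part of the thread. It assumes a constructed outbound connection log (the kind a gateway firewall or netflow export produces) and a hypothetical allow list; it reports every destination outside the list and marks destinations contacted about once a day, every day, as beacon-like.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of outbound TCP connection records (timestamp, src, dst).
# 203.0.113.7 is contacted once a day on 443 and is never on the allow list.
SAMPLE_LOG = """\
2015-12-20T03:14:07 10.0.0.5:51234 -> 203.0.113.7:443
2015-12-20T09:02:11 10.0.0.5:51240 -> 198.51.100.20:443
2015-12-20T09:02:12 10.0.0.5:51241 -> 198.51.100.21:80
2015-12-21T03:14:09 10.0.0.5:51302 -> 203.0.113.7:443
2015-12-21T11:45:00 10.0.0.5:51310 -> 198.51.100.20:443
2015-12-22T03:14:05 10.0.0.5:51377 -> 203.0.113.7:443
2015-12-22T14:20:31 10.0.0.5:51380 -> 192.0.2.9:443
2015-12-22T14:20:33 10.0.0.5:51381 -> 192.0.2.9:443
"""

# Hypothetical allow list of destination networks (CIDR notation).
ALLOWLIST = ["198.51.100.0/24"]

LINE_RE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+)$")


def is_allowed(dst, allowlist):
    """True if the destination address falls inside any allow-listed network."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(net) for net in allowlist)


def audit_outbound(log_text, allowlist):
    """Group non-allow-listed destinations; report hits, distinct days, ports."""
    seen = defaultdict(lambda: {"hits": 0, "days": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than fail the audit
        ts, _src, dst, port = m.groups()
        if is_allowed(dst, allowlist):
            continue
        entry = seen[dst]
        entry["hits"] += 1
        entry["days"].add(ts[:10])  # ISO date prefix YYYY-MM-DD
        entry["ports"].add(int(port))
    report = {}
    for dst, e in seen.items():
        days = len(e["days"])
        report[dst] = {
            "hits": e["hits"],
            "days": days,
            "ports": sorted(e["ports"]),
            # exactly one contact per day over several days: slow polling pattern
            "beacon_like": e["hits"] == days and days >= 3,
        }
    return report
```

A snapshot of current sockets at any single moment would show the 203.0.113.7 connection only during the few seconds it is open; the allow list flags it on every contact.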