# Virus on gentoo WTF??

## flazz

At about 5pm today my cable modem was deactivated because I had a "virus".

When I tried to explain to the tech support person that I run Linux and there are no virii that run in Linux, I was told that the "latest wave of viruses released were targeted at Linux operating systems".

so, my questions are:

Are there virii targeted at Linux? If so, are they in portage? Because I only install software from portage.

And I was told that this has been happening since 10-5. Is there a way I can scan for packages installed since a specific date?

Thanks a lot.

btw my provider is cox, has this happened to anyone else???

----------

## allucid

He's talking out of his ass. Ask tech support what the criteria are for determining you have a virus, or even what virus they think you have, so you can better understand what the problem is. They have no way of seeing what's on your computer; they can only examine your network traffic. Honestly, I don't see how they could determine you have a virus (examining your outgoing email attachments would be the only thing I can think of). Are you sharing the cable connection with anyone? What programs are you running that are accessing the network? Maybe you forwarded an email that was already infected?

You possibly might have been rooted but you don't have a virus.

----------

## flazz

I asked her for evidence and got a turgid response consisting of open ports and such. She did a port scan after activating me and said something about an unknown port 1341.

So I do a:

```
# netstat -a | grep tcp
tcp        0      0 *:1314                  *:*                     LISTEN
tcp        0      0 localhost:1314          localhost:45079         ESTABLISHED
tcp        0      0 localhost:45079         localhost:1314          ESTABLISHED
```

My network prowess isn't that grand, but I'm guessing those ports are in use by X, right?

I told her that, she googled it, and then agreed that it is possible.

Cox works on a 3 strike rule and I got my strike taken away this time.

----------

## allucid

Since when does virus == open ports?

I don't believe those ports are for X...at least I'm not using them. *shrugs*

Maybe someone with more knowledge could help you from here...

----------

## ScribeOfTheNile

I searched around a bit, and according to this, that port belongs to Photoscript Distributed Printing System.

Edit: Try running `lsof | grep 1314`.

----------

## Hawkeye

Or, as root: `netstat -p --listen --tcp`

From the netstat man page:

> -p, --program
>        Show the PID and name of the program to which each socket belongs.

Another ISP that thinks they know better. Granted, sometimes ISPs have to shut off users because they cause problems by having viruses probing entire networks trying to infect them, but getting shut off for having ports > 1024 open?

----------
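The thread so far turns on two questions: is `*:1314` reachable from outside (it is, since `*` means every interface, unlike the `localhost:` lines), and which process owns it. The script below is an added example, not code from any post in this thread. It decodes `/proc/net/tcp`, the table that `netstat` and `ss` read, flags each listening socket as all-interfaces or loopback-only, and then finds the owning PID the way `netstat -p` and `lsof` do, by matching the socket inode against `/proc/<pid>/fd` symlinks (which is why it needs root to see other users' processes). The embedded sample table is constructed to mirror the `*:1314` listener and its localhost peer from the netstat output above.

```shell
#!/bin/sh
# Added example (not from any post in this thread): decode /proc/net/tcp, the
# table netstat/ss read, list LISTEN sockets with their reachability, and map
# each to a PID by socket inode, as netstat -p and lsof do.
# The sample table is constructed; it mirrors the thread's *:1314 listener.

SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0522 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0522 0100007F:B017 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0'

# Print "ip:port inode scope" for every LISTEN row (state 0A) read on stdin.
# Addresses are hex; IPv4 bytes are stored little-endian, so 0100007F is
# 127.0.0.1, 00000000 is 0.0.0.0 (all interfaces) and 0522 is port 1314.
list_listeners() {
  awk '
    function hex2dec(h,    i, v) {
      v = 0
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
      return v
    }
    function hex2ip(h) {
      return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    NR > 1 && $4 == "0A" {
      split($2, a, ":")
      ip = hex2ip(a[1]); port = hex2dec(a[2])
      if (ip == "0.0.0.0")     scope = "ALL-INTERFACES"
      else if (ip ~ /^127\./)  scope = "loopback-only"
      else                     scope = "one-interface"
      print ip ":" port, $10, scope
    }'
}

# Map a socket inode to its owning PID by scanning /proc/<pid>/fd symlinks,
# which is what netstat -p does (hence "as root": other users' fd directories
# are unreadable). Prints the PID, or returns 1 when nothing matches.
pid_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
      echo "$fd" | cut -d/ -f3
      return 0
    fi
  done
  return 1
}

# Usage: `sh listeners.sh --live` inspects this host; with no argument it
# decodes the constructed sample, so the script also runs where /proc is absent.
main() {
  if [ "${1:-}" = "--live" ]; then
    table=$(cat /proc/net/tcp)
  else
    table=$SAMPLE_PROC_NET_TCP
  fi
  printf '%s\n' "$table" | list_listeners | while read -r addr inode scope; do
    pid=$(pid_for_inode "$inode") || pid="?"
    printf '%-22s pid=%-6s %s\n' "$addr" "$pid" "$scope"
  done
}

main "$@"
```

On the sample, only rows 0 and 2 are listeners; the `localhost:45079` style rows are ESTABLISHED connections, not things a scanner can reach. IPv6 listeners live in `/proc/net/tcp6` with 32-hex-digit addresses and are not decoded here.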

## cazort

If I were you, I'd do two things:

(1) make a horrible fuss.

(2) get a router.  They're $50 or less, and from a security standpoint, they have many advantages.  Sure, it might be really really hard to hack your box, but if you have open ports, then people will be able to tell that you have a box turned on.  And hey--what if there's a buffer overflow bug in that print spooler?  Then you're vulnerable.

If you have a router, then you can have open ports behind the router, yet your computer won't even RESPOND to requests (so it won't even be a closed port, it'll just look like your comp. is not turned on) on all ports, except those you choose to leave open.

In fact, with my network here, I am so ultra-paranoid (I keep some pretty sensitive data on it) that I disable all ports on the router, except when I need them, and then I turn them on while the access is needed, and then off again.


Good luck dealing with cox.  From my experience, you just need to be a b**** to them.  They're really not that bad of a company, I've had them and I'm quite happy with them.  Compare them to say, SBC = Southern Bell Communications, which is terrible as a DSL provider.  Just keep calling their tech support.  Remember, this costs them money.  Eventually, they'll have to concede to your wishes, because if they don't, you can keep eating up their time, and time is money!

----------

## duhblow7

cox internet sucks.  they also block all outgoing ports on 25 EXCEPT to Cox SMTP mail servers.  It would have been nice to be warned before this happened but it makes things difficult for 3rd party email providers.  I know i can use Cox's SMTP but they have limits on mail, such as attachment size.

Cox is ignorant.  I bet you have some odd terms you agreed to when you signed up with them.  I know of some ISPs that ban any TCP port open to the WAN; perhaps this is the case.  Open TCP port...YES; virus...DEF NOT.

A router can't fully block this.  Think about legitimate services that run on ports not on Cox "safe port list" or when you want to hide a service from hackers.  I run SSHD, WEB, FTP, anything i can on ports >50,000.  Most port scanners scan for known ports and not all ports.  If you're on a port greater than 50,000 and the attacker (in this case Cox) scans known ports it's unlikely they will find your port.

----------

## flazz

 *ScribeOfTheNile wrote:*

> I searched around a bit, and according to this, that port belongs to Photoscript Distributed Printing System.
>
> Edit: Try running "lsof | grep 1314".

When I did this it said that festival was running. festival is a program that lets you make speech from text, like Stephen Hawking.

festival is in portage and its homepage is here.

So I googled it and got some stuff.

I don't know if there is a trojan in festival or what, but I'm going to email the project and inform them.

----------

## malloc

You should call the manager and report that their tech people are smoking crack during work hours...

God i despise those front-office retards...

----------

## speed_bump

It sounds as though they did a quick port scan and banned you based upon those results. If you're running a legit service on those ports this shouldn't be a problem. If you've got festival installed, it may well open those ports for some reason. I'm not sure, as I'm not familiar with festival. 

In any case, before going too far in any direction, it's best to try to determine what's actually happening. Do some quick reading about festival and find out if it opens any TCP ports. If not, you may have problems. If so, great. However, you probably don't want those ports available for any old random d00ds to take a shot at, so use iptables to restrict access appropriately.

If you have problems, there are a number of possibilities short of having a trojanned version of festival. It could be that the bad guys have simply overlaid the in memory image of the process. It's also possible that the program is using the name "festival" but is not the same festival you're thinking of. Various fields in lsof can tell you this.

Finally, start logging packets (with an iptables LOG rule) so you can figure out where your ISP's scans are coming from. Use that to DROP all their packets.

----------

## bungle

I just saw this and felt obliged to have a bitch.

 *cazort wrote:*

> (2) get a router.  They're $50 or less, and from a security standpoint, they have many advantages.

IMO there's little to no advantage in getting a hardware router for a single Linux box. iptables is pretty powerful stuff. If no services are being run, AFAIK a simple:

```
# keep localhost traffic (X, festival) working, allow replies to
# connections you opened, then default-deny everything else
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
```

should have exactly the same effect as that $50 router you were on about (if you trust the linux kernel).

----------
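Putting together the two iptables suggestions in this thread (a default-deny INPUT chain, and a LOG rule to see where the ISP's scans come from so you can DROP that source), here is an added example that is not code from any post. It is a host firewall for a single Linux box: loopback stays open so local clients of festival's port 1314 keep working, only the TCP ports you list are exposed, the remainder is logged at a bounded rate and then dropped by the policy, so a scanner gets no answer at all. It also includes a small log summariser that counts dropped-packet log lines per source address. The variable names `ALLOW_TCP` and `BLOCK_SRC`, the `fw-drop: ` log prefix and the sample kernel-log lines are this example's own constructions; it assumes iptables with the `state` and `limit` modules and root to apply, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from any post in this thread): default-deny host firewall
# with rate-limited logging, plus a summary of what the log shows.
# Assumes iptables with the state and limit modules; root needed to apply.
# ALLOW_TCP, BLOCK_SRC and the fw-drop: prefix are this example's own names.

ALLOW_TCP="${ALLOW_TCP:-22}"     # TCP ports you deliberately expose (default here: ssh)
BLOCK_SRC="${BLOCK_SRC:-}"       # sources to drop outright, e.g. a scanner found in the log
LOG_PREFIX="fw-drop: "

# Run iptables, or just echo the command when DRY_RUN is set.
ipt() {
  if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
  ipt -P INPUT ACCEPT            # stay open while rebuilding so a remote session is not cut
  ipt -F INPUT
  for s in $BLOCK_SRC; do
    ipt -A INPUT -s "$s" -j DROP
  done
  ipt -A INPUT -i lo -j ACCEPT   # loopback first: local clients of 1314 etc. keep working
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m state --state INVALID -j DROP
  for p in $ALLOW_TCP; do
    ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
  done
  # Log the leftovers at a bounded rate so a scan cannot flood the log;
  # the policy then drops them without any reply (no RST, no ICMP).
  ipt -A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "$LOG_PREFIX" --log-level info
  ipt -P INPUT DROP              # default-deny only after the allow rules are in place
}

# Summarise the dropped-packet log: hits per source address and the ports it
# probed. Reads kernel log text on stdin, e.g. `dmesg | top_scanners`.
top_scanners() {
  grep -F "$LOG_PREFIX" |
    sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' |
    awk '{ hits[$1]++; ports[$1] = (ports[$1] == "" ? $2 : (ports[$1] "," $2)) }
         END { for (s in hits) print hits[s], s, ports[s] }' |
    sort -rn
}

# Constructed kernel-log lines in the shape the LOG target produces.
SAMPLE_LOG='[ 1234.5678] fw-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=51 PROTO=TCP SPT=40001 DPT=1314 SYN
[ 1234.5680] fw-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=51 PROTO=TCP SPT=40002 DPT=80 SYN
[ 1235.0001] fw-drop: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 TTL=60 PROTO=TCP SPT=51000 DPT=22 SYN
[ 1236.0000] usb 1-1: new high-speed USB device'

# Usage: `sh fw.sh apply` installs the rules; anything else prints them and
# runs the summariser over the constructed sample log.
case "${1:-}" in
  apply) build_rules ;;
  *)     DRY_RUN=1 build_rules; printf '%s\n' "$SAMPLE_LOG" | top_scanners ;;
esac
```

Note that this firewall does not make an already-listening `*:1314` any less of a liability if you choose to expose it; the fix for a service that only needs local clients is to bind it to 127.0.0.1, and the firewall is the belt to that pair of braces. The ordering matters: setting the DROP policy before the ESTABLISHED rule exists will cut the SSH session you are typing into.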

## johnnymac

Okeedokee...here's my view on the whole "use my linux box versus a router for firewalling" deal.

I've been involved in security for some time and my first suggestion to almost everyone is GET A ROUTER.  Granted you can do the same thing through the use of iptables in Linux; however, you miss a few plusses.

1.  You can grow your home network easily

2.  You aren't going to "accidentally" open ports that don't need to be opened

3.  It annoys the crap out of ISPs <-- That's just fun!!

So, unless you're running an IDS on the Linux box that is acting as your firewall, you're asking for trouble.  It doesn't take much for someone to come poking along and find an open port on your Linux box that was opened by accident.  They find it...stick some sort of trojan, rootkit, whatever on there and now they've got a nice strong Linux zombie awaiting their command.

So....to end all of this mess you have.

1.  Use a router - it will just make your life a bit simpler

2.  Ask them why the HELL they are doing active port scans.

Good Luck...

----------

## jonnevers

It is entirely reasonable for the ISP to bring to your attention the possibility of you having a virus. This is probably a residential account, and as such your user agreement should stipulate that no servers should be running. If they see open ports they could easily infer that you have a virus. There are viruses that open ports to replicate themselves within a given network; it's not really all that unbelievable (despite what posts above state).

You shouldn't be pissed about the situation. Think of it as the ISP protecting you and protecting their network. My ISP once warned me because one of the Windows PCs in my network was sending out packets generated by a virus. They didn't deactivate my account but did give me a warning.

Would you rather they just let it go, then have the rest of the network be infected, then go down?

They may be making it up about viruses for Linux, especially in terms of the "current wave". But don't be naive and think that because you run Linux you are safe.

----------

## Vogateer

I have ssh and a web server running, and I received the exact same treatment from Cox.  I received the same instructions to upgrade my virus scanner, but the tech was a nice, honest guy, and admitted himself that Linux didn't usually have these type of problems, and he couldn't tell me exactly what caused my modem to be shut down by their security department.

So I don't think the issue is that it's unreasonable for them to shut your modem down when they see suspicious traffic (and I believe that's what he told me was the criteria for having the modem shut down), they're just trying to keep the network in good shape, and nobody wants to blame them for that.  The issue is that in my case, I can't figure out how to make sure I don't get any other strikes against me, since I don't know exactly what caused this problem in the first place.  I thoroughly enjoy being able to ssh into my box, and it would also be nice to provide a very simple website for my family to keep track of various information.  Must I really give those things up, even though no harm has come to anyone?  I already have a hardware router, and I have only two ports open, one for each service, and that's all that showed up on the port scan, as well.  So having a hardware router/firewall doesn't really help you in this situation if you still plan to keep a service open on your machine.

Flazz, did you ever have any problems with Cox Security shutting your modem down again, or did you just receive that one strike and never have a problem after that?

----------

