[Dshield] Is it true that Linux users do not fear Viruses and Trojans (+ some vital questions)

Patrick Andry pandry at wolverinefreight.ca
Thu Oct 10 16:20:57 GMT 2002

Firewalls ultimately will fail to stop a determined and knowledgable 
intruder.   This fact however does not negate their usage.  A 
well-configured firewall most likely would have stopped this attack. 
 The attack in itself seemed opportunistic and malicious.  It is not 
unheard of that an attacker would erase all of one's data, but it is 
increasingly rare.  

Attaching a monetary value to damages is a good idea.  Perhaps your 
provider would be more willing to help knowing that there was more than 
pride that was damaged.    Also check your terms of service with your 
ISP, specifically regarding networks and allowed use.  

After the attack, how did you go about recovering?  Did you pull the 
plug on the machine, erase everything, and reinstall?  Did you examine 
what happened and document it?  These steps are important if you are 
expecting help in tracking down the cause/culprit.  Also, knowing how 
your system was compromised would be a great help.   Due to the damage, 
I would lean towards an internet virus/worm.

The big question I have, is how did you track down the attacker?  This 
would give us more insight into exactly what happened.

I don't think that anyone on this list would disagree with timely 
backups, distributed storage, yada yada...  
I think the biggest error made in this situation was faking the network 
structure of a big company without faking the policy that goes with it. 
   Incidentally,  this was exactly how I learned my lesson.

John Groseclose wrote:

> Question: why did you not simply restore your data from your 
> backups/archives?
> More important than building a solid firewall is backing up your data 
> in intervals that make sense for the importance of the data. If you 
> can afford to lose a week's worth of work, back up once a week.
> I back up daily. Several of the systems that I work on write data to 
> optical drives as the data comes in, so that no data is ever really 
> "lost".
> 1) Firewalls can fail to stop a determined intruder.
> 2) Catching them after the damage is done may not result in anything 
> useful - can you attach a monetary value to whatever time you'd put 
> into the dissertation?
> 3) Archiving your data and keeping it safe will minimize the amount of 
> time you have to spend rebuilding everything, dependent solely on the 
> archival interval.

More information about the list mailing list