[svlug] efficient bot detection
Rick Moen
rick at linuxmafia.com
Wed Jul 18 18:52:53 PDT 2007
Quoting Rodney Crater (rodneycrater at hotmail.com):
> I ask you this question because I am aware of the tremendous amount of
> expertise individuals have on this list. What would be your
> recommendation for the most efficient bot detection and removal tool
> for either or both linux based machines and MS based machines? I see a
> flurry of loud speaking or loud writing individuals and commercial
> establishments boasting of their products but the noise is so loud it
> is difficult to establish the truth unless one asks those who have the
> best expertise.
[No advice for maintenance / recovery of MS-Windows machines is offered
herein. You might wish to try to purchase some advice on that matter
from Microsoft Corporation.]
"Removal": If a machine is root-compromised, then obviously none of the
binaries, libraries, or system configuration can be trusted: You want
in that case to yank the power immediately, remove it from production
deployment, and boot it from maintenance media to back up, study, make
your best guess about the avenue of compromise, and make any adjustments
to your security profile that seem desirable. Having done that work,
blow away the full machine contents, rebuild from trusted media,
recreate local configuration, restore data files (_only_, and don't
assume user executables or dotfiles are OK), set entirely new user
passwords, and let the users back in only after they've been talked to
about any security issues.
If the machine has not been root-compromised, then you have a
user-specific security issue that you need to work out with that user.
Note: You're far more likely to be able to reliably determine the
nature / extent of compromise (if any) and vector of attack if
you've been consistently running a file-based IDS, properly set up.
See: http://linuxgazette.net/issue98/moen.html
As a further comment, anyone who attempts to sell you a "bot detection
and removal tool" for root-compromised boxes that is anything less than
the assurance derived from yanking of the machine, study of the
compromise, backup, blowing away contents, and complete rebuild is
selling snake oil.
As an additional comment, "bots" are not a security problem, but are
rather a minor aftereffect of a more fundamental _real_ security
problem, usually entailing failure of due diligence -- followed by the
wish to buy security off the shelf in retrospect, and failing to apply
it as a matter of process.
Save your money.
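As an added illustration of the "file-based IDS, properly set up" point above (this is example code written for this archive page, not something from the original post or from the Linux Gazette article it links), here is a minimal baseline-and-compare integrity checker in Python. It records a SHA-256 digest plus mode, ownership and size for every file under a directory, so that a changed mode bit is caught as well as changed contents, and it reports added, removed and altered paths. The function and file names are this example's own choices. The one property that makes such a tool useful for the post-compromise "study" step is assumed rather than implemented here: the baseline must be written to read-only or off-host storage at install time, because a baseline kept on the same disk as the compromised binaries is worth exactly as much as they are.

```python
"""Minimal file-integrity baseline and check, in the spirit of a file-based IDS.

Added example (not from the list post). Standard library only.
Assumption: the JSON baseline produced by build_baseline() is stored on
read-only or off-host media; this code does not enforce that.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

FileRecord = Dict[str, object]


def _record(path: str) -> FileRecord:
    """Digest plus the metadata a content hash alone would miss (mode, owner)."""
    st = os.lstat(path)
    rec: FileRecord = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "type": "symlink" if stat.S_ISLNK(st.st_mode) else "file",
    }
    if stat.S_ISLNK(st.st_mode):
        # For a symlink the target string is what matters, not what it points at.
        rec["sha256"] = hashlib.sha256(os.readlink(path).encode()).hexdigest()
    else:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root: str) -> Dict[str, FileRecord]:
    """Walk `root` (not following symlinks) and record every regular file and symlink."""
    baseline: Dict[str, FileRecord] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _record(full)
    return baseline


def compare(baseline: Dict[str, FileRecord],
            current: Dict[str, FileRecord]) -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Return (added, removed, changed); `changed` maps path -> attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed: Dict[str, List[str]] = {}
    for path in set(baseline) & set(current):
        diffs = [k for k in baseline[path] if baseline[path][k] != current[path].get(k)]
        if diffs:
            changed[path] = sorted(diffs)
    return added, removed, changed


def demo() -> Tuple[List[str], List[str], Dict[str, List[str]]]:
    """Constructed scenario: take a baseline, then tamper with the tree and re-check."""
    root = tempfile.mkdtemp(prefix="ids-demo-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "a.txt"), "w") as f:
        f.write("hello\n")
    with open(os.path.join(root, "bin", "b"), "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(os.path.join(root, "bin", "b"), 0o755)
    with open(os.path.join(root, "d.txt"), "w") as f:
        f.write("gone\n")

    # Baseline round-trips through JSON, which is the form you would ship off-host.
    baseline = json.loads(json.dumps(build_baseline(root)))
    assert compare(baseline, build_baseline(root)) == ([], [], {})

    # Simulated tampering: edited contents, changed permissions, a new file, a deleted file.
    with open(os.path.join(root, "a.txt"), "w") as f:
        f.write("hello world\n")
    os.chmod(os.path.join(root, "bin", "b"), 0o700)
    with open(os.path.join(root, "new.txt"), "w") as f:
        f.write("x\n")
    os.remove(os.path.join(root, "d.txt"))
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```

Note that `compare()` is run against a baseline taken from known-good media; doing the comparison from maintenance media rather than the live system is what makes the result meaningful on a box whose own binaries (including Python) are suspect.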