Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Default ticks
Unread postPosted: Sat May 21, 2011 5:29 am 
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
Hi guys,

I'm not sure whether this is an issue or not, but it's making me slightly worried.

Recently when I open a screen with ASL my block list comes up with an entry with a whitelist and blacklist ticked.

I am worried that an undesirable will be given free path to my system.

Is there a way to disable or amend this, as what is normally happening is that offenders are going into the sin bin, so is this not creating a situation where they will be entered into the whitelist area?

Attachment: asl.jpg


Hopefully the picture makes it clear ;0)


 
 Post subject: Re: Default ticks
Unread postPosted: Sat May 21, 2011 11:18 am 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7423
Location: earth
So yes, that could in fact be a rootkit. It's definitely something you should investigate further. Thanks for the report on the whitelist/blacklist; it's just a bug in the GUI, so you can ignore it for now. I know that condition has been resolved in 3.0.


 
 Post subject: Re: Default ticks
Unread postPosted: Sat May 21, 2011 4:56 pm 
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
scott wrote:
So yes, that could in fact be a rootkit. It's definitely something you should investigate further. Thanks for the report on the whitelist/blacklist; it's just a bug in the GUI, so you can ignore it for now. I know that condition has been resolved in 3.0.



Hello Scott,

Sorry, what could be a rootkit?

Just to confirm, my ASL screen will open up on occasion with the screenshot type of thing where the ticks are visible.

As you have said, it's a GUI thing so that's cool.

When you mention rootkit, do you mean that in the context of if an IP was added to both the blacklist and whitelist?

OK, so if it's a GUI thing I don't have to worry about the ticked rules automatically being added, as I am unticking the entries as soon as I see it.

Sorry to confuse matters ;0)


EDIT: ohhhhhhhh I see where I may have confused matters. The rootkit part of the image is not part of the problem/issue, as it's a VPS and is activity from the other users. Sorry, I should have cropped the picture better to remove that from the "conversation", so to speak.


Last edited by inquis on Sat May 21, 2011 5:00 pm, edited 1 time in total.

 
 Post subject: Re: Default ticks
Unread postPosted: Sat May 21, 2011 5:00 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
Quote:
Sorry, what could be a rootkit?


The top of your screenshot shows a rootkit warning:

Process '25023' hidden from proc.

If this is a VPS, then you will see that even if the system does not have a rootkit, because the other VPS' processes are hidden from you (you might have a rootkit though; it's just not possible to tell the difference, because a VPS does not have a kernel and cannot protect itself from a kernel-level rootkit; only the host node can do that). If this is not a VPS, you may have a more serious issue.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
 Post subject: Re: Default ticks
Unread postPosted: Sat May 21, 2011 5:02 pm 
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
mikeshinn wrote:
Quote:
Sorry, what could be a rootkit?


The top of your screenshot shows a rootkit warning:

Process '25023' hidden from proc.

If this is a VPS, then you will see that even if the system does not have a rootkit, because the other VPS' processes are hidden from you. If this is not a VPS, you may have a more serious issue.


LOL I looked at the picture and was posting my reply whilst you replied a shade earlier ;)))

OK cool, no worries, I'm happy I don't have to now investigate rootkit etc - phew!


 
 Post subject: Re: Default ticks
Unread postPosted: Sat May 21, 2011 5:35 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3244
Location: Chantilly, VA
Keep in mind that if you have a VPS, that does not mean there is no rootkit. VPS nodes do not control or protect their own kernel; only the host node can do that, and the host node could be compromised. This does not mean that it is, but it also does not mean that it's not.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
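
Added example, not part of the thread and not Atomicorp's or ASL's code: one way a "hidden from proc" check can work, followed by the interpretation the two staff replies above give for VPS and non-VPS systems. The thread does not say how ASL performs the check, so the probing method, the function names, the PID range and the `is_vps` flag are all assumptions.

```python
import os

def kernel_acknowledges(pid):
    """True if signal 0 shows the PID exists (no signal is delivered)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True   # exists but belongs to another user
    return True

def visible_in_proc(pid):
    """True if /proc/<pid> can be resolved. A direct lookup is used instead of
    listing /proc so that thread IDs, which are not listed, are not flagged."""
    return os.path.isdir(f"/proc/{pid}")

def find_hidden(pids, probe=kernel_acknowledges, visible=visible_in_proc):
    """PIDs that answer the probe but have no /proc entry on two checks."""
    hidden = []
    for pid in pids:
        if probe(pid) and not visible(pid):
            # Re-check: a process that exits or starts between the two
            # calls would otherwise look hidden.
            if probe(pid) and not visible(pid):
                hidden.append(pid)
    return hidden

def verdict(hidden, is_vps):
    """Interpret the result the way the thread does. is_vps is supplied by the
    operator (assumption: this sketch does not detect virtualization)."""
    if hidden and not is_vps:
        return "investigate: possible kernel-level rootkit"
    if hidden:
        return "inconclusive: expected on a VPS, only the host node can tell"
    if is_vps:
        return "nothing hidden, but a VPS cannot vouch for the host kernel"
    return "nothing hidden"

if __name__ == "__main__":
    found = find_hidden(range(1, 32768))   # default kernel.pid_max is 32768
    for pid in found:
        print(f"Process '{pid}' hidden from proc.")
    print(verdict(found, is_vps=False))
```
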


 
 Post subject: Re: Default ticks
Unread postPosted: Mon May 23, 2011 1:02 am 
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
mikeshinn wrote:
Keep in mind that if you have a VPS, that does not mean there is no rootkit. VPS nodes do not control or protect their own kernel; only the host node can do that, and the host node could be compromised. This does not mean that it is, but it also does not mean that it's not.


Hello, all noted.

Thanks


 