
Best of Technical Support

Viruses

I would like to know what can be said about viruses in a Linux system which is installed on the same hard disk as Win95. For example, what can happen if a virus infects the MBR sector (where LILO resides) or if I mount an infected MS-DOS formatted diskette?

--
Troha Donato

Leaving out the usual statements about Unix systems being immune to standard virus attacks, this is an important point most people should consider, since many people who run Linux on personal computers (as opposed to servers) also run Win95 or some other operating system. You should be safe from a mounted floppy, but be warned that you can get some very odd effects reading such a disk, such as strange directory entries.

There are several scenarios, from boot sector infection to random potshots some viruses are known to take. Unlike the DOS file systems, which concentrate their layout information into one or two dense tables, Linux spreads these across the disk. Random potshots are much more likely to wipe out vital structures on a Linux disk than they are on a DOS disk (assuming the virus ran from a booted DOS system).

Safety first, as always. When in Unix, don't use the root user account unless you need to. Create a normal user account in which to do your work. When in DOS, scan--scan--scan.

--
Chad Robinson, BRT Technologies
Senior System Analyst
chadr@brt.com

Chances are that if your system becomes infected with a boot sector virus, LILO will no longer work. The best defense against this situation is to keep an emergency boot floppy handy. I generally create them using the command dd if=/vmlinuz of=/dev/fd0. You will want to write-protect it of course. After booting from floppy, simply re-run LILO. Assuming you have LILO configured to use the system MBR, it will overwrite the virus.

The Linux operating system itself is not very vulnerable to MS-DOS-style viruses. All of the common ones depend on being in a DOS/Windows environment. They do not know how to cope with Linux and do not function.

--
Keith Stevenson
k.stevenson@louisville.edu
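The answers above say a boot-sector infection shows up as LILO no longer working. The following is an added example, not code from the column, of how a defender can notice the change earlier: save a fingerprint of the MBR's boot code (the first 446 bytes of what `dd if=/dev/hda bs=512 count=1` returns; the device name is an assumption) on the write-protected emergency floppy, and compare the live sector against it at each boot. The partition table is left out of the fingerprint so that repartitioning does not trip the check. The sectors and the `make_sector` helper here are constructed for the demonstration.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid boot sector
BOOT_CODE_LEN = 446               # bytes 0..445 hold the boot loader; 446..509 the partition table


def read_boot_sector(device: str) -> bytes:
    """Read the first 512 bytes of a block device, e.g. /dev/hda (assumed name)."""
    with open(device, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector is 512 bytes long and ends in the 0x55AA signature."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot code only; a repartition does not change it, a new loader does."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(current: bytes, baseline_fingerprint: str) -> str:
    """Classify the live sector against the fingerprint saved on the boot floppy."""
    if not has_boot_signature(current):
        return "invalid"      # not a bootable sector at all: boot from floppy and re-run LILO
    if mbr_fingerprint(current) != baseline_fingerprint:
        return "changed"      # boot code differs from the saved LILO image
    return "ok"


def make_sector(boot_code: bytes) -> bytes:
    """Constructed 512-byte sector: boot code padded to 446 bytes, empty partition table, signature."""
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE


# Constructed stand-ins for a real dd dump; BASELINE is what you would store on the floppy.
CLEAN = make_sector(b"constructed LILO stage-1 bytes")
TAMPERED = make_sector(b"constructed foreign boot code")
BASELINE = mbr_fingerprint(CLEAN)

if __name__ == "__main__":
    print(check_mbr(CLEAN, BASELINE))          # ok
    print(check_mbr(TAMPERED, BASELINE))       # changed
    print(check_mbr(b"\x00" * 10, BASELINE))   # invalid
```

On a real machine, `check_mbr(read_boot_sector("/dev/hda"), saved_fingerprint)` run from a boot script gives the verdict; a "changed" result is the cue to boot from the write-protected floppy and re-run LILO as described above.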

Memory Allocation

I have been working with the Linux system for almost two years. My problem is memory allocation. The kernel (2.xx) does not reclaim memory after things such as X sessions are performed. I am constantly rebooting the machine (shutdown -r now) in order to gain sufficient memory for multiple operations. Is there an executable that can be run which will free all possible memory that current kernel processes are not using?

If the answer is no, then how can one use Linux as an httpd server that takes a lot of hits per day? The system would almost always be short of memory to be able to quickly service multiple httpd servers and other processes. In short, I am somewhat disappointed in the way Linux handles memory reclamation. Is it that the X Server and applications are simply ``poorly written'' and do not free memory upon exit?

--
George R. Boyko

There are no memory leakages in Linux 2.0; there may be some in the 2.1 kernel series, but those versions are only beta-releases aimed specifically at developers. It's true, on the other hand, that the amount of free memory reported by a running Linux system is always tiny. This is a feature rather than a bug; free memory is just wasted, and Linux tries to avoid any waste by keeping disk buffers and page caches in an otherwise waste-free memory.

It's the kernel which releases any process resources upon exit. You don't want your students to lock memory by not calling free, do you? As a matter of fact, many one-shot programs are ``poorly written'' and rely on the system to close files and release memory.

--
Alessandro Rubini
rubini@linux.it

Memory management is one of the things I really like about Linux. I find it to be much more efficient than a certain popular commercial OS.

I have several Linux systems, all with 64MB of installed RAM. I use xosview to monitor things like CPU activity and memory utilization. These machines function as ftp servers, web servers and multi-user workstations. According to xosview, the memory utilization is consistently above 90% even when the machine is lightly loaded. This isn't a problem. It simply means that there is a lot of stuff cached in memory. The real indicator of whether or not you have enough RAM in your system is swap space utilization. This can be monitored with xosview or with the command vmstat. If you are swapping to disk often, you probably need to add more RAM to the system. If not, then things are probably okay. My 64MB systems almost never swap out to disk, and they have excellent response time despite the fact that 90% or more of their RAM is marked as being ``in use''.

--
Keith Stevenson
k.stevenson@louisville.edu
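Both answers make the same point: the "used" figure includes buffers and page cache, and swap usage is the number that tells you whether RAM is short. As an added example (not from the column), the script below reads the `Key: value kB` lines of /proc/meminfo, separates reclaimable cache from the headline "used" percentage, and gives the same verdict Keith describes from swap usage. The two meminfo samples are constructed for a 64MB machine; the 20% swap threshold is an assumption.

```python
import re

MEMINFO_LINE = re.compile(r"^(\w+):\s+(\d+)\s*kB", re.MULTILINE)


def parse_meminfo(text: str) -> dict:
    """Turn `MemTotal: 65536 kB`-style lines into a dict of kilobyte values."""
    return {key: int(value) for key, value in MEMINFO_LINE.findall(text)}


def memory_summary(info: dict) -> dict:
    """Headline 'used' figure versus what is actually available once cache is counted."""
    total = info["MemTotal"]
    free = info["MemFree"]
    cache = info.get("Buffers", 0) + info.get("Cached", 0)   # reclaimable, not wasted
    swap_total = info.get("SwapTotal", 0)
    swap_used = swap_total - info.get("SwapFree", 0)
    return {
        "used_pct": round(100 * (total - free) / total, 1),        # what a monitor like xosview shows
        "available_pct": round(100 * (free + cache) / total, 1),   # free plus cache the kernel can drop
        "swap_used_pct": round(100 * swap_used / swap_total, 1) if swap_total else 0.0,
    }


def ram_verdict(summary: dict, swap_threshold_pct: float = 20.0) -> str:
    """The real indicator: sustained swap use means the box needs more RAM."""
    return "add RAM" if summary["swap_used_pct"] > swap_threshold_pct else "ok"


def read_live() -> dict:
    """Summary for the running machine (needs a kernel that writes Key: value kB lines)."""
    with open("/proc/meminfo") as f:
        return memory_summary(parse_meminfo(f.read()))


# Constructed sample 1: 64MB box, 95% "used" but almost all of it is cache, no swap in use.
HEALTHY = """MemTotal:    65536 kB
MemFree:      3072 kB
Buffers:     12288 kB
Cached:      40960 kB
SwapTotal:  131072 kB
SwapFree:   131072 kB
"""

# Constructed sample 2: same box, cache squeezed out and half the swap partition in use.
STARVED = """MemTotal:    65536 kB
MemFree:      1024 kB
Buffers:      1024 kB
Cached:       3072 kB
SwapTotal:  131072 kB
SwapFree:    65536 kB
"""

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("starved", STARVED)):
        s = memory_summary(parse_meminfo(text))
        print(name, s, ram_verdict(s))
```

Run `read_live()` on a real system to see the gap between the "used" percentage and the available one; it is that gap, not the used figure, that makes a 90%-busy 64MB machine perfectly fine.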

Geometry Mismatch Error

I am having a problem with LILO. It hangs after the letters ``LI''. I read the MINI-HOWTO, and it says that the first boot loader was able to load the second boot loader but has failed to execute it. Then it goes on to say that the cause is a ``geometry mismatch''. Any suggestions?

--
Jim Mendoza
Red Hat 4.2

LILO loads its second-stage loader and then the kernel by accessing disk blocks based on their disk location (CHS: Cylinder, Head, Sector). A ``geometry mismatch'' is what happens when LILO's map uses CHS values that are not those used by the BIOS; this happens with modern BIOSes that play dirty games with disk geometry to overcome a limitation built into Microsoft programs. Add a ``disk ='' section to your /etc/lilo.conf to specify disk geometry as Linux sees it.

--
Alessandro Rubini
rubini@linux.it

Undetected Modem

Linux does not detect my modem at com4 (/dev/cua3, address 0x02e8) which works fine in Win95. Each time I reboot the system, it automatically detects only serial port number 1 (/dev/cua0, at 0x03f8) and port number 2 (/dev/cua1, at 0x02f8). My modem is internal, non-plug-and-play, 33.6Kbps and manufactured by PC tel.

--
Jianzhong Ding
Red Hat 4.2

Use setserial to tell the serial driver about the location of your ports. ``Plug-and-play'' is an ugly specification, and most of the time it creates problems. To look for your PnP devices and configure them, run the isapnp package.

--
Alessandro Rubini
rubini@linux.it

Sendmail Pause

During startup, there is a long pause while sendmail starts. I can only assume that a request is timing out while trying to contact something on the network (the network, of course, isn't up yet).

Is there a way to shorten the time-out period for sendmail or otherwise correct the situation?

--
David Moulton
Red Hat 4.0

This may be a problem with your machine name in the /etc/hosts file. Recent versions of sendmail need your name to be a FQDN (including a domain name):

192.168.1.1 foo foo.bar.com

If your name is not fully qualified, sendmail will sleep for about one minute.

--
Pierre Ficheux, Lectra Systèmes
pierre@rd.lectra.fr

The pause is most likely a name server lookup that is timing out. Have a look in your maillog (probably /var/log/maillog) and search for lines that look like these two:

Dec 21 18:33:46 keiko sendmail[4547]: gethostbyaddr() failed for 192.168.0.1
Dec 21 18:33:47 keiko sendmail[4553]: starting daemon (8.8.5): SMTP+queueing@00:05:00

What's happening is sendmail is trying to resolve the IP address of the machine it's running on. Name server calls take a relatively long time to time out, thus the delay you are experiencing. The quick solution is to add an entry for this IP address into /etc/hosts or into your name server configuration. sendmail starts very quickly after you have done this.

--
Keith Stevenson
k.stevenson@louisville.edu
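The two answers above fit together: the maillog names the address whose reverse lookup is timing out, and /etc/hosts must give that address a fully qualified name. As an added example (not from the column), the script below pulls the failed addresses out of sendmail's `gethostbyaddr() failed for` lines and reports whether /etc/hosts lists a name with a dot in it for each one. The log text reuses the two lines quoted above; the hosts files and the `keiko.example.com` name are constructed.

```python
import re

# Matches the line sendmail 8.8 writes when the reverse lookup of its own address fails.
GETHOSTBYADDR_FAIL = re.compile(
    r"sendmail\[\d+\]:\s+gethostbyaddr\(\) failed for (\d+\.\d+\.\d+\.\d+)"
)


def lookup_failures(maillog: str) -> list:
    """Addresses sendmail could not reverse-resolve, in log order, without duplicates."""
    failed = []
    for match in GETHOSTBYADDR_FAIL.finditer(maillog):
        addr = match.group(1)
        if addr not in failed:
            failed.append(addr)
    return failed


def parse_hosts(text: str) -> dict:
    """Map each address in an /etc/hosts file to its names, skipping comments and blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        table.setdefault(addr, []).extend(names)
    return table


def fqdn_for(hosts: dict, addr: str):
    """First fully qualified name (one containing a dot) listed for addr, or None."""
    for name in hosts.get(addr, []):
        if "." in name:
            return name
    return None


def diagnose(maillog: str, hosts_text: str) -> dict:
    """For every address that failed reverse lookup, the FQDN /etc/hosts gives it (None = fix needed)."""
    hosts = parse_hosts(hosts_text)
    return {addr: fqdn_for(hosts, addr) for addr in lookup_failures(maillog)}


# The two log lines quoted in the answer above.
MAILLOG = """Dec 21 18:33:46 keiko sendmail[4547]: gethostbyaddr() failed for 192.168.0.1
Dec 21 18:33:47 keiko sendmail[4553]: starting daemon (8.8.5): SMTP+queueing@00:05:00
"""

# Constructed hosts files: the first only has the short name, the second adds a FQDN.
HOSTS_SHORT_ONLY = "127.0.0.1 localhost\n192.168.0.1 keiko\n"
HOSTS_FIXED = "127.0.0.1 localhost\n192.168.0.1 keiko keiko.example.com   # constructed domain\n"

if __name__ == "__main__":
    print(diagnose(MAILLOG, HOSTS_SHORT_ONLY))   # {'192.168.0.1': None}
    print(diagnose(MAILLOG, HOSTS_FIXED))        # {'192.168.0.1': 'keiko.example.com'}
```

On a real system, feed it the contents of /var/log/maillog and /etc/hosts; every address that comes back as None is one that needs a `192.168.1.1 foo foo.bar.com`-style entry before sendmail will start without the one-minute sleep.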