[CLUE-Tech] root kit checker
Mike Staver
staver at fimble.com
Thu May 6 11:53:56 MDT 2004
Yeah, it turns out it was apache that was spewing all that traffic at
that one ip. I ran chkrootkit version 0.43 after stopping it, and it
didn't detect any other kits - I was running a manually compiled 1.3.27
version of apache on a RH9 box, so I was asking for it. I'll recompile
a new version of apache and blow away the old one for now. Thanks again
for the info everybody.
Dan Harris wrote:
> Mike Staver wrote:
>
>> Hello everybody - I need help trying to determine what's going on with
>> a linux box of mine. I have ntop running, and it's showing that this
>> box is sending about 10 megs of tcp traffic an hour to an ip:
>>
>> 65.54.164.101
>>
>
> It's quite possible that the rootkit has overwritten all the important
> binaries on the box and that the infected system is sending data out on
> a common port so you might not see any "oddball" ports open at all. A
> common thing would be xdcc, used for "warez" distributors.
>
> One thing to check before reinstalling the system, which I almost always
> recommend, is to try 'netstat -tap'. This will show all the ports that
> are listening and which pid is bound to that port. I've seen rootkits
> that overwrote netstat but overwrote with a version of netstat that
> didn't support the 'p' flag. This was a clue that it had been
> compromised. If it does still support it, maybe you can tell which
> processes are listening, kill each pid one by one until your traffic
> dies off and investigate further.
>
> -Dan
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
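Dan's advice above is to run netstat -tap and to treat a netstat that has lost its -p support as a compromise indicator. The script below is an added example (not from the original thread): it reads the same listener/PID information straight from /proc/net/tcp and /proc/<pid>/fd, so a trojaned netstat binary cannot hide or alter the result. It assumes a Linux /proc layout and Python 3; the /proc/net/tcp sample is constructed, reusing only the remote address Mike reported.

```python
import glob
import os

# Constructed sample of /proc/net/tcp output (not taken from the original thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0500000A:0050 65A43641:1A2B 01 00000000:00000000 00:00000000 00000000    48        0 12347 1 0000000000000000 20 4 30 10 -1
"""
STATE_LISTEN = "0A"  # kernel TCP state code; 01 is ESTABLISHED

def decode_addr(field):
    """Turn 'ADDR:PORT' (hex, IPv4 address in little-endian order) into ('a.b.c.d', port)."""
    ip_hex, port_hex = field.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]  # kernel writes the address in host byte order
    return ".".join(str(o) for o in octets), int(port_hex, 16)

def parse_tcp_table(text):
    """Parse /proc/net/tcp text into dicts: local, remote, state, socket inode."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        rows.append({"local": decode_addr(cols[1]), "remote": decode_addr(cols[2]),
                     "state": cols[3], "inode": int(cols[9])})
    return rows

def listening_sockets(text):
    """The LISTEN part of 'netstat -tap': (ip, port, inode) per listening socket."""
    return [(r["local"][0], r["local"][1], r["inode"])
            for r in parse_tcp_table(text) if r["state"] == STATE_LISTEN]

def inode_to_pid(inode, proc_root="/proc"):
    """Map a socket inode to the owning PID via /proc/<pid>/fd symlinks (what -p does)."""
    target = "socket:[%d]" % inode
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                return int(fd.split(os.sep)[-3])
        except OSError:  # process went away or fd not readable
            continue
    return None

if __name__ == "__main__":  # run on a live Linux box and compare with netstat -tap
    with open("/proc/net/tcp") as f:
        for ip, port, inode in listening_sockets(f.read()):
            print("%s:%d pid=%s" % (ip, port, inode_to_pid(inode)))
```

A kernel-level rootkit can filter /proc itself, so a match between this output and netstat only rules out a replaced userland binary; a mismatch is the clue Dan describes.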