[CLUE-Tech] root kit checker
David Anselmi
anselmi at anselmi.us
Thu May 6 12:18:41 MDT 2004
Mike Staver wrote:
> Yeah, it turns out it was apache that was spewing all that traffic at
> that one ip. I ran chkrootkit version 0.43 after stopping it, and it
> didn't detect any other kits - I was running a manually compiled 1.3.27
> version of apache on a RH9 box, so I was asking for it.
So was there a rootkit or not? The apache security list
(http://www.apacheweek.com/features/security-13) doesn't say anything
about any remote exploits against 1.3.27.
Regardless, you might consider using a RH package so that upgrades are
easier -- if patching isn't easy you won't do it until it is too late.
[...]
> Dan Harris wrote:
>> Mike Staver wrote:
>>
>>> Hello everybody - I need help trying to determine what's going on
>>> with a linux box of mine. I have ntop running, and it's showing that
>>> this box is sending about 10 megs of tcp traffic an hour to an ip:
>>>
>>> 65.54.164.101
You never said what port this traffic was coming from. Presumably it
was coming from 80 and was going to 33839 and similar. Do your apache
logs show http requests/replies that match the traffic? So maybe MSN is
just indexing your site?
You can capture the traffic with tcpdump and look at it in ethereal, if
it's too much trouble to put ethereal on the box in question. You can
also look at as much detail as you want in tcpdump but that's harder to
read. I think you'll find regular http traffic.
Dave
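As an added example that is not part of this thread or anyone's post in it, here is a small POSIX shell script that performs the log-side check suggested above: it sums the response bytes Apache logged per client IP and lists the user agents seen from the IP in question, so the numbers can be compared with what ntop reports for that host. The access-log lines are constructed for the example (Combined Log Format, with a crawler-style user agent), and the tcpdump command in the comment assumes the capture interface is eth0.

```shell
#!/bin/sh
# Example code (not from the thread): correlate per-host byte counts seen in
# ntop with Apache's access log. Combined Log Format puts the response size in
# field 10 and the user agent in the sixth double-quoted segment.
#
# To capture only the flows in question for later inspection in ethereal
# (interface name is an assumption):
#   tcpdump -n -i eth0 -w suspect.pcap host 65.54.164.101 and port 80

# Write a constructed sample access log and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
65.54.164.101 - - [06/May/2004:10:01:12 -0600] "GET / HTTP/1.0" 200 5120 "-" "examplebot/1.0 (+http://crawler.example.invalid/bot.html)"
65.54.164.101 - - [06/May/2004:10:01:15 -0600] "GET /docs/index.html HTTP/1.0" 200 20480 "-" "examplebot/1.0 (+http://crawler.example.invalid/bot.html)"
192.0.2.10 - - [06/May/2004:10:02:01 -0600] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
65.54.164.101 - - [06/May/2004:10:03:44 -0600] "GET /big.tar.gz HTTP/1.0" 200 1048576 "-" "examplebot/1.0 (+http://crawler.example.invalid/bot.html)"
EOF
    printf '%s\n' "$f"
}

# Total response bytes per client IP, largest first. Usage: bytes_by_client LOG
bytes_by_client() {
    awk '$10 ~ /^[0-9]+$/ { b[$1] += $10 }
         END { for (ip in b) printf "%s %d\n", ip, b[ip] }' "$1" | sort -k2 -n -r
}

# Response bytes sent to one client (0 when it never appears).
# Usage: bytes_to_client LOG IP
bytes_to_client() {
    awk -v ip="$2" '$1 == ip && $10 ~ /^[0-9]+$/ { s += $10 }
                    END { printf "%d\n", s + 0 }' "$1"
}

# Distinct user-agent strings logged for one client, to tell an indexing
# crawler from something that warrants a closer look. Usage: agents_for_client LOG IP
agents_for_client() {
    awk -v ip="$2" -F'"' 'index($0, ip " ") == 1 { print $6 }' "$1" | sort -u
}

# Stand-alone run: report on the IP quoted in the thread.
if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    echo "Bytes per client:"
    bytes_by_client "$log"
    echo "User agents for 65.54.164.101:"
    agents_for_client "$log" 65.54.164.101
    rm -f "$log"
fi
```

Run it with `sh script.sh --demo`, or point `bytes_by_client` at the real log (`/var/log/httpd/access_log` on RH9) and compare the per-hour figure for the host with ntop's 10 MB. A crawler fetching large static files will show up as ordinary 200 responses with a crawler user agent; traffic that appears in tcpdump but has no matching log entries is the case worth investigating further.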