[CLUE-Tech] root kit checker

Mike Staver staver at fimble.com
Thu May 6 15:42:18 MDT 2004


No, there was not a rootkit found using the checker.  I did recompile 
apache with the latest anyhow.  Oh, and some people have asked why I 
don't use the latest red hat rpm - it's because I'm running RH9 on this 
box and I can't use apache2 for my purposes - I must have 1.3 for some 
modules.  Anyhoo, it turns out after much digging through my logs - MSN 
sucks.  When apache is turned on, there is a constant stream of traffic 
from that ip because it's apparently caught in some type of a loop when 
trying to index a phpbb based forum I'm hosting for someone.  Some 
dynamic url creation is used for this picture slide show they are 
running, and msn keeps trying to index it and appears to be looped, it's 
been doing this for 2 days now.  I have this in the robots.txt file:

User-agent: *
Disallow: /

And it still won't stop.  I wish I had a phone number for somebody at 
MSN so I could yell at somebody about this.  I have tried to block them 
on my firewall, I have put their ip in hosts.deny, and I can't prevent 
it from sucking up bandwidth.

David Anselmi wrote:

> Mike Staver wrote:
> 
>> Yeah, it turns out it was apache that was spewing all that traffic at 
>> that one ip.  I ran chkrootkit version 0.43 after stopping it, and it 
>> didn't detect any other kits - I was running a manually compiled 
>> 1.3.27 version of apache on a RH9 box, so I was asking for it.
> 
> 
> So was there a rootkit or not?  The apache security list 
> (http://www.apacheweek.com/features/security-13) doesn't say anything 
> about any remote exploits against 1.3.27.
> 
> Regardless, you might consider using a RH package so that upgrades are 
> easier -- if patching isn't easy you won't do it until it is too late.
> 
> [...]
> 
>> Dan Harris wrote:
>>
>>> Mike Staver wrote:
>>>
>>>> Hello everybody - I need help trying to determine what's going on 
>>>> with a linux box of mine.  I have ntop running, and it's showing 
>>>> that this box is sending about 10 megs of tcp traffic an hour to an ip:
>>>>
>>>> 65.54.164.101
> 
> 
> You never said what port this traffic was coming from.  Presumably it 
> was coming from 80 and was going to 33839 and similar.  Do your apache 
> logs show http requests/replies that match the traffic?  So maybe MSN is 
> just indexing your site?
> 
> You can capture the traffic with tcpdump and look at it in ethereal, if 
> it's too much trouble to put ethereal on the box in question.  You can 
> also look at as much detail as you want in tcpdump but that's harder to 
> read.  I think you'll find regular http traffic.
> 
> Dave
> 
> 
> _______________________________________________
> CLUE-Tech mailing list
> Post messages to: CLUE-Tech at clue.denver.co.us
> Unsubscribe or manage your options: 
> http://clue.denver.co.us/mailman/listinfo/clue-tech

-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
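As an added example (not code from Mike's post or from the list), the following Python script does the log check Dave suggests and the kind of digging Mike describes: it parses Apache Common Log Format lines, totals requests and bytes per client, and flags a client that has already fetched robots.txt yet keeps pulling dynamically generated URLs, which is what a crawler stuck in a loop and ignoring a blanket Disallow looks like. robots.txt is purely advisory, and hosts.deny only governs services linked against TCP wrappers (a stock Apache is not), so the script also emits an Apache 1.3 mod_access block, which Apache enforces itself. The log lines are constructed samples; 65.54.164.101 is the address named in the thread, 192.0.2.10 is a documentation-range address standing in for an ordinary visitor, and the thresholds in `suspected_loops` are assumptions to tune against real logs.

```python
import re
from collections import defaultdict

# Constructed sample access log lines in Apache Common Log Format (not taken from
# the original post). 65.54.164.101 is the address named in the thread; 192.0.2.10
# is a documentation-range address standing in for an ordinary visitor.
SAMPLE_LOG = """\
65.54.164.101 - - [06/May/2004:10:00:01 -0600] "GET /robots.txt HTTP/1.0" 200 26
65.54.164.101 - - [06/May/2004:10:00:02 -0600] "GET /forum/album.php?pic=1&page=1 HTTP/1.0" 200 5120
65.54.164.101 - - [06/May/2004:10:00:03 -0600] "GET /forum/album.php?pic=1&page=2 HTTP/1.0" 200 5120
65.54.164.101 - - [06/May/2004:10:00:04 -0600] "GET /forum/album.php?pic=1&page=3 HTTP/1.0" 200 5120
65.54.164.101 - - [06/May/2004:10:00:05 -0600] "GET /forum/album.php?pic=1&page=4 HTTP/1.0" 200 5120
192.0.2.10 - - [06/May/2004:10:00:06 -0600] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [06/May/2004:10:00:07 -0600] "GET /forum/index.php HTTP/1.1" 200 2048
"""

# One CLF line: client, ident, user, [timestamp], "request", status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
        entries.append(entry)
    return entries


def per_client_stats(entries):
    """Aggregate requests, bytes served, robots.txt fetches and dynamic-URL hits per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0,
                                 "fetched_robots": False, "dynamic": 0})
    for e in entries:
        s = stats[e["ip"]]
        s["requests"] += 1
        s["bytes"] += e["bytes"]
        if e["path"] == "/robots.txt":
            s["fetched_robots"] = True
        if "?" in e["path"]:          # query string => dynamically generated page
            s["dynamic"] += 1
    return dict(stats)


def suspected_loops(entries, min_requests=4, dynamic_ratio=0.75):
    """Return (ip, stats) for clients that keep hitting dynamic URLs after fetching a
    robots.txt that disallows everything. Thresholds are assumed values; tune them."""
    flagged = []
    for ip, s in sorted(per_client_stats(entries).items()):
        if (s["requests"] >= min_requests
                and s["dynamic"] / s["requests"] >= dynamic_ratio
                and s["fetched_robots"]):
            flagged.append((ip, s))
    return flagged


def deny_snippet(ips, location="/"):
    """Apache 1.3 mod_access block denying the given clients. Unlike hosts.deny
    (honoured only by programs linked against TCP wrappers), Apache enforces this itself."""
    lines = [f"<Location {location}>", "    Order allow,deny", "    Allow from all"]
    lines += [f"    Deny from {ip}" for ip in ips]
    lines.append("</Location>")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, s in suspected_loops(entries):
        print(f"{ip}: {s['requests']} requests, {s['bytes']} bytes, "
              f"{s['dynamic']} dynamic hits, robots.txt fetched={s['fetched_robots']}")
    print(deny_snippet([ip for ip, _ in suspected_loops(entries)]))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; a client that is flagged here while robots.txt already says `Disallow: /` is not going to be stopped by robots.txt, so the Deny block (or a firewall DROP on the address, which keeps Apache from ever sending the responses) is the effective control.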


