[CLUE-Tech] root kit checker
Mike Staver
staver at fimble.com
Thu May 6 15:42:18 MDT 2004
No, there was not a rootkit found using the checker. I did recompile
apache with the latest anyhow. Oh, and some people have asked why I
don't use the latest red hat rpm - it's because I'm running RH9 on this
box and I can't use apache2 for my purposes - I must have 1.3 for some
modules. Anyhoo, it turns out after much digging through my logs - MSN
sucks. When apache is turned on, there is a constant stream of traffic
from that ip because it's apparently caught in some type of a loop when
trying to index a phpbb based forum I'm hosting for someone. Some
dynamic url creation is used for this picture slide show they are
running, and msn keeps trying to index it and appears to be looped, it's
been doing this for 2 days now. I have this in the robots.txt file:
User-agent: *
Disallow: /
And it still won't stop. I wish I had a phone number for somebody at
MSN so I could yell at somebody about this. I have tried to block them
on my firewall, I have put their ip in hosts.deny, and I can't prevent
it from sucking up bandwidth.
David Anselmi wrote:
> Mike Staver wrote:
>
>> Yeah, it turns out it was apache that was spewing all that traffic at
>> that one ip. I ran chkrootkit version 0.43 after stopping it, and it
>> didn't detect any other kits - I was running a manually compiled
>> 1.3.27 version of apache on a RH9 box, so I was asking for it.
>
>
> So was there a rootkit or not? The apache security list
> (http://www.apacheweek.com/features/security-13) doesn't say anything
> about any remote exploits against 1.3.27.
>
> Regardless, you might consider using a RH package so that upgrades are
> easier -- if patching isn't easy you won't do it until it is too late.
>
> [...]
>
>> Dan Harris wrote:
>>
>>> Mike Staver wrote:
>>>
>>>> Hello everybody - I need help trying to determine what's going on
>>>> with a linux box of mine. I have ntop running, and it's showing
>>>> that this box is sending about 10 megs of tcp traffic an hour to an ip:
>>>>
>>>> 65.54.164.101
>
>
> You never said what port this traffic was coming from. Presumably it
> was coming from 80 and was going to 33839 and similar. Do your apache
> logs show http requests/replies that match the traffic? So maybe MSN is
> just indexing your site?
>
> You can capture the traffic with tcpdump and look at it in ethereal, if
> it's too much trouble to put ethereal on the box in question. You can
> also look at as much detail as you want in tcpdump but that's harder to
> read. I think you'll find regular http traffic.
>
> Dave
>
>
> _______________________________________________
> CLUE-Tech mailing list
> Post messages to: CLUE-Tech at clue.denver.co.us
> Unsubscribe or manage your options:
> http://clue.denver.co.us/mailman/listinfo/clue-tech
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
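One way to confirm the "crawler stuck in a loop" diagnosis from the Apache access log rather than from ntop, added here as an example and not part of the original thread: it parses combined-format log lines (the sample lines, the documentation-range IPs and the user-agent string are constructed) and flags any client that keeps requesting one script path with a stream of different query strings.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format; the lines in SAMPLE below are constructed, not from the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def crawler_loops(lines, min_hits=3):
    """Per client IP, find the path requested with the most distinct query strings and
    report IPs with >= min_hits of them: the 'dynamic URL' loop a crawler shows on a gallery script."""
    per_ip = defaultdict(lambda: {"hits": 0, "bytes": 0, "paths": defaultdict(set), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["url"])
        st = per_ip[rec["ip"]]
        st["hits"] += 1
        st["bytes"] += rec["bytes"]
        st["paths"][url.path].add(url.query)
        st["agents"].add(rec["agent"])
    report = {}
    for ip, st in per_ip.items():
        path, queries = max(st["paths"].items(), key=lambda kv: len(kv[1]))
        if len(queries) >= min_hits:
            report[ip] = {"hits": st["hits"], "bytes": st["bytes"], "path": path,
                          "distinct_queries": len(queries), "agents": sorted(st["agents"])}
    return report

# Constructed sample: one crawler walking a picture script, one ordinary visitor.
SAMPLE = [
    '203.0.113.10 - - [06/May/2004:10:00:00 -0600] "GET /robots.txt HTTP/1.0" 200 30 "-" "examplebot/1.0 (constructed)"',
] + [
    f'203.0.113.10 - - [06/May/2004:10:00:0{i} -0600] "GET /forum/album.php?pic={i} HTTP/1.0" 200 512 "-" "examplebot/1.0 (constructed)"'
    for i in range(1, 5)
] + [
    '198.51.100.7 - - [06/May/2004:10:00:05 -0600] "GET /forum/index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (constructed)"',
    '198.51.100.7 - - [06/May/2004:10:00:09 -0600] "GET /robots.txt HTTP/1.1" 304 - "-" "Mozilla/4.0 (constructed)"',
]
```

Run `crawler_loops(SAMPLE)` (or feed it `open("access_log")`) and the report names the looping client, the path it is stuck on and the bytes it has pulled, which is the evidence to act on at the web server rather than in hosts.deny.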