[CLUE-Tech] root kit checker
Mike Staver
staver at fimble.com
Thu May 6 16:06:36 MDT 2004
This isn't even working in apache:
Deny from 65.54.164.101
Deny from msnbot64101.search.msn.com
I can't figure out how. In my Cisco access list I'm blocking
65.54.164.101, and I have the IP in hosts.deny, and I have Apache
configured to deny it... it's still happening. I hate MSN.
Mike Staver wrote:
> No, there was not a rootkit found using the checker. I did recompile
> apache with the latest anyhow. Oh, and some people have asked why I
> don't use the latest red hat rpm - it's because I'm running RH9 on this
> box and I can't use apache2 for my purposes - I must have 1.3 for some
> modules. Anyhoo, it turns out after much digging through my logs - MSN
> sucks. When apache is turned on, there is a constant stream of traffic
> from that ip because it's apparently caught in some type of a loop when
> trying to index a phpbb based forum I'm hosting for someone. Some
> dynamic url creation is used for this picture slide show they are
> running, and msn keeps trying to index it and appears to be looped, it's
> been doing this for 2 days now. I have this in the robots.txt file:
>
> User-agent: *
> Disallow: /
>
> And it still won't stop. I wish I had a phone number for somebody at
> MSN so I could yell at somebody about this. I have tried to block them
> on my firewall, I have put their ip in hosts.deny, and I can't prevent
> it from sucking up bandwidth.
>
> David Anselmi wrote:
>
>> Mike Staver wrote:
>>
>>> Yeah, it turns out it was apache that was spewing all that traffic at
>>> that one ip. I ran chkrootkit version 0.43 after stopping it, and it
>>> didn't detect any other kits - I was running a manually compiled
>>> 1.3.27 version of apache on a RH9 box, so I was asking for it.
>>
>> So was there a rootkit or not? The apache security list
>> (http://www.apacheweek.com/features/security-13) doesn't say anything
>> about any remote exploits against 1.3.27.
>>
>> Regardless, you might consider using a RH package so that upgrades are
>> easier -- if patching isn't easy you won't do it until it is too late.
>>
>> [...]
>>
>>> Dan Harris wrote:
>>>
>>>> Mike Staver wrote:
>>>>
>>>>> Hello everybody - I need help trying to determine what's going on
>>>>> with a linux box of mine. I have ntop running, and it's showing
>>>>> that this box is sending about 10 megs of tcp traffic an hour to an
>>>>> ip:
>>>>>
>>>>> 65.54.164.101
>>
>> You never said what port this traffic was coming from. Presumably it
>> was coming from 80 and was going to 33839 and similar. Do your apache
>> logs show http requests/replies that match the traffic? So maybe MSN
>> is just indexing your site?
>>
>> You can capture the traffic with tcpdump and look at it in ethereal,
>> if it's too much trouble to put ethereal on the box in question. You
>> can also look at as much detail as you want in tcpdump but that's
>> harder to read. I think you'll find regular http traffic.
>>
>> Dave
>>
>>
>> _______________________________________________
>> CLUE-Tech mailing list
>> Post messages to: CLUE-Tech at clue.denver.co.us
>> Unsubscribe or manage your options:
>> http://clue.denver.co.us/mailman/listinfo/clue-tech
>
>
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
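Dave's question in the thread (do the Apache logs show HTTP requests that match the traffic ntop sees?) and Mike's suspicion that the crawler is looping over dynamically generated forum URLs can both be answered from the access log. The script below is an added example for this thread, not code from the list, from Apache or from MSN. It assumes the "combined" LogFormat, uses the 65.54.164.101 address from the thread, and otherwise runs on constructed sample lines (the user-agent strings, the 192.0.2.10 client and the thresholds are made up). It counts hits and bytes per client and flags clients that fetch the same script over and over with ever-changing query strings, which is what a crawler stuck on a slide-show's generated links looks like.

```python
"""Summarize an Apache access log per client and flag crawler loops.

Added example for the clue-tech thread; not code from the list or from Apache.
The log lines are constructed samples in the "combined" LogFormat; only the
65.54.164.101 address comes from the thread.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (user agents and the 192.0.2.10 client are made up).
SAMPLE_LOG = """\
65.54.164.101 - - [06/May/2004:15:01:02 -0600] "GET /forum/album.php?pic=1&sid=a1 HTTP/1.0" 200 5120 "-" "msnbot/0.x (constructed UA)"
65.54.164.101 - - [06/May/2004:15:01:03 -0600] "GET /forum/album.php?pic=2&sid=a2 HTTP/1.0" 200 5120 "-" "msnbot/0.x (constructed UA)"
65.54.164.101 - - [06/May/2004:15:01:04 -0600] "GET /forum/album.php?pic=3&sid=a3 HTTP/1.0" 200 5120 "-" "msnbot/0.x (constructed UA)"
65.54.164.101 - - [06/May/2004:15:01:05 -0600] "GET /forum/album.php?pic=1&sid=a4 HTTP/1.0" 200 5120 "-" "msnbot/0.x (constructed UA)"
65.54.164.101 - - [06/May/2004:15:01:06 -0600] "GET /forum/album.php?pic=2&sid=a5 HTTP/1.0" 200 5120 "-" "msnbot/0.x (constructed UA)"
65.54.164.101 - - [06/May/2004:15:01:07 -0600] "GET /forum/viewtopic.php?t=7&sid=a6 HTTP/1.0" 200 2048 "-" "msnbot/0.x (constructed UA)"
192.0.2.10 - - [06/May/2004:15:02:00 -0600] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed UA)"
192.0.2.10 - - [06/May/2004:15:02:01 -0600] "GET /forum/index.php HTTP/1.1" 200 3072 "http://example.com/index.html" "Mozilla/5.0 (constructed UA)"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unknown format: skip rather than guess
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per-client counters: hits, bytes sent, user agents, and query variants per path."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats.setdefault(rec["ip"], {"hits": 0, "bytes": 0,
                                         "agents": set(), "variants": defaultdict(set)})
        s["hits"] += 1
        s["bytes"] += rec["bytes"]
        s["agents"].add(rec["ua"])
        parts = urlsplit(rec["url"])
        # Same path with a different query string is one more "variant" of that path.
        s["variants"][parts.path].add(parts.query)
    return stats


def flag_loops(stats, min_hits=5, min_variants=3):
    """Flag clients that hit one path many times with many distinct query strings.

    Thresholds are arbitrary for the sample; tune them against a real day of logs.
    A reader browsing many different pages does not trip this, a crawler chasing
    generated sid=/pic= links does.
    """
    flagged = {}
    for ip, s in stats.items():
        path, queries = max(s["variants"].items(), key=lambda kv: len(kv[1]))
        if s["hits"] >= min_hits and len(queries) >= min_variants:
            flagged[ip] = {"hits": s["hits"], "bytes": s["bytes"], "path": path,
                           "variants": len(queries), "agents": sorted(s["agents"])}
    return flagged


def main():
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, info in flag_loops(stats).items():
        print(f"{ip}: {info['hits']} hits, {info['bytes']} bytes, "
              f"{info['variants']} query variants of {info['path']} "
              f"({', '.join(info['agents'])})")


if __name__ == "__main__":
    main()
```

Run it against the real log with `summarize(open('/path/to/access_log'))` and compare the per-client byte total with what ntop reports; if they agree, the traffic is ordinary HTTP replies and the fix belongs in the web server or the application (one request per query variant is the loop), not in a rootkit hunt. Note that hosts.deny only governs services that consult tcp_wrappers, which a stock Apache build does not, and robots.txt is advisory, so neither is a substitute for a server-side deny or for making the slide-show links stable.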