[CLUE-Tech] root kit checker

Mike Staver staver at fimble.com
Thu May 6 16:06:36 MDT 2004


This isn't even working in apache:

Deny from 65.54.164.101
Deny from msnbot64101.search.msn.com

I can't figure out how in my cisco access list I'm blocking 
65.54.164.101, and I have the ip in hosts.deny, and I have apache 
configured to deny it.... it's still happening.  I hate MSN.

Mike Staver wrote:

> No, there was not a rootkit found using the checker.  I did recompile 
> apache with the latest anyhow.  Oh, and some people have asked why I 
> don't use the latest red hat rpm - it's because I'm running RH9 on this 
> box and I can't use apache2 for my purposes - I must have 1.3 for some 
> modules.  Anyhoo, it turns out after much digging through my logs - MSN 
> sucks.  When apache is turned on, there is a constant stream of traffic 
> from that ip because it's apparently caught in some type of a loop when 
> trying to index a phpbb based forum I'm hosting for someone.  Some 
> dynamic url creation is used for this picture slide show they are 
> running, and msn keeps trying to index it and appears to be looped, it's 
> been doing this for 2 days now.  I have this in the robots.txt file:
> 
> User-agent: *
> Disallow: /
> 
> And it still won't stop.  I wish I had a phone number for somebody as 
> MSN so I could yell at somebody about this.  I have tried to block them 
> on my firewall, I have put their ip in hosts.deny, and I can't prevent 
> it from sucking up bandwidth.
> 
> David Anselmi wrote:
> 
>> Mike Staver wrote:
>>
>>> Yeah, it turns out it was apache that was spewing all that traffic at 
>>> that one ip.  I ran chkrootkit version 0.43 after stopping it, and it 
>>> didn't detect any other kits - I was running a manually compiled 
>>> 1.3.27 version of apache on a RH9 box, so I was asking for it.
>>
>> So was there a rootkit or not?  The apache security list 
>> (http://www.apacheweek.com/features/security-13) doesn't say anything 
>> about any remote exploits against 1.3.27.
>>
>> Regardless, you might consider using a RH package so that upgrades are 
>> easier -- if patching isn't easy you won't do it until it is too late.
>>
>> [...]
>>
>>> Dan Harris wrote:
>>>
>>>> Mike Staver wrote:
>>>>
>>>>> Hello everybody - I need help trying to determine what's going on 
>>>>> with a linux box of mine.  I have ntop running, and it's showing 
>>>>> that this box is sending about 10 megs of tcp traffic an hour to an 
>>>>> ip:
>>>>>
>>>>> 65.54.164.101
>>
>> You never said what port this traffic was coming from.  Presumably it 
>> was coming from 80 and was going to 33839 and similar.  Do your apache 
>> logs show http requests/replies that match the traffic?  So maybe MSN 
>> is just indexing your site?
>>
>> You can capture the traffic with tcpdump and look at it in ethereal, 
>> if it's too much trouble to put ethereal on the box in question.  You 
>> can also look at as much detail as you want in tcpdump but that's 
>> harder to read.  I think you'll find regular http traffic.
>>
>> Dave
>>
>>
>> _______________________________________________
>> CLUE-Tech mailing list
>> Post messages to: CLUE-Tech at clue.denver.co.us
>> Unsubscribe or manage your options: 
>> http://clue.denver.co.us/mailman/listinfo/clue-tech
> 
> 

-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
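Dave's suggestion earlier in the thread (check whether the Apache logs show HTTP requests that account for the traffic ntop reports) is the right first step before touching firewalls or rootkit checkers. The script below is an added example written for this archive page, not code from anyone on the list: it tallies an Apache "combined" access log per client address, reports bytes served and User-Agents seen, and flags clients that keep re-requesting the same dynamic URL after fetching a robots.txt that disallows everything. The log lines in SAMPLE_LOG are constructed for the example; only the client address and hostname come from the thread, and the paths, byte counts and User-Agent strings are made up.

```python
"""Tally an Apache access log per client address to confirm that a burst of
outbound traffic is ordinary HTTP replies to a crawler, and whether that
crawler kept going after fetching robots.txt."""
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not from the poster's server): the address is the
# one named in the thread, everything else is invented for the example.
SAMPLE_LOG = """\
65.54.164.101 - - [06/May/2004:15:01:02 -0600] "GET /robots.txt HTTP/1.0" 200 26 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
65.54.164.101 - - [06/May/2004:15:01:03 -0600] "GET /forum/album.php?pic=1&start=0 HTTP/1.0" 200 48211 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
65.54.164.101 - - [06/May/2004:15:01:05 -0600] "GET /forum/album.php?pic=1&start=1 HTTP/1.0" 200 48190 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
65.54.164.101 - - [06/May/2004:15:01:07 -0600] "GET /forum/album.php?pic=1&start=0 HTTP/1.0" 200 48211 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
65.54.164.101 - - [06/May/2004:15:01:09 -0600] "GET /forum/album.php?pic=1&start=1 HTTP/1.0" 200 48190 "-" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)"
10.0.0.5 - - [06/May/2004:15:02:10 -0600] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux)"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec


def summarize(lines):
    """Per-client totals: requests, bytes served, User-Agents seen, whether
    robots.txt was fetched, the most-repeated URL and its hit count, and how
    many non-robots requests followed the robots.txt fetch."""
    stats = defaultdict(lambda: {
        "requests": 0, "bytes": 0, "agents": set(), "paths": Counter(),
        "fetched_robots": False, "requests_after_robots": 0,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: ignore rather than guess
        s = stats[rec["host"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["agents"].add(rec["agent"])
        s["paths"][rec["path"]] += 1
        if rec["path"] == "/robots.txt":
            s["fetched_robots"] = True
        elif s["fetched_robots"]:
            s["requests_after_robots"] += 1
    return {
        host: {
            "requests": s["requests"],
            "bytes": s["bytes"],
            "agents": sorted(s["agents"]),
            "fetched_robots": s["fetched_robots"],
            "requests_after_robots": s["requests_after_robots"],
            "top_path": s["paths"].most_common(1)[0],
        }
        for host, s in stats.items()
    }


def looping_clients(summary, min_requests=3):
    """Clients that hit the same URL more than once and keep requesting pages
    after fetching robots.txt: the pattern of a crawler stuck on a dynamic
    page while robots.txt says "Disallow: /"."""
    return sorted(
        host for host, s in summary.items()
        if s["requests"] >= min_requests
        and s["top_path"][1] > 1
        and s["fetched_robots"]
        and s["requests_after_robots"] > 0
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for host, s in sorted(summary.items()):
        print(host, s["requests"], "reqs", s["bytes"], "bytes", s["agents"])
    print("looping:", looping_clients(summary))
```

Run it against a real log with `summarize(open("/var/log/httpd/access_log"))`. If the bytes served to the address line up with what ntop shows, the traffic is HTTP replies, not a compromised host phoning home. Two facts worth keeping in mind when a block "doesn't work": /etc/hosts.deny is consulted only by services run through tcpd or linked against libwrap, and Apache is not one of them; and in Apache, `Deny from` lines take effect only in the context whose `Order` directive evaluates them, so a later `Allow from all` under `Order Deny,Allow` overrides the deny.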


