[CLUE-Tech] root kit checker
Skipworthy
skipworthy at realivetech.com
Thu May 6 16:43:50 MDT 2004
Mike-
maybe try something like this http://www.lowth.com/cutter/
it's a utility that can cut a specific connection.
Also- with your firewall rules- have you taken into account that often
msn bots have a collaborator on the inside, and often that collaborator
is port-agile (for ex: msn messenger will 'dial the mothership'
automatically even if you don't run it, and it will *find* a port that
works. I've sat and watched it happen. I think yahoo does this too).
AND...if you have a rule that allows incoming connections that match
outbound requests (a common configuration), THAT, I'm pretty sure, would
keep any deny rules from being effective. VOILA! you've got msnbot
connectivity.
I'm sure there are more experienced folks on this list who will
probably tell me I'm wrong...
G
> No, there was not a rootkit found using the checker. I did recompile
> apache with the latest anyhow. Oh, and some people have asked why I
> don't use the latest red hat rpm - it's because I'm running RH9 on this
> box and I can't use apache2 for my purposes - I must have 1.3 for some
> modules. Anyhoo, it turns out after much digging through my logs - MSN
> sucks. When apache is turned on, there is a constant stream of traffic
> from that ip because it's apparently caught in some type of a loop when
> trying to index a phpbb based forum I'm hosting for someone. Some
> dynamic url creation is used for this picture slide show they are
> running, and msn keeps trying to index it and appears to be looped, it's
> been doing this for 2 days now. I have this in the robots.txt file:
>
> User-agent: *
> Disallow: /
>
> And it still won't stop. I wish I had a phone number for somebody at
> MSN so I could yell at somebody about this. I have tried to block them
> on my firewall, I have put their ip in hosts.deny, and I can't prevent
> it from sucking up bandwidth.
>
> David Anselmi wrote:
>
> > Mike Staver wrote:
> >
> >> Yeah, it turns out it was apache that was spewing all that traffic at
> >> that one ip. I ran chkrootkit version 0.43 after stopping it, and it
> >> didn't detect any other kits - I was running a manually compiled
> >> 1.3.27 version of apache on a RH9 box, so I was asking for it.
> >
> >
> > So was there a rootkit or not? The apache security list
> > (http://www.apacheweek.com/features/security-13) doesn't say anything
> > about any remote exploits against 1.3.27.
> >
> > Regardless, you might consider using a RH package so that upgrades are
> > easier -- if patching isn't easy you won't do it until it is too late.
> >
> > [...]
> >
> >> Dan Harris wrote:
> >>
> >>> Mike Staver wrote:
> >>>
> >>>> Hello everybody - I need help trying to determine what's going on
> >>>> with a linux box of mine. I have ntop running, and it's showing
> >>>> that this box is sending about 10 megs of tcp traffic an hour to an ip:
> >>>>
> >>>> 65.54.164.101
> >
> >
> > You never said what port this traffic was coming from. Presumably it
> > was coming from 80 and was going to 33839 and similar. Do your apache
> > logs show http requests/replies that match the traffic? So maybe MSN is
> > just indexing your site?
> >
> > You can capture the traffic with tcpdump and look at it in ethereal, if
> > it's too much trouble to put ethereal on the box in question. You can
> > also look at as much detail as you want in tcpdump but that's harder to
> > read. I think you'll find regular http traffic.
> >
> > Dave
> >
> >
> > _______________________________________________
> > CLUE-Tech mailing list
> > Post messages to: CLUE-Tech at clue.denver.co.us
> > Unsubscribe or manage your options:
> > http://clue.denver.co.us/mailman/listinfo/clue-tech
>
> --
>
> -Mike Staver
> staver at fimble.com
> mstaver at globaltaxnetwork.com
>
>
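Dave's suggestion (check whether the apache access log shows crawler requests that account for the outbound traffic) and Mike's observation (one script with dynamic URLs being fetched over and over despite a Disallow-all robots.txt) can both be checked from the log alone. The script below is an added example written for this archive page, not something posted in the thread: it parses Apache combined-format lines, totals hits and bytes per client, records whether the client ever fetched /robots.txt, and flags clients that request many distinct URLs on very few paths, which is the signature of a crawler trapped in a dynamic-URL loop. The client address 65.54.164.101 is the one from the thread; the log lines, the visitor address 192.0.2.10, the user-agent strings and the threshold values are constructed for the example. Two practical points worth knowing when reading the output: a robots.txt Disallow only matters if the crawler fetches and honours it, and the robots flag tells you at least whether it was fetched; and /etc/hosts.deny has no effect on a standard Apache build, because Apache does not consult tcp_wrappers, so the firewall is the place to stop new inbound connections from a misbehaving crawler.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
# host ident user [time] "method url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Split the request into the script path and its query string so that
    # "/forum/album.php?pic=1" and "/forum/album.php?pic=2" share a path.
    path, _, query = rec["url"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def summarize(lines):
    """Per-client totals: hits, bytes served, distinct paths and URLs,
    whether /robots.txt was ever requested, and the user-agents seen."""
    per_host = defaultdict(lambda: {"hits": 0, "bytes": 0, "paths": set(),
                                    "urls": set(), "robots": False, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip lines in other formats rather than abort
            continue
        h = per_host[rec["host"]]
        h["hits"] += 1
        h["bytes"] += rec["bytes"]
        h["paths"].add(rec["path"])
        h["urls"].add(rec["url"])
        h["agents"].add(rec["agent"])
        if rec["path"] == "/robots.txt":
            h["robots"] = True
    return per_host


def looping_clients(per_host, min_hits=20, min_url_ratio=5.0):
    """Flag clients with at least min_hits requests whose distinct-URL count is
    min_url_ratio times their distinct-path count: many query-string variants
    of a few scripts, the crawler-loop pattern. Thresholds are constructed."""
    flagged = {}
    for host, h in per_host.items():
        if h["hits"] < min_hits:
            continue
        ratio = len(h["urls"]) / max(len(h["paths"]), 1)
        if ratio >= min_url_ratio:
            flagged[host] = {"hits": h["hits"], "bytes": h["bytes"],
                             "paths": sorted(h["paths"]),
                             "distinct_urls": len(h["urls"]),
                             "fetched_robots": h["robots"],
                             "agents": sorted(h["agents"])}
    return flagged


def build_sample_log():
    """Constructed Apache combined-format lines (not real log data). The crawler
    fetches robots.txt once and then the slide-show script with ever-changing
    query strings; the human visitor fetches a handful of ordinary pages."""
    crawler = "65.54.164.101"          # address reported in the thread
    bot_ua = "msnbot/0.0 (constructed example user-agent)"
    lines = [f'{crawler} - - [06/May/2004:14:00:00 -0600] '
             f'"GET /robots.txt HTTP/1.0" 200 26 "-" "{bot_ua}"']
    for n in range(1, 31):
        lines.append(f'{crawler} - - [06/May/2004:14:00:{n:02d} -0600] '
                     f'"GET /forum/album.php?pic={n}&sid=abc{n} HTTP/1.0" 200 4096 "-" "{bot_ua}"')
    for url in ("/", "/forum/index.php", "/forum/viewforum.php?f=1"):
        lines.append(f'192.0.2.10 - - [06/May/2004:14:05:00 -0600] '
                     f'"GET {url} HTTP/1.1" 200 1500 "-" "Mozilla/5.0 (constructed)"')
    lines.append("this line is not in combined format and is skipped")
    return lines


if __name__ == "__main__":
    for host, info in looping_clients(summarize(build_sample_log())).items():
        print(host, info)
```

Run against a real access_log with `summarize(open("/var/log/httpd/access_log"))`; a flagged client whose bytes total matches what ntop reports for that address confirms the traffic is ordinary HTTP responses to crawler requests rather than anything a rootkit checker would need to explain.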