Security Basics mailing list archives
Root kits and host.deny
From: "Frynge.com Support" <frynge () frynge com>
Date: Wed, 7 Dec 2005 19:11:41 -0700
This is a great thread with great advice. I went and found this in my known_hosts in my .ssh directory:

[root@oannes .ssh]# cat known_hosts
211.174.53.89 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWkG/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=

I have a few new questions.

1: Does anyone know how to block an IP, without a firewall, through hosts.deny or any other secure method? Is it

ALL: 211.174.53.89 : DENY

Also, should I delete the info in known_hosts? I was thinking about trapping him somehow, but I can't risk it right now, because I have a lot of clients on the server in question. This is a known spammer who has dropped 2 root kits on my VPS (virtual private server, not dedicated). My tech says he cannot hurt the VPS and I should just delete the files below, but I am unsure. I would like to reinstall, but my tech host is being a jerk. I am not using a firewall, as my host said it would suck up too much bandwidth.

2: Should I use a firewall on a VPS? He told me not to; I don't really believe that to be true...

3: Also, is there anywhere you can send IPs like the above, to either report them (I am going to report it to his ISP, he is in Korea, but I am waiting to do things to him possibly)? I want him to know he can't get away with it scot-free.

Thanks
Kelly Sigethy

Look below for full details on the spammer.... and the two root kits he installed.
This person on this IP: 211.174.53.89
http://ws.arin.net/cgi-bin/whois.pl?queryinput=221.114.194.14

This is a sample of the email he is sending out:

X-T2-Real-To: <tadeus () c2i net>
Return-Path: <terrystavridis0 () longbeachpride com>
X-Cloudmark-Score: 0.000000 []
Received: from oannes.frynge.com ([209.152.161.33] verified) by mailfe01.swip.net (CommuniGate Pro SMTP 5.0.2) with SMTP id 29169325 for tadeus () c2i net; Sun, 27 Nov 2005 11:23:39 +0100
Received: (qmail 33892 invoked by uid 34118); Sun, 27 Nov 2005 11:56:06 +0200 (CEST)
Message-Id: <20051127115606.33892.qmail () rackdj oannes frynge com>
From: "Francisco Ayre" <terrystavridis0 () longbeachpride com>
X-SpamWasher-UID: 4540
To: "tadeus" <tadeus () c2i net>
Date: Sun, 27 Nov 2005 11:56:06 +0200 (CEST)
Subject: {#2c3} Using sons tools for my needs
Mime-Version: 1.0
Content-Type: text/plain

Our mother wants to be filled in all her openings that is why she uses our tools in http://wf.retimonh.net/ willing more.

================================

[root@oannes chkrootkit-0.46a]# ./chkrootkit -q
Possible t0rn v8 \(or variation\) rootkit installed
/usr/lib/libsh/.backup
/usr/lib/libsh/.owned
/usr/lib/libsh/.sniff
/usr/lib/libsh/.bashrc
/usr/lib/php/.registry
/usr/lib/php/.filemap
/usr/lib/php/.lock
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/CGI/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Cwd/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/MD5/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/File/Spec/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/List/Util/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/MIME/Base64/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Net/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Storable/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/URI/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/NamespaceSupport/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/RegExp/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/SAX/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/Simple/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/XSLT/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML-DOM/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libwww-perl/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libxml-perl/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/perl-ldap/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/version/vxs/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/version/.packlist
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/mod_perl/.packlist
/lib/security/grsec/include/.indent.pro
/lib/security/grsec/.maxclients
/usr/lib/libsh/.backup
/usr/lib/libsh/.owned
/usr/lib/libsh/.sniff
/usr/lib/php/.registry
Warning: Possible Showtee Rootkit installed
/usr/include/file.h
/usr/include/proc.h
INFECTED (PORTS: 465)
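A small triage script for output in the shape of the chkrootkit -q listing above (an added example, not code from the post or from chkrootkit itself): it pulls out the rootkit warnings and the port flagged by the bindshell check, and separates hidden files that ordinary packaging leaves behind (Perl .packlist files and indent profiles, an assumption made here) from hidden files under library directories that need a closer look. The sample input is constructed to mirror the post's output, not copied from it.

```python
import re

# Constructed sample in the shape of the post's chkrootkit -q output (not a copy of it).
SAMPLE = r"""Possible t0rn v8 \(or variation\) rootkit installed
/usr/lib/libsh/.backup
/usr/lib/libsh/.owned
/usr/lib/libsh/.sniff
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/MD5/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/.packlist
/lib/security/grsec/include/.indent.pro
Warning: Possible Showtee Rootkit installed
/usr/include/file.h
/usr/include/proc.h
INFECTED (PORTS: 465)
"""

# Hidden files a normal install leaves behind (assumption for this example; tune
# to your own system): .packlist is written by Perl module installs, .indent.pro
# is an indent(1) profile that ships with some source trees.
BENIGN_HIDDEN = re.compile(r"/\.(packlist|indent\.pro)$")

PORTS_LINE = re.compile(r"INFECTED \(PORTS:\s*([\d ,]+)\)")


def triage(output):
    """Split chkrootkit -q output into headline findings and file paths."""
    report = {"warnings": [], "infected_ports": [], "suspect": [], "benign": []}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PORTS_LINE.match(line)
        if m:
            # bindshell check: one line listing every port it found listening
            report["infected_ports"] += [int(p) for p in re.findall(r"\d+", m.group(1))]
        elif "rootkit installed" in line.lower():
            # the post's output shows the parentheses backslash-escaped; normalise them
            report["warnings"].append(line.replace("\\(", "(").replace("\\)", ")"))
        elif line.startswith("/"):
            bucket = "benign" if BENIGN_HIDDEN.search(line) else "suspect"
            report[bucket].append(line)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print("warnings:", *r["warnings"], sep="\n  ")
    print("ports flagged by bindshell check:", r["infected_ports"])
    print("hidden/odd files to inspect:", *r["suspect"], sep="\n  ")
    print("hidden files explained by packaging:", len(r["benign"]))
```

Port 465 is also the SMTPS service port, so on a mail server the INFECTED line needs confirming against what is actually bound there before it is read as a backdoor.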
Current thread:
- Strange found in apache error.log kc (Dec 05)
- Re: Strange found in apache error.log ascii (Dec 05)
- Re: Strange found in apache error.log Security (Dec 05)
- Re: Strange found in apache error.log Gaddis, Jeremy L. (Dec 06)
- Root kits and host.deny Frynge.com Support (Dec 08)
- Re: Root kits and host.deny Scott B (Dec 08)
- Re: Root kits and host.deny Jeff Davis (Dec 08)
- Re: Root kits and host.deny Edward Krack (Dec 12)
- Re: Root kits and host.deny Gaddis, Jeremy L. (Dec 12)
- Re: Root kits and host.deny Gaddis, Jeremy L. (Dec 13)
- Re: Strange found in apache error.log arron (Dec 05)
- RE: Strange found in apache error.log Miguel Dilaj (Dec 06)