Security Basics mailing list archives
Re: Root kits and host.deny
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Fri, 09 Dec 2005 19:47:41 -0500
Frynge.com Support wrote:
> I went and found this in my known_hosts in my .SSH directory
>
> [root@oannes .ssh]# cat known_hosts
> 211.174.53.89 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWkG/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=
Isn't initiating an outbound SSH connection the only way to get a host added to ~/.ssh/known_hosts? If that's the case, then it seems that someone made an outbound SSH connection to 211.174.53.89. If it wasn't you, I'd be worried.
> This is a known spammer who has dropped 2 root kits to my VPS (virtual private server, not dedicated). My tech says he cannot hurt the VPS and I should just delete the files below, but I am unsure. I would like to reinstall, but my tech host is being a jerk. I am not using a firewall as my host said it would suck up too much bandwidth.
If he's already rootkitted you twice, I hope you've reinstalled. If you haven't, I'll bet you a beer he comes back yet again.
Have your tech define "hurt the VPS". If he gains administrative access, he can do whatever he damn well pleases (including irrevocably wiping out all your clients' data).
> 2: Should I use a firewall on a VPS? He told me not to; I don't really believe that to be true...
Absolutely you should use a firewall.
> 3: Also, do you have anywhere you can send IPs like the above, to either report them (I am going to report it to his ISP, he is in Korea - but I am waiting to do things to him possibly)
What are you going to do? Since the IP above is probably also a compromised host (like it seems yours is), you're not going to be attacking "him", just another innocent box he compromised. Doing so makes you no better than he, and could possibly expose you to liability, depending on what you do.
> I want him to know he can't get away with it scot-free.
Unfortunately, the sad truth is that he probably can (and will).

-j

--
Jeremy L. Gaddis, GCWN
http://www.jeremygaddis.com/
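The check Jeremy suggests above, auditing ~/.ssh/known_hosts for peers you never meant to connect to, as an added example that is not part of the original thread. The allow-list, the sample file and the key strings are constructed; the only value taken from the thread is the IP in line 2, and the parser also handles the `[host]:port`, `@cert-authority`/`@revoked` and hashed (`|1|...`) forms the file format allows.

```python
# Added example: audit an OpenSSH known_hosts file against the hosts an admin
# expects to have connected to. Every unexpected name is a lead worth checking.
ALLOWED_HOSTS = {"backup.example.net", "10.0.0.5"}   # assumed legitimate peers

# Constructed sample. Line 2 uses the IP quoted in the thread; keys are placeholders.
SAMPLE_KNOWN_HOSTS = """\
backup.example.net,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER1
211.174.53.89 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAPLACEHOLDER2
[git.example.net]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER3
@cert-authority *.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER4
|1|c2FsdHNhbHRzYWx0c2FsdA==|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-rsa AAAAPLACEHOLDER5
"""

def parse_known_hosts(text):
    """Yield (line_no, marker, hostnames, hashed, keytype) for each key line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):          # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:                    # need host, key type and key
            continue
        hostfield, keytype = fields[0], fields[1]
        hashed = hostfield.startswith("|1|")   # HashKnownHosts hides the name
        hosts = [] if hashed else hostfield.split(",")
        yield line_no, marker, hosts, hashed, keytype

def _bare_name(host):
    """Strip the [host]:port bracket syntax used for non-default ports."""
    return host[1:].split("]:", 1)[0] if host.startswith("[") else host

def unexpected_entries(text, allowed):
    """Return (line_no, reason) for every entry that is not on the allow-list."""
    findings = []
    for line_no, marker, hosts, hashed, _ in parse_known_hosts(text):
        if hashed:   # name is not recoverable; ssh-keygen -F <host> -f <file> matches it
            findings.append((line_no, "hashed host; check with ssh-keygen -F"))
            continue
        for name in (_bare_name(h) for h in hosts):
            if name not in allowed:
                tag = f"{marker} " if marker else ""
                findings.append((line_no, f"{tag}{name} not in allow-list"))
    return findings

if __name__ == "__main__":
    for line_no, reason in unexpected_entries(SAMPLE_KNOWN_HOSTS, ALLOWED_HOSTS):
        print(f"known_hosts line {line_no}: {reason}")
```

Run it against the real file with `unexpected_entries(open("/root/.ssh/known_hosts").read(), ALLOWED_HOSTS)`; an entry that nobody on the admin side can account for means the box made an outbound SSH connection it should not have, which on an already rootkitted host is one more reason to rebuild rather than clean.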