Security Basics mailing list archives

Re: Root kits and host.deny


From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Fri, 09 Dec 2005 19:47:41 -0500

Frynge.com Support wrote:
> I went and found this in my known_hosts in my .SSH directory
> [root@oannes .ssh]# cat known_hosts
> 211.174.53.89 ssh-rsa
> AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWk
> G/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4
> VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=

Isn't initiating an outbound SSH connection the only way to get a host added to ~/.ssh/known_hosts? If that's the case, then it seems that someone made an outbound SSH connection to 211.174.53.89. If it wasn't you, I'd be worried.

> This is a known spammer who has dropped 2 root kits to my VPS (virtual
> private server, not dedicated). My tech says he cannot hurt the VPS and I
> should just delete the files below, but I am unsure. I would like to
> reinstall, but my tech host is being a jerk. I am not using a firewall, as my
> host said it would suck up too much bandwidth.

If he's already rootkitted you twice, I hope you've reinstalled. If you haven't, I'll bet you a beer he comes back yet again.

Have your tech define "hurt the VPS". If he gains administrative access, he can do whatever he damn well pleases (including irrevocably wiping out all your clients' data).

> 2: Should I use a firewall on a VPS? He told me not to; I don't really
> believe that to be true...

Absolutely you should use a firewall.

> 3: Also, do you have anywhere you can send IPs like the above, to either
> report them (I am going to report it to his ISP; he is in Korea, but I am
> waiting to do things to him possibly)

What are you going to do? Since the IP above is probably also a compromised host (like it seems yours is), you're not going to be attacking "him", just another innocent box he compromised. Doing so makes you no better than he, and could possibly expose you to liability, depending on what you do.

> I want him to know he can't get away with it scot-free.

Unfortunately, the sad truth is that he probably can (and will).

-j

--
Jeremy L. Gaddis, GCWN
http://www.jeremygaddis.com/
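Jeremy's point that a known_hosts entry exists only because someone initiated an outbound SSH connection suggests a simple audit: compare the file against the hosts the account is expected to reach. The following Python is an added example, not code from the thread or from OpenSSH; it parses known_hosts (including HashKnownHosts entries), checks that each key blob declares the key type it claims, and flags destinations nobody has explained. The backup host name, the salt, and the reuse of the quoted key for the second entry are constructed sample data.

```python
"""Audit an OpenSSH known_hosts file: each entry is a host this account has connected to."""
import base64
import hashlib
import hmac
import struct
from collections import namedtuple

# host is the plain host/IP list or "|1|salt|hash" (HashKnownHosts); key_blob is the decoded key.
KnownHost = namedtuple("KnownHost", "host key_type key_blob")

def hash_host(name: str, salt_b64: str) -> str:
    """HashKnownHosts form of a name: HMAC-SHA1 keyed with the per-entry salt."""
    mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
    return f"|1|{salt_b64}|{base64.b64encode(mac).decode()}"

def parse_known_hosts(text: str) -> list[KnownHost]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
            fields = fields[1:]
        host, key_type, key_b64 = fields[:3]
        blob = base64.b64decode(key_b64)
        # Wire format opens with a length-prefixed type string; it must match the text field.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != key_type.encode():
            raise ValueError(f"key type mismatch for {host}")
        entries.append(KnownHost(host, key_type, blob))
    return entries

def matches(entry: KnownHost, name: str) -> bool:
    """True if the entry covers name, whether stored plain or hashed."""
    if entry.host.startswith("|1|"):
        return hmac.compare_digest(hash_host(name, entry.host.split("|")[2]), entry.host)
    return name in entry.host.split(",")

def unexpected_hosts(text: str, approved: list[str]) -> list[str]:
    """Entries matching none of the hosts this account is known to connect to."""
    return [e.host for e in parse_known_hosts(text)
            if not any(matches(e, a) for a in approved)]

# Constructed sample: the entry quoted above (one line in the real file) plus a hashed
# entry for a made-up backup host, reusing the same key for brevity.
RSA_KEY = ("AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWk"
           "G/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4"
           "VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=")
SALT_B64 = base64.b64encode(bytes(range(20))).decode()
SAMPLE = (f"211.174.53.89 ssh-rsa {RSA_KEY}\n"
          f"{hash_host('backup.example.internal', SALT_B64)} ssh-rsa {RSA_KEY}\n")
```

Running `unexpected_hosts(SAMPLE, ["backup.example.internal"])` returns the quoted Korean address, which is exactly the entry the original poster could not account for.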
