Security Basics mailing list archives

Root kits and host.deny


From: "Frynge.com Support" <frynge () frynge com>
Date: Wed, 7 Dec 2005 19:11:41 -0700

This is a great thread with great advice.

I went and found this in my known_hosts in my .ssh directory:
[root@oannes .ssh]# cat known_hosts
211.174.53.89 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWk
G/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4
VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=

I have a few new questions:

1: Does anyone know how to block an IP without a firewall, through
hosts.deny or any other secure method?

Is it
ALL: 211.174.53.89 : DENY

Also, should I delete the info in known_hosts?

I was thinking about trapping him somehow, but I can't risk it right now,
because I have a lot of clients on the server in question.

This is a known spammer who has dropped 2 rootkits on my VPS (virtual
private server, not dedicated).  My tech says he cannot hurt the VPS and I
should just delete the files below, but I am unsure.  I would like to
reinstall, but my tech host is being a jerk.  I am not using a firewall, as
my host said it would suck up too much bandwidth.

2: Should I use a firewall on a VPS? He told me not to; I don't really
believe that to be true...

3: Also, is there anywhere you can send IPs like the above to report them?
(I am going to report it to his ISP; he is in Korea, but I am waiting to do
things to him, possibly.)

I want him to know he can't get away with it scot-free.

Thanks
Kelly Sigethy

Look below for full details on the spammer... and the two rootkits he
installed.

This person is on this IP: 211.174.53.89
http://ws.arin.net/cgi-bin/whois.pl?queryinput=221.114.194.14


This is a sample of the email he is sending out:
X-T2-Real-To: <tadeus () c2i net>
Return-Path: <terrystavridis0 () longbeachpride com>
X-Cloudmark-Score: 0.000000 []
Received: from oannes.frynge.com ([209.152.161.33] verified)
  by mailfe01.swip.net (CommuniGate Pro SMTP 5.0.2)
  with SMTP id 29169325 for tadeus () c2i net; Sun, 27 Nov 2005 11:23:39 +0100
Received: (qmail 33892 invoked by uid 34118); Sun, 27 Nov 2005 11:56:06
+0200 (CEST)
Message-Id: <20051127115606.33892.qmail () rackdj oannes frynge com>
From: "Francisco Ayre" <terrystavridis0 () longbeachpride com>
X-SpamWasher-UID: 4540
To: "tadeus" <tadeus () c2i net>
Date: Sun, 27 Nov 2005 11:56:06 +0200 (CEST)
Subject: {#2c3} Using sons tools for my needs
Mime-Version: 1.0
Content-Type: text/plain

Our mother wants to be filled in all her openings that is why she
uses our tools in http://wf.retimonh.net/ willing more.
================================


[root@oannes chkrootkit-0.46a]# ./chkrootkit -q
Possible t0rn v8 \(or variation\) rootkit installed

/usr/lib/libsh/.backup
/usr/lib/libsh/.owned
/usr/lib/libsh/.sniff
/usr/lib/libsh/.bashrc
/usr/lib/php/.registry
/usr/lib/php/.filemap
/usr/lib/php/.lock
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/CGI/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Cwd/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/MD5/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/File/Spec/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/List/Util/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/MIME/Base64/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Net/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Storable/.packlist
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Time/HiRes/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Archive/Tar/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Archive/Zip/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/BSD/Resource/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/OnlinePayment/AuthorizeNet/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/OnlinePayment/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/UPS/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Compress/Zlib/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Convert/ASN1/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Convert/BER/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/Blowfish/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/Blowfish_PP/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/CBC/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/DES/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/SSLeay/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/Multiplex/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/mysql/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/Shell/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Data/ShowTable/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Devel/Symdump/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Digest/SHA1/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Expect/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/File/Copy/Recursive/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Filesys/Statvfs/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph3d/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/SecurityImage/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Text/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Geo/IPfree/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Clean/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/FillInForm/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/SimpleParse/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Tagset/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Template/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Interactive/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Socket/SSL/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/String/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Stringy/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Stty/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tee/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tty/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Zlib/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO-stringy/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Image/Size/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MD5/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MLDBM/Sync/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MLDBM/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Mail/SpamAssassin/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Module/Build/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/AIM/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/DNS/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/Daemon/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/IP/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/OSCAR/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/SSLeay/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/Telnet/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/OLE/Storage_Lite/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Parse/RecDescent/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Persistent/Base/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Persistent/DBI/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RPC/PlServer/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SOAP/Lite/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SQL/Statement/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Safe/Hole/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Spreadsheet/ParseExcel/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Spreadsheet/WriteExcel/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Sys/Hostname/Long/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/ReadLine/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/CSV_XS/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/Query/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/Reform/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/IxHash/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/ShadowHash/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/Watch/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/TimeDate/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tree/MultiNode/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/URI/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/NamespaceSupport/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/RegExp/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/SAX/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/Simple/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/XSLT/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML-DOM/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libwww-perl/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libxml-perl/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/perl-ldap/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/version/vxs/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/version/.packlist
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi/auto/mod_perl/.packlist
/lib/security/grsec/include/.indent.pro
/lib/security/grsec/.maxclients
/usr/lib/libsh/.backup
/usr/lib/libsh/.owned
/usr/lib/libsh/.sniff
/usr/lib/php/.registry


Warning: Possible Showtee Rootkit installed
 /usr/include/file.h /usr/include/proc.h
INFECTED (PORTS:  465)
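An added example, not part of the post above, showing what the quoted known_hosts entry actually records. OpenSSH's known_hosts is written by the ssh client when a session run from that account accepts a server's host key, so an entry under root's .ssh is evidence of an outbound connection from root to 211.174.53.89 (or of a file the intruder placed there), not of an inbound login. The parser below decodes the entry quoted in the post (its three mail-wrapped lines joined back together), checks that the wire-format key type agrees with the text field, extracts the RSA parameters and prints the MD5 and SHA256 fingerprints in OpenSSH's notation. Only the sample text and the function names are this example's own.

```python
"""Summarise OpenSSH known_hosts entries: host, key type, size, fingerprints."""
import base64
import hashlib
import struct

# The entry quoted in the post, re-joined onto one line (known_hosts stores
# each entry on a single line; the mail client wrapped it).
SAMPLE_KNOWN_HOSTS = (
    "211.174.53.89 ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWk"
    "G/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4"
    "VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=\n"
)


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def parse_known_hosts(text):
    """Return one dict per entry: hosts, key type, RSA size and fingerprints."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        hosts, key_type, b64 = fields[:3]
        blob = base64.b64decode(b64)
        wire_type, pos = _read_string(blob, 0)  # first string is the key type
        sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
        entry = {
            "marker": marker,
            "hosts": hosts.split(","),           # "|1|..." means HashKnownHosts
            "hashed": hosts.startswith("|1|"),
            "type": key_type,
            "type_matches_blob": wire_type.decode() == key_type,
            "md5": "MD5:" + hashlib.md5(blob).hexdigest(),
            "sha256": "SHA256:" + sha256.rstrip("="),
        }
        if key_type == "ssh-rsa":
            # ssh-rsa public key wire format: string "ssh-rsa", mpint e, mpint n
            e_bytes, pos = _read_string(blob, pos)
            n_bytes, pos = _read_string(blob, pos)
            entry["exponent"] = int.from_bytes(e_bytes, "big")
            entry["bits"] = int.from_bytes(n_bytes, "big").bit_length()
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(",".join(e["hosts"]), e["type"], e.get("bits"), "bits")
        print("  ", e["md5"])
        print("  ", e["sha256"])
        print("   outbound host key recorded; type field consistent:",
              e["type_matches_blob"])
```

The fingerprints printed here are what `ssh-keygen -l -f known_hosts` would show for the same file, which is the value to record before the entry is removed or the box is rebuilt.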

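An added example, not part of the post, for the hosts.deny question. tcp_wrappers (libwrap) evaluates /etc/hosts.allow first, then /etc/hosts.deny, and admits anything neither file matches (hosts_access(5)); the optional third field ALLOW/DENY that the post's `ALL: 211.174.53.89 : DENY` line uses comes from the extended hosts_options(5) syntax and overrides which file the line is in, so the plain form `ALL: 211.174.53.89` in hosts.deny is enough. The model below implements those semantics for daemon names, exact IPv4 addresses, trailing-dot prefixes, net/mask and CIDR patterns and EXCEPT lists so a rule set can be checked offline; the rule texts are constructed for the example (the addresses are the ones quoted in the post) and the function names are this example's own.

```python
"""Offline model of tcp_wrappers access decisions (hosts.allow / hosts.deny)."""
import ipaddress
import re

# Constructed rule files for the example.
HOSTS_ALLOW = """\
# admin network may reach every wrapped daemon
ALL: 209.152.161.
# extended syntax: a DENY line works even inside hosts.allow
ALL: 211.174.53.89 : DENY
"""
HOSTS_DENY = """\
sshd: ALL EXCEPT 10.0.0.0/8
"""


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_matches(pattern, ip):
    """Match one client pattern the way tcp_wrappers matches IPv4 clients."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "209.152.161." prefix form
        return ip.startswith(pattern)
    if "/" in pattern:                             # "a.b.c.d/mask" or CIDR
        net, mask = pattern.split("/", 1)
        spec = (net, mask) if "." in mask else pattern
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return pattern == ip


def _list_matches(field, item, matcher):
    """'a b EXCEPT c' matches item if it is in the first list but not the second."""
    parts = field.split(" EXCEPT ", 1)
    split = lambda s: [p for p in re.split(r"[,\s]+", s.strip()) if p]
    if not any(matcher(p, item) for p in split(parts[0])):
        return False
    return not (len(parts) == 2 and any(matcher(p, item) for p in split(parts[1])))


def parse_rules(text):
    """Yield (daemon_list, client_list, ALLOW|DENY|None) per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs at least 'daemons : clients': %r" % raw)
        verdict = None
        for opt in fields[2:]:                     # hosts_options(5) fields
            if opt.upper() in ("ALLOW", "DENY"):
                verdict = opt.upper()
        rules.append((fields[0], fields[1], verdict))
    return rules


def wrappers_decision(daemon, ip, hosts_allow="", hosts_deny=""):
    """Return 'ALLOW' or 'DENY' for (daemon, client ip) under the two files."""
    for text, file_default in ((hosts_allow, "ALLOW"), (hosts_deny, "DENY")):
        for daemons, clients, verdict in parse_rules(text):
            if _list_matches(daemons, daemon, _daemon_matches) and \
               _list_matches(clients, ip, _client_matches):
                return verdict or file_default      # first match wins
    return "ALLOW"                                  # no match in either file


if __name__ == "__main__":
    for daemon, ip in (("sshd", "211.174.53.89"), ("sshd", "209.152.161.33"),
                       ("sshd", "10.1.2.3"), ("sshd", "198.51.100.7"),
                       ("vsftpd", "198.51.100.7")):
        print(daemon, ip, wrappers_decision(daemon, ip, HOSTS_ALLOW, HOSTS_DENY))
```

The caveat the post's question turns on: these files are consulted only by daemons linked against libwrap or started through tcpd/xinetd (`ldd $(which sshd) | grep libwrap` shows whether a given sshd is; portable OpenSSH dropped libwrap support in 6.7). They do not replace a packet filter for anything else listening on the host.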
