Security Basics mailing list archives

Re: Root kits and host.deny


From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Mon, 12 Dec 2005 23:20:33 -0500

Frynge.com Support wrote:
> First I saved the iptables
>
> iptables -I INPUT -s 211.174.53.89 -j DROP
>
> Then I blocked the IP of his server

So you blocked access to your box from *ONE* IP address? That won't do much for stopping him from gaining access from any of the other hosts that he may have compromised.

> 3: I have deleted the root kit manually.  Everyone said to reinstall, but it
> wasn't that hard to repair the files.  I had a variant of t0rn v8 and
> showtee, and t0rn made a backup of all my files.  I actually found the root
> kit online to study what it does.

Perhaps you should have said "I have deleted *A* root kit manually." You can only delete the ones that you have detected. The ones you can't detect are probably still there.

I'm not trying to say that there are, in fact, other rootkits on your system. I'm trying to make you realize that you can't/don't know. Chances are good that t0rn is the only rootkit installed, but how can you know for sure?

Reinstall time. It sucks, it's a pain in the ass, I know, but you have to. Consider this a lesson learned and move on.

> 5: I created a root login warning.  Anytime anyone logs in to root, it warns
> me - gives me the IP address and warns of the root login

Hopefully you've disabled the ability for root to login via SSH anyways. This can be accomplished by explicitly adding "PermitRootLogin no" to your sshd_config file.

> 6: I put CHKROOTKIT on a cron job, and it scans for root kits daily to warn
> me.

...about the ones it knows about. What does it do about the rootkits that it hasn't been made aware of?

> I would love to know how he dropped a root kit in there.  I assume html
> injection.  I must have had a client with a page that he used to upload the
> root kit and he used injection methods.  Any ideas?

I won't fathom a guess.  The possibilities are endless.

> I haven't set up a firewall yet, I don't know what a good firewall for linux
> is.  I was told to use APF but from what I was told, that is for a windows
> box, and this is linux.

Linux has firewalling code built into the kernel. It's called netfilter, and the user-space components used to work with it are called iptables (see Google).

> That's the stage I am at. My host is seriously pathetic, they haven't helped
> me at all.  I wanted them to reinstall but he said it wasn't an issue
> because we are on a VPS and the kernel is protected.  I said the same thing
> to him about the hacker/spammer could delete my files.  He didn't seem to
> care too much.  I am just setting up other hosting.

If this is a VPS, you probably won't get much help from your host. Most hosts give you complete control of the VPS and with that comes full responsibility. If I were such a host, I'd have a clause in my AUP or ToS that says I can kill your network connection if "bad things" are happening, but I'll guess that your host doesn't.

They don't care as long as you pay your bill.

>> Isn't initiating an outbound SSH connection the only way to get a host
>> added to ~/.ssh/known_hosts?  If that's the case, then it seems that
>> someone made an outbound SSH connection to 211.174.53.89.  If it wasn't
>> you, I'd be worried.

> Thanks for the info.. that makes sense... and I didn't consider that.

You should. If you didn't connect via SSH to 211.174.53.89, who did? If you didn't, someone else has root level access.

>> If he's already rootkitted you twice, I hope you've reinstalled.  If you
>> haven't, I'll bet you a beer he comes back yet again.

> lol, yes.... I want that beer, but I would end up paying :)  I did however
> email his host and let them know what he is doing.

Don't take this the wrong way, but you probably wasted your time (and theirs).

> I am not sure what I am going to do. I am getting backups made daily, so I
> won't lose anything.  My host is not helping me in the slightest so I am on
> my own.

Reinstall. If you can't, have your provider. If they won't, cancel and find someone who will.

-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
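Two of the checks the reply recommends, the "PermitRootLogin no" sshd_config setting and the question of who made outbound SSH connections (the ~/.ssh/known_hosts entries), can be audited mechanically. The script below is an added example and is not code from the original post or from its author; the sample sshd_config and known_hosts contents are constructed (the only real value is the 211.174.53.89 address quoted in the thread, with fake key material), and the allowlist of hosts you expect to have connected to is a hypothetical input the admin supplies.

```python
import re

# Constructed sample sshd_config: an old commented-out "yes", then the
# explicit "no" the reply recommends, then a Match block that must NOT be
# read as the global setting.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
Match User deploy
    PermitRootLogin yes
"""

# Constructed sample known_hosts: one expected backup host, the address
# quoted in the thread, and one hashed entry (HashKnownHosts yes).
SAMPLE_KNOWN_HOSTS = """\
backup.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfakekey1
211.174.53.89 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfakekey2
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGVkaG9zdGhhc2hlZGhvc3Q= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfakekey3
"""


def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value as sshd applies it, or None.

    sshd takes the first occurrence of a keyword, so a later duplicate is
    ignored; keywords inside a Match block apply only to matching
    connections and are skipped when looking for the global value.  None
    means the keyword is unset and the compiled-in default applies ('yes'
    on old releases, 'prohibit-password' since OpenSSH 7.0).
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # a Match block runs until the next Match line
            continue
        if in_match:
            continue
        if key == "permitrootlogin":
            return value.lower()
    return None


def known_hosts_entries(text):
    """Parse known_hosts lines into (host_patterns, key_type) tuples.

    Handles @cert-authority/@revoked markers, comma-separated aliases,
    [host]:port syntax and hashed (|1|salt|hash) entries, which are returned
    as the single pattern '<hashed>' because the name cannot be recovered.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line: no key material
        hostfield, keytype = fields[0], fields[1]
        if hostfield.startswith("|1|"):
            hosts = ["<hashed>"]
        else:
            hosts = [re.sub(r"^\[(.*)\]:\d+$", r"\1", h) for h in hostfield.split(",")]
        entries.append((hosts, keytype))
    return entries


def audit_known_hosts(text, expected_hosts):
    """Report hosts this account has connected *out* to that are not on the
    admin's allowlist (hypothetical input).  Hashed entries can only be
    counted here; use `ssh-keygen -F <host>` to test one suspect name."""
    unexpected, hashed = [], 0
    for hosts, _keytype in known_hosts_entries(text):
        for h in hosts:
            if h == "<hashed>":
                hashed += 1
            elif h not in expected_hosts and h not in unexpected:
                unexpected.append(h)
    return {"unexpected": unexpected, "hashed": hashed}


if __name__ == "__main__":
    setting = effective_permit_root_login(SAMPLE_SSHD_CONFIG)
    print("global PermitRootLogin:", setting or "unset (compiled-in default)")
    report = audit_known_hosts(SAMPLE_KNOWN_HOSTS, {"backup.example.net", "192.0.2.10"})
    print("outbound SSH targets not on the allowlist:", report["unexpected"])
    print("hashed entries (check with ssh-keygen -F):", report["hashed"])
```

Run against the real files by reading /etc/ssh/sshd_config and each account's ~/.ssh/known_hosts (root's included) instead of the constructed strings. An unexpected host in root's known_hosts is exactly the signal the thread is about: the entry only appears when someone with that account's privileges initiated an outbound connection.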

