Frynge.com Support wrote:
> I went and found this in my known_hosts in my .SSH directory
> [root@oannes .ssh]# cat known_hosts
> 211.174.53.89 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWkG/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=
Isn't initiating an outbound SSH connection the only way to get a host
added to ~/.ssh/known_hosts? If that's the case, then it seems that
someone made an outbound SSH connection to 211.174.53.89. If it wasn't
you, I'd be worried.
> This is a known spammer who has dropped 2 rootkits to my VPS (virtual
> private server not dedicated). My tech says he cannot hurt the VPS and I
> should just delete the files below, but I am unsure. I would like to
> reinstall, but my tech host is being a jerk. I am not using a firewall as
> my host said it would suck up too much bandwidth.
If he's already rootkitted you twice, I hope you've reinstalled. If you
haven't, I'll bet you a beer he comes back yet again.
Have your tech define "hurt the VPS". If he gains administrative
access, he can do whatever he damn well pleases (including irrevocably
wiping out all your clients' data).
> 2: should I use a firewall on a VPS, he told me not to, I don't really
> believe that to be true...
Absolutely you should use a firewall.
> 3: Also, do you have anywhere you can send IPs like the above, to either
> report them, (I am going to report it to his ISP, he is in Korea - but I am
> waiting to do things to him possibly)
What are you going to do? Since the IP above is probably also a
compromised host (like it seems yours is), you're not going to be
attacking "him", just another innocent box he compromised. Doing so
makes you no better than he, and could possibly expose you to liability,
depending on what you do.
> I want him to know he can't get away with it scot-free.
Unfortunately, the sad truth is that he probably can (and will).
-j
--
Jeremy L. Gaddis, GCWN
http://www.jeremygaddis.com/
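As an added example (not code from the thread), a small Python audit of the evidence Jeremy points at: every entry in ~/.ssh/known_hosts records a host the account connected out to, so parsing the file and checking each host against the destinations you expect turns it into an outbound-connection log. The sample input is the entry quoted above with the base64 re-joined across the mail wrapping; the allowlist name backup.example.internal is a hypothetical placeholder, and hashed entries (HashKnownHosts) are handled by recomputing OpenSSH's salted HMAC against candidate names rather than reversing them.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the known_hosts entry quoted in the thread, with the
# base64 re-joined across the mail wrapping. Nothing else is added to it.
SAMPLE_KNOWN_HOSTS = (
    "211.174.53.89 ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAIEA1pLdVrFc83cEsFKHnmA4wJL9GX4i9pa+Z2DeDLsp8pCGBxWk"
    "G/qJqoM51mVyhRjLD7zd3pzKmICJz3EqSMl8hs7M1VuwYb4C/6Qhfq7ieDJWA5GZE8PT62ToxxI4"
    "VvOLjjpbVA1wKl8dhhZLAcwftRAo2oeVJf9g30xLMeKBMs8=\n"
)

def b64(raw):
    return base64.b64encode(raw).decode()

def parse_known_hosts(text):
    """One record per entry: host field, declared key type, OpenSSH-style SHA256 fingerprint."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        host, key_type, blob = parts[0], parts[1], base64.b64decode(parts[2])
        # Wire format starts with a uint32 length and the key type name; it must agree
        # with the declared type, otherwise the entry is malformed and is skipped.
        n = struct.unpack(">I", blob[:4])[0]
        if blob[4:4 + n].decode() != key_type:
            continue
        fingerprint = "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")
        records.append({"host": host, "type": key_type, "fingerprint": fingerprint})
    return records

def hash_host(host, salt):
    """The HashKnownHosts form OpenSSH writes: '|1|b64(salt)|b64(HMAC-SHA1(salt, host))'."""
    return "|1|" + b64(salt) + "|" + b64(hmac.new(salt, host.encode(), hashlib.sha1).digest())

def host_matches(entry_host, candidate):
    """Match a plain (possibly comma-separated) or hashed host field against one hostname."""
    if not entry_host.startswith("|1|"):
        return candidate in entry_host.split(",")
    salt = base64.b64decode(entry_host.split("|")[2])
    return hmac.compare_digest(entry_host, hash_host(candidate, salt))

def unexpected_hosts(records, allowlist):
    """Entries no allowlisted host explains: outbound SSH destinations nobody expected."""
    return [r for r in records if not any(host_matches(r["host"], h) for h in allowlist)]
```

`unexpected_hosts(parse_known_hosts(SAMPLE_KNOWN_HOSTS), ["backup.example.internal"])` returns the 211.174.53.89 record, which is exactly the question Jeremy asks: who on this box made that connection? A real run reads ~/.ssh/known_hosts for every account, since each user keeps a separate file.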