Re: rootkit?

On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
> A friend of mine just reported he has been rooted, and his machine was 
> spewing spam in the name of the colonial bank.
> 
> The name of the tar.gz file found in the /tmp dir that seems to be the 
> src of all the other oddball stuff is wam.tar.gz.
> 
> The box is running Fedora Core 3, and the router has a switch on the 
> LAN side along with a Windows box that is also up.  Anything that comes 
> into the router on port 22 gets forwarded to this Linux box.
> 
> This wam.tar.gz file contains virtually everything needed to rootkit a 
> machine, including a password cracker, and several lists of email 
> address lists totalling about 23,000 addresses.
> 
> FWIW, chkrootkit didn't find it!
> 
> What's the general removal procedure for this, and better yet, how did 
> they get in?
----
It would seem that ssh, with root allowed to log in via password, would be the
magic combination of bad judgement...it's been so thoroughly discussed
on this list as of late.

Craig
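The combination Craig points at (root login permitted, password authentication enabled) can be checked mechanically in sshd_config. The script below is an added example, not something posted in this thread; it assumes a standard OpenSSH sshd_config where the first uncommented occurrence of a keyword wins, and the two sample configs it audits are constructed inline.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an sshd_config for the
# settings Craig names, PermitRootLogin and PasswordAuthentication.
# OpenSSH uses the first uncommented occurrence of a keyword; Match blocks
# are not handled here, so check those by hand.

effective_setting() {
    # $1 = config file, $2 = keyword. Prints the lower-cased value of the
    # first uncommented occurrence, or "unset" if the keyword is absent.
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${v:-unset}"
}

audit_sshd_config() {
    # Returns 0 when both settings are hardened, 1 when either is weak.
    cfg="$1"; weak=0
    root=$(effective_setting "$cfg" PermitRootLogin)
    pw=$(effective_setting "$cfg" PasswordAuthentication)
    case "$root" in
        no|without-password|prohibit-password) ;;
        *) echo "$cfg: PermitRootLogin=$root (unset defaulted to yes before OpenSSH 7.0)"; weak=1 ;;
    esac
    case "$pw" in
        no) ;;
        *) echo "$cfg: PasswordAuthentication=$pw (unset defaults to yes)"; weak=1 ;;
    esac
    if [ "$root" != no ] && [ "$pw" != no ]; then
        echo "$cfg: root login plus password auth, the combination described in the thread"
    fi
    return $weak
}

# Constructed sample configs: the weak one mirrors the thread's scenario,
# the hardened one is what the reply implies.
TMPD=$(mktemp -d)
WEAK_CFG="$TMPD/sshd_config.weak"; HARD_CFG="$TMPD/sshd_config.hard"
cat > "$WEAK_CFG" <<'EOF'
# keyword left commented out, so it is unset and the old default applies
#PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then echo "$f: OK"; else echo "$f: WEAK"; fi
done
```

Run it against /etc/ssh/sshd_config on a live box instead of the samples; a restart of sshd is needed for changes to take effect.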

