rootkit?


A friend of mine just reported he has been rooted, and his machine was 
spewing spam in the name of the colonial bank.

The name of the tar.gz file found in the /tmp dir that seems to be the 
src of all the other oddball stuff is wam.tar.gz.

The box is running fedora core 3, and the router has a switch on the 
lan side along with a windows box that is also up.  Anything that comes 
into the router on port 22 gets forwarded to this linux box.

This wam.tar.gz file contains virtually everything needed to rootkit a 
machine, including a password cracker, and several lists of email 
address lists totalling about 23,000 addresses.

FWIW, chkrootkit didn't find it!

What's the general removal procedure for this, and better yet, how did 
they get in?

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should use this
address: <gene.heskett@xxxxxxxxxxxxxxxxx> which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
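Since the router forwards port 22 straight to the box, the first thing to check for "how did they get in" is whether sshd was brute-forced. The script below is an added example, not part of Gene's message or of any Fedora tool: it reads /var/log/secure-style sshd lines (the log file Fedora Core 3 uses for authentication messages), counts "Failed password" attempts per source address, and flags any address that racked up repeated failures and then got an "Accepted" login. The log lines in SAMPLE_SECURE_LOG are constructed for the example, and the function names and the failure threshold are my own choices.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Assumes sshd logs in the
# usual syslog format found in /var/log/secure on Fedora Core 3.
# The sample lines below are constructed, not real logs from the compromised box.

SAMPLE_SECURE_LOG=$(cat <<'EOF'
May 14 02:11:03 fc3box sshd[2231]: Failed password for illegal user test from 192.0.2.77 port 51112 ssh2
May 14 02:11:05 fc3box sshd[2233]: Failed password for root from 192.0.2.77 port 51113 ssh2
May 14 02:11:07 fc3box sshd[2235]: Failed password for illegal user admin from 192.0.2.77 port 51114 ssh2
May 14 02:11:09 fc3box sshd[2237]: Failed password for illegal user guest from 192.0.2.77 port 51115 ssh2
May 14 02:11:11 fc3box sshd[2239]: Accepted password for root from 192.0.2.77 port 51116 ssh2
May 14 09:30:41 fc3box sshd[3001]: Accepted publickey for gene from 192.168.1.10 port 40222 ssh2
EOF
)

# failed_by_source LOGTEXT
# Prints "<count> <address>" for every source address with failed password
# attempts, most frequent first.
failed_by_source() {
    printf '%s\n' "$1" | grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# suspicious_sources LOGTEXT [THRESHOLD]
# Prints "<address> <failures>" for each address that failed THRESHOLD or more
# times (default 3) and later got an "Accepted" login: the brute-force-then-
# success pattern that points at a guessed password rather than an exploit.
suspicious_sources() {
    log="$1"; threshold="${2:-3}"
    failed_by_source "$log" | while read -r count addr; do
        [ "$count" -ge "$threshold" ] || continue
        if printf '%s\n' "$log" | grep -q "Accepted .* from $addr port"; then
            printf '%s %s\n' "$addr" "$count"
        fi
    done
}

# Usage on the sample data; on a real box run it against the actual log, e.g.
#   suspicious_sources "$(cat /var/log/secure)"
suspicious_sources "$SAMPLE_SECURE_LOG"
```

On a live incident, read the log from a copy taken off the machine rather than trusting the box itself: a rootkit that chkrootkit misses can just as well have trimmed /var/log/secure, so an empty result is not evidence that SSH was not the way in.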

