On Sun, 2005-12-11 at 00:31, Gene Heskett wrote:

> A friend of mine just reported he has been rooted, and his machine was
> spewing spam in the name of the colonial bank.
> FWIW, chkrootkit didn't find it!
> Did you try rkhunter? Would be interesting to know if it could see it.
> What's the general removal procedure for this, and better yet, how did
> they get in?

Once a system has been rooted the only action to take is to rebuild the
system from scratch, format the drives and install clean. Be very careful
of anything backed up on the system since the root kit was installed.

The two favorite ways of hacking a system are either through password
guessing against ssh or telnet or by using a package that has known
vulnerabilities such as phpnuke or some of the other CMS packages out
there. Poor passwords are likely but easily corrected. Use of a CMS
package is harder to fix in most cases.
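As an added example, not part of the thread above: the ssh password guessing the reply mentions leaves a trail of repeated "Failed password" lines from one source in sshd's auth log, often followed by an "Accepted password" once a guess lands. The script below runs over constructed sample log lines (hostnames, IPs and usernames are made up) and flags any accepted login from a source that had already failed several times.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not from the thread).
SAMPLE_LOG = """\
Dec 11 00:12:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec 11 00:12:03 host sshd[2201]: Failed password for invalid user oracle from 198.51.100.7 port 40123 ssh2
Dec 11 00:12:05 host sshd[2201]: Failed password for root from 198.51.100.7 port 40124 ssh2
Dec 11 00:12:06 host sshd[2201]: Failed password for root from 198.51.100.7 port 40125 ssh2
Dec 11 00:12:08 host sshd[2201]: Accepted password for root from 198.51.100.7 port 40126 ssh2
Dec 11 00:15:40 host sshd[2310]: Failed password for gene from 192.0.2.15 port 51002 ssh2
Dec 11 00:15:44 host sshd[2310]: Accepted publickey for gene from 192.0.2.15 port 51002 ssh2
"""

# "invalid user" appears when the account does not exist on the box.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze(log_text, threshold=3):
    """Return (failures_per_source, suspicious_logins).

    failures_per_source maps source IP -> count of failed password attempts.
    suspicious_logins lists (user, ip, method) for every accepted login from
    a source that had already failed at least `threshold` times before it,
    which is the signature of a guessed password rather than a typo.
    """
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= threshold:
                suspicious.append((user, ip, method))
    return failures, suspicious


if __name__ == "__main__":
    fails, sus = analyze(SAMPLE_LOG)
    for ip, n in fails.most_common():
        print(f"{ip}: {n} failed password attempts")
    for user, ip, method in sus:
        print(f"SUSPICIOUS: '{user}' accepted via {method} from {ip} after {fails[ip]} failures")
```

A single failure followed by a key-based login (the second source) is ordinary user behaviour and is not flagged; tune `threshold` to the host's normal noise level.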