Re: rootkit?

On Sunday 11 December 2005 00:35, Craig White wrote:
>On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
>> A friend of mine just reported he has been rooted, and his machine
>> was spewing spam in the name of the colonial bank.
>>
>> The name of the tar.gz file found in the /tmp dir that seems to be
>> the src of all the other oddball stuff is wam.tar.gz.
>>
>> The box is running fedora core 3, and the router has a switch on
>> the lan side along with a windows box that is also up.  Anything that
>> comes into the router on port 22 gets forwarded to this linux box.
>>
>> This wam.tar.gz file contains virtually everything needed to
>> rootkit a machine, including a password cracker, and several lists
>> of email address lists totalling about 23,000 addresses.
>>
>> FWIW, chkrootkit didn't find it!
>>
>> What's the general removal procedure for this, and better yet, how
>> did they get in?
>
>----
>it would seem that ssh, root allowed to login via password would be
> the magic combination of bad judgement...it's been so thoroughly
> discussed on this list as of late.
>
I forgot to mention that all the unpacked files are in his son's name,
an unprivileged user, but with a very weak password.  So we think it
came in and was running as this user.  His son, taking comp sci
courses as a junior in college now, simply would never have done this,
it's just not his style.  All he ever uses is email & a web browser.

>Craig

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should use this
address: <gene.heskett@xxxxxxxxxxxxxxxxx> which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
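Craig's point is the two sshd settings that together make a password-guessing intrusion possible: root login over ssh and password authentication. The script below is an added example, not part of the thread, that reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins) and reports whichever of the two is left permissive; the defaults it assumes when a keyword is absent are the OpenSSH defaults of that era (both "yes"), and the sample config it audits is constructed here.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings named in the thread.
# sshd honours the first uncommented occurrence of a keyword, so that is what
# we report; keyword matching is case-insensitive, as in sshd.

# Print the effective value of KEY in config file CFG, or DEFAULT when absent.
# The defaults passed by the caller are an assumption (OpenSSH of that era).
sshd_effective() {
    key="$1"; cfg="$2"; default="$3"
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Return 0 when neither risky setting is in effect, 1 otherwise (findings on stdout).
audit_sshd_config() {
    cfg="$1"; rc=0
    root=$(sshd_effective PermitRootLogin "$cfg" yes)
    pass=$(sshd_effective PasswordAuthentication "$cfg" yes)
    if [ "$root" = yes ]; then
        echo "FINDING: PermitRootLogin yes -> root can be logged into directly over ssh"
        rc=1
    fi
    if [ "$pass" = yes ]; then
        echo "FINDING: PasswordAuthentication yes -> a weak user password is enough to get in"
        rc=1
    fi
    if [ "$root" = yes ] && [ "$pass" = yes ]; then
        echo "FINDING: both together: the combination described in the thread"
    fi
    return $rc
}

# Constructed sample config (not taken from the compromised box): only the
# commented-out line would have helped, and sshd ignores it.
sample=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n' > "$sample"
audit_sshd_config "$sample" || echo "sshd_config needs hardening: set both to no"
rm -f "$sample"
```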

