On Sunday 11 December 2005 10:25, William Case wrote:
>On Sun, 2005-12-11 at 00:44 -0500, Scot L. Harris wrote:
>> On Sun, 2005-12-11 at 00:31, Gene Heskett wrote:
>> > A friend of mine just reported he has been rooted, and his
>> > machine was spewing spam in the name of the Colonial Bank.
>> >
>> > FWIW, chkrootkit didn't find it!
>>
>> Did you try rkhunter? Would be interesting to know if it could see
>> it.
>>
>> > What's the general removal procedure for this, and better yet, how
>> > did they get in?
>>
>> Once a system has been rooted the only action to take is to rebuild
>> the system from scratch, format the drives and install clean. Be
>> very careful of anything backed up on the system since the rootkit
>> was installed.
>
>I think I know in a general kind of way. But, what is a rootkit?
>
>Regards Bill

That's where someone gets in through a buffer overflow, or other exploitable
means, possibly guessing passwords (we think this is how this one got in,
son's very weak pw) and takes over the machine to turn it into a zombie
sending spam or viruses to a large mailing list. The kit in question managed
to send some 19,000 emails before the ISP cut him off, according to logs on
both ends. Dumb rootkit, it didn't even try to clean up the logs.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should use this address:
<gene.heskett@xxxxxxxxxxxxxxxxx> which bypasses vz's stupid bounce rules.
I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above message
by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
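The thread says the box was probably taken over by password guessing and that the rootkit never cleaned up the logs that showed it spewing mail. The script below is an added example, not code from anyone in this thread: it does the two log checks a sysadmin would do first in that situation, counting failed-then-successful password logins per source address in the sshd log and counting "status=sent" Postfix deliveries per hour to spot a spam burst. The sshd and Postfix line formats, the hostname "box", the addresses and every count in the sample log text are constructed for the example.

```python
"""Triage two syslog-style logs for a password-guessing break-in and a
spam burst. Added example; all log lines below are constructed, not real."""
import re
from collections import Counter, defaultdict

# Constructed sshd lines: a guessing run from one address ending in a hit.
AUTH_LOG = """\
Dec 10 22:41:03 box sshd[2311]: Failed password for root from 10.9.8.7 port 40122 ssh2
Dec 10 22:41:05 box sshd[2311]: Failed password for root from 10.9.8.7 port 40122 ssh2
Dec 10 22:41:07 box sshd[2313]: Failed password for invalid user admin from 10.9.8.7 port 40130 ssh2
Dec 10 22:41:09 box sshd[2315]: Failed password for jdoe from 10.9.8.7 port 40140 ssh2
Dec 10 22:41:11 box sshd[2317]: Failed password for jdoe from 10.9.8.7 port 40150 ssh2
Dec 10 22:41:13 box sshd[2319]: Accepted password for jdoe from 10.9.8.7 port 40160 ssh2
Dec 10 23:02:40 box sshd[2402]: Accepted publickey for gene from 192.168.1.5 port 51000 ssh2
"""

# Constructed Postfix lines: two normal deliveries, then 40 in one hour
# right after the break-in above, plus one bounce (not counted as sent).
MAIL_LOG = "\n".join(
    ["Dec 10 09:12:01 box postfix/smtp[1201]: 7F3A1: to=<alice@example.org>, "
     "relay=mx.example.org[198.51.100.9]:25, dsn=2.0.0, status=sent (250 OK)",
     "Dec 10 17:40:22 box postfix/smtp[1322]: 7F3A2: to=<bob@example.org>, "
     "relay=mx.example.org[198.51.100.9]:25, dsn=2.0.0, status=sent (250 OK)"]
    + [f"Dec 10 23:{i // 2:02d}:{(i * 7) % 60:02d} box postfix/smtp[{1500 + i}]: B{i:04X}: "
       f"to=<victim{i}@example.net>, relay=mx.example.net[203.0.113.5]:25, "
       f"dsn=2.0.0, status=sent (250 OK)" for i in range(40)]
    + ["Dec 10 23:30:00 box postfix/smtp[1600]: B9999: to=<nobody@example.net>, "
       "relay=mx.example.net[203.0.113.5]:25, dsn=5.1.1, status=bounced (user unknown)"]
)

# Assumed line shapes (OpenSSH and Postfix style, as seen in syslog).
AUTH_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ sshd\[\d+\]: (Failed|Accepted) (password|publickey) "
    r"for (?:invalid user )?(\S+) from (\S+) port")
MAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d):\d\d:\d\d \S+ postfix/smtp\[\d+\]: \w+: to=<[^>]+>.* status=(\w+)")


def password_guessing(log, min_failures=3):
    """Source addresses with at least min_failures failed logins, and which
    accounts they then got into with a password from the same address."""
    failures = Counter()
    accepted = defaultdict(set)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        result, method, user, ip = m.groups()
        if result == "Failed":
            failures[ip] += 1
        elif method == "password":   # a key login after failures is a different story
            accepted[ip].add(user)
    return {ip: {"failures": n, "logged_in_as": sorted(accepted[ip])}
            for ip, n in failures.items() if n >= min_failures}


def sent_per_hour(log):
    """Count Postfix deliveries with status=sent, keyed by 'Mon DD HH'."""
    hours = Counter()
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if m and m.group(2) == "sent":
            hours[m.group(1)] += 1
    return hours


def spam_burst_hours(log, max_per_hour=20):
    """Hours whose outbound count exceeds what this box normally sends;
    the threshold is an assumption to tune per machine."""
    return sorted(h for h, n in sent_per_hour(log).items() if n > max_per_hour)


if __name__ == "__main__":
    for ip, info in password_guessing(AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, then in as {info['logged_in_as']}")
    for hour in spam_burst_hours(MAIL_LOG):
        print(f"{hour}: {sent_per_hour(MAIL_LOG)[hour]} messages sent in one hour")
```

Run it as-is to see the constructed break-in and burst flagged; on a real box you would feed it /var/log/secure (or auth.log) and /var/log/maillog instead. The point of counting on the mail side as well is the one made in the thread: the ISP's logs and the box's own logs should agree on the volume, and if the local counts are far lower than what the ISP saw, the log has been tampered with and nothing on that disk can be trusted.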