Re: rootkit?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 11 Dec 2005 00:31:03 -0500
Gene Heskett <gene.heskett@xxxxxxxxxxx> opined:

> A friend of mine just reported he has been rooted, and his machine
> was spewing spam in the name of the colonial bank.
> 
> The name of the tar.gz file found in the /tmp dir that seems to be
> the src of all the other oddball stuff is wam.tar.gz.
> 
> The box is running fedora core 3, and the router has a switch on the 
> lan side along with a windows box that also up.  Anything that comes 
> into the router on port 22 gets forwarded to this linux box.
> 
> This wam.tar.gz file contains virtually everything needed to rootkit
> a machine, including a password cracker, and several lists of email 
> address lists totalling about 23,000 addresses.
> 
> FWIW, chkrootkit didn't find it!
> 
> Whats the general removal procedure for this, and better yet, how did 
> they get in?
> 
Slightly OT, but is this a VOL customer? I have been getting hammered
from VOL zombies lately. Can you share the first 3 octets of the IP?

-- 
Our DNSRBL - 
       Eliminate Spam: http://www.TQMcube.com/spam_trap.php
        Zombie Graphs: http://www.TQMcube.com/zombies.php
          GeoGraphics: http://www.TQMcube.com/origins.php


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux