On Sun, 11 Dec 2005 00:31:03 -0500 Gene Heskett <gene.heskett@xxxxxxxxxxx> opined:

> A friend of mine just reported he has been rooted, and his machine
> was spewing spam in the name of the Colonial Bank.
>
> The name of the tar.gz file found in the /tmp dir that seems to be
> the src of all the other oddball stuff is wam.tar.gz.
>
> The box is running Fedora Core 3, and the router has a switch on the
> LAN side along with a Windows box that is also up. Anything that comes
> into the router on port 22 gets forwarded to this Linux box.
>
> This wam.tar.gz file contains virtually everything needed to rootkit
> a machine, including a password cracker, and several lists of email
> addresses totalling about 23,000 addresses.
>
> FWIW, chkrootkit didn't find it!
>
> What's the general removal procedure for this, and better yet, how did
> they get in?

Slightly OT, but is this a VOL customer? I have been getting hammered from VOL zombies lately. Can you share the first 3 octets of the IP?

--
Our DNSRBL - Eliminate Spam: http://www.TQMcube.com/spam_trap.php
Zombie Graphs: http://www.TQMcube.com/zombies.php
GeoGraphics: http://www.TQMcube.com/origins.php