Re: rootkit?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sunday 11 December 2005 12:15, David Cary Hart wrote:
>On Sun, 11 Dec 2005 00:31:03 -0500
>
>Gene Heskett <gene.heskett@xxxxxxxxxxx> opined:
>> A friend of mine just reported he has been rooted, and his machine
>> was spewing spam in the name of the colonial bank.
>>
>> The name of the tar.gz file found in the /tmp dir that seems to be
>> the src of all the other oddball stuff is wam.tar.gz.
>>
>> The box is running fedora core 3, and the router has a switch on
>> the lan side along with a windows box that also up.  Anything that
>> comes into the router on port 22 gets forwarded to this linux box.
>>
>> This wam.tar.gz file contains virtually everything needed to
>> rootkit a machine, including a password cracker, and several lists
>> of email address lists totalling about 23,000 addresses.
>>
>> FWIW, chkrootkit didn't find it!
>>
>> Whats the general removal procedure for this, and better yet, how
>> did they get in?
>
>Slightly OT, but is this a VOL customer? I have been getting hammered
>from VOL zombies lately. Can you share the first 3 octets of the IP?
>
No, cebridge.net, a local cable provider.

>--
>Our DNSRBL -
>       Eliminate Spam: http://www.TQMcube.com/spam_trap.php
>        Zombie Graphs: http://www.TQMcube.com/zombies.php
>          GeoGraphics: http://www.TQMcube.com/origins.php

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should use this
address: <gene.heskett@xxxxxxxxxxxxxxxxx> which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux