On Sunday 11 December 2005 12:15, David Cary Hart wrote:
> On Sun, 11 Dec 2005 00:31:03 -0500
>
> Gene Heskett <gene.heskett@xxxxxxxxxxx> opined:
>> A friend of mine just reported he has been rooted, and his machine
>> was spewing spam in the name of the Colonial Bank.
>>
>> The name of the tar.gz file found in the /tmp dir that seems to be
>> the src of all the other oddball stuff is wam.tar.gz.
>>
>> The box is running Fedora Core 3, and the router has a switch on
>> the LAN side along with a Windows box that is also up. Anything that
>> comes into the router on port 22 gets forwarded to this Linux box.
>>
>> This wam.tar.gz file contains virtually everything needed to
>> rootkit a machine, including a password cracker, and several lists
>> of email addresses totalling about 23,000 addresses.
>>
>> FWIW, chkrootkit didn't find it!
>>
>> What's the general removal procedure for this, and better yet, how
>> did they get in?
>
> Slightly OT, but is this a VOL customer? I have been getting hammered
> from VOL zombies lately. Can you share the first 3 octets of the IP?
>

No, cebridge.net, a local cable provider.

> --
> Our DNSRBL -
>   Eliminate Spam: http://www.TQMcube.com/spam_trap.php
>   Zombie Graphs: http://www.TQMcube.com/zombies.php
>   GeoGraphics: http://www.TQMcube.com/origins.php

--
Cheers, Gene
People having trouble with vz bouncing email to me should use this address:
<gene.heskett@xxxxxxxxxxxxxxxxx>
which bypasses vz's stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.