Gene Heskett wrote:
A friend of mine just reported he has been rooted, and his machine was
spewing spam in the name of the colonial bank.
The name of the tar.gz file found in the /tmp dir that seems to be the
src of all the other oddball stuff is wam.tar.gz.
The box is running fedora core 3, and the router has a switch on the
lan side along with a windows box that also up. Anything that comes
into the router on port 22 gets forwarded to this linux box.
This wam.tar.gz file contains virtually everything needed to rootkit a
machine, including a password cracker, and several lists of email
address lists totalling about 23,000 addresses.
FWIW, chkrootkit didn't find it!
Whats the general removal procedure for this, and better yet, how did
they get in?
I've seen two fractured boxes; one had root, the other not. You don't
need root (and the culprit who got root would have been better without
it, he fscked the system so it wouldn't run).
On the other, the culprit took over a a user account, and his mistake
was to change the user password; the user promptly complained she
couldn't check mail.
The first, pretty much all /bin and /sbin was broken and reinstall required.
The second, all that was required was a reboot (quick and easy way to
ensure processes got clobbered, and there's no magic way to restart
them), remove culprit's ssh keys and establish a better password.
Since the culprit's given you (at least part of) the rootkit, examine it
to see what it does.
Examine ~/.bash_history for the borked account to see whether you can
see what was done. Mine was very interesting, and quite amusing: the kit
emailed the IP address of eth0 off to someone@yahoo (so yahoo might have
been interested): eth0 had a 192.168.0.x address, so that wasn't going
to be useful.
Also, binaries were for RHL 7.x and hence didn't work so well on Debian.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
