On Friday 31 March 2006 19:32, John Summerfield wrote:
>Gene Heskett wrote:
>>>----
>>>My money is on sshd - somebody with a weak password.
>>
>> We found a couple that were downright
>> stupid/dumb/asinine/all_of_the_above.
>
>Since the attacker wrote to /usr I'd be looking at how he got to be
> root.

We haven't found that yet. We're still looking over the forensic copy we made of that drive with dd. And root's password was alpha-numeric, longer than most and certainly not susceptible to a dictionary attack.

Interesting, since you made the comment re the compiler being handy, is that it wasn't used to install the irc botnet kit, only a shell, gzip, chmod & cp were used for that according to the install script we read.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.