On Sun, 2005-12-11 at 00:31, Gene Heskett wrote:
> A friend of mine just reported he has been rooted, and his machine was 
> spewing spam in the name of the colonial bank.

> FWIW, chkrootkit didn't find it!

Did you try rkhunter?  Would be interesting to know if it could see it.

> What's the general removal procedure for this, and better yet, how did 
> they get in?

Once a system has been rooted, the only action to take is to rebuild the
system from scratch, format the drives and install clean.  Be very
careful of anything backed up on the system since the root kit was

The two favorite ways of hacking a system are either through password
guessing against ssh or telnet or by using a package that has known
vulnerabilities such as phpnuke or some of the other CMS packages out

Poor passwords are likely but easily corrected.  Use of a CMS package is
harder to fix in most cases.
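
The password-guessing vector mentioned in the reply above usually shows up in sshd's auth log well before the box is rooted, and a copy of that log (taken off the machine before the rebuild, and read with the caveat that a rootkit may have edited it) is the quickest way to answer the "how did they get in?" question. What follows is an added example, not code from the thread or from chkrootkit or rkhunter: a small Python triage that counts failed password attempts per source address and flags any password login that sshd accepted from a source that had already piled up failures, which is the trace a successful guess leaves behind. The log lines are constructed for the example (RFC 5737 documentation addresses), the threshold of three failures is an arbitrary assumption, and the regex targets the classic OpenSSH syslog line format, so adjust it if your sshd logs differently.

```python
import re
from collections import defaultdict

# Constructed sample auth log in the classic syslog/OpenSSH format (not taken
# from the original thread). 203.0.113.5 guesses several accounts and finally
# gets root's password; 198.51.100.7 is a legitimate user who fat-fingered once.
SAMPLE_AUTH_LOG = """\
Dec 11 00:30:01 box sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec 11 00:30:02 box sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Dec 11 00:30:03 box sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Dec 11 00:30:04 box sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Dec 11 00:30:05 box sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Dec 11 00:30:06 box sshd[2006]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Dec 11 00:31:10 box sshd[2010]: Failed password for gene from 198.51.100.7 port 50001 ssh2
Dec 11 00:31:15 box sshd[2011]: Accepted publickey for gene from 198.51.100.7 port 50002 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted password|publickey for X from IP" as OpenSSH writes them to syslog.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text):
    """Yield (result, method, user, ip) for every sshd auth line in `text`."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def find_password_guessing(text, threshold=3):
    """Return {ip: stats} for every source with at least `threshold` failed
    password attempts.  stats holds the failure count, the set of usernames
    tried, and any password login sshd accepted from that source *after* it
    had already crossed the threshold (the signature of a successful guess).
    `threshold` is an assumed value; tune it to your environment."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "accepted_after_failures": []})
    for result, method, user, ip in parse_auth_log(text):
        s = stats[ip]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif method == "password" and s["failures"] >= threshold:
            s["accepted_after_failures"].append(user)
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, s in find_password_guessing(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {s['failures']} failed password attempts against "
              f"{sorted(s['users'])}")
        for user in s["accepted_after_failures"]:
            print(f"  !! password login ACCEPTED for '{user}' after the failures")
```

Pipe a real file in with `find_password_guessing(open("/path/to/auth.log").read())`; on a live box the same check belongs in a cron job or log watcher rather than a one-off. The lasting fix for this vector is the one the reply points at, stronger credentials, and in practice that means turning password authentication off in sshd altogether and using keys.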

