rootkit?

Gene Heskett gene.heskett at verizon.net
Sun Dec 11 05:45:23 UTC 2005


On Sunday 11 December 2005 00:35, Craig White wrote:
>On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
>> A friend of mine just reported he has been rooted, and his machine
>> was spewing spam in the name of the colonial bank.
>>
>> The name of the tar.gz file found in the /tmp dir that seems to be
>> the src of all the other oddball stuff is wam.tar.gz.
>>
>> The box is running Fedora Core 3, and the router has a switch on
>> the LAN side along with a Windows box that is also up.  Anything that
>> comes into the router on port 22 gets forwarded to this Linux box.
>>
>> This wam.tar.gz file contains virtually everything needed to
>> rootkit a machine, including a password cracker, and several lists
>> of email address lists totalling about 23,000 addresses.
>>
>> FWIW, chkrootkit didn't find it!
>>
>> What's the general removal procedure for this, and better yet, how
>> did they get in?
>
>----
>it would seem that ssh, root allowed to login via password would be
> the magic combination of bad judgement...it's been so thoroughly
> discussed on this list as of late.
>
I forgot to mention that all the unpacked files are in his son's name,
an unprivileged user, but with a very weak password.  So we think it
came in and was running as this user.  His son, taking comp sci
courses as a junior in college now, simply would never have done this,
it's just not his style.  All he ever uses is email & a web browser.

>Craig

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should use this
address: <gene.heskett at verizononline.net> which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
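The two points raised in this thread, sshd accepting password logins (for root or for a weak-password user) and the question of how the intruder got in, can both be checked from the box itself. The script below is an added example written for this archive page, not code from either poster or from the Fedora project: it audits an sshd_config for the permissive directives Craig names, and it counts "Failed password" lines per source address in sshd log output so a run of failures followed by an "Accepted password" from the same address stands out. The config texts, log lines, host name, account name "student" and addresses are all constructed for the example; the assumption that an absent PermitRootLogin or PasswordAuthentication directive defaults to "yes" matches OpenSSH releases of the Fedora Core 3 era and is noted in the code.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd_config with the settings Craig describes as the
# "magic combination" (hypothetical content, not taken from the rooted box).
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed hardened counterpart: key-only logins, no direct root login.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Assumption: when a directive is missing, OpenSSH of that era defaulted both
# of these to "yes", so an unedited config is as weak as the explicit one.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return {directive_lower: value_lower} for effective (uncommented) lines."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings


def audit_sshd_config(text):
    """Return one finding string per permissive directive relevant to the thread."""
    s = parse_sshd_config(text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can be guessed at directly")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: weak user passwords are brute-forceable")
    return findings


# sshd log lines in the syslog format Fedora writes to /var/log/secure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+")


def summarize_ssh_auth(lines, threshold=5):
    """Count failed password attempts per source and flag password logins that
    came from a source which had already failed at least `threshold` times."""
    failures = Counter()
    targeted = defaultdict(set)
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            targeted[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())          # (user, source)
    suspicious = {src for src, n in failures.items() if n >= threshold}
    return {
        "failures": dict(failures),
        "targeted": {src: sorted(users) for src, users in targeted.items()},
        "suspicious_sources": sorted(suspicious),
        "logins_after_bruteforce": [(u, s) for u, s in accepted if s in suspicious],
    }


# Constructed log excerpt: a short guessing run against root and a few common
# names, then a successful password login for the weak "student" account.
SAMPLE_AUTH_LOG = [
    "Dec 10 23:58:01 fc3box sshd[2211]: Failed password for root from 192.0.2.10 port 40122 ssh2",
    "Dec 10 23:58:03 fc3box sshd[2213]: Failed password for root from 192.0.2.10 port 40123 ssh2",
    "Dec 10 23:58:05 fc3box sshd[2215]: Failed password for invalid user admin from 192.0.2.10 port 40124 ssh2",
    "Dec 10 23:58:07 fc3box sshd[2217]: Failed password for invalid user test from 192.0.2.10 port 40125 ssh2",
    "Dec 10 23:58:09 fc3box sshd[2219]: Failed password for student from 192.0.2.10 port 40126 ssh2",
    "Dec 10 23:58:11 fc3box sshd[2221]: Accepted password for student from 192.0.2.10 port 40127 ssh2",
    "Dec 11 00:05:30 fc3box sshd[2301]: Accepted password for gene from 198.51.100.7 port 50001 ssh2",
]

if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("weak config:", finding)
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print(summarize_ssh_auth(SAMPLE_AUTH_LOG))
```

On a real host the log function would be fed the lines of /var/log/secure (and its rotated copies) from before the compromise; a source that exceeds the threshold and then appears in an "Accepted password" line is the entry point to look at first. The threshold of five is only a demonstration value.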