John Summerfied debian at
Wed Dec 14 06:39:09 UTC 2005

Gene Heskett wrote:
> A friend of mine just reported he has been rooted, and his machine was 
> spewing spam in the name of the colonial bank.
> The name of the tar.gz file found in the /tmp dir that seems to be the 
> src of all the other oddball stuff is wam.tar.gz.
> The box is running fedora core 3, and the router has a switch on the 
> lan side along with a windows box that also up.  Anything that comes 
> into the router on port 22 gets forwarded to this linux box.
> This wam.tar.gz file contains virtually everything needed to rootkit a 
> machine, including a password cracker, and several lists of email 
> address lists totalling about 23,000 addresses.
> FWIW, chkrootkit didn't find it!
> Whats the general removal procedure for this, and better yet, how did 
> they get in?

I've seen two fractured boxes; one had root, the other not. You don't 
need root (and the culprit who got root would have been better without 
it, he fscked the system so it wouldn't run).

On the other, the culprit took over a a user account, and his mistake 
was to change the user password; the user promptly complained she 
couldn't check mail.

The first, pretty much all /bin and /sbin was broken and reinstall required.

The second, all that was required was a reboot (quick and easy way to 
ensure processes got clobbered, and there's no magic way to restart 
them), remove culprit's ssh keys and establish a better password.

Since the culprit's given you (at least part of) the rootkit, examine it 
to see what it does.

Examine ~/.bash_history for the borked account to see whether you can 
see what was done. Mine was very interesting, and quite amusing: the kit 
emailed the IP address of eth0 off to someone at yahoo (so yahoo might have 
been interested): eth0 had a 192.168.0.x address, so that wasn't going 
to be useful.

Also, binaries were for RHL 7.x and hence didn't work so well on Debian.



-- spambait
1aaaaaaa at  Z1aaaaaaa at
Tourist pics

do not reply off-list

More information about the fedora-list mailing list