rootkit?

Craig White craigwhite at azapple.com
Sun Dec 11 05:35:26 UTC 2005


On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
> A friend of mine just reported he has been rooted, and his machine was 
> spewing spam in the name of the colonial bank.
> 
> The name of the tar.gz file found in the /tmp dir that seems to be the 
> src of all the other oddball stuff is wam.tar.gz.
> 
> The box is running fedora core 3, and the router has a switch on the 
> LAN side along with a windows box that is also up.  Anything that comes 
> into the router on port 22 gets forwarded to this linux box.
> 
> This wam.tar.gz file contains virtually everything needed to rootkit a 
> machine, including a password cracker, and several lists of email 
> address lists totalling about 23,000 addresses.
> 
> FWIW, chkrootkit didn't find it!
> 
> What's the general removal procedure for this, and better yet, how did 
> they get in?
----
It would seem that ssh, with root allowed to login via password, would be the
magic combination of bad judgement...it's been so thoroughly discussed
on this list as of late.

Craig
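The combination Craig names, as an added example that is not part of the thread: a small POSIX sh audit that reads the global section of an sshd_config and reports whether root can log in with a password. The sample configs are constructed, and the fallback defaults of "yes" for both keywords are an assumption matching OpenSSH of the FC3 era.

```sh
#!/bin/sh
# sshd takes the FIRST value set for a keyword, keywords are case-insensitive,
# and anything after a "Match" line is conditional, so only the global
# section is inspected here.

# Print the effective value of keyword $1 in config $2, or default $3 if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments, blank lines
        tolower($1) == "match" { exit }               # end of global section
        tolower($1) == key && !found { found = 1; print tolower($2) }
        END { if (!found) print dflt }
    ' "$2"
}

# Return 0 (true) when root can authenticate with a password, 1 otherwise.
sshd_root_password_exposed() {
    # assumed defaults: "yes" for both, as in OpenSSH of that era
    root=$(sshd_effective PermitRootLogin "$1" yes)
    pass=$(sshd_effective PasswordAuthentication "$1" yes)
    # these values let root in with keys only, never with a password
    case "$root" in
        no|without-password|prohibit-password|forced-commands-only) return 1 ;;
    esac
    [ "$pass" = "yes" ] && return 0
    return 1
}

# constructed sample: stock-looking config with nothing hardened
weak=$(mktemp)
cat >"$weak" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
EOF

# constructed sample: hardened; the later duplicate is ignored (first value wins)
hardened=$(mktemp)
cat >"$hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
EOF

sshd_root_password_exposed "$weak" && echo "weak config: root password login possible"
sshd_root_password_exposed "$hardened" || echo "hardened config: root password login blocked"
```

Later OpenSSH releases changed the PermitRootLogin default to prohibit-password, so adjust the assumed default to the version being audited.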
