rootkit?

Gene Heskett gene.heskett at verizon.net
Sun Dec 11 21:46:34 UTC 2005


On Sunday 11 December 2005 12:15, David Cary Hart wrote:
>On Sun, 11 Dec 2005 00:31:03 -0500
>
>Gene Heskett <gene.heskett at verizon.net> opined:
>> A friend of mine just reported he has been rooted, and his machine
>> was spewing spam in the name of the Colonial Bank.
>>
>> The name of the tar.gz file found in the /tmp dir that seems to be
>> the src of all the other oddball stuff is wam.tar.gz.
>>
>> The box is running Fedora Core 3, and the router has a switch on
>> the LAN side along with a Windows box that is also up.  Anything that
>> comes into the router on port 22 gets forwarded to this Linux box.
>>
>> This wam.tar.gz file contains virtually everything needed to
>> rootkit a machine, including a password cracker, and several email
>> address lists totalling about 23,000 addresses.
>>
>> FWIW, chkrootkit didn't find it!
>>
>> What's the general removal procedure for this, and better yet, how
>> did they get in?
>
>Slightly OT, but is this a VOL customer? I have been getting hammered
>from VOL zombies lately. Can you share the first 3 octets of the IP?
>
No, cebridge.net, a local cable provider.

>--
>Our DNSRBL -
>       Eliminate Spam: http://www.TQMcube.com/spam_trap.php
>        Zombie Graphs: http://www.TQMcube.com/zombies.php
>          GeoGraphics: http://www.TQMcube.com/origins.php

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should use this
address: <gene.heskett at verizononline.net> which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
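Since the only inbound path described above is port 22 forwarded to the box, the first place to look for "how did they get in" is sshd's own log (/var/log/secure on Fedora Core 3 era systems). The following is an added example, not code from this thread or from any Fedora tool: a Python script that scans sshd log lines for a successful login preceded by a burst of failed attempts from the same source address. The log lines, hostname, usernames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd wrote around 2005
# ("illegal user" was the wording before it became "invalid user").
# These lines are made up for the example, not taken from the thread.
SAMPLE_LOG = """\
Dec 10 03:12:01 box sshd[2101]: Failed password for illegal user admin from 198.51.100.7 port 40211 ssh2
Dec 10 03:12:04 box sshd[2103]: Failed password for illegal user test from 198.51.100.7 port 40215 ssh2
Dec 10 03:12:07 box sshd[2105]: Failed password for root from 198.51.100.7 port 40219 ssh2
Dec 10 03:12:10 box sshd[2107]: Failed password for root from 198.51.100.7 port 40223 ssh2
Dec 10 03:12:13 box sshd[2109]: Accepted password for root from 198.51.100.7 port 40227 ssh2
Dec 10 09:30:44 box sshd[2502]: Accepted publickey for gene from 192.0.2.10 port 51002 ssh2
Dec 11 00:02:19 box sshd[2611]: Failed password for gene from 192.0.2.10 port 51100 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [illegal|invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_sshd(lines):
    """Yield one dict per sshd authentication event, skipping unrelated lines."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def failures_by_ip(lines):
    """Count failed authentication attempts per source address."""
    counts = defaultdict(int)
    for ev in parse_sshd(lines):
        if ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return dict(counts)


def find_suspicious_logins(lines, min_failures=3):
    """Return (ip, user, failures_before) for every accepted login that was
    preceded by at least min_failures failures from the same source address,
    i.e. the signature of a password-guessing run that eventually succeeded."""
    failures = defaultdict(int)
    hits = []
    for ev in parse_sshd(lines):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= min_failures:
            hits.append((ev["ip"], ev["user"], failures[ev["ip"]]))
    return hits


if __name__ == "__main__":
    for ip, user, n in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"{ip}: login as {user} after {n} failures")
```

Run it against a copy of the log taken off the box rather than on the compromised host itself, for the same reason chkrootkit's clean result cannot be trusted there. A log that shows no such burst does not rule out a stolen or guessed credential used on the first try, so the absence of a hit is not proof of a different entry vector.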

More information about the fedora-list mailing list