gene.heskett at verizon.net
Sun Dec 11 05:31:03 UTC 2005
A friend of mine just reported he has been rooted, and his machine was
spewing spam in the name of the colonial bank.
The name of the tar.gz file found in the /tmp dir that seems to be the
src of all the other oddball stuff is wam.tar.gz.
The box is running fedora core 3, and the router has a switch on the
lan side along with a windows box that also up. Anything that comes
into the router on port 22 gets forwarded to this linux box.
This wam.tar.gz file contains virtually everything needed to rootkit a
machine, including a password cracker, and several lists of email
address lists totalling about 23,000 addresses.
FWIW, chkrootkit didn't find it!
Whats the general removal procedure for this, and better yet, how did
they get in?
People having trouble with vz bouncing email to me should use this
address: <gene.heskett at verizononline.net> which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
More information about the users