Re: Mass Mailing Worm on Linux

From: Owen Jacobson (
Date: 05/12/04

Date: Wed, 12 May 2004 08:13:26 GMT

On Wed, 12 May 2004 07:56:13 +0000, Nils Petter Vaskinn wrote:

> On Tue, 11 May 2004 20:16:14 -0500, Shashank Khanvilkar wrote:
>> I have a redHat 9 system that I had been using for the past few years.
>> Yesterday, one of our system admins filtered my machine saying that it
>> is infected by a mass mailing worm that is sending spam.
> Your machine has probably been broken into by a human or a worm, or you
> have executed a trojan.
> As a result you can no longer trust any of the files on the system to be
> unmodified. Tools like ps and top may be fixed not to show the spammers
> processes.
> If you want to poke around and try to find out what has happened you'll
> need to boot from something like a rescue CD/floppy or knoppix to be sure
> you're running tools that are not tampered with.
>> Has anyone ever faced such a problem and what steps did they take to
>> eliminate it?
> Plenty of people probably.
> Erase and reinstall. Since even if your investigation turns out a rootkit
> you can never be certain that there isn't one more modified program there
> that will let the spammer right back in.

You may (possibly) gain some useful information by monitoring the traffic
to and from the "compromised" box, using a secure, clean, impenetrable
machine to do the listening. Since this is impossible, the next best
thing is to monitor from a machine with no IP address, such as a bridge.

If you're really compromised, you'll probably find out where from (though
this information will be next to useless, as it's probably another
compromised host). If you've simply misconfigured something, the traffic
will tell you what.

Some say the Wired doesn't have political borders like the real world,
but there are far too many nonsense-spouting anarchists or idiots who
think that pranks are a revolution.
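As an added example (not code from this thread or from any of its posters), here is the kind of check that Owen's suggestion leads to once a capture exists: given `tcpdump -n` output taken on an IP-less bridge in front of the suspect box, count how many distinct SMTP servers each internal host opens connections to within a short window. A workstation that relays through one configured mail server touches one destination; a mass-mailing worm opens sessions to many MX hosts in a short time. The capture lines, the threshold, the relay address and the function names are all constructed assumptions for this example.

```python
"""Flag hosts that behave like mass mailers in a passive SMTP capture.

Added example, not code from the original thread. It assumes the capture
came from a bridge with no IP address, with a filter along the lines of
    tcpdump -n -i br0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'
so that every line is an outbound connection attempt to port 25.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in tcpdump's default line format. 192.168.1.50 fans out
# to eight different mail servers in under a minute; 192.168.1.7 mostly talks
# to the site relay 192.168.1.2. The last line is a non-SYN and is ignored.
SAMPLE_CAPTURE = """\
10:15:01.000123 IP 192.168.1.50.33001 > 203.0.113.10.25: Flags [S], seq 1, win 5840, length 0
10:15:03.000456 IP 192.168.1.50.33002 > 203.0.113.11.25: Flags [S], seq 1, win 5840, length 0
10:15:05.000789 IP 192.168.1.7.41000 > 192.168.1.2.25: Flags [S], seq 1, win 5840, length 0
10:15:07.000111 IP 192.168.1.50.33003 > 203.0.113.12.25: Flags [S], seq 1, win 5840, length 0
10:15:10.000222 IP 192.168.1.50.33004 > 203.0.113.13.25: Flags [S], seq 1, win 5840, length 0
10:15:14.000333 IP 192.168.1.50.33005 > 203.0.113.14.25: Flags [S], seq 1, win 5840, length 0
10:15:19.000444 IP 192.168.1.50.33006 > 203.0.113.15.25: Flags [S], seq 1, win 5840, length 0
10:15:24.000555 IP 192.168.1.50.33007 > 203.0.113.16.25: Flags [S], seq 1, win 5840, length 0
10:15:30.000666 IP 192.168.1.50.33008 > 203.0.113.17.25: Flags [S], seq 1, win 5840, length 0
10:15:40.000777 IP 192.168.1.7.41001 > 192.168.1.2.25: Flags [S], seq 1, win 5840, length 0
10:15:50.000888 IP 192.168.1.7.41002 > 198.51.100.5.25: Flags [S], seq 1, win 5840, length 0
10:16:10.000999 IP 192.168.1.7.41003 > 192.168.1.2.25: Flags [S], seq 1, win 5840, length 0
10:16:11.000000 IP 203.0.113.10.25 > 192.168.1.50.33001: Flags [S.], seq 9, ack 2, win 5792, length 0
"""

# Matches only a bare SYN to port 25; "[S.]" (SYN-ACK) does not match.
SYN_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.25: Flags \[S\]"
)


def parse_syns(text):
    """Return a list of (timestamp, src, dst) for every outbound SMTP SYN.

    Timestamps carry no date, so a capture that crosses midnight would
    need the date added first; for a short capture this is good enough.
    """
    events = []
    for line in text.splitlines():
        m = SYN_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S")
            events.append((ts, m.group("src"), m.group("dst")))
    return events


def find_mass_mailers(text, window=timedelta(minutes=1), threshold=5,
                      allowed_relays=()):
    """Return {src: max_distinct_smtp_destinations} for hosts at or above threshold.

    Connections to addresses in allowed_relays (the site's real mail relay,
    a constructed value here) are ignored, so a host that only submits mail
    through its configured relay is never flagged, however busy it is.
    """
    by_src = defaultdict(list)
    for ts, src, dst in sorted(parse_syns(text)):
        if dst in allowed_relays:
            continue
        by_src[src].append((ts, dst))

    flagged = {}
    for src, hits in by_src.items():
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for host, n in find_mass_mailers(SAMPLE_CAPTURE,
                                     allowed_relays=("192.168.1.2",)).items():
        print(f"{host}: {n} distinct SMTP servers within one minute")
```

Run it as-is to see the fan-out host reported; feed it a real `tcpdump -n` capture and set `allowed_relays` to the site's actual relay. Tune `threshold` and `window` to what normal traffic looks like on the segment before trusting the result.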