I’ve posted a bzip2’d ext3 image of the compromised (etch) OS here:
List of packages installed on the machine here:
I’ll be pointing the authorities to it and providing any other logs required to track down the responsible party.
Dear Carl

Please read this message carefully.

You are receiving this email because you are responsible for IP address 188.8.131.52
https://bugzilla.colliertech.org/cgi-bin/bugzilla/index.cgi

The machine at this address has been hijacked, and an extra process called "tswapd" has been installed. This process is running many web sites as shown by these URLs:

http://184.108.40.206:8080/p/images/weship.gif
http://220.127.116.11:8080/legalrx/images/logo.gif
http://18.104.22.168:8080/usd/images/logo.gif
http://22.214.171.124:8080/rolex/images/logo.gif
http://126.96.36.199:8080/caviar/images/main_logo.gif

Action required

1. locate the machine at this IP address
2. change the root and any administrator passwords to make them more secure
3. shutdown the machine, and restart

Alternatively, you can issue the commands to display the process id and kill it:

    ps wax | grep "tswapd"
    kill <pid>

[where <pid> is the process-id displayed by the ps command]

If you are not the administrator, please forward this information to the administrator.

To help you locate the hijacked machine, use this link
http://www.dnsstuff.com/tools/tracert.ch?ip=188.8.131.52

Thank you from the Pharmacy Alert Security Team

For more information view http://pharmalert.zoomshare.com/ and http://spamhater.zoomshare.com/2.shtml