On Sun, 13 Nov 2005, Matt Graham wrote:
> I wrote to this guy and asked him what he meant. There ARE a lot of pictures of me and my sister on that website. Vacation pics and things.
Ah, so he meant that the website on the attacking IP was riddled with pictures of you and your sister? That at least makes some degree of sense, and assuming that the email was sent to an address that was on the website rather than "webmaster@ip.add.res.ss" these are all good clues as to the legitimacy of the email.
> I ran chkrootkit and the only (possibly) negative results I got were:
>
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
> Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/j2se/1.4/jre/.systemPrefs
> /usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
> /usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
> /usr/lib/j2se/1.4/jre/.systemPrefs
> I guess that since I even suspect that it's compromised, I should reinstall.
Reinstalling from disc probably won't remove the exploited hole. There's lots of ways to exploit security holes without being root. There's another awstats vulnerability that lets anyone run perl commands on a box that runs it. I'd check the apache logs, grep for awstats and see if anything interesting comes up, if you're running awstats.
What distribution are you running, and do you subscribe to the security mailing list for that distro?
Regards,
-Don
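As an added example, not code from Don's message or anyone else in this thread: a small POSIX shell script that does the kind of log check suggested above, pulling every request to awstats.pl out of an Apache access log and flagging the ones whose query string carries shell metacharacters (raw or URL-encoded pipe, semicolon, backtick, dollar sign). The four log lines it writes are constructed for the example, the default log path and the function names are assumptions, and the metacharacter list is a generic heuristic rather than a signature for any particular awstats bug.

```shell
#!/bin/sh
# Added example (not from the original thread): flag awstats.pl requests
# whose query string contains shell metacharacters. Sample log lines are
# constructed, not captured from any real host.

LOG="${1:-/tmp/awstats_sample.log}"   # assumed default path for this example

# Write a constructed Apache combined-format sample: two ordinary hits
# (one awstats, one static page) and two suspicious awstats hits.
make_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.10 - - [13/Nov/2005:10:01:22 -0500] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Nov/2005:10:02:05 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2005:10:03:41 -0500] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%20;id%20;%00 HTTP/1.1" 200 812 "-" "-"
198.51.100.7 - - [13/Nov/2005:10:03:42 -0500] "GET /cgi-bin/awstats.pl?config=x&configdir=%7Cuname%20-a%7C HTTP/1.0" 200 790 "-" "-"
EOF
}

# Print lines that (a) request awstats.pl and (b) carry a metacharacter
# somewhere in the query string: | %7C ; %3B ` %60 $ %24.
# [^ ]* keeps the match inside the request target, before "HTTP/1.x".
suspicious_awstats_hits() {
  grep -i 'awstats\.pl' "$1" \
    | grep -iE '\?[^ ]*(%7C|\||%3B|;|%60|`|%24|\$)'
}

# Number of flagged lines, for a quick yes/no answer.
count_suspicious() {
  suspicious_awstats_hits "$1" | wc -l | tr -d ' '
}

make_sample_log "$LOG"
suspicious_awstats_hits "$LOG"
```

Run it against a real log with `sh awstats_check.sh /var/log/apache2/access.log` (path varies by distribution); anything it prints is a request worth reading in full, and the client address on those lines is the one to compare against the IP named in the complaint. A clean run proves little on its own, since logs can be rotated or edited, but a hit is strong evidence.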