So this morning I get an email from the US Department of Defense. Seems one of our computers was being used as a launching pad to exploit some DOD systems. Found the computer, pulled it off the net and proceeded to do a post-mortem. My co-workers were offering all kinds of suggestions about how to go about this, what to look for, etc. All wrong, of course. I've done this before. Found the payload in about 3 minutes. Hidden away in "/var/tmp/.. " - note the space at the end. Clever, yes, but this is an old trick. I pulled off the payload files to have a look. Lessee, a streaming media server, thirty different denial of service attack generators, and one old root kit from 2001.
My co-workers were instantly preparing to format the disk. Rootkit, bad. Re-format. Nah, these guys weren't after root, and they didn't get it. They got what they were after - another zombie to join their network of DoS slaves. If they really wanted to get root access, they would've used a modern rootkit. The poor kid who uses this box has his entire PhD on it, and the last thing I want to do is erase his life's work. No need to. Just reset the password, get rid of the zombie net and put the machine back in service.
Incidentally, this is just one of a growing number of incidents coming out of Romania. There were Romanian 'fingerprints' all over this particular exploit. FYI. In years past we've seen involvement by Germany, Russia, China and others. This one is Romanian, for what it's worth. Somebody there is funding an effort (or being funded) to stage denial of service attacks on a global scale. Interesting.
-- Cyrus, Chicago Reader 1/22/82
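The "/var/tmp/.. " trick Cyrus mentions works because a plain `ls -la` prints the entry right next to the real `.` and `..`, and a trailing space is invisible. The script below is an added example (not Cyrus's code or anything from the original post) of the check a responder would run: walk a tree and flag entry names made only of dots and whitespace, padded with leading or trailing whitespace, or containing non-printable characters. The fixture directory it builds (names like ".. ", "...", " ") is constructed here for the demo and is not the compromised machine's layout.

```python
"""Flag directory entries whose names are meant to hide in an `ls` listing."""
import os
import re
import shutil
import tempfile

# Suspicious name shapes:
#   ^[.\s]+$   -> made only of dots/whitespace (".. ", "...", " ")
#   ^\s | \s$  -> leading or trailing whitespace on an otherwise normal name
# os.listdir()/os.walk() never return the real "." and "..", so any match
# is an entry somebody chose to make look like them.
DECEPTIVE = re.compile(r"^[.\s]+$|^\s|\s$")


def is_deceptive(name: str) -> bool:
    """True if `name` would be easy to overlook or mistake for . / .. in ls -la."""
    if name in (".", ".."):
        return False
    # Control characters (e.g. \x08, \x1b) are another classic hiding trick.
    return DECEPTIVE.search(name) is not None or not name.isprintable()


def find_deceptive_entries(root: str) -> list:
    """Walk `root` and return full paths of every deceptively named entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_deceptive(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo() -> list:
    """Build a constructed /var/tmp look-alike and report what the scan flags."""
    base = tempfile.mkdtemp(prefix="vartmp_demo_")  # hypothetical stand-in for /var/tmp
    try:
        os.mkdir(os.path.join(base, ".. "))      # the trick from the post: trailing space
        os.mkdir(os.path.join(base, "..."))      # three dots, also easy to skim past
        os.mkdir(os.path.join(base, " "))        # a bare space
        os.mkdir(os.path.join(base, ".cache"))   # ordinary dotdir, must NOT be flagged
        open(os.path.join(base, ".. ", "payload.tgz"), "w").close()  # empty placeholder file
        return [os.path.relpath(p, base) for p in find_deceptive_entries(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for entry in demo():
        print(repr(entry))
```

Only the container ".. " is reported, not the files inside it; once you have the directory you list it yourself. For a one-liner on a live box, `ls -laQ` (quote every name) or `find /var/tmp -name '* '` makes the same trailing space visible without any script.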
