On Wed, 2002-10-23 at 16:44, az_pete@cactusfamily.com wrote:

> This box has been offline (actually powered off) for several weeks and I'm just now getting around to performing some
> analysis on it.

Ah, yes - I remember you mentioning this on the list (or someone else had the same problem).

> When I discovered some strange behavior with some of the system utils (ps, ls, etc.) I became suspicious
> and pulled the network connection. After saving some static html files, I powered the unit off.
>
> From my reading on the web regarding ShowTee, I've confirmed everything you mentioned below. I believe they got in via
> a vulnerable version of wu-ftpd. This server was running 2.6.0 (I believe).

UGH. Don't you hate it when you're right? :-)

> Do you think that this root kit would be able to capture passwords from other hosts on the network? For example: while
> this infected box was on the network, it captured the login password from the infected box. Could it have captured
> passwords when I logged into another machine on the network?

Absolutely - I'd scan all your other machines quickly and make sure your security updates are recent. Are these boxes behind a proxy and/or firewall? You might want to check logs to see if any 'strange' traffic originated from that box (and others).