I got to the bottom of it: this guy installed a rootkit, "shv5_rootkit", and is sending spam (the Bank of America Hack, I imagine). I was able to get a list of commands executed and saw exactly where he got in from and what he has done.
One of my clients seems to have installed an email list program, and he gained access through the "temp" file on that program.