Tracking the "Crusader Spammer"

Some more info from the admins at

The sites attacked during last week-end (Saturday and Sunday) in Strasbourg, France, are SUN/OS stations in our astronomical institute (, or These machines are pretty visible on the network as we manage an international data center, including ftp and web site. Apparently the hacker used a hole in the "sendmail" on these machines to enter the system and gain "root" privileges. National and international computer security organizations (including CERT) have been immediately informed, a complaint have been lodged, and the French security agency (DST) is working on the problem, in collaboration with FBI. We have partial copies of the list of addresses used, and they are being analysed. Two days later the same problem arose in ESO computers in Garching, Germany. ESO is an international organization (European Southern Observatory) with which we are closely collaborating and the hacker obviously benefited rhosts connections existing between our two networks of workstations.