From: Joseph Mingrone
To: freebsd-security@freebsd.org
Subject: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 15:41:05 -0400
Message-ID: <864mq9zsmm.fsf@gly.ftfl.ca>
List-Id: "Security issues [members-only posting]"

This morning when I arrived at work I had this email from my university's IT department (via email.it) informing me that my host was infected and spreading a worm.

    "Based on the logs fingerprints seems that your server is infected by the following worm: Net-Worm.PHP.Mongiko.a"

    my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"

Despite the surprising name, I don't see any evidence that it's related to php. I did remove php, because I don't really need it. I've included my /etc/rc.conf below. pkg audit doesn't show any vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show much. I've run chkrootkit and netstat/sockstat, and I don't see anything suspicious. I plan to finally put some reasonable firewall rules on this host.

Do you have any suggestions? Should I include any other information here?

Joseph

/etc/rc.conf:

    #bsdstats_enable="YES"
    clear_tmp_enable="YES"
    devfs_system_ruleset="localrules"
    dumpdev="AUTO"
    hostname="gly.ftfl.ca"
    ifconfig_re0="SYNCDHCP"
    linux_enable="YES"
    local_unbound_enable="YES"
    keymap="us.jrm"
    lpd_enable="YES"
    moused_enable="YES"
    moused_port="/dev/ums0"
    moused_ums0_flags="-A 2.5,2.0 -a 1 -V"
    nginx_enable="YES"
    ntpd_enable="YES"
    panicmail_enable="YES"
    php_fpm_enable="YES"
    spawn_fcgi_enable="YES"
    spawn_fcgi_bindaddr=""
    spawn_fcgi_bindport=""
    spawn_fcgi_bindsocket="/var/run/spawn_fcgi.socket"
    spawn_fcgi_bindsocket_mode="0700"
    sshd_enable="YES"
    update_motd="NO"
    usbd_enable="YES"
    zfs_enable="YES"
    znc_enable="YES"
    znc_user="znc"
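The log line the IT department forwarded is in the standard combined access-log format (client address, identity, user, timestamp, request line, status, bytes, referer, user agent). A first step on a host like this is to run the same fingerprint over the local nginx access log: flag any request whose User-Agent is the worm name, and, because a beacon can trivially change its User-Agent, also flag any POST to / that carries the cmd/key/ip parameter set seen in the quoted request. The script below is an added example written for this thread, not code from the original post or from FreeBSD; the log lines it embeds are constructed (203.0.113.10 and 198.51.100.7 are documentation addresses standing in for "my ip here" and a bystander), and it assumes the combined log format and a Python interpreter on the host.

```python
"""Scan combined-format access log lines for the request pattern quoted in
the thread: User-Agent "Net-Worm.PHP.Mongiko.a", or a POST to / carrying
cmd=, key= and ip= query parameters.

Added example for this thread; not code from the original post or from
FreeBSD. Log lines below are constructed; the parser assumes the combined
log format used by the quoted line.
"""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# combined format:
#   client ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WORM_UA = "Net-Worm.PHP.Mongiko.a"     # user agent from the quoted log line
WORM_PARAMS = {"cmd", "key", "ip"}      # query keys from the quoted request


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep the first value of each query key; parse_qs returns lists
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_suspicious(rec):
    """True if the UA names the worm, or the request shape matches its beacon
    (POST to / with all of cmd, key and ip) regardless of UA."""
    if rec["ua"] == WORM_UA:
        return True
    return (rec["method"] == "POST" and rec["path"] == "/"
            and WORM_PARAMS <= set(rec["query"]))


def scan(lines):
    """Return one summary dict per suspicious line; unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec):
            continue
        hits.append({
            "client": rec["client"],
            "time": rec["time"],
            "status": rec["status"],
            "cmd": rec["query"].get("cmd"),
            "key": rec["query"].get("key"),
            "reported_ip": rec["query"].get("ip"),
            "ua": rec["ua"],
        })
    return hits


# Constructed sample: line 1 mirrors the quoted request with a documentation
# address as the client; line 3 is the same beacon shape with a browser UA.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '198.51.100.7 - - [23/Feb/2015:14:55:01 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Feb/2015:15:02:14 +0100] "POST /?cmd=info&key=0123456789abcdef0123456789abcdef&ip=198.51.100.7 HTTP/1.1" 200 429 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Feb/2015:15:03:40 +0100] "POST /login?cmd=info HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not an access log record',
]


if __name__ == "__main__":
    # usage: scan_worm.py [/var/log/nginx/access.log]; default runs the sample
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for h in scan(source):
        print("%(time)s %(client)s cmd=%(cmd)s key=%(key)s ip=%(reported_ip)s ua=%(ua)r" % h)
```

Two things to keep in mind when reading the output. First, in the combined format the first field is the remote address, so in the line the IT department quoted the author's own host is the *client*: that record describes a request sent from his machine, whereas hits in his local nginx log would be inbound probes from other infected hosts. Second, the key and ip parameters are just carried through as reported; the script does not validate them, it only makes them easy to pivot on when correlating with netstat/sockstat or firewall logs.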