From owner-freebsd-security@FreeBSD.ORG  Wed Feb 25 20:01:31 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 47309359
 for <freebsd-security@freebsd.org>; Wed, 25 Feb 2015 20:01:31 +0000 (UTC)
Received: from hammer.pct.niksun.com (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx2.freebsd.org (Postfix) with ESMTP id CEE15860;
 Wed, 25 Feb 2015 20:01:30 +0000 (UTC)
Message-ID: <54EE2A19.7050108@FreeBSD.org>
Date: Wed, 25 Feb 2015 15:01:29 -0500
From: Jung-uk Kim <jkim@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Joseph Mingrone <jrm@ftfl.ca>, freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
References: <864mq9zsmm.fsf@gly.ftfl.ca>
In-Reply-To: <864mq9zsmm.fsf@gly.ftfl.ca>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 20:01:31 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/25/2015 14:41, Joseph Mingrone wrote:
> This morning when I arrived at work I had this email from my 
> university's IT department (via email.it) informing me that my host
> was infected and spreading a worm.
> 
> "Based on the logs fingerprints seems that your server is infected
> by the following worm: Net-Worm.PHP.Mongiko.a"
> 
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST 
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a"
> 
> Despite the surprising name, I don't see any evidence that it's
> related to php.  I did remove php, because I don't really need it.
> I've included my /etc/rc.conf below.  pkg audit doesn't show any 
> vulnerabilities.  Searching for Worm.PHP.Mongiko doesn't show
> much. I've run chkrootkit, netstat/sockstat and I don't see
> anything suspicious and I plan to finally put some reasonable
> firewall rules on this host.
> 
> Do you have any suggestions?  Should I include any other
> information here?
...

I found this:

http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do

Jung-uk Kim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJU7ioVAAoJEHyflib82/FGXjoH/if/ZIuW6/KvVD0fYJ7Mfmkj
wkB7BzfYcE2KQ4PomwWzEUoyc1b2RNZ9a0b/FaxMK3xUGwbKqchiCT+KlHUAdWRc
ifK9dOMg/DRtmacmo718k4SZghPlHY1AtB0I65vo7YSWCMxQJkgY9cxdKIvdoLkd
ujV2+yFjmg2zKM7bDkoCt2c34iUODUeXm2FUPIjVYCycwusDhXY2WZ+AZTmgDdQA
O8AlLRgSTjN53VdiK8HTW3Q5JTDtCymHNT8Oj8MZoEYwkOuh1jQnAaGrWaS1wQo4
MtiqShnKLZoyKPZYll84r0aCTqt997ZhhVYqsO13Db8Ev66pC56niQy31FfCfbw=
=0dgN
-----END PGP SIGNATURE-----