From: Joseph Mingrone
To: Jung-uk Kim
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 16:04:59 -0400
In-Reply-To: <54EE2A19.7050108@FreeBSD.org> (Jung-uk Kim's message of "Wed, 25 Feb 2015 15:01:29 -0500")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org>
Message-ID: <86vbipycyc.fsf@gly.ftfl.ca>
List-Id: "Security issues [members-only posting]"

Jung-uk Kim writes:

> On 02/25/2015 14:41, Joseph Mingrone wrote:
>> This morning when I arrived at work I had this email from my
>> university's IT department (via email.it) informing me that my host
>> was infected and spreading a worm.
>>
>> "Based on the logs fingerprints seems that your server is infected
>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>
>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>>
>> Despite the surprising name, I don't see any evidence that it's
>> related to php. I did remove php, because I don't really need it.
>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>> much.
>> I've run chkrootkit, netstat/sockstat and I don't see
>> anything suspicious and I plan to finally put some reasonable
>> firewall rules on this host.
>>
>> Do you have any suggestions? Should I include any other
>> information here?
> ...
>
> I found this:
>
> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>
> Jung-uk Kim

Yeah, I saw that as well. I wouldn't be concerned if this was hitting my
web server, but the key difference here is that my IP is apparently the
source in this case.

Joseph
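As an added example (not part of the thread and not code from either poster): a small Python scanner for the request pattern quoted in the IT department's log line, written from the receiving web server's side. It assumes the Apache "combined" log format, flags lines whose user agent names the worm or whose request is a POST to / carrying cmd, key and ip parameters, and reports the client address of each hit, since that address, not the ip= value, is the host actually sending the requests. The sample log lines are constructed; 192.0.2.10 stands in for "my ip here".

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (an assumption; the thread's excerpt is an Apache-style line).
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format log line into fields; return None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    parts = urlsplit(d["target"])
    d["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    d["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return d

def is_mongiko_hit(entry):
    """Signature taken from the thread: the UA names the worm, or a POST to / with cmd, key and ip params."""
    if "Net-Worm.PHP.Mongiko" in entry["ua"]:
        return True
    if entry["method"] == "POST" and entry["path"] == "/":
        return {"cmd", "key", "ip"} <= set(entry["query"])
    return False

def find_hits(lines):
    """Return (client_ip, ip_param, time, ua) for each matching line.

    client_ip is the TCP peer that sent the request (the real source);
    ip_param is whatever the client put in the ip= parameter and is not verified.
    """
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_mongiko_hit(e):
            hits.append((e["client"], e["query"].get("ip"), e["time"], e["ua"]))
    return hits

def sources(hits):
    """Count hits per client IP, so an admin can see which hosts are acting as the source."""
    counts = {}
    for client, *_ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts

# Constructed sample log: the thread's line with "my ip here" replaced by a documentation
# address (192.0.2.10), plus ordinary traffic, a second hit without the telltale UA, and junk.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '198.51.100.7 - - [23/Feb/2015:14:53:40 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Feb/2015:14:55:02 +0100] "POST /?cmd=info&key=0000&ip=203.0.113.5 HTTP/1.1" 404 0 "-" "curl/7.40"',
    'not a log line',
]

if __name__ == "__main__":
    for client, ip_param, when, ua in find_hits(SAMPLE_LOG):
        print(f"{when}: source={client} claimed_ip={ip_param} ua={ua!r}")
    print(sources(find_hits(SAMPLE_LOG)))
```

The second signature clause matters because the user-agent string is under the sender's control; matching on the POST-to-/ with cmd/key/ip shape catches the same traffic when the UA is changed. Run it over a real access log with `find_hits(open("access.log"))`.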