From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:24:06 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B84C0C10; Wed, 25 Feb 2015 20:24:06 +0000 (UTC) Received: from mail-qa0-x22c.google.com (mail-qa0-x22c.google.com [IPv6:2607:f8b0:400d:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6E9CB1E8; Wed, 25 Feb 2015 20:24:06 +0000 (UTC) Received: by mail-qa0-f44.google.com with SMTP id n8so4604393qaq.3; Wed, 25 Feb 2015 12:24:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/gzVWjG8jFJQCWT2NuOQvrFuit4MeL4clniwNcPodiw=; b=eX6no+8nyghphuz7wFC0nsWME1W2xHWWpRHG5V2OsubqBoGEcQqg71H/mAi57y6Qwv 05yS6guEf1eY7E2qvak1NgJpSslyqc7CPE0s37mEjHSs8090RRcwc60UJNRTfgcAoIU2 w2NtvBaC4oYXDZzq0wEIKDBEohuCADU2okZnbJeuqx47ompByjKbTSCjFCGmcBJA1lQf 1FdUuC+3eQRRUMQ+QwvMawtTqu+lsAD9eZSJJ6mNOPWksuwYXYHGDdTbkpitloVh1PtH cIdW0FGWLSLYyl/8850drzhC2lTYO8Zsk2IfiDTXoJGYHoMs0RLslZ+lvtIGTMMCRcT9 08/g== MIME-Version: 1.0 X-Received: by 10.140.88.80 with SMTP id s74mr10348720qgd.28.1424895845550; Wed, 25 Feb 2015 12:24:05 -0800 (PST) Received: by 10.140.107.165 with HTTP; Wed, 25 Feb 2015 12:24:04 -0800 (PST) Received: by 10.140.107.165 with HTTP; Wed, 25 Feb 2015 12:24:04 -0800 (PST) In-Reply-To: <86vbipycyc.fsf@gly.ftfl.ca> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> Date: Wed, 25 Feb 2015 14:24:04 -0600 Message-ID: Subject: Re: has my 10.1-RELEASE system been compromised From: Matt Donovan To: Joseph Mingrone Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: freebsd-security , Jung-uk Kim X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2015 20:24:06 -0000 On Feb 25, 2015 2:05 PM, "Joseph Mingrone" wrote: > > Jung-uk Kim writes: > > > On 02/25/2015 14:41, Joseph Mingrone wrote: > >> This morning when I arrived at work I had this email from my > >> university's IT department (via email.it) informing me that my host > >> was infected and spreading a worm. > >> > >> "Based on the logs fingerprints seems that your server is infected > >> by the following worm: Net-Worm.PHP.Mongiko.a" > >> > >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST > >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 > >> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a" > >> > >> Despite the surprising name, I don't see any evidence that it's > >> related to php. I did remove php, because I don't really need it. > >> I've included my /etc/rc.conf below. pkg audit doesn't show any > >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show > >> much. I've run chkrootkit, netstat/sockstat and I don't see > >> anything suspicious and I plan to finally put some reasonable > >> firewall rules on this host. > >> > >> Do you have any suggestions? Should I include any other > >> information here? > > ... > > > > I found this: > > > > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do > > > > Jung-uk Kim > > Yeah, I saw that as well. I wouldn't be concerned if this was hitting > my web server, but the key difference here is that my IP is the > apparently the source in this case. > > Joseph > _______________________________________________ Hello, First run sockstat to see any connections that you do not recognize. This will help narrow the scope. Usually this is installed though a compromised web application as well such as a password compromise or a vulnerability. As several malware when doing ps looks like a different program running.