Date: Wed, 25 Feb 2015 16:25:32 -0400
From: Joseph Mingrone <jrm@ftfl.ca>
To: Philip Jocks <pjlists@netzkommune.com>
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <86k2z5yc03.fsf@gly.ftfl.ca>
In-Reply-To: <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> (Philip Jocks's message of "Wed, 25 Feb 2015 21:16:48 +0100")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com>
Philip Jocks <pjlists@netzkommune.com> writes:

> are those the only lines they sent you? Weirdly, we got a report like this today
> as well with the first (out of 8) sample line showing the exact time stamp
> (23/Feb/2015:14:53:37 +0100) and the exact query string
> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
> a bit strange to be a coincidence. There is a webserver running in a jail on the
> reported IP address, but I can't find any log lines on our side that could be
> related.
> We asked the email.it folks for details, but haven't heard back from them yet.
>
> Philip

Interesting. Yes, they sent nearly the same line about 8 times with the
timestamps a second or two apart.

What other daemons are you running on that host? Something other than the
webserver could be compromised.

Please share if you hear anything from email.it.

Joseph
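The correlation Philip describes, checking local web access logs for the request quoted in the abuse report, can be scripted. The following is an added example and not code from the thread or from FreeBSD. It assumes Apache/nginx "combined" access log format; the query-string shape and the timestamp are the ones quoted in the report, while the sample log lines, client addresses and the 10-minute window are constructed for the demonstration. The pattern deliberately generalises the key and ip values so that repeated probes with other values in the same time window are also surfaced.

```python
import re
from datetime import datetime, timedelta

# Request signature quoted in the abuse report:
# /?cmd=info&key=<32 hex chars>&ip=<IPv4>. The key and ip are
# generalised so variants with other values are caught as well.
SIGNATURE = re.compile(
    r"/\?cmd=info&key=(?P<key>[0-9a-f]{32})&ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Apache/nginx "combined"-style access log line (assumed log format).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_ts(ts: str) -> datetime:
    """Parse an Apache timestamp such as 23/Feb/2015:14:53:37 +0100."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def find_reported_requests(lines, reported_ts, window=timedelta(minutes=10)):
    """Return (timestamp, client, key, ip) for every access-log line whose
    request path matches the reported signature and whose time lies within
    +/- window of the timestamp given in the abuse report."""
    centre = parse_ts(reported_ts)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        sig = SIGNATURE.search(m.group("path"))
        if not sig:
            continue
        ts = parse_ts(m.group("ts"))
        if abs(ts - centre) <= window:
            hits.append((ts, m.group("client"), sig.group("key"), sig.group("ip")))
    return hits


# Constructed sample log lines (not from the thread). The first repeats the
# exact request quoted in the report; the second is a variant with another
# key and ip two seconds later; the third is ordinary traffic; the fourth
# matches the signature but falls outside the time window.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Feb/2015:14:53:37 +0100] "GET /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Feb/2015:14:53:39 +0100] "GET /?cmd=info&key=0123456789abcdef0123456789abcdef&ip=203.0.113.5 HTTP/1.1" 200 512',
    '192.0.2.10 - - [23/Feb/2015:14:54:01 +0100] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [23/Feb/2015:18:00:00 +0100] "GET /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ts, client, key, ip in find_reported_requests(SAMPLE_LOG, "23/Feb/2015:14:53:37 +0100"):
        print(f"{ts.isoformat()} client={client} key={key} ip={ip}")
```

In practice the line list would come from the access log of every jail on the reported address, not only the one believed to serve that IP, since the thread's point is that a service other than the obvious webserver may be the one involved; an empty result across all of them is itself useful evidence when replying to the reporter.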
