From: Joseph Mingrone
To: Philip Jocks
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 16:25:32 -0400
Message-ID: <86k2z5yc03.fsf@gly.ftfl.ca>
In-Reply-To: <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> (Philip Jocks's message of "Wed, 25 Feb 2015 21:16:48 +0100")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com>
List-Id: "Security issues [members-only posting]"

Philip Jocks writes:

> Are those the only lines they sent you? Weirdly, we got a report like this today
> as well with the first (out of 8) sample line showing the exact time stamp
> (23/Feb/2015:14:53:37 +0100) and the exact query string
> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7), which makes it
> a bit strange to be a coincidence. There is a webserver running in a jail on the
> reported IP address, but I can't find any log lines on our side that could be
> related.
> We asked the email.it folks for details, but haven't heard back from them yet.
>
> Philip

Interesting. Yes, they sent nearly the same line about 8 times with the
timestamps a second or two apart. What other daemons are you running on
that host? Something other than the webserver could be compromised.

Please share if you hear anything from email.it.

Joseph