Date: Wed, 25 Feb 2015 21:16:48 +0100 From: Philip Jocks <pjlists@netzkommune.com> To: Joseph Mingrone <jrm@ftfl.ca> Cc: freebsd-security@freebsd.org Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> In-Reply-To: <86vbipycyc.fsf@gly.ftfl.ca> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
> Am 25.02.2015 um 21:04 schrieb Joseph Mingrone <jrm@ftfl.ca>: >=20 > Jung-uk Kim <jkim@FreeBSD.org> writes: >=20 >> On 02/25/2015 14:41, Joseph Mingrone wrote: >>> This morning when I arrived at work I had this email from my=20 >>> university's IT department (via email.it) informing me that my host >>> was infected and spreading a worm. >>>=20 >>> "Based on the logs fingerprints seems that your server is infected >>> by the following worm: Net-Worm.PHP.Mongiko.a" >>>=20 >>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST=20 >>> /?cmd=3Dinfo&key=3Df8184c819717b6815a8b8037e91c59ef&ip=3D212.97.34.7 >>> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a" >>>=20 >>> Despite the surprising name, I don't see any evidence that it's >>> related to php. I did remove php, because I don't really need it. >>> I've included my /etc/rc.conf below. pkg audit doesn't show any=20 >>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show >>> much. I've run chkrootkit, netstat/sockstat and I don't see >>> anything suspicious and I plan to finally put some reasonable >>> firewall rules on this host. >>>=20 >>> Do you have any suggestions? Should I include any other >>> information here? >> ... >>=20 >> I found this: >>=20 >> = http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mon= giko-trying-to-do >>=20 >> Jung-uk Kim >=20 > Yeah, I saw that as well. I wouldn't be concerned if this was hitting > my web server, but the key difference here is that my IP is the > apparently the source in this case. >=20 > Joseph are those the only lines they sent you? Weirdly, we got a report like = this today as well with the first (out of 8) sample line showing the = exact time stamp (23/Feb/2015:14:53:37 +0100) and the exact query string = (/?cmd=3Dinfo&key=3Df8184c819717b6815a8b8037e91c59ef&ip=3D212.97.34.7) = which makes it a bit strange to be a coincidence. There is a webserver = running in a jail on the reported IP address, but I can't find any log = lines on our side that could be related. We asked the email.it folks for details, but haven't heard back from = them yet. Philip=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1B20A559-59C5-477A-A2F3-9FD7E16C09E8>