Date:      Wed, 25 Feb 2015 21:19:46 +0100
From:      Walter Hop <freebsd@spam.lifeforms.nl>
To:        freebsd-security@freebsd.org
Subject:   Re: has my 10.1-RELEASE system been compromised
Message-ID:  <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>
In-Reply-To: <864mq9zsmm.fsf@gly.ftfl.ca>
References:  <864mq9zsmm.fsf@gly.ftfl.ca>

On 25 Feb 2015, at 20:41, Joseph Mingrone <jrm@ftfl.ca> wrote:
>
> "Based on the logs fingerprints seems that your server is infected by
> the following worm: Net-Worm.PHP.Mongiko.a"
>
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"

I haven't heard of this worm, although this type of request is seen more often:
https://www.google.nl/search?q=post%20%22cmd%3Dinfo%26key%22

If this traffic is originating from your system, and you were running PHP, I'd say it's probably most likely that some PHP script/application on your host was compromised. Were you running stuff like phpMyAdmin, Wordpress or Drupal that might not have been updated too often?

Often in such a compromise, the attacker leaves traces in the filesystem, like executable scripts or temp files. Try to look for new files which are owned by the webserver or fastcgi process, see if you find some surprises.

Example:
# touch -t 201501010000 foo
# find / -user www -newer foo

If you don't find anything, look back a little further.
Hopefully you will find a clue in this way.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
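The touch/find check from the mail above, wrapped into a reusable shell function as an added example (this is not code from Walter's message or from FreeBSD). It takes the search root, the owning user and a touch(1)-style timestamp, creates a reference file with that mtime, and prints regular files owned by that user that were modified later, pruning /proc, /dev and /sys so a search from / does not stall or error on pseudo-filesystems. The function and variable names, and the demonstration tree it builds under a temporary directory, are assumptions for illustration; the demo uses the current user in place of "www" so it runs on any host.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a helper around the
# "touch -t ...; find / -user www -newer foo" technique. Names are assumptions.

# find_newer_owned ROOT OWNER STAMP
#   ROOT  - directory to search (e.g. /)
#   OWNER - owning user to match (e.g. www for the FreeBSD web server)
#   STAMP - touch(1) -t timestamp (YYYYMMDDhhmm); files modified after it
#           and owned by OWNER are printed, one per line
find_newer_owned() {
    root=$1
    owner=$2
    stamp=$3
    ref=$(mktemp) || return 1
    # Give the reference file the chosen modification time.
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    # -prune skips pseudo-filesystems; -type f limits output to regular files.
    find "$root" \
        \( -path /proc -o -path /dev -o -path /sys \) -prune -o \
        -type f -user "$owner" -newer "$ref" -print
    rm -f "$ref"
}

# Demonstration on a constructed directory tree (not a real web root):
# one file dated before the 1 Jan 2015 cut-off, one dated after it.
# Searching from "." keeps the printed paths deterministic.
demo() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/htdocs/uploads"
    touch -t 201412010000 "$tree/htdocs/index.php"       # before cut-off
    touch -t 201502230000 "$tree/htdocs/uploads/x.php"    # after cut-off
    # Current user stands in for "www" so the demo runs on any machine.
    ( cd "$tree" && find_newer_owned . "$(id -un)" 201501010000 )
    rm -rf "$tree"
}

demo
```

On a real host you would call it as `find_newer_owned / www 201501010000` and widen the window (an earlier STAMP) if nothing turns up, as the mail suggests; files under the document root or in /tmp that are owned by the web server user and were not put there by a deployment are the ones worth a closer look.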