From: Walter Hop
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 21:19:46 +0100
To: freebsd-security@freebsd.org
Message-Id: <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>
In-Reply-To: <864mq9zsmm.fsf@gly.ftfl.ca>
References: <864mq9zsmm.fsf@gly.ftfl.ca>
List-Id: "Security issues [members-only posting]"

On 25 Feb 2015, at 20:41, Joseph Mingrone wrote:
>
> "Based on the logs fingerprints seems that your server is infected by
> the following worm: Net-Worm.PHP.Mongiko.a"
>
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1"
> 200 429 "-" "Net-
> Worm.PHP.Mongiko.a"

I haven't heard of this worm, although this type of request is seen more often:
https://www.google.nl/search?q=post%20%22cmd%3Dinfo%26key%22

If this traffic is originating from your system, and you were running PHP, I'd say it's probably most likely that some PHP script/application on your host was compromised. Were you running stuff like phpMyAdmin, Wordpress or Drupal that might not have been updated too often?

Often in such a compromise, the attacker leaves traces in the filesystem, like executable scripts or temp files. Try to look for new files which are owned by the webserver or fastcgi process, see if you find some surprises. Example:

# touch -t 201501010000 foo
# find / -user www -newer foo

If you don't find anything, look back a little further. Hopefully you will find a clue in this way.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
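The reference-file search described in the reply above, wrapped as a small POSIX sh function so it can be tried in a throwaway directory before running it against a real host. This is an added example, not code from the original mail or its author; the sandbox layout, the file names, the function names (find_newer_than, make_sandbox, count_newer_than) and the timestamps are all constructed for illustration. Because no www account exists in the sandbox, the constructed files are owned by the current user; on a FreeBSD host you would pass the webserver's user (www, as in the reply) as the third argument and point it at / or the document root. The function generalises the reply's two commands slightly: the cut-off timestamp is a parameter, so "look back a little further" is a matter of calling it again with an earlier date.

```shell
#!/bin/sh
# Added example (not part of the original mail): find files whose mtime is
# newer than a chosen cut-off, optionally restricted to one owner. This is
# the "touch -t ... foo; find / -user www -newer foo" triage step from the
# reply, with the cut-off and owner turned into parameters.
#
# Usage: find_newer_than YYYYMMDDhhmm ROOT [USER]

find_newer_than() {
    stamp="$1"; root="$2"; owner="${3:-}"
    ref="$(mktemp)" || return 1
    # The reference file only exists so that find -newer has an mtime to
    # compare against; touch -t sets that mtime to the cut-off.
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    if [ -n "$owner" ]; then
        find "$root" -type f -user "$owner" -newer "$ref" 2>/dev/null
    else
        find "$root" -type f -newer "$ref" 2>/dev/null
    fi
    rm -f "$ref"
}

# Convenience wrapper: number of hits for a given cut-off/root/owner.
count_newer_than() {
    find_newer_than "$1" "$2" "${3:-}" | wc -l | tr -d ' '
}

# Constructed sandbox standing in for a document root: one old, legitimate
# file and one file planted later in a writable cache directory. Both are
# owned by the current user because the sandbox has no www account.
make_sandbox() {
    sb="$(mktemp -d)" || return 1
    mkdir -p "$sb/htdocs/cache"
    printf 'legitimate site file\n' > "$sb/htdocs/index.php"
    printf 'planted file (constructed marker, no payload)\n' > "$sb/htdocs/cache/.x.php"
    touch -t 201412010000 "$sb/htdocs/index.php"      # 1 Dec 2014
    touch -t 201502230000 "$sb/htdocs/cache/.x.php"   # 23 Feb 2015
    printf '%s\n' "$sb"
}

# Stand-alone demo: search the sandbox with the cut-off used in the reply
# (1 Jan 2015), then widen the window as the reply suggests.
demo_sb="$(make_sandbox)"
echo "Newer than 2015-01-01, any owner:"
find_newer_than 201501010000 "$demo_sb"
echo "Newer than 2015-01-01, owned by $(id -un):"
find_newer_than 201501010000 "$demo_sb" "$(id -un)"
echo "Newer than 2014-11-01 (wider window):"
find_newer_than 201411010000 "$demo_sb"
rm -rf "$demo_sb"
```

Two caveats worth keeping in mind when this is run for real: find -newer compares modification times, and a file's mtime can be set by whoever wrote it (exactly as touch -t does here), so an empty result narrows the search rather than clearing the host; and a dotfile in a cache or upload directory, as in the sandbox, is the kind of hit the reply's "surprises" refers to, since those directories are writable by the webserver process.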