Date: Wed, 25 Feb 2015 16:31:18 -0400 From: Joseph Mingrone <jrm@ftfl.ca> To: Matt Donovan <kitchetech@gmail.com> Cc: freebsd-security <freebsd-security@freebsd.org>, Jung-uk Kim <jkim@freebsd.org> Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <86fv9tybqh.fsf@gly.ftfl.ca> In-Reply-To: <CAD-N7OBKFMbyAVfwWhR_7Q1hcFPvTHx4NO5jgwG34vruJngHBQ@mail.gmail.com> (Matt Donovan's message of "Wed, 25 Feb 2015 14:24:04 -0600") References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <CAD-N7OBKFMbyAVfwWhR_7Q1hcFPvTHx4NO5jgwG34vruJngHBQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Matt Donovan <kitchetech@gmail.com> writes: > On Feb 25, 2015 2:05 PM, "Joseph Mingrone" <jrm@ftfl.ca> wrote: >> >> Jung-uk Kim <jkim@FreeBSD.org> writes: >> >> > On 02/25/2015 14:41, Joseph Mingrone wrote: >> >> This morning when I arrived at work I had this email from my >> >> university's IT department (via email.it) informing me that my host >> >> was infected and spreading a worm. >> >> >> >> "Based on the logs fingerprints seems that your server is infected >> >> by the following worm: Net-Worm.PHP.Mongiko.a" >> >> >> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST >> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 >> >> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a" >> >> >> >> Despite the surprising name, I don't see any evidence that it's >> >> related to php. I did remove php, because I don't really need it. >> >> I've included my /etc/rc.conf below. pkg audit doesn't show any >> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show >> >> much. I've run chkrootkit, netstat/sockstat and I don't see >> >> anything suspicious and I plan to finally put some reasonable >> >> firewall rules on this host. >> >> >> >> Do you have any suggestions? Should I include any other >> >> information here? >> > ... >> > >> > I found this: >> > >> > > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do >> > >> > Jung-uk Kim >> >> Yeah, I saw that as well. I wouldn't be concerned if this was hitting >> my web server, but the key difference here is that my IP is the >> apparently the source in this case. >> >> Joseph >> _______________________________________________ > Hello, > > First run sockstat to see any connections that you do not recognize. This > will help narrow the scope. Usually this is installed though a compromised > web application as well such as a password compromise or a vulnerability. > As several malware when doing ps looks like a different program running. I don't see anything out of the ordinary. All those connections are intended. % sockstat -cL4 USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS jrm lr 28536 7 tcp4 129.173.34.203:55957 8.8.8.8:53 jrm emacs-24.4 90922 24 tcp4 129.173.34.203:22783 80.91.229.13:119 znc znc 664 5 tcp4 129.173.34.203:11133 91.217.189.42:6697 znc znc 664 7 tcp4 129.173.34.203:57772 107.170.156.130:6697 znc znc 664 8 tcp4 129.173.34.203:56390 206.12.19.242:6697 znc znc 664 9 tcp4 129.173.34.203:11137 24.244.24.20:6697
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86fv9tybqh.fsf>