From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:31:21 2015
From: Joseph Mingrone
To: Matt Donovan
Cc: freebsd-security, Jung-uk Kim
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 16:31:18 -0400
Message-ID: <86fv9tybqh.fsf@gly.ftfl.ca>
In-Reply-To: (Matt Donovan's message of "Wed, 25 Feb 2015 14:24:04 -0600")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca>
List-Id: "Security issues [members-only posting]"

Matt Donovan writes:

> On Feb 25, 2015 2:05 PM, "Joseph Mingrone" wrote:
>>
>> Jung-uk Kim writes:
>>
>> > On 02/25/2015 14:41, Joseph Mingrone wrote:
>> >> This morning when I arrived at work I had this email from my
>> >> university's IT department (via email.it) informing me that my host
>> >> was infected and spreading a worm.
>> >>
>> >> "Based on the logs fingerprints seems that your server is infected
>> >> by the following worm: Net-Worm.PHP.Mongiko.a"
>> >>
>> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> >> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>> >>
>> >> Despite the surprising name, I don't see any evidence that it's
>> >> related to php. I did remove php, because I don't really need it.
>> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
>> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>> >> much. I've run chkrootkit, netstat/sockstat and I don't see
>> >> anything suspicious and I plan to finally put some reasonable
>> >> firewall rules on this host.
>> >>
>> >> Do you have any suggestions? Should I include any other
>> >> information here?
>> > ...
>> >
>> > I found this:
>> >
>> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>> >
>> > Jung-uk Kim
>>
>> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
>> my web server, but the key difference here is that my IP is apparently
>> the source in this case.
>>
>> Joseph
>> _______________________________________________
>
> Hello,
>
> First run sockstat to see any connections that you do not recognize. This
> will help narrow the scope. Usually this is installed through a compromised
> web application as well, such as a password compromise or a vulnerability.
> As several malware, when doing ps, look like a different program running.

I don't see anything out of the ordinary. All those connections are intended.

% sockstat -cL4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
jrm      lr         28536 7  tcp4   129.173.34.203:55957  8.8.8.8:53
jrm      emacs-24.4 90922 24 tcp4   129.173.34.203:22783  80.91.229.13:119
znc      znc        664   5  tcp4   129.173.34.203:11133  91.217.189.42:6697
znc      znc        664   7  tcp4   129.173.34.203:57772  107.170.156.130:6697
znc      znc        664   8  tcp4   129.173.34.203:56390  206.12.19.242:6697
znc      znc        664   9  tcp4   129.173.34.203:11137  24.244.24.20:6697
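The check Matt suggests, "run sockstat and look for connections you do not recognize", is easier to repeat honestly if the set of intended connections is written down once and every later snapshot is compared against it. The script below is an added example and is not from the thread or from FreeBSD: it parses `sockstat -cL4` output, keeps a baseline of (command, foreign port) pairs, and reports everything else, giving an extra hint when the unexpected connection is to an HTTP port, since the traffic the university reported was an HTTP POST with a worm User-Agent. The baseline is an assumption built from the connections the poster says are intended; the sample input is the poster's listing plus one constructed line (an `sh` process talking to a documentation-range address on port 80) so that a hit is visible.

```python
#!/usr/bin/env python3
"""Compare `sockstat -cL4` output against a baseline of intended connections.

Usage on a FreeBSD host (file name is hypothetical):
    sockstat -cL4 | python3 check_sockstat.py
With no piped input the embedded sample listing is used.
"""
import sys
from collections import namedtuple

Conn = namedtuple("Conn", "user command pid fd proto local foreign")

# Sample input: the poster's `sockstat -cL4` listing, plus one CONSTRUCTED
# line (the `sh` process, 203.0.113.7 is a documentation address) to show
# what an unexpected outbound HTTP connection looks like.
SAMPLE = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
jrm lr 28536 7 tcp4 129.173.34.203:55957 8.8.8.8:53
jrm emacs-24.4 90922 24 tcp4 129.173.34.203:22783 80.91.229.13:119
znc znc 664 5 tcp4 129.173.34.203:11133 91.217.189.42:6697
znc znc 664 7 tcp4 129.173.34.203:57772 107.170.156.130:6697
znc znc 664 8 tcp4 129.173.34.203:56390 206.12.19.242:6697
znc znc 664 9 tcp4 129.173.34.203:11137 24.244.24.20:6697
www sh 2222 5 tcp4 129.173.34.203:49152 203.0.113.7:80
"""

# Baseline (an assumption for this host): the (command, foreign port) pairs
# the poster describes as intended. Anything not listed here is reported.
EXPECTED = {
    ("lr", 53),            # DNS lookups from the lr client
    ("emacs-24.4", 119),   # NNTP from Emacs/Gnus
    ("znc", 6697),         # IRC-over-TLS links from the znc bouncer
}

HTTP_PORTS = (80, 443, 8080)


def split_addr(addr):
    """'129.173.34.203:55957' -> ('129.173.34.203', 55957)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_sockstat(text):
    """Parse sockstat(1) output. The first line is the column header; each
    tcp4 connection line has exactly seven whitespace-separated fields."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 7:
            continue  # listening sockets or other shapes are not handled here
        conns.append(Conn(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return conns


def unexpected(conns, expected=EXPECTED):
    """Return [(Conn, reason)] for connections outside the baseline."""
    findings = []
    for c in conns:
        _, port = split_addr(c.foreign)
        if (c.command, port) in expected:
            continue
        reason = "not in baseline"
        if port in HTTP_PORTS:
            reason += "; outbound HTTP from %r (the reported worm traffic was an HTTP POST)" % c.command
        findings.append((c, reason))
    return findings


def main():
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = unexpected(parse_sockstat(text))
    for c, why in hits:
        print("%-8s %-12s pid=%-6d %s -> %s  [%s]" % (c.user, c.command, c.pid, c.local, c.foreign, why))
    return len(hits)


if __name__ == "__main__":
    sys.exit(1 if main() else 0)
```

Two caveats a practitioner should keep in mind. sockstat is a point-in-time snapshot: a process that posts to a remote server every few minutes and then closes the socket will usually not be connected when you look, so run the check repeatedly (from cron, say) or log new outbound connections at the firewall instead; with pf, a `log` keyword on the pass-out rule and `tcpdump -n -e -ttt -i pflog0` give a durable record of what left the host. And, as Matt notes, malware can hide behind a different program name in ps; sockstat and ps only report what the kernel and the userland binaries tell them, so on a host you suspect is compromised a clean snapshot is not proof of a clean system.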