From: Joseph Mingrone
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Wed, 25 Feb 2015 17:52:09 -0400
Message-ID: <86a901wtfa.fsf@gly.ftfl.ca>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>

Walter Hop writes:

> If this traffic is originating from your system, and you were running
> PHP, I’d say it’s probably most likely that some PHP
> script/application on your host was compromised. Were you running
> stuff like phpMyAdmin, Wordpress or Drupal that might not have been
> updated too often?

I was running almost nothing with php except
<?php echo $_SERVER['HTTP_HOST']?> on one page. I was recently testing out
mediawiki. IIRC I installed it via the port, but uninstalled it almost
immediately. I saw today that there was still a mediawiki directory left
over with a timestamp of 2014-12-30 and one php file, LocalSettings.php.

> Often in such a compromise, the attacker leaves traces in the
> filesystem, like executable scripts or temp files. Try to look for new
> files which are owned by the webserver or fastcgi process, see if you
> find some surprises.
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don’t find anything, look back a little further.
> Hopefully you will find a clue in this way.

# touch -t 201412250000 foo
# find / -user www -newer foo

turned up a few directories under /var/tmp/nginx, but they were all empty.
The timestamps were the same as the mediawiki directory. Nothing
interesting turned up in the output when I uninstalled the php or
spawn-fcgi packages.

Thanks,

Joseph
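A runnable version of the touch/find triage check quoted in this thread, added here as an example and not part of the original exchange: a POSIX sh function (the name `newer_files_owned_by` and its arguments are my own) that creates the reference timestamp file with `touch -t`, runs `find -user ... -newer` against it, and keeps the reference file outside the tree being searched so it can never show up as a false hit. The thread uses the FreeBSD web server account `www`; here the account is a parameter.

```shell
#!/bin/sh
# Hypothetical helper, not code from the thread.
# List files and directories under ROOT that are owned by USER and whose
# modification time is newer than STAMP (touch -t format, e.g. 201412250000).
# This is the same technique as "touch -t ...; find / -user www -newer foo",
# with two changes a responder usually wants:
#   - the reference file lives in $TMPDIR, not in the searched tree;
#   - -xdev keeps find on one filesystem, so /proc and network mounts are skipped.
# Note: -newer compares mtime only; an intruder can reset mtime with touch, so
# an empty result does not prove a clean host, it only narrows the search.
newer_files_owned_by() {
    root=$1 user=$2 stamp=$3
    ref=$(mktemp "${TMPDIR:-/tmp}/ref.XXXXXX") || return 1
    # Give the reference file the cut-off timestamp.
    if ! touch -t "$stamp" "$ref"; then
        rm -f "$ref"
        return 1
    fi
    # USER may be a name (www) or a numeric uid; find accepts both.
    find "$root" -xdev -user "$user" -newer "$ref" 2>/dev/null
    rc=$?
    rm -f "$ref"
    return $rc
}
```

Run it as `newer_files_owned_by / www 201412250000` to reproduce the check from the thread; empty directories are listed too, so a hit like `/var/tmp/nginx/...` should be inspected with `ls -ld` before drawing conclusions.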