From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 08:24:04 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 801CDE5F; Thu, 26 Feb 2015 08:24:04 +0000 (UTC) Received: from mail.in-addr.com (mail.in-addr.com [IPv6:2a01:4f8:191:61e8::2525:2525]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 416ECDCB; Thu, 26 Feb 2015 08:24:04 +0000 (UTC) Received: from gjp by mail.in-addr.com with local (Exim 4.85 (FreeBSD)) (envelope-from ) id 1YQtjk-000MYw-Nv; Thu, 26 Feb 2015 08:24:00 +0000 Date: Thu, 26 Feb 2015 08:24:00 +0000 From: Gary Palmer To: Joseph Mingrone Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <20150226082400.GE29176@in-addr.com> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86vbipycyc.fsf@gly.ftfl.ca> X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: gpalmer@freebsd.org X-SA-Exim-Scanned: No (on mail.in-addr.com); SAEximRunCond expanded to false Cc: freebsd-security@freebsd.org, Jung-uk Kim X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Feb 2015 08:24:04 -0000 On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote: > Jung-uk Kim writes: > > > On 02/25/2015 14:41, Joseph Mingrone wrote: > >> This morning when I arrived at work I had this email from my > >> university's IT department (via email.it) informing me that my host > >> was infected and spreading a worm. > >> > >> "Based on the logs fingerprints seems that your server is infected > >> by the following worm: Net-Worm.PHP.Mongiko.a" > >> > >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST > >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 > >> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a" > >> > >> Despite the surprising name, I don't see any evidence that it's > >> related to php. I did remove php, because I don't really need it. > >> I've included my /etc/rc.conf below. pkg audit doesn't show any > >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show > >> much. I've run chkrootkit, netstat/sockstat and I don't see > >> anything suspicious and I plan to finally put some reasonable > >> firewall rules on this host. > >> > >> Do you have any suggestions? Should I include any other > >> information here? > > ... > > > > I found this: > > > > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do > > > > Jung-uk Kim > > Yeah, I saw that as well. I wouldn't be concerned if this was hitting > my web server, but the key difference here is that my IP is the > apparently the source in this case. Did you see the part of the link that said the alert was likely a scam? Sounds to me like the people who cold call people and tell them their Windows computer is broken have moved on. The fact your Uni's IT department sent an e-mail from email.it smells extremely suspicious to me. Why would they use a 3rd party e-mail solution instead of their own email system? Call your Uni's IT department and confirm the report came from them. Gary