Date: Thu, 26 Feb 2015 10:37:15 +0100 From: Philip Jocks <pjlists@netzkommune.com> To: Gary Palmer <gpalmer@freebsd.org> Cc: Joseph Mingrone <jrm@ftfl.ca>, freebsd-security@freebsd.org, Jung-uk Kim <jkim@FreeBSD.org> Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <D5557EB8-AF28-480D-8A22-0A9C03458E63@netzkommune.com> In-Reply-To: <20150226082400.GE29176@in-addr.com> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <20150226082400.GE29176@in-addr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Am 26.02.2015 um 09:24 schrieb Gary Palmer <gpalmer@freebsd.org>: > On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote: >> Jung-uk Kim <jkim@FreeBSD.org> writes: >>=20 >>> On 02/25/2015 14:41, Joseph Mingrone wrote: >>>> This morning when I arrived at work I had this email from my=20 >>>> university's IT department (via email.it) informing me that my host >>>> was infected and spreading a worm. >>>>=20 >>>> "Based on the logs fingerprints seems that your server is infected >>>> by the following worm: Net-Worm.PHP.Mongiko.a" >>>>=20 >>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST=20 >>>> /?cmd=3Dinfo&key=3Df8184c819717b6815a8b8037e91c59ef&ip=3D212.97.34.7 >>>> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a" >>>>=20 >>>> Despite the surprising name, I don't see any evidence that it's >>>> related to php. I did remove php, because I don't really need it. >>>> I've included my /etc/rc.conf below. pkg audit doesn't show any=20 >>>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show >>>> much. I've run chkrootkit, netstat/sockstat and I don't see >>>> anything suspicious and I plan to finally put some reasonable >>>> firewall rules on this host. >>>>=20 >>>> Do you have any suggestions? Should I include any other >>>> information here? >>> ... >>>=20 >>> I found this: >>>=20 >>> = http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mon= giko-trying-to-do >>>=20 >>> Jung-uk Kim >>=20 >> Yeah, I saw that as well. I wouldn't be concerned if this was = hitting >> my web server, but the key difference here is that my IP is the >> apparently the source in this case. >=20 > Did you see the part of the link that said the alert was likely a = scam? > Sounds to me like the people who cold call people and tell them their = Windows > computer is broken have moved on. the thing about the scam was posted by a friend after Joseph's post to = the freebsd-security mailing list so people on stackexchange will be = warned as well. Philip
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D5557EB8-AF28-480D-8A22-0A9C03458E63>