Date: Thu, 26 Feb 2015 10:37:15 +0100 From: Philip Jocks <pjlists@netzkommune.com> To: Gary Palmer <gpalmer@freebsd.org> Cc: Joseph Mingrone <jrm@ftfl.ca>, freebsd-security@freebsd.org, Jung-uk Kim <jkim@FreeBSD.org> Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <D5557EB8-AF28-480D-8A22-0A9C03458E63@netzkommune.com> In-Reply-To: <20150226082400.GE29176@in-addr.com> References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <20150226082400.GE29176@in-addr.com>
index | next in thread | previous in thread | raw e-mail
Am 26.02.2015 um 09:24 schrieb Gary Palmer <gpalmer@freebsd.org>: > On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote: >> Jung-uk Kim <jkim@FreeBSD.org> writes: >> >>> On 02/25/2015 14:41, Joseph Mingrone wrote: >>>> This morning when I arrived at work I had this email from my >>>> university's IT department (via email.it) informing me that my host >>>> was infected and spreading a worm. >>>> >>>> "Based on the logs fingerprints seems that your server is infected >>>> by the following worm: Net-Worm.PHP.Mongiko.a" >>>> >>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST >>>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 >>>> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a" >>>> >>>> Despite the surprising name, I don't see any evidence that it's >>>> related to php. I did remove php, because I don't really need it. >>>> I've included my /etc/rc.conf below. pkg audit doesn't show any >>>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show >>>> much. I've run chkrootkit, netstat/sockstat and I don't see >>>> anything suspicious and I plan to finally put some reasonable >>>> firewall rules on this host. >>>> >>>> Do you have any suggestions? Should I include any other >>>> information here? >>> ... >>> >>> I found this: >>> >>> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do >>> >>> Jung-uk Kim >> >> Yeah, I saw that as well. I wouldn't be concerned if this was hitting >> my web server, but the key difference here is that my IP is the >> apparently the source in this case. > > Did you see the part of the link that said the alert was likely a scam? > Sounds to me like the people who cold call people and tell them their Windows > computer is broken have moved on. the thing about the scam was posted by a friend after Joseph's post to the freebsd-security mailing list so people on stackexchange will be warned as well. Philiphelp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D5557EB8-AF28-480D-8A22-0A9C03458E63>