From: Steve O'Hara-Smith
To: freebsd-questions@freebsd.org
Date: Sat, 24 Nov 2018 20:08:31 +0000
Subject: Re: New Virus that targets *.nix
Message-Id: <20181124200831.95698d25ed05d1480fda55f9@sohara.org>
In-Reply-To: <8240dbdb-7e6e-23b7-caa0-9867ab2a74c3@tundraware.com>
References: <20181124175844.6115411.91608.68576@shaw.ca> <8240dbdb-7e6e-23b7-caa0-9867ab2a74c3@tundraware.com>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.32; amd64-portbld-freebsd11.1)
List-Id: User questions
X-List-Received-Date: Sat, 24 Nov 2018 20:08:44 -0000

On Sat, 24 Nov 2018 13:10:57 -0600
Tim Daneliuk wrote:

> On 11/24/18 11:58 AM, Dale Scott wrote:
> > I don't know about everyone else, but considering my general lack of
> > success running Linux shell scripts in general on FBSD, I don't think
> > I'll panic just yet. ;-)
>
> I saw this earlier in the day. What was unclear to me was the exact
> vector of propagation. Does it magically appear on my system somehow?

	Apparently it will try and make use of any ssh credentials it can get
at to propagate, so unless it's on a system with credentials to log into
yours then it needs someone to put it there and run it.

	OTOH if it gets into a large farm and finds ssh keys with no
passphrases (all too often they'll belong to admins with access all over
the place) it's going to go through it like a dose of salts.

-- 
Steve O'Hara-Smith
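The reply above identifies the condition that lets an SSH-spreading worm move fast: private keys stored without a passphrase on hosts it reaches. The following is an added example, not code from this thread or from any poster, showing how an administrator can audit a key directory for exactly that. It distinguishes an encrypted key from a clear one without any third-party library, by reading only the header fields of the two formats OpenSSH writes (the `openssh-key-v1` container, whose cipher name is `none` when no passphrase was set, and legacy PEM, which carries a `Proc-Type: 4,ENCRYPTED` line when encrypted). The function names and the sample key material are constructed for this example; the samples are truncated stubs that carry only the header bytes the parser inspects and are not usable keys.

```python
"""Audit OpenSSH private keys for a missing passphrase (added example)."""
import base64
import os
import struct
import tempfile
from typing import List, Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def key_is_encrypted(pem_text: str) -> Optional[bool]:
    """True if the key is passphrase-protected, False if stored in the clear,
    None if the text is not a recognised private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return None
        # Layout after the magic: ciphername, kdfname, kdfoptions, nkeys, ...
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < len(OPENSSH_MAGIC) + 4:
            return None
        off = len(OPENSSH_MAGIC)
        (length,) = struct.unpack(">I", blob[off:off + 4])
        ciphername = blob[off + 4:off + 4 + length]
        return ciphername != b"none"
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): OpenSSL marks encryption with a Proc-Type line.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    return None


def find_unprotected_keys(root: str, max_bytes: int = 1 << 20) -> List[str]:
    """Walk `root` and return paths of private keys stored without a passphrase."""
    unprotected = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # real keys are a few KiB; skip large files
                with open(path, "r", encoding="ascii", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if key_is_encrypted(text) is False:
                unprotected.append(path)
    return sorted(unprotected)


def _fake_openssh_key(ciphername: bytes) -> str:
    """Constructed openssh-key-v1 stub: only the header fields, no key material."""
    kdf = b"none" if ciphername == b"none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + _ssh_string(ciphername) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (not real keys) covering both formats, both states.
SAMPLE_PLAIN = _fake_openssh_key(b"none")
SAMPLE_ENCRYPTED = _fake_openssh_key(b"aes256-ctr")
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def audit_constructed_samples() -> List[str]:
    """Write the samples to a temp dir, scan it, return basenames flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in [("id_plain", SAMPLE_PLAIN), ("id_enc", SAMPLE_ENCRYPTED),
                           ("id_legacy_enc", SAMPLE_LEGACY_ENCRYPTED),
                           ("id_legacy_plain", SAMPLE_LEGACY_PLAIN),
                           ("id_plain.pub", "ssh-rsa AAAA user@host")]:
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        return [os.path.basename(p) for p in find_unprotected_keys(tmp)]


if __name__ == "__main__":
    for name in audit_constructed_samples():
        print("no passphrase:", name)
```

Run it against `/home` or wherever service accounts keep their `.ssh` directories; any path it prints is a credential that moves laterally the moment the host it sits on is compromised, which is the scenario the reply describes. Keys that must stay unattended (deploy keys, backup pulls) are better constrained with `from=` and `command=` restrictions in the remote `authorized_keys` than left as unrestricted passphrase-less keys.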