Date: Wed, 25 Feb 2015 16:25:32 -0400
From: Joseph Mingrone <jrm@ftfl.ca>
To: Philip Jocks <pjlists@netzkommune.com>
Cc: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <86k2z5yc03.fsf@gly.ftfl.ca>
In-Reply-To: <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com> (Philip Jocks's message of "Wed, 25 Feb 2015 21:16:48 +0100")
References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org> <86vbipycyc.fsf@gly.ftfl.ca> <1B20A559-59C5-477A-A2F3-9FD7E16C09E8@netzkommune.com>
Philip Jocks <pjlists@netzkommune.com> writes:

> Are those the only lines they sent you? Weirdly, we got a report like this today
> as well with the first (out of 8) sample line showing the exact time stamp
> (23/Feb/2015:14:53:37 +0100) and the exact query string
> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
> a bit strange to be a coincidence. There is a webserver running in a jail on the
> reported IP address, but I can't find any log lines on our side that could be
> related.
> We asked the email.it folks for details, but haven't heard back from them yet.
>
> Philip

Interesting. Yes, they sent nearly the same line about 8 times with the timestamps
a second or two apart. What other daemons are you running on that host? Something
other than the webserver could be compromised. Please share if you hear anything
from email.it.

Joseph
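Both posters are trying to match an abuse report against their own web server logs. The following is an added example (not code from the thread or from either poster) that parses Apache/nginx "combined" access-log lines, flags requests whose query string has the shape quoted in the report (a `cmd` parameter, a 32-hex-character `key` and an `ip` parameter), and groups hits that arrive within a few seconds of each other, which is the burst pattern Joseph describes. The log lines, the source address 203.0.113.5 and the 5-second window are constructed for the example; only the timestamp and query string come from the thread.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (combined format). The first two lines reuse the
# timestamp and query string quoted in the thread; the third is benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Feb/2015:14:53:37 +0100] "GET /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Feb/2015:14:53:39 +0100] "GET /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2015:14:55:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client, timestamp, request target, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HEX32 = re.compile(r'^[0-9a-f]{32}$')


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    qs = parse_qs(urlsplit(m.group('target')).query)
    return {'src': m.group('src'), 'ts': ts, 'status': int(m.group('status')), 'qs': qs}


def is_suspicious(entry):
    """Match the reported shape: cmd=..., key=<32 hex chars>, ip=... in one query string."""
    qs = entry['qs']
    return 'cmd' in qs and 'ip' in qs and any(HEX32.match(k) for k in qs.get('key', []))


def find_suspicious(log_text, window_seconds=5):
    """Return suspicious entries grouped into bursts (consecutive hits <= window apart)."""
    hits = [e for e in map(parse_line, log_text.splitlines()) if e and is_suspicious(e)]
    bursts = []
    for e in hits:
        if bursts and (e['ts'] - bursts[-1][-1]['ts']).total_seconds() <= window_seconds:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


if __name__ == '__main__':
    for burst in find_suspicious(SAMPLE_LOG):
        print(f"{len(burst)} hit(s) from {burst[0]['src']} starting {burst[0]['ts'].isoformat()}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a burst of near-identical hits like the one in the report, or none at all, is the answer to Philip's question of whether the reported requests ever reached his jail.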