Date: Wed, 25 Feb 2015 16:04:59 -0400 From: Joseph Mingrone <jrm@ftfl.ca> To: Jung-uk Kim <jkim@FreeBSD.org> Cc: freebsd-security@freebsd.org Subject: Re: has my 10.1-RELEASE system been compromised Message-ID: <86vbipycyc.fsf@gly.ftfl.ca> In-Reply-To: <54EE2A19.7050108@FreeBSD.org> (Jung-uk Kim's message of "Wed, 25 Feb 2015 15:01:29 -0500") References: <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org>
index | next in thread | previous in thread | raw e-mail
Jung-uk Kim <jkim@FreeBSD.org> writes: > On 02/25/2015 14:41, Joseph Mingrone wrote: >> This morning when I arrived at work I had this email from my >> university's IT department (via email.it) informing me that my host >> was infected and spreading a worm. >> >> "Based on the logs fingerprints seems that your server is infected >> by the following worm: Net-Worm.PHP.Mongiko.a" >> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 >> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a" >> >> Despite the surprising name, I don't see any evidence that it's >> related to php. I did remove php, because I don't really need it. >> I've included my /etc/rc.conf below. pkg audit doesn't show any >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show >> much. I've run chkrootkit, netstat/sockstat and I don't see >> anything suspicious and I plan to finally put some reasonable >> firewall rules on this host. >> >> Do you have any suggestions? Should I include any other >> information here? > ... > > I found this: > > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do > > Jung-uk Kim Yeah, I saw that as well. I wouldn't be concerned if this was hitting my web server, but the key difference here is that my IP is the apparently the source in this case. Josephhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86vbipycyc.fsf>