Date:      Wed, 25 Feb 2015 16:04:59 -0400
From:      Joseph Mingrone <jrm@ftfl.ca>
To:        Jung-uk Kim <jkim@FreeBSD.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: has my 10.1-RELEASE system been compromised
Message-ID:  <86vbipycyc.fsf@gly.ftfl.ca>
In-Reply-To: <54EE2A19.7050108@FreeBSD.org> (Jung-uk Kim's message of "Wed, 25 Feb 2015 15:01:29 -0500")
References:  <864mq9zsmm.fsf@gly.ftfl.ca> <54EE2A19.7050108@FreeBSD.org>

Jung-uk Kim <jkim@FreeBSD.org> writes:

> On 02/25/2015 14:41, Joseph Mingrone wrote:
>> This morning when I arrived at work I had this email from my 
>> university's IT department (via email.it) informing me that my host
>> was infected and spreading a worm.
>> 
>> "Based on the logs fingerprints seems that your server is infected
>> by the following worm: Net-Worm.PHP.Mongiko.a"
>> 
>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST 
>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a"
>> 
>> Despite the surprising name, I don't see any evidence that it's
>> related to php.  I did remove php, because I don't really need it.
>> I've included my /etc/rc.conf below.  pkg audit doesn't show any 
>> vulnerabilities.  Searching for Worm.PHP.Mongiko doesn't show
>> much. I've run chkrootkit, netstat/sockstat and I don't see
>> anything suspicious and I plan to finally put some reasonable
>> firewall rules on this host.
>> 
>> Do you have any suggestions?  Should I include any other
>> information here?
> ...
>
> I found this:
>
> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>
> Jung-uk Kim

Yeah, I saw that as well.  I wouldn't be concerned if this was hitting
my web server, but the key difference here is that my IP is apparently
the source in this case.

Joseph
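An added example, not part of the thread: a small triage script that parses combined-format web server log lines (the format of the line quoted above) and reports which source IPs are emitting the Mongiko pattern, either by the self-identifying User-Agent or by the POST /?cmd=info&key=...&ip=... query. The sample log lines are constructed, with 192.0.2.10 standing in for "my ip here"; the key and ip values are the ones quoted in the thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format, which the quoted log line matches.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the thread: the User-Agent string the worm sends and
# the query keys of its POST beacon.
WORM_UA = "Net-Worm.PHP.Mongiko.a"
WORM_QUERY_KEYS = {"cmd", "key", "ip"}

# Constructed sample log, as seen by the *receiving* web server.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '198.51.100.7 - - [23/Feb/2015:14:54:02 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Feb/2015:14:55:11 +0100] "POST /?cmd=info&key=0000&ip=198.51.100.7 HTTP/1.1" 404 0 "-" "curl/7.40"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def is_mongiko_hit(rec):
    """Flag on the UA string (whitespace stripped, since mail wrapping can split it)
    or on a POST whose query carries all three beacon keys, whichever is present."""
    ua_match = WORM_UA in rec["ua"].replace(" ", "")
    query_match = rec["method"] == "POST" and WORM_QUERY_KEYS <= set(rec["query"])
    return ua_match or query_match

def triage(lines):
    """Return (Counter of source IP -> hit count, list of parsed hit records)."""
    counts, hits = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec and is_mongiko_hit(rec):
            counts[rec["src"]] += 1
            hits.append(rec)
    return counts, hits

if __name__ == "__main__":
    for src, n in triage(SAMPLE_LOG)[0].most_common():
        print(f"{src}: {n} Mongiko-pattern request(s)")
```

A source IP that appears here is the host to inspect for the process generating the outbound POSTs; the log belongs to the server being hit, not to the infected machine.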
