has my 10.1-RELEASE system been compromised

Joseph Mingrone jrm at ftfl.ca
Wed Feb 25 19:50:10 UTC 2015


This morning when I arrived at work I had this email from my
university's IT department (via email.it) informing me that my host was
infected and spreading a worm.

"Based on the logs fingerprints seems that your server is infected by
the following worm: Net-Worm.PHP.Mongiko.a"

my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"

Despite the surprising name, I don't see any evidence that it's related
to php.  I did remove php, because I don't really need it.  I've
included my /etc/rc.conf below.  pkg audit doesn't show any
vulnerabilities.  Searching for Worm.PHP.Mongiko doesn't show much.
I've run chkrootkit, netstat/sockstat and I don't see anything
suspicious and I plan to finally put some reasonable firewall rules on
this host.

Do you have any suggestions?  Should I include any other information
here?

Joseph

#bsdstats_enable="YES"
clear_tmp_enable="YES"
devfs_system_ruleset="localrules"
dumpdev="AUTO"
hostname="gly.ftfl.ca"
ifconfig_re0="SYNCDHCP"
linux_enable="YES"
local_unbound_enable="YES"
keymap="us.jrm"
lpd_enable="YES"
moused_enable="YES"
moused_port="/dev/ums0"
moused_ums0_flags="-A 2.5,2.0 -a 1 -V"
nginx_enable="YES"
ntpd_enable="YES"
panicmail_enable="YES"
php_fpm_enable="YES"
spawn_fcgi_enable="YES"
spawn_fcgi_bindaddr=""
spawn_fcgi_bindport=""
spawn_fcgi_bindsocket="/var/run/spawn_fcgi.socket"
spawn_fcgi_bindsocket_mode="0700"
sshd_enable="YES"
update_motd="NO"
usbd_enable="YES"
zfs_enable="YES"
znc_enable="YES"
znc_user="znc"
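Added example, not part of Joseph's message or of any FreeBSD tool: a small Python script that parses web access-log lines in the combined format the IT department's line uses and flags requests carrying the two indicators quoted in the report, the "Net-Worm.PHP.Mongiko.a" User-Agent and a POST to / with cmd=, key= and ip= parameters. Note that in an access log the first field is the client that sent the request, which is why the reporting side saw Joseph's address there. The sample log lines below are constructed; 192.0.2.10 stands in for "my ip here", the key and the 212.97.34.7 value are copied from the quoted line, and the log format is assumed to be nginx/Apache combined.

```python
import re
import sys
from urllib.parse import parse_qs, urlsplit

# nginx/Apache "combined" access-log format (assumed to match the quoted line).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the access-log line quoted in the report.
WORM_UA = "Net-Worm.PHP.Mongiko.a"
WORM_QUERY_KEYS = {"cmd", "key", "ip"}

# Constructed sample log; 192.0.2.10 is a placeholder for the reported host.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Feb/2015:14:50:01 +0100] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
203.0.113.5 - - [23/Feb/2015:14:55:12 +0100] "POST /index.php HTTP/1.1" 200 88 "-" "curl/7.40.0"
this line is not an access-log entry
"""


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs gives lists; keep the first value of each parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_worm_hit(rec):
    """True if the record matches either indicator from the report."""
    ua_hit = WORM_UA.lower() in rec["ua"].lower()
    query_hit = (
        rec["method"] == "POST"
        and rec["path"] == "/"
        and WORM_QUERY_KEYS <= set(rec["query"])
    )
    return ua_hit or query_hit


def scan(lines):
    """Return the parsed records that match, with the line number attached."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-log line; skipped, not treated as a hit
        if is_worm_hit(rec):
            rec["lineno"] = n
            hits.append(rec)
    return hits


def scan_sample():
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    # Usage: python scan_log.py /var/log/nginx/access.log  (or pipe the log on stdin)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for rec in scan(src):
        print(
            f"line {rec['lineno']}: client={rec['client']} status={rec['status']} "
            f"ip_param={rec['query'].get('ip')} ua={rec['ua']!r}"
        )
```

Run against the reporting server's log it lists every request from a given client that matches; run against your own nginx log it tells you whether the same pattern was ever sent to you, and the status field shows whether such a request was actually served (the quoted line shows a 200 with a 429-byte body) or rejected.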



More information about the freebsd-security mailing list