has my 10.1-RELEASE system been compromised

Joseph Mingrone jrm at ftfl.ca
Wed Feb 25 20:05:03 UTC 2015


Jung-uk Kim <jkim at FreeBSD.org> writes:

> On 02/25/2015 14:41, Joseph Mingrone wrote:
>> This morning when I arrived at work I had this email from my 
>> university's IT department (via email.it) informing me that my host
>> was infected and spreading a worm.
>> 
>> "Based on the logs fingerprints seems that your server is infected
>> by the following worm: Net-Worm.PHP.Mongiko.a"
>> 
>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST 
>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>> 
>> Despite the surprising name, I don't see any evidence that it's
>> related to php.  I did remove php, because I don't really need it.
>> I've included my /etc/rc.conf below.  pkg audit doesn't show any 
>> vulnerabilities.  Searching for Worm.PHP.Mongiko doesn't show
>> much. I've run chkrootkit, netstat/sockstat and I don't see
>> anything suspicious and I plan to finally put some reasonable
>> firewall rules on this host.
>> 
>> Do you have any suggestions?  Should I include any other
>> information here?
> ...
>
> I found this:
>
> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>
> Jung-uk Kim

Yeah, I saw that as well.  I wouldn't be concerned if this was hitting
my web server, but the key difference here is that my IP is apparently
the source in this case.

Joseph
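As an added example (not code from the thread or from the FreeBSD project), a small Python check over access-log lines shaped like the one the university forwarded: it parses combined-format entries, flags those carrying the worm's User-Agent or its cmd/key/ip beacon parameters, and counts them per client address, which is the field naming the host that sent the request and hence the point about the IP being the source. The sample lines are constructed; 192.0.2.10, 198.51.100.7 and 203.0.113.5 are placeholder addresses.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format, the shape of the forwarded line.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators visible in the forwarded line: the User-Agent string and the
# cmd/key/ip parameters of the beacon request.
WORM_AGENT = "Net-Worm.PHP.Mongiko"
BEACON_PARAMS = {"cmd", "key", "ip"}

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def is_worm_beacon(rec):
    """True if the request carries the worm User-Agent or all three beacon parameters."""
    if WORM_AGENT.lower() in rec["agent"].lower():
        return True
    query = parse_qs(urlsplit(rec["target"]).query)
    return BEACON_PARAMS <= set(query)

def beacon_sources(lines):
    """Count beacons per client IP. The client field is the host that sent the
    request (the infected machine), not the web server whose log this is."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_worm_beacon(rec):
            counts[rec["client"]] += 1
    return counts

# Constructed sample lines (placeholder addresses) in the forwarded line's format.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '198.51.100.7 - - [23/Feb/2015:14:54:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [23/Feb/2015:14:55:12 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=203.0.113.5 HTTP/1.1" 200 429 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, n in beacon_sources(SAMPLE_LOG).items():
        print(f"{client}: {n} beacon request(s) sent from this address")
```

The third sample line is flagged by its query parameters alone, so a changed User-Agent does not hide it.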
