has my 10.1-RELEASE system been compromised

Wed Feb 25 20:24:06 UTC 2015

On Feb 25, 2015 2:05 PM, "Joseph Mingrone" <jrm at ftfl.ca> wrote:
>
> Jung-uk Kim <jkim at FreeBSD.org> writes:
>
> > On 02/25/2015 14:41, Joseph Mingrone wrote:
> >> This morning when I arrived at work I had this email from my
> >> university's IT department (via email.it) informing me that my host
> >> was infected and spreading a worm.
> >>
> >> "Based on the logs fingerprints seems that your server is infected
> >> by the following worm: Net-Worm.PHP.Mongiko.a"
> >>
> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> >> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a"
> >>
> >> Despite the surprising name, I don't see any evidence that it's
> >> related to php.  I did remove php, because I don't really need it.
> >> I've included my /etc/rc.conf below.  pkg audit doesn't show any
> >> vulnerabilities.  Searching for Worm.PHP.Mongiko doesn't show
> >> much. I've run chkrootkit, netstat/sockstat and I don't see
> >> anything suspicious and I plan to finally put some reasonable
> >> firewall rules on this host.
> >>
> >> Do you have any suggestions?  Should I include any other
> >> information here?
> > ...
> >
> > I found this:
> >
> >
http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
> >
> > Jung-uk Kim
>
> Yeah, I saw that as well.  I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is the
> apparently the source in this case.
>
> Joseph
> _______________________________________________
Hello,

First run sockstat to see any connections that you do not recognize.  This
will help narrow the scope. Usually this is installed though a compromised
web application as well such as a password compromise or a vulnerability.
As several malware when doing ps looks like a different program running.