has my 10.1-RELEASE system been compromised
Joseph Mingrone
jrm at ftfl.ca
Wed Feb 25 20:25:36 UTC 2015
Philip Jocks <pjlists at netzkommune.com> writes:
> Are those the only lines they sent you? Weirdly, we got a report like this today
> as well with the first (out of 8) sample line showing the exact time stamp
> (23/Feb/2015:14:53:37 +0100) and the exact query string
> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
> a bit strange to be a coincidence. There is a webserver running in a jail on the
> reported IP address, but I can't find any log lines on our side that could be
> related.
> We asked the email.it folks for details, but haven't heard back from them yet.
>
> Philip

Interesting. Yes, they sent nearly the same line about 8 times with the
timestamps a second or two apart. What other daemons are you running on
that host? Something other than the webserver could be compromised.

Please share if you hear anything from email.it.

Joseph

More information about the freebsd-security mailing list