has my 10.1-RELEASE system been compromised

Philip Jocks pjlists at netzkommune.com
Wed Feb 25 20:25:42 UTC 2015


> Am 25.02.2015 um 21:04 schrieb Joseph Mingrone <jrm at ftfl.ca>:
> 
> Jung-uk Kim <jkim at FreeBSD.org> writes:
> 
>> On 02/25/2015 14:41, Joseph Mingrone wrote:
>>> This morning when I arrived at work I had this email from my 
>>> university's IT department (via email.it) informing me that my host
>>> was infected and spreading a worm.
>>> 
>>> "Based on the logs fingerprints seems that your server is infected
>>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>> 
>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>>> 
>>> Despite the surprising name, I don't see any evidence that it's
>>> related to php.  I did remove php, because I don't really need it.
>>> I've included my /etc/rc.conf below.  pkg audit doesn't show any 
>>> vulnerabilities.  Searching for Worm.PHP.Mongiko doesn't show
>>> much. I've run chkrootkit, netstat/sockstat and I don't see
>>> anything suspicious and I plan to finally put some reasonable
>>> firewall rules on this host.
>>> 
>>> Do you have any suggestions?  Should I include any other
>>> information here?
>> ...
>> 
>> I found this:
>> 
>> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>> 
>> Jung-uk Kim
> 
> Yeah, I saw that as well.  I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is
> apparently the source in this case.
> 
> Joseph

Are those the only lines they sent you? Weirdly, we got a report like this today as well, with the first (out of 8) sample lines showing the exact time stamp (23/Feb/2015:14:53:37 +0100) and the exact query string (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7), which makes it a bit strange to be a coincidence. There is a webserver running in a jail on the reported IP address, but I can't find any log lines on our side that could be related.
We asked the email.it folks for details, but haven't heard back from them yet.

Philip
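One way to check a web server's own access logs for the fingerprint quoted in the abuse report above (the "Net-Worm.PHP.Mongiko.a" User-Agent and the POST to /?cmd=info&key=...&ip=... query). This is an added example, not code from the list or from the abuse desk; it assumes the Apache/nginx "combined" log format, and the sample lines are constructed.

```python
import re
from typing import Optional

# Assumed: Apache/nginx "combined" access-log format, as in the quoted report.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fingerprints taken from the report quoted in the thread: the User-Agent the
# worm announces itself with, and the cmd=info&key=<32 hex>&ip=<addr> query it POSTs to "/".
UA_MARK = "Net-Worm.PHP.Mongiko.a"
QUERY_RE = re.compile(
    r'^/\?cmd=info&key=[0-9a-fA-F]{32}&ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$'
)


def classify(line: str) -> Optional[dict]:
    """Return a finding for one access-log line if it matches the fingerprint
    by User-Agent and/or by query shape; return None for unparsable or benign lines."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    hits = []
    # Compare with whitespace removed: mail quoting wrapped "Net- Worm" in the report.
    if UA_MARK.lower() in m["ua"].replace(" ", "").lower():
        hits.append("user-agent")
    q = QUERY_RE.match(m["target"])
    if q and m["method"] == "POST":
        hits.append("query")
    if not hits:
        return None
    return {"client": m["client"], "ts": m["ts"],
            "reported_ip": q["ip"] if q else None, "matched": hits}


def scan(log_text: str) -> list:
    """Run classify() over every non-empty line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]


# Constructed sample: a line modelled on the report, a benign request, and a
# request with only the suspicious query shape under a generic User-Agent.
SAMPLE = """\
203.0.113.5 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
198.51.100.7 - - [23/Feb/2015:14:54:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Feb/2015:15:01:11 +0100] "POST /?cmd=info&key=0123456789abcdef0123456789abcdef&ip=192.0.2.44 HTTP/1.1" 404 210 "-" "curl/7.40.0"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Feeding the jail's real access log in place of SAMPLE shows whether the reported request pattern ever reached this side at all; a 404 on the query-only line is still worth noting, since the worm probes hosts that do not run the targeted PHP code.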


More information about the freebsd-security mailing list