has my 10.1-RELEASE system been compromised

Walter Hop freebsd at spam.lifeforms.nl
Wed Feb 25 20:28:36 UTC 2015


On 25 Feb 2015, at 20:41, Joseph Mingrone <jrm at ftfl.ca> wrote:
> 
> "Based on the logs fingerprints seems that your server is infected by
> the following worm: Net-Worm.PHP.Mongiko.a"
> 
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1"
> 200 429 "-" "Net-Worm.PHP.Mongiko.a"

I haven’t heard of this worm, although this type of request is seen more often: https://www.google.nl/search?q=post%20%22cmd%3Dinfo%26key%22

If this traffic is originating from your system, and you were running PHP, I’d say it’s probably most likely that some PHP script/application on your host was compromised. Were you running stuff like phpMyAdmin, Wordpress or Drupal that might not have been updated too often?

Often in such a compromise, the attacker leaves traces in the filesystem, like executable scripts or temp files. Try to look for new files which are owned by the webserver or fastcgi process, see if you find some surprises.

Example:
# touch -t 201501010000 foo
# find / -user www -newer foo

If you don’t find anything, look back a little further.
Hopefully you will find a clue in this way.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
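The touch/find procedure from the mail, generalised into a small POSIX sh function (added example, not from the original post or the FreeBSD project): it takes the owner, the cut-off timestamp in the same form touch -t accepts, and the directory to search, so "looking back a little further" is just a different argument. The user name, timestamp and path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail): list regular files under DIR
# owned by USER and modified after STAMP ([[CC]YY]MMDDhhmm, as for touch -t).
# A temporary reference file keeps it POSIX; no GNU/BSD -newermt needed.
# Usage: recent_files_owned_by www 201501010000 /usr/local/www
recent_files_owned_by() {
    user=$1
    stamp=$2
    dir=${3:-/}
    ref=$(mktemp) || return 1
    # Give the reference file the cut-off mtime; -newer compares against it.
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    # -type f: regular files only (dropped scripts, binaries, temp files).
    # stderr is discarded so permission-denied noise does not hide results
    # when the search is not run as root.
    find "$dir" -type f -user "$user" -newer "$ref" -print 2>/dev/null
    rm -f "$ref"
}
```

Files with an mtime exactly equal to the cut-off are not reported, because -newer means strictly newer; pick the cut-off a little before the suspected time.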
