has my 10.1-RELEASE system been compromised

Joseph Mingrone jrm at ftfl.ca
Wed Feb 25 20:31:22 UTC 2015


Matt Donovan <kitchetech at gmail.com> writes:

> On Feb 25, 2015 2:05 PM, "Joseph Mingrone" <jrm at ftfl.ca> wrote:
>>
>> Jung-uk Kim <jkim at FreeBSD.org> writes:
>>
>> > On 02/25/2015 14:41, Joseph Mingrone wrote:
>> >> This morning when I arrived at work I had this email from my
>> >> university's IT department (via email.it) informing me that my host
>> >> was infected and spreading a worm.
>> >>
>> >> "Based on the logs fingerprints seems that your server is infected
>> >> by the following worm: Net-Worm.PHP.Mongiko.a"
>> >>
>> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> >> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a"
>> >>
>> >> Despite the surprising name, I don't see any evidence that it's
>> >> related to php.  I did remove php, because I don't really need it.
>> >> I've included my /etc/rc.conf below.  pkg audit doesn't show any
>> >> vulnerabilities.  Searching for Worm.PHP.Mongiko doesn't show
>> >> much. I've run chkrootkit, netstat/sockstat and I don't see
>> >> anything suspicious and I plan to finally put some reasonable
>> >> firewall rules on this host.
>> >>
>> >> Do you have any suggestions?  Should I include any other
>> >> information here?
>> > ...
>> >
>> > I found this:
>> >
>> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>> >
>> > Jung-uk Kim
>>
>> Yeah, I saw that as well.  I wouldn't be concerned if this was hitting
>> my web server, but the key difference here is that my IP is
>> apparently the source in this case.
>>
>> Joseph
> Hello,
>
> First run sockstat to see any connections that you do not recognize.  This
> will help narrow the scope.  Usually this is installed through a compromised
> web application, or through something such as a password compromise or a
> vulnerability.  Also, several kinds of malware, when you run ps, look like a
> different program running.

I don't see anything out of the ordinary.  All those connections are intended.

% sockstat -cL4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
jrm      lr         28536 7  tcp4   129.173.34.203:55957  8.8.8.8:53
jrm      emacs-24.4 90922 24 tcp4   129.173.34.203:22783  80.91.229.13:119
znc      znc        664   5  tcp4   129.173.34.203:11133  91.217.189.42:6697
znc      znc        664   7  tcp4   129.173.34.203:57772  107.170.156.130:6697
znc      znc        664   8  tcp4   129.173.34.203:56390  206.12.19.242:6697
znc      znc        664   9  tcp4   129.173.34.203:11137  24.244.24.20:6697
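The triage Matt describes above (enumerate connections with sockstat, then distrust the process name because malware can masquerade in ps) can be scripted. What follows is an added example, not code from the thread or from FreeBSD itself: it reads `sockstat -4 -c -L` output, flags any connection whose COMMAND:foreign-port pair is not in an allowlist, and then, on a FreeBSD host, resolves each flagged PID to its executable with `procstat -b` and asks `pkg which` whether any installed package owns that binary. The allowlist (DNS from lr, NNTP from emacs, IRC over TLS from znc, mirroring the connections shown above), the sample lines in the usage note, and the choice of temp directories to treat as suspicious are my assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread.  Triage outbound sockets on a
# FreeBSD host: flag connections outside an allowlist, then check the
# binary behind each flagged PID rather than trusting its ps name.

# Assumed allowlist of "command:foreign-port" pairs this admin expects.
ALLOW="${ALLOW:-lr:53 emacs-24.4:119 znc:6697}"

# check_connections: read `sockstat -4 -c -L` output on stdin and print
# "UNEXPECTED user command pid foreign" for each connection whose
# command:port pair is not in $ALLOW.  Returns 0 even when nothing is
# flagged so it can sit in a pipeline.
check_connections() {
    awk -v allow="$ALLOW" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NR == 1 && $1 == "USER" { next }      # skip the sockstat header line
    NF >= 7 {
        user = $1; cmd = $2; pid = $3; foreign = $7
        port = foreign; sub(/.*:/, "", port)
        if (!((cmd ":" port) in ok))
            print "UNEXPECTED", user, cmd, pid, foreign
    }'
}

# inspect_pid: FreeBSD only.  Resolve a PID to its executable path via
# procstat -b (PID COMM OSREL PATH; the path is the last column) and ask
# pkg(8) whether an installed package owns it.  A binary that no package
# owns, or that runs from a temp directory, deserves a closer look; the
# ps/sockstat COMMAND column can be set to anything by the process itself.
inspect_pid() {
    pid=$1
    exe=$(procstat -b "$pid" 2>/dev/null | awk 'NR == 2 { print $NF }')
    if [ -z "$exe" ]; then
        echo "pid $pid: no process found (already exited?)"
        return 1
    fi
    case "$exe" in
        /tmp/*|/var/tmp/*)      # assumed "suspicious" locations for the demo
            echo "pid $pid: $exe runs from a temp directory" ;;
    esac
    owner=$(pkg which -q "$exe" 2>/dev/null)
    if [ -n "$owner" ]; then
        echo "pid $pid: $exe owned by package $owner"
    else
        echo "pid $pid: $exe is NOT owned by any installed package"
    fi
}

# Live use on the host itself (skipped elsewhere): run with --live to
# feed real sockstat output through the check and inspect what it flags.
if [ "${1:-}" = "--live" ] && command -v sockstat >/dev/null 2>&1; then
    sockstat -4 -c -L | check_connections |
    while read -r tag user cmd pid foreign; do
        echo "$tag $user $cmd $pid $foreign"
        inspect_pid "$pid"
    done
fi
```

Offline, the checker can be exercised on pasted sockstat output. With the constructed lines below (the php-fpm entry and the 203.0.113.5 address are made up for the demo), only the connection to port 80 is reported, because an unattended host that is supposedly only running znc, DNS lookups and NNTP from emacs should not be originating HTTP POSTs:

    printf 'USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS\njrm lr 28536 7 tcp4 129.173.34.203:55957 8.8.8.8:53\nznc znc 664 5 tcp4 129.173.34.203:11133 91.217.189.42:6697\nwww php-fpm 4242 9 tcp4 129.173.34.203:40001 203.0.113.5:80\n' | sh triage.sh

Note that a package-owned path is not proof of innocence either: if the package's file has been replaced, `pkg check -s <pkgname>` will report the checksum mismatch, and a kernel-level rootkit can lie to procstat just as it lies to ps, which is why chkrootkit and an offline comparison from known-good media remain worthwhile.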



More information about the freebsd-security mailing list