has my 10.1-RELEASE system been compromised
Joseph Mingrone
jrm at ftfl.ca
Wed Feb 25 20:31:22 UTC 2015
Matt Donovan <kitchetech at gmail.com> writes:
> On Feb 25, 2015 2:05 PM, "Joseph Mingrone" <jrm at ftfl.ca> wrote:
>>
>> Jung-uk Kim <jkim at FreeBSD.org> writes:
>>
>> > On 02/25/2015 14:41, Joseph Mingrone wrote:
>> >> This morning when I arrived at work I had this email from my
>> >> university's IT department (via email.it) informing me that my host
>> >> was infected and spreading a worm.
>> >>
>> >> "Based on the logs fingerprints seems that your server is infected
>> >> by the following worm: Net-Worm.PHP.Mongiko.a"
>> >>
>> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> >> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>> >>
>> >> Despite the surprising name, I don't see any evidence that it's
>> >> related to php. I did remove php, because I don't really need it.
>> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
>> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>> >> much. I've run chkrootkit, netstat/sockstat and I don't see
>> >> anything suspicious and I plan to finally put some reasonable
>> >> firewall rules on this host.
>> >>
>> >> Do you have any suggestions? Should I include any other
>> >> information here?
>> > ...
>> >
>> > I found this:
>> >
>> >
>> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>> >
>> > Jung-uk Kim
>>
>> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
>> my web server, but the key difference here is that my IP is
>> apparently the source in this case.
>>
>> Joseph
> Hello,
>
> First run sockstat to see any connections that you do not recognize. This
> will help narrow the scope. Usually this is installed through a compromised
> web application, such as a password compromise or a vulnerability.
> Also, several malware programs, when you run ps, look like a different program running.
I don't see anything out of the ordinary. All those connections are intended.
% sockstat -cL4
USER COMMAND    PID   FD PROTO LOCAL ADDRESS        FOREIGN ADDRESS
jrm  lr         28536 7  tcp4  129.173.34.203:55957 8.8.8.8:53
jrm  emacs-24.4 90922 24 tcp4  129.173.34.203:22783 80.91.229.13:119
znc  znc        664   5  tcp4  129.173.34.203:11133 91.217.189.42:6697
znc  znc        664   7  tcp4  129.173.34.203:57772 107.170.156.130:6697
znc  znc        664   8  tcp4  129.173.34.203:56390 206.12.19.242:6697
znc  znc        664   9  tcp4  129.173.34.203:11137 24.244.24.20:6697
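Matt's suggestion above is to read sockstat output for connections you do not recognize, and the abuse report says this IP was the source of HTTP POSTs to another server. The script below is an added example, not code from the thread or from FreeBSD: it parses `sockstat -cL4` rows, compares each connection against a hypothetical allowlist of (user, command, foreign port) built from the connections Joseph said were intended, and separately lists any outbound connection to a web port, since that is what the report describes. The sample input is a constructed copy of the rows posted above plus one constructed row (user `nobody`, command `.s`, port 80) so that the check has something to flag; the IP 203.0.113.5 is a documentation address, not a real indicator.

```python
"""Triage 'sockstat -cL4' output against an allowlist of expected outbound
connections.  Added example for the thread; allowlist and sample are
hypothetical/constructed, not data from the original host."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the six rows posted in the thread plus one constructed
# row (nobody / .s / port 80) that should be flagged.  203.0.113.5 is a
# TEST-NET documentation address.
SAMPLE_SOCKSTAT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
jrm lr 28536 7 tcp4 129.173.34.203:55957 8.8.8.8:53
jrm emacs-24.4 90922 24 tcp4 129.173.34.203:22783 80.91.229.13:119
znc znc 664 5 tcp4 129.173.34.203:11133 91.217.189.42:6697
znc znc 664 7 tcp4 129.173.34.203:57772 107.170.156.130:6697
znc znc 664 8 tcp4 129.173.34.203:56390 206.12.19.242:6697
znc znc 664 9 tcp4 129.173.34.203:11137 24.244.24.20:6697
nobody .s 4242 3 tcp4 129.173.34.203:40021 203.0.113.5:80
"""

# Hypothetical allowlist (user, command, foreign port) for this host, built
# from the connections the author says are intended.  COMMAND is whatever the
# process reports about itself, so a match here is not proof of benignity.
EXPECTED = {
    ("jrm", "lr", 53),
    ("jrm", "emacs-24.4", 119),
    ("znc", "znc", 6697),
}

WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    user: str
    command: str
    pid: int
    fd: int
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int


def _split_addr(addr: str) -> tuple[str, int]:
    """Split sockstat's 'ip:port'; with -c (connected sockets) the port is numeric."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_sockstat(text: str) -> list[Conn]:
    """Parse the seven-column rows of 'sockstat -c'; skip the header and any
    non-connection lines (the header has more than seven words)."""
    conns: list[Conn] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or f[0] == "USER":
            continue
        try:
            pid, fd = int(f[2]), int(f[3])
            lip, lport = _split_addr(f[5])
            fip, fport = _split_addr(f[6])
        except ValueError:
            continue  # not a connection row
        conns.append(Conn(f[0], f[1], pid, fd, f[4], lip, lport, fip, fport))
    return conns


def unexpected(conns: list[Conn], expected=EXPECTED) -> list[Conn]:
    """Connections whose (user, command, foreign port) is not on the allowlist."""
    return [c for c in conns if (c.user, c.command, c.foreign_port) not in expected]


def outbound_web(conns: list[Conn]) -> list[Conn]:
    """Connections to remote HTTP(S) ports: the abuse report shows this IP as
    the source of HTTP POSTs, so these deserve a look regardless of allowlist."""
    return [c for c in conns if c.foreign_port in WEB_PORTS]


def triage(text: str, expected=EXPECTED) -> dict:
    conns = parse_sockstat(text)
    return {
        "total": len(conns),
        "unexpected": unexpected(conns, expected),
        "web": outbound_web(conns),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SOCKSTAT)
    print(f"{report['total']} connections parsed")
    for c in report["unexpected"]:
        print(f"UNEXPECTED pid={c.pid} user={c.user} cmd={c.command} "
              f"-> {c.foreign_ip}:{c.foreign_port}")
    for c in report["web"]:
        print(f"OUTBOUND WEB pid={c.pid} cmd={c.command} -> {c.foreign_ip}:{c.foreign_port}")
```

On a live host you would feed it `sockstat -cL4` output instead of the constructed sample. The allowlist keys on user, command and foreign port rather than on remote IP, because the znc rows show the same program legitimately talking to several servers on one port. As Matt notes, the command name is self-reported and can be made to look like another program, so a PID flagged here is a starting point for inspecting that process, and a PID that passes is not cleared by this check alone.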