has my 10.1-RELEASE system been compromised
Philip Jocks
pjlists at netzkommune.com
Thu Feb 26 09:37:24 UTC 2015
Am 26.02.2015 um 09:24 schrieb Gary Palmer <gpalmer at freebsd.org>:
> On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote:
>> Jung-uk Kim <jkim at FreeBSD.org> writes:
>>
>>> On 02/25/2015 14:41, Joseph Mingrone wrote:
>>>> This morning when I arrived at work I had this email from my
>>>> university's IT department (via email.it) informing me that my host
>>>> was infected and spreading a worm.
>>>>
>>>> "Based on the logs fingerprints seems that your server is infected
>>>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>>>
>>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>>>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>>>> HTTP/1.1" 200 429 "-" "Net- Worm.PHP.Mongiko.a"
>>>>
>>>> Despite the surprising name, I don't see any evidence that it's
>>>> related to php. I did remove php, because I don't really need it.
>>>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>>>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>>>> much. I've run chkrootkit, netstat/sockstat and I don't see
>>>> anything suspicious and I plan to finally put some reasonable
>>>> firewall rules on this host.
>>>>
>>>> Do you have any suggestions? Should I include any other
>>>> information here?
>>> ...
>>>
>>> I found this:
>>>
>>> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>>>
>>> Jung-uk Kim
>>
>> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
>> my web server, but the key difference here is that my IP is the
>> apparently the source in this case.
>
> Did you see the part of the link that said the alert was likely a scam?
> Sounds to me like the people who cold call people and tell them their Windows
> computer is broken have moved on.
the thing about the scam was posted by a friend after Joseph's post to the freebsd-security mailing list so people on stackexchange will be warned as well.
Philip
More information about the freebsd-security
mailing list