This morning when I arrived at work I had this email from my university's IT department (via email.it) informing me that my host was infected and spreading a worm.
"Based on the log fingerprints it seems that your server is infected by the following worm: Net-Worm.PHP.Mongiko.a"

my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"

Despite the surprising name, I don't see any evidence that it's related to php. I did remove php, because I don't really need it. I've included my /etc/rc.conf below. pkg audit doesn't show any vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show much. I've run chkrootkit and netstat/sockstat and I don't see anything suspicious, and I plan to finally put some reasonable firewall rules on this host. Do you have any suggestions? Should I include any other information here?

Joseph

#bsdstats_enable="YES"
clear_tmp_enable="YES"
devfs_system_ruleset="localrules"
dumpdev="AUTO"
hostname="gly.ftfl.ca"
ifconfig_re0="SYNCDHCP"
linux_enable="YES"
local_unbound_enable="YES"
keymap="us.jrm"
lpd_enable="YES"
moused_enable="YES"
moused_port="/dev/ums0"
moused_ums0_flags="-A 2.5,2.0 -a 1 -V"
nginx_enable="YES"
ntpd_enable="YES"
panicmail_enable="YES"
php_fpm_enable="YES"
spawn_fcgi_enable="YES"
spawn_fcgi_bindaddr=""
spawn_fcgi_bindport=""
spawn_fcgi_bindsocket="/var/run/spawn_fcgi.socket"
spawn_fcgi_bindsocket_mode="0700"
sshd_enable="YES"
update_motd="NO"
usbd_enable="YES"
zfs_enable="YES"
znc_enable="YES"
znc_user="znc"

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
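The only evidence the IT department offers is a single web-server access-log line, and the two things that identify the beacon in it are the User-Agent string "Net-Worm.PHP.Mongiko.a" and the request shape POST /?cmd=...&key=...&ip=.... Note that in a web server's access log the first field is the client that sent the request, so a hit names the host that is beaconing, not the server whose log it is. The following is an added example, not code from the original post or from the FreeBSD project: a small scanner over nginx "combined" log lines that flags entries matching either signature and pulls out the client address, the timestamp, the response status and the ip= parameter, so the same check can be run over one's own /var/log/nginx/access.log to see whether other infected hosts are contacting it. The sample log lines are constructed (the quoted line with the redacted client address replaced by a documentation address), and the assumption that the cmd/key/ip query triple is characteristic of the worm rests only on the one line quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined" log format, which is what the quoted line uses:
# remote - user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures taken from the single line quoted in the post.
MONGIKO_UA = "Net-Worm.PHP.Mongiko.a"
BEACON_PARAMS = {"cmd", "key", "ip"}   # assumption: this triple is the beacon's shape

# Constructed sample input. Line 1 is the quoted log line with the redacted client
# address replaced by 192.0.2.10; the others are made up for the example.
SAMPLE_LINES = [
    '192.0.2.10 - - [23/Feb/2015:14:53:37 +0100] '
    '"POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" '
    '200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '198.51.100.7 - - [23/Feb/2015:14:55:02 +0100] '
    '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    # same request shape but a different User-Agent: still worth a look
    '203.0.113.5 - - [23/Feb/2015:15:01:11 +0100] '
    '"POST /?cmd=ping&key=0123456789abcdef0123456789abcdef&ip=203.0.113.5 HTTP/1.1" '
    '404 162 "-" "curl/7.40.0"',
    'this is not an access-log line',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep only the first value of each query parameter
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry


def classify(entry):
    """Return the list of signatures a parsed entry matches (empty if clean)."""
    reasons = []
    if MONGIKO_UA in entry["ua"]:
        reasons.append("user-agent")
    if entry["method"] == "POST" and BEACON_PARAMS <= set(entry["query"]):
        reasons.append("cmd/key/ip query")
    return reasons


def scan(lines):
    """Scan an iterable of log lines; return one finding per suspicious entry."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue            # unparseable line, skip it
        reasons = classify(entry)
        if reasons:
            hits.append({
                "remote": entry["remote"],          # the host that sent the beacon
                "time": entry["time"],
                "status": entry["status"],
                "peer": entry["query"].get("ip"),   # the ip= parameter, if any
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    for hit in scan(source):
        print(f'{hit["time"]} client={hit["remote"]} status={hit["status"]} '
              f'ip_param={hit["peer"]} matched={",".join(hit["reasons"])}')
```

Run with a path to an access log to scan a real file, or without arguments to scan the constructed samples. The User-Agent match is the strong signal; the query-shape match is deliberately looser so that a beacon with a changed User-Agent is still surfaced for manual review rather than silently dropped.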