On 25 Feb 2015, at 20:41, Joseph Mingrone <j...@ftfl.ca> wrote:
> 
> "Based on the logs fingerprints seems that your server is infected by
> the following worm: Net-Worm.PHP.Mongiko.a"
> 
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"

I haven’t heard of this worm, although this type of request is seen more often: 
https://www.google.nl/search?q=post%20%22cmd%3Dinfo%26key%22

If this traffic is originating from your system, and you were running PHP, I’d 
say it’s probably most likely that some PHP script/application on your host was 
compromised. Were you running stuff like phpMyAdmin, WordPress or Drupal that
might not have been updated too often?

Often in such a compromise, the attacker leaves traces in the filesystem, like 
executable scripts or temp files. Try to look for new files which are owned by 
the webserver or fastcgi process, see if you find some surprises.

Example:
# touch -t 201501010000 foo
# find / -user www -newer foo

If you don’t find anything, look back a little further.
Hopefully you will find a clue in this way.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
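
Added example (mine, not Walter's or the FreeBSD project's code): a small POSIX sh script that turns the two suggestions above into repeatable checks. It assumes the combined access-log format of the quoted line, a web-server user name such as www (the current user stands in when the built-in demo runs, since the script cannot chown files), and constructed sample log lines with documentation IP ranges. The request signature is generalised a little beyond the single quoted line: any cmd= parameter with a 32-hex-character key is flagged, as is any "Net-Worm.PHP." user agent, because the thread shows only one instance and a different client string could carry the same request.

```shell
#!/bin/sh
# Added example (not from the original mail): two checks a defender can run
# after seeing the quoted log line.
#   1. scan_access_log / count_worm_hits: flag access-log lines that look like
#      the quoted request (POST to /?cmd=<word>&key=<32 hex chars>) or carry a
#      "Net-Worm.PHP." user agent. Combined log format is assumed.
#   2. find_new_files_owned_by: the touch/find sweep from the mail, as a
#      function taking the web-server user (www on FreeBSD), a touch -t style
#      timestamp (CCYYMMDDhhmm) and the directory to search.
# SAMPLE_LOG is constructed for this example; the IPs are documentation ranges.

SAMPLE_LOG='203.0.113.10 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=192.0.2.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
198.51.100.4 - - [23/Feb/2015:14:55:02 +0100] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Feb/2015:15:01:11 +0100] "POST /?cmd=info&key=0123456789abcdef0123456789abcdef&ip=192.0.2.8 HTTP/1.1" 200 429 "-" "curl/7.40"'

# Write the constructed sample to a temporary file and print its path, so the
# scanner below is pointed at it exactly as it would be at a real log.
make_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Print every line of log file $1 that matches either signature. The key
# pattern is not tied to the "info" command or to the UA string, since the
# third sample line shows the same request sent by a generic client.
scan_access_log() {
    grep -E '"POST /\?cmd=[a-z]+&key=[0-9a-f]{32}|"Net-Worm\.PHP\.' "$1"
}

# Number of matching lines in log file $1 (plain number, no padding).
count_worm_hits() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# The sweep from the mail: regular files under $3 owned by user $1 and
# modified after timestamp $2. A throwaway reference file carries the
# timestamp, as in the original touch -t / find -newer pair.
find_new_files_owned_by() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"
    find "$3" -user "$1" -type f -newer "$ref" 2>/dev/null
    rm -f "$ref"
}

# Self-contained demonstration in a scratch directory: one file backdated to
# 2014 and one fresh file. With a 2015 reference only the fresh file is listed.
# The current user stands in for the web-server user so this runs anywhere.
demo_sweep() {
    d=$(mktemp -d) || return 1
    touch -t 201401010000 "$d/old-index.php"
    touch "$d/fresh-upload.php"
    find_new_files_owned_by "$(id -un)" 201501010000 "$d"
    rm -rf "$d"
}

log=$(make_sample_log)
printf 'suspicious log lines: %s\n' "$(count_worm_hits "$log")"
scan_access_log "$log"
rm -f "$log"
printf 'files newer than the reference: %s\n' "$(demo_sweep)"
```

On a real host, point scan_access_log at the web server's access log and call find_new_files_owned_by with www, a reference date a few weeks back and / as the root; if that sweep comes back empty, move the timestamp back further, as the mail suggests.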

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
