This morning when I arrived at work I had this email from my university's IT department (via email.it) informing me that my host was infected and spreading a worm.

"Based on the logs fingerprints seems that your server is infected by the following worm: Net-Worm.PHP.Mongiko.a"

my ip here - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"

Despite the surprising name, I don't see any evidence that it's related to php. I did remove php, because I don't really need it. I've included my /etc/rc.conf below. pkg audit doesn't show any vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show much. I've run chkrootkit, netstat/sockstat and I don't see anything suspicious and I plan to finally put some reasonable firewall rules on this host.

Do you have any suggestions? Should I include any other information here?

Joseph

#bsdstats_enable="YES"
clear_tmp_enable="YES"
devfs_system_ruleset="localrules"
dumpdev="AUTO"
hostname="gly.ftfl.ca"
ifconfig_re0="SYNCDHCP"
linux_enable="YES"
local_unbound_enable="YES"
keymap="us.jrm"
lpd_enable="YES"
moused_enable="YES"
moused_port="/dev/ums0"
moused_ums0_flags="-A 2.5,2.0 -a 1 -V"
nginx_enable="YES"
ntpd_enable="YES"
panicmail_enable="YES"
php_fpm_enable="YES"
spawn_fcgi_enable="YES"
spawn_fcgi_bindaddr=""
spawn_fcgi_bindport=""
spawn_fcgi_bindsocket="/var/run/spawn_fcgi.socket"
spawn_fcgi_bindsocket_mode="0700"
sshd_enable="YES"
update_motd="NO"
usbd_enable="YES"
zfs_enable="YES"
znc_enable="YES"
znc_user="znc"
On 02/25/2015 14:41, Joseph Mingrone wrote:
> This morning when I arrived at work I had this email from my
> university's IT department (via email.it) informing me that my host
> was infected and spreading a worm.
>
> "Based on the logs fingerprints seems that your server is infected
> by the following worm: Net-Worm.PHP.Mongiko.a"
>
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>
> Despite the surprising name, I don't see any evidence that it's
> related to php. I did remove php, because I don't really need it.
> I've included my /etc/rc.conf below. pkg audit doesn't show any
> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
> much. I've run chkrootkit, netstat/sockstat and I don't see
> anything suspicious and I plan to finally put some reasonable
> firewall rules on this host.
>
> Do you have any suggestions? Should I include any other
> information here?...

I found this: http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do

Jung-uk Kim
On 25 Feb 2015, at 20:41, Joseph Mingrone <jrm at ftfl.ca> wrote:
>
> "Based on the logs fingerprints seems that your server is infected by
> the following worm: Net-Worm.PHP.Mongiko.a"
>
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1"
> 200 429 "-" "Net-Worm.PHP.Mongiko.a"

I haven't heard of this worm, although this type of request is seen more often: https://www.google.nl/search?q=post%20%22cmd%3Dinfo%26key%22

If this traffic is originating from your system, and you were running PHP, I'd say it's probably most likely that some PHP script/application on your host was compromised. Were you running stuff like phpMyAdmin, Wordpress or Drupal that might not have been updated too often?

Often in such a compromise, the attacker leaves traces in the filesystem, like executable scripts or temp files. Try to look for new files which are owned by the webserver or fastcgi process, see if you find some surprises. Example:

# touch -t 201501010000 foo
# find / -user www -newer foo

If you don't find anything, look back a little further. Hopefully you will find a clue in this way.

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp
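The file-age check Walter describes, as an added example that is not part of the thread: a POSIX sh script that wraps the touch/find recipe in functions so it can be re-run with an older reference date or dropped into a cron job. It is illustrative code, not anything from the list. Assumptions: the web-server account is passed in as a parameter (on Joseph's nginx/php-fpm box that would be "www", as in Walter's command; the demo uses the current user so it runs without root), and the demo searches a small constructed directory tree instead of "/".

```sh
#!/bin/sh
# Added example (not code from the thread): find files owned by the web-server
# or FastCGI user that changed after a reference date, the check Walter Hop
# describes. Assumed: the owner is a parameter; the demo tree is constructed.
set -u

# find_recent_files OWNER STAMP ROOT
# Print regular files under ROOT owned by OWNER and modified after STAMP, where
# STAMP is in touch -t's [[CC]YY]MMDDhhmm form (e.g. 201501010000). -xdev keeps
# find on one filesystem so /proc, /dev and network mounts are not walked.
find_recent_files() {
    owner=$1
    stamp=$2
    root=$3
    ref=$(mktemp "${TMPDIR:-/tmp}/recent-ref.XXXXXX") || return 1
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    find "$root" -xdev -type f -user "$owner" -newer "$ref" -print
    rm -f "$ref"
}

# count_recent_files OWNER STAMP ROOT
# Number of matches only; convenient for an alert threshold from cron.
count_recent_files() {
    find_recent_files "$1" "$2" "$3" | wc -l | tr -d ' '
}

# make_sample_tree
# Build a constructed document root: an index page dated before the reference
# date and a hidden .php file under uploads/ dated after it, the kind of
# "surprise" a compromised web application leaves behind. Prints the path.
make_sample_tree() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/recent-demo.XXXXXX") || return 1
    mkdir -p "$dir/htdocs/uploads"
    printf '<html></html>\n' > "$dir/htdocs/index.html"
    touch -t 201412150000 "$dir/htdocs/index.html"
    printf '<?php /* constructed sample, not a real payload */ ?>\n' \
        > "$dir/htdocs/uploads/.cache.php"
    touch -t 201502200000 "$dir/htdocs/uploads/.cache.php"
    printf '%s\n' "$dir"
}

# demo: run the check over the constructed tree with the current user as owner.
# On a real host: find_recent_files www 201501010000 / (as root).
demo() {
    me=$(id -un)
    root=$(make_sample_tree) || return 1
    echo "files owned by $me under $root changed since 2015-01-01:"
    find_recent_files "$me" 201501010000 "$root"
    rm -rf "$root"
}

demo
```

Only the hidden .php file under uploads/ is reported; the index page predates the reference stamp and is skipped. If a real run comes back empty, move the stamp earlier, as Walter suggests, since the file drop may have happened well before the IT department's log entry.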