Jung-uk Kim <jkim at FreeBSD.org> writes:

> On 02/25/2015 14:41, Joseph Mingrone wrote:
>> This morning when I arrived at work I had this email from my
>> university's IT department (via email.it) informing me that my host
>> was infected and spreading a worm.
>>
>> "Based on the logs fingerprints seems that your server is infected
>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>
>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>>
>> Despite the surprising name, I don't see any evidence that it's
>> related to php. I did remove php, because I don't really need it.
>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>> much. I've run chkrootkit, netstat/sockstat and I don't see
>> anything suspicious and I plan to finally put some reasonable
>> firewall rules on this host.
>>
>> Do you have any suggestions? Should I include any other
>> information here?
> ...
>
> I found this:
>
> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>
> Jung-uk Kim

Yeah, I saw that as well. I wouldn't be concerned if this was hitting my
web server, but the key difference here is that my IP is apparently the
source in this case.

Joseph
> On 25.02.2015 at 21:04, Joseph Mingrone <jrm at ftfl.ca> wrote:
>
> Jung-uk Kim <jkim at FreeBSD.org> writes:
>
>> On 02/25/2015 14:41, Joseph Mingrone wrote:
>>> This morning when I arrived at work I had this email from my
>>> university's IT department (via email.it) informing me that my host
>>> was infected and spreading a worm.
>>>
>>> "Based on the logs fingerprints seems that your server is infected
>>> by the following worm: Net-Worm.PHP.Mongiko.a"
>>>
>>> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
>>> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
>>> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
>>>
>>> Despite the surprising name, I don't see any evidence that it's
>>> related to php. I did remove php, because I don't really need it.
>>> I've included my /etc/rc.conf below. pkg audit doesn't show any
>>> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
>>> much. I've run chkrootkit, netstat/sockstat and I don't see
>>> anything suspicious and I plan to finally put some reasonable
>>> firewall rules on this host.
>>>
>>> Do you have any suggestions? Should I include any other
>>> information here?
>> ...
>>
>> I found this:
>>
>> http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
>>
>> Jung-uk Kim
>
> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is
> apparently the source in this case.
>
> Joseph

Are those the only lines they sent you? Weirdly, we got a report like this
today as well, with the first (out of 8) sample line showing the exact time
stamp (23/Feb/2015:14:53:37 +0100) and the exact query string
(/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7), which
makes it a bit strange to be a coincidence. There is a webserver running in
a jail on the reported IP address, but I can't find any log lines on our
side that could be related.

We asked the email.it folks for details, but haven't heard back from them yet.

Philip
On Feb 25, 2015 2:05 PM, "Joseph Mingrone" <jrm at ftfl.ca> wrote:
>
> Jung-uk Kim <jkim at FreeBSD.org> writes:
>
> > On 02/25/2015 14:41, Joseph Mingrone wrote:
> >> This morning when I arrived at work I had this email from my
> >> university's IT department (via email.it) informing me that my host
> >> was infected and spreading a worm.
> >>
> >> "Based on the logs fingerprints seems that your server is infected
> >> by the following worm: Net-Worm.PHP.Mongiko.a"
> >>
> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> >> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> >>
> >> Despite the surprising name, I don't see any evidence that it's
> >> related to php. I did remove php, because I don't really need it.
> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
> >> much. I've run chkrootkit, netstat/sockstat and I don't see
> >> anything suspicious and I plan to finally put some reasonable
> >> firewall rules on this host.
> >>
> >> Do you have any suggestions? Should I include any other
> >> information here?
> > ...
> >
> > I found this:
> >
> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
> >
> > Jung-uk Kim
>
> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is
> apparently the source in this case.
>
> Joseph

Hello,

First run sockstat to see any connections that you do not recognize. This
will help narrow the scope. Usually this is installed through a compromised
web application, as well as through something such as a password compromise
or a vulnerability. Also, several malware programs look like a different
program running when you do ps.
Philip Jocks <pjlists at netzkommune.com> writes:

> are those the only lines they sent you? Weirdly, we got a report like this today
> as well with the first (out of 8) sample line showing the exact time stamp
> (23/Feb/2015:14:53:37 +0100) and the exact query string
> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
> a bit strange to be a coincidence. There is a webserver running in a jail on the
> reported IP address, but I can't find any log lines on our side that could be
> related.
> We asked the email.it folks for details, but haven't heard back from them yet.
>
> Philip

Interesting. Yes, they sent nearly the same line about 8 times with the
timestamps a second or two apart. What other daemons are you running on
that host? Something other than the webserver could be compromised. Please
share if you hear anything from email.it.

Joseph
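Both Philip and Joseph ended up doing the same thing by hand: pulling the sample line apart and looking for anything in their own access logs that matches the reported timestamp and query string. The script below is an added example for this thread, not code from any list participant. It parses Apache/nginx "combined" format lines, extracts the query parameters and user agent from the report, summarises how many distinct requests the report actually contains, and searches a local log for entries with the same request target within a few seconds of a reported time (timezone-aware, so a UTC log can be compared with the +0100 timestamps in the report). The report lines are rebuilt from the query string quoted on the page with 192.0.2.10 as a placeholder for "my ip here"; the local log lines are constructed sample data.

```python
"""Cross-check an abuse report's sample log lines against a local access log.

Added example for this thread (not any list participant's code). It assumes
both the report and the local log use the Apache/nginx "combined" format.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# One "combined" log line: client ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # %z makes the datetime timezone-aware, so logs in different zones compare correctly
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; the reported parameters are single-valued
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def summarize_report(lines):
    """Count parsable lines, collect distinct request signatures and the time span."""
    recs = [r for r in map(parse_line, lines) if r]
    signatures = {
        (r["method"], r["path"], tuple(sorted(r["query"].items())), r["agent"])
        for r in recs
    }
    times = [r["time"] for r in recs]
    return {
        "lines": len(recs),
        "signatures": signatures,
        "first": min(times) if times else None,
        "last": max(times) if times else None,
    }


def find_matches(report_lines, local_lines, window=timedelta(seconds=5)):
    """Local lines with the same request target as a reported line, within `window`."""
    reported = [r for r in map(parse_line, report_lines) if r]
    hits = []
    for line in local_lines:
        loc = parse_line(line)
        if loc is None:
            continue  # skip unparsable/garbled lines rather than failing
        for rep in reported:
            if loc["target"] == rep["target"] and abs(loc["time"] - rep["time"]) <= window:
                hits.append(line)
                break
    return hits


# Report lines rebuilt from the query string quoted in the thread; 192.0.2.10 is a
# placeholder for the reported host, and the 8 one-second-apart timestamps mirror
# what Joseph described receiving.
QUERY = "/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7"
REPORT = [
    f'192.0.2.10 - - [23/Feb/2015:14:53:{37 + i} +0100] "POST {QUERY} HTTP/1.1" '
    f'200 429 "-" "Net-Worm.PHP.Mongiko.a"'
    for i in range(8)
]

# Constructed local access log (UTC): one entry is the same request one second after
# the first reported line, one is the same request hours earlier, one is unrelated,
# and one is garbage that must not break the search.
LOCAL = [
    f'198.51.100.7 - - [23/Feb/2015:13:53:38 +0000] "POST {QUERY} HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    f'198.51.100.7 - - [23/Feb/2015:09:00:00 +0000] "POST {QUERY} HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '198.51.100.8 - - [23/Feb/2015:15:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.40.0"',
    "this is not a log line",
]

if __name__ == "__main__":
    s = summarize_report(REPORT)
    print(f"{s['lines']} reported lines, {len(s['signatures'])} distinct request(s), "
          f"spanning {(s['last'] - s['first']).total_seconds():.0f}s")
    for sig in s["signatures"]:
        print("  request:", sig)
    for hit in find_matches(REPORT, LOCAL):
        print("local match:", hit)
```

A report whose eight lines collapse to a single request signature, as here, is one observation repeated, not eight; if `find_matches` returns nothing against the local log while the host is the claimed source, the next place to look is outbound connection state (sockstat, as suggested above) rather than the web server's access log.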
On Wed, Feb 25, 2015 at 04:04:59PM -0400, Joseph Mingrone wrote:
> Jung-uk Kim <jkim at FreeBSD.org> writes:
>
> > On 02/25/2015 14:41, Joseph Mingrone wrote:
> >> This morning when I arrived at work I had this email from my
> >> university's IT department (via email.it) informing me that my host
> >> was infected and spreading a worm.
> >>
> >> "Based on the logs fingerprints seems that your server is infected
> >> by the following worm: Net-Worm.PHP.Mongiko.a"
> >>
> >> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> >> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7
> >> HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> >>
> >> Despite the surprising name, I don't see any evidence that it's
> >> related to php. I did remove php, because I don't really need it.
> >> I've included my /etc/rc.conf below. pkg audit doesn't show any
> >> vulnerabilities. Searching for Worm.PHP.Mongiko doesn't show
> >> much. I've run chkrootkit, netstat/sockstat and I don't see
> >> anything suspicious and I plan to finally put some reasonable
> >> firewall rules on this host.
> >>
> >> Do you have any suggestions? Should I include any other
> >> information here?
> > ...
> >
> > I found this:
> >
> > http://security.stackexchange.com/questions/82273/what-is-net-worm-php-mongiko-trying-to-do
> >
> > Jung-uk Kim
>
> Yeah, I saw that as well. I wouldn't be concerned if this was hitting
> my web server, but the key difference here is that my IP is
> apparently the source in this case.

Did you see the part of the link that said the alert was likely a scam?
Sounds to me like the people who cold call people and tell them their
Windows computer is broken have moved on. The fact your Uni's IT
department sent an e-mail from email.it smells extremely suspicious to me.
Why would they use a 3rd party e-mail solution instead of their own email
system? Call your Uni's IT department and confirm the report came from them.

Gary