On 25 Feb 2015, at 20:41, Joseph Mingrone <jrm at ftfl.ca> wrote:

> "Based on the logs fingerprints seems that your server is infected by
> the following worm: Net-Worm.PHP.Mongiko.a"
>
> my ip here - - [23/Feb/2015:14:53:37 +0100] "POST
> /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1"
> 200 429 "-" "Net-
> Worm.PHP.Mongiko.a"

I haven't heard of this worm, although this type of request is seen more often: https://www.google.nl/search?q=post%20%22cmd%3Dinfo%26key%22

If this traffic is originating from your system, and you were running PHP, I'd say it's probably most likely that some PHP script/application on your host was compromised. Were you running stuff like phpMyAdmin, Wordpress or Drupal that might not have been updated too often?

Often in such a compromise, the attacker leaves traces in the filesystem, like executable scripts or temp files. Try to look for new files which are owned by the webserver or fastcgi process, see if you find some surprises.

Example:
# touch -t 201501010000 foo
# find / -user www -newer foo

If you don't find anything, look back a little further.
Hopefully you will find a clue in this way.

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
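The "touch -t / find -newer" trick Walter describes, wrapped in a small shell function and exercised against a constructed web root. This is an added example, not code from the thread; it assumes a POSIX sh with POSIX find and touch, and it takes the web server user as a parameter (the thread uses "www", the FreeBSD default for nginx and spawn-fcgi) instead of hard-coding it. It narrows the search to regular files with -type f, so the empty /var/tmp/nginx directories Joseph later reports would not appear; drop that test to see directories too.

```shell
#!/bin/sh
# Added example (not from the thread): list files owned by a given user
# that were modified after a given timestamp, using a reference file
# created with "touch -t" and "find -newer", as in Walter's message.
# Assumes POSIX sh/find/touch; the web server user is passed as $2.

# find_newer_owned_by DIR USER YYYYMMDDhhmm
# Prints regular files under DIR owned by USER modified after the stamp.
find_newer_owned_by() {
    dir=$1; user=$2; stamp=$3
    ref=$(mktemp) || return 1
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    # -newer compares mtimes against the reference file we just stamped
    find "$dir" -user "$user" -type f -newer "$ref" 2>/dev/null | sort
    rm -f "$ref"
}

# Constructed sample web root (hypothetical paths and contents): an old
# legitimate page, a leftover installer file, and a recently dropped
# script, each back-dated with touch -t so the search has something to
# distinguish.
make_sample_webroot() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/htdocs" "$root/mediawiki" "$root/tmp"
    printf '<?php echo 1; ?>\n' > "$root/htdocs/index.php"
    touch -t 201406010000 "$root/htdocs/index.php"
    printf '<?php /* leftover settings */ ?>\n' > "$root/mediawiki/LocalSettings.php"
    touch -t 201412300000 "$root/mediawiki/LocalSettings.php"
    printf '<?php /* recently dropped */ ?>\n' > "$root/tmp/sess_x.php"
    touch -t 201502230000 "$root/tmp/sess_x.php"
    printf '%s\n' "$root"
}

# count_newer DIR YYYYMMDDhhmm: number of hits for the current user
# (stands in for "www" here, since the sample files are owned by whoever
# runs the script).
count_newer() {
    find_newer_owned_by "$1" "$(id -un)" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: search from 1 Jan 2015 as in Walter's example, then
# "look back a little further" as he suggests.
if [ "${DEMO:-1}" = 1 ]; then
    root=$(make_sample_webroot)
    echo "modified after 2015-01-01:"
    find_newer_owned_by "$root" "$(id -un)" 201501010000
    echo "modified after 2014-12-25:"
    find_newer_owned_by "$root" "$(id -un)" 201412250000
    rm -rf "$root"
fi
```

On a real host, run it as root against / with the web server user (for example `find_newer_owned_by / www 201501010000`) and widen the window step by step if the first pass is empty.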
Walter Hop <freebsd at spam.lifeforms.nl> writes:

> If this traffic is originating from your system, and you were running
> PHP, I'd say it's probably most likely that some PHP
> script/application on your host was compromised. Were you running
> stuff like phpMyAdmin, Wordpress or Drupal that might not have been
> updated too often?

I was running almost nothing with php except

<TITLE><?php echo $_SERVER['HTTP_HOST']?></TITLE>

on one page. I was recently testing out mediawiki. IIRC I installed it via the port, but uninstalled it almost immediately. I saw today that there was still a mediawiki directory left over with a timestamp of 2014-12-30 and one php file, LocalSettings.php.

> Often in such a compromise, the attacker leaves traces in the
> filesystem, like executable scripts or temp files. Try to look for new
> files which are owned by the webserver or fastcgi process, see if you
> find some surprises.
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don't find anything, look back a little further.
> Hopefully you will find a clue in this way.

# touch -t 201412250000 foo
# find / -user www -newer foo

turned up a few directories under /var/tmp/nginx, but they were all empty. The timestamps were the same as the mediawiki directory. Nothing interesting turned up in the output when I uninstalled the php or spawn-fcgi packages.

Thanks,

Joseph
On Wed, Feb 25, 2015, at 14:19, Walter Hop wrote:

> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don't find anything, look back a little further.
> Hopefully you will find a clue in this way.

Thanks for posting this trick -- I've never considered it before and will certainly put it in my toolbox!