Net-Worm.PHP.Mongiko.a got you? Really, are you sure??

This is new: spam abuse reports sent to hosting companies, so that the host forwards them to its clients and the panicked sysadmins go and install a root back door on their own servers.

Just finished a quick security audit of one of my boxes. Our cloud vendor received this complaint implicating one of our servers:

> ---------- Forwarded message ----------
> From: Abuse <abuse@email.it>
> To: abuse@arpnetworks.com
> Cc:
> Date: Wed, 25 Feb 2015 16:30:14 +0100
> Subject: Abuse report
> Dear Sir/Madam,
> We have detected abuse from the IP address 174.136.102.170,
> which according to a whois lookup is on your network.
> We would appreciate if you would investigate and take action as appropriate.
>
> Based on the logs fingerprints seems that your server is infected by the following worm: Net-Worm.PHP.Mongiko.a
>
> (If you are not the correct person to contact about this please accept our apologies -
> your e-mail address was extracted from the whois record by an automated process.
> This mail was generated automatically.)
>
> Note: Local timezone is +0100 (CET)
>
> 174.136.102.170 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 174.136.102.170 - - [23/Feb/2015:14:53:38 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 174.136.102.170 - - [23/Feb/2015:14:53:40 +0100] "POST /?cmd=list&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 174.136.102.170 - - [23/Feb/2015:14:53:45 +0100] "POST /?cmd=exec&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 174.136.102.170 - - [23/Feb/2015:14:53:48 +0100] "POST /?cmd=exec&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 174.136.102.170 - - [23/Feb/2015:14:53:49 +0100] "POST /?cmd=exec&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 174.136.102.170 - - [23/Feb/2015:14:53:55 +0100] "POST /?cmd=exec&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 174.136.102.170 - - [23/Feb/2015:14:53:59 +0100] "POST /?cmd=exec&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"
> 
> Thanks,
> 
> The Email.it abuse team

WAT?

Isn't it great that there is a shiny new Linux security tool you can download which will help you find and fix exactly this horrible, unexpected and unexplainable compromise?

Turns out this is a scam. If you google this naughty worm (the obvious thing to do next), you will find a binary-only Linux "system tool" you can download to help you find and fix this horrible PHP-related problem on your Linux server. What it actually does is install itself on your Linux box and hand the wrong people a root back door.
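The boring alternative to downloading a mystery binary is to check your own evidence. The report only proves that some HTTP client sent requests from the named IP with a client-chosen User-Agent string; the sane next step is to look at your own access log for the same pattern (that user-agent, or `POST /?cmd=...&key=...` requests) and see whether anything matches. The script below is an added example written for this post, not something from the original or from the abuse team; it assumes the log being checked is in the standard Apache/nginx combined format, and the sample lines are a constructed mix of two lines copied from the report above and a few made-up ones.

```python
import re
import sys
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: Apache/nginx "combined" format.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

WORM_UA = "Net-Worm.PHP.Mongiko.a"          # user-agent quoted in the abuse report
SUSPICIOUS_CMDS = {"info", "list", "exec"}  # cmd= values seen in the quoted log lines

# Constructed sample log: lines 1-2 are copied from the report, the rest are made up.
SAMPLE_LOG = [
    '174.136.102.170 - - [23/Feb/2015:14:53:37 +0100] "POST /?cmd=info&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '174.136.102.170 - - [23/Feb/2015:14:53:45 +0100] "POST /?cmd=exec&key=f8184c819717b6815a8b8037e91c59ef&ip=212.97.34.7 HTTP/1.1" 200 429 "-" "Net-Worm.PHP.Mongiko.a"',
    '203.0.113.5 - - [23/Feb/2015:14:54:01 +0100] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    # same query pattern but a different user-agent: the UA is client-supplied, so match on the query too
    '198.51.100.9 - - [23/Feb/2015:14:55:12 +0100] "POST /?cmd=exec&key=0123456789abcdef0123456789abcdef&ip=203.0.113.5 HTTP/1.1" 404 210 "-" "curl/7.35.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["cmd"] = query.get("cmd", [None])[0]
    rec["key"] = query.get("key", [None])[0]
    rec["claimed_ip"] = query.get("ip", [None])[0]
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_indicators(lines):
    """Return parsed records that match the report's user-agent or its cmd=/key= POST pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on a dirty log
        ua_hit = rec["ua"] == WORM_UA
        query_hit = (rec["method"] == "POST"
                     and rec["cmd"] in SUSPICIOUS_CMDS
                     and rec["key"] is not None)
        reasons = [name for name, flag in (("user-agent", ua_hit), ("query", query_hit)) if flag]
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by client IP: request count, commands, keys and first/last timestamp."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"count": 0, "cmds": set(), "keys": set(),
                                         "first": h["time"], "last": h["time"]})
        s["count"] += 1
        if h["cmd"]:
            s["cmds"].add(h["cmd"])
        if h["key"]:
            s["keys"].add(h["key"])
        s["first"] = min(s["first"], h["time"])
        s["last"] = max(s["last"], h["time"])
    return summary


if __name__ == "__main__":
    # Usage: python check_log.py /var/log/apache2/access.log  (path is an assumption; no arg runs the sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, s in summarize(find_indicators(lines)).items():
        print(f"{ip}: {s['count']} hits, cmds={sorted(s['cmds'])}, keys={len(s['keys'])}, "
              f"{s['first'].isoformat()} .. {s['last'].isoformat()}")
```

Two caveats on reading the result. A line in somebody else's log is evidence that your IP sent an HTTP request with that string in it, nothing more, since the User-Agent is whatever the client chooses to send. And an empty result from your own access log only says nobody hit your web server with that pattern; the report accuses your box of making outbound requests, so pair this with a look at outbound connections from your PHP processes and at the integrity of the PHP files you serve, not with a downloaded "fix".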

No, I did not fall for it, and hopefully neither will you. If your box got implicated in being infected by Net-Worm.PHP.Mongiko.a, you might want to read this thread:

https://lists.freebsd.org/pipermail/freebsd-security/2015-February/008212.html

I hope this is not going to be some sort of new normal.