Date: Sat, 11 Aug 2007 13:43:52 -0500
From: Erik Osterholm
To: Brent
Cc: questions@freebsd.org
Subject: Re: server was hacked
Message-ID: <20070811184352.GA23480@idoru.cepheid.org>
In-Reply-To: <20070811110231.M84490@bmyster.com>

On Sat, Aug 11, 2007 at 07:20:31AM -0400, Brent wrote:
> a compromised mambo site. After getting rid of the program I changed
> our router to disallow this type of traffic and started trying to fix
> the box. I'm pretty sure that root wasn't compromised but I'm going to
> re-install anyway. My question: has anyone run into this problem with
> CMS sites? How exactly are they getting in?

Lots of CMS have long histories of vulnerabilities. Check out
www.securityfocus.com, e.g.
http://search.securityfocus.com/swsearch?query=mambo&sbm=bid&submit=Search%21&metaname=alldoc&sort=swishrank
for some details.

Erik