Date: Wed, 25 Feb 2015 17:52:09 -0400
From: Joseph Mingrone <jrm@ftfl.ca>
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <86a901wtfa.fsf@gly.ftfl.ca>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl>
Walter Hop <freebsd@spam.lifeforms.nl> writes:

> If this traffic is originating from your system, and you were running
> PHP, I’d say it’s probably most likely that some PHP
> script/application on your host was compromised. Were you running
> stuff like phpMyAdmin, Wordpress or Drupal that might not have been
> updated too often?

I was running almost nothing with php except
<TITLE><?php echo $_SERVER['HTTP_HOST']?></TITLE> on one page. I was
recently testing out mediawiki. IIRC I installed it via the port, but
uninstalled it almost immediately. I saw today that there was still a
mediawiki directory left over with a timestamp of 2014-12-30 and one
php file, LocalSettings.php.

> Often in such a compromise, the attacker leaves traces in the
> filesystem, like executable scripts or temp files. Try to look for new
> files which are owned by the webserver or fastcgi process, see if you
> find some surprises.
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don’t find anything, look back a little further.
> Hopefully you will find a clue in this way.

# touch -t 201412250000 foo
# find / -user www -newer foo

turned up a few directories under /var/tmp/nginx, but they were all
empty. The timestamps were the same as the mediawiki directory. Nothing
interesting turned up in the output when I uninstalled the php or
spawn-fcgi packages.

Thanks,
Joseph
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86a901wtfa.fsf>
