From: Kevin Kinsey <kdk@daleco.biz>
Date: Fri, 19 May 2006 08:10:40 -0500
To: Don O'Neil
Cc: freebsd-questions@freebsd.org
Subject: Re: Hacked Web Site

Don O'Neil wrote:
> A customer of mine recently had their web site hacked and the index file
> defaced by Milli-Harekat...
>
> http://www.zone-h.org/en/search/what=Milli-Harekat.Org/
>
> Does anyone know the exploit used for this and where to find out about
> fixing it? I have a feeling it's a brute force attack of some sort, but I
> can't find anything.

What makes you think it was a BF attack?
IANAE, but looking over a list of exploits, I see a fairly large number against PHP pages and the like, including what appears to be HTML URI injection by means of a semicolon and HTTP 'meta-refresh' tag; so, I'd start looking for insecure server-side scripting, especially in the absence of any evidence of compromise of the machine itself.

Of course, "compromise of the machine itself" is a whole 'nother "ball of wax". You've my sympathies either way.

Kevin Kinsey
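One concrete way to follow Kevin's advice of checking the web tier before suspecting the host: scan the web server's access log for requests whose query strings carry injected markup such as a meta-refresh tag. This is an added example, not code from the thread or from FreeBSD; the log lines, addresses and paths are constructed, and the set of injection patterns is an assumption (a starting point, not an exhaustive signature list).

```python
import re
import urllib.parse

# Constructed sample access-log lines in Common Log Format; the addresses,
# paths and hostnames are hypothetical. Line 2 carries a percent-encoded
# meta-refresh tag (note the %3B semicolon); line 3 is double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2006:08:10:40 -0500] "GET /index.php?page=home HTTP/1.1" 200 2310
203.0.113.9 - - [19/May/2006:08:11:02 -0500] "GET /index.php?page=%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A%2F%2Fexample.invalid%22%3E HTTP/1.1" 200 2310
203.0.113.9 - - [19/May/2006:08:11:05 -0500] "GET /guestbook.php?name=%253Cmeta%2520http-equiv%253Drefresh HTTP/1.1" 200 800
198.51.100.4 - - [19/May/2006:08:12:00 -0500] "POST /login.php HTTP/1.1" 401 120
"""

# Minimal CLF parser: client IP, timestamp, method, request URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed patterns for markup smuggled through a parameter: a meta-refresh
# tag (the case mentioned in the thread) plus script and iframe tags.
INJECT_RE = re.compile(
    r'<\s*meta[^>]*http-equiv\s*=\s*"?refresh|<\s*script|<\s*iframe', re.I
)

def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_injection_attempts(log_text):
    """Return (ip, url, decoded_query) for each request whose query string
    contains one of the injection patterns after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        url = m.group("url")
        decoded = fully_decode(urllib.parse.urlsplit(url).query)
        if INJECT_RE.search(decoded):
            hits.append((m.group("ip"), url, decoded))
    return hits

if __name__ == "__main__":
    for ip, url, decoded in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {url}\n    decoded query: {decoded}")
```

A hit only shows that injected markup was sent, not that the page reflected it; the next step is to read the named PHP script and check whether that parameter reaches the output without escaping.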