From owner-freebsd-bugs Wed Jul 25 4:50:46 2001
Delivered-To: freebsd-bugs@freebsd.org
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id 5CB7737B401; Wed, 25 Jul 2001 04:50:41 -0700 (PDT) (envelope-from dima@unixfreak.org)
Received: from hornet.unixfreak.org (hornet [63.198.170.140]) by bazooka.unixfreak.org (Postfix) with ESMTP id B1F073E28; Wed, 25 Jul 2001 04:50:40 -0700 (PDT)
To: Peter Pentchev
Cc: jett, freebsd-bugs
Subject: Re: broken into via ssh?
In-Reply-To: <20010725144452.A84551@ringworld.oblivion.bg>; from roam@orbitel.bg on "Wed, 25 Jul 2001 14:44:52 +0300"
Date: Wed, 25 Jul 2001 04:50:40 -0700
From: Dima Dorfman
Message-Id: <20010725115040.B1F073E28@bazooka.unixfreak.org>

Peter Pentchev writes:
> On Wed, Jul 25, 2001 at 10:33:01AM +0800, jett wrote:
> > bash-2.04$ netstat -an | grep LISTEN
> > tcp        0      0  *.80                   *.*                    LISTEN
> > tcp        0      0  *.443                  *.*                    LISTEN
> > tcp        0      0  *.31341                *.*                    LISTEN
> > tcp        0      0  *.22                   *.*                    LISTEN
> > ...
>
> From looking at your services list it would seem that either httpd by itself,
> or some script you have on your website was used to break in.

More specifically, it would seem that somebody used httpd or a CGI script to
break in and get unprivileged user access, then one of the umpteen local holes
in 3-stable to get root.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
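The thread's diagnosis starts from one observation: the `netstat -an | grep LISTEN` listing shows a listener (port 31341) that has no business on a host that is only meant to serve web and ssh. The script below is an added example, not code from the original thread or from anyone in it; it turns that check into something repeatable by comparing the LISTEN lines of `netstat -an` against an allowlist of expected ports. The allowlist (22, 80, 443) and the sample netstat output are assumptions constructed to mirror the listing quoted above.

```shell
#!/bin/sh
# Added example (not from the original thread): report listening TCP ports that
# are not on the host's allowlist. The sample output below is constructed to
# match the shape of FreeBSD's "netstat -an | grep LISTEN".

# Assumption: this host is only supposed to offer ssh and http/https.
EXPECTED_PORTS="22 80 443"

# Constructed sample of "netstat -an" LISTEN lines (same layout as the thread).
SAMPLE_NETSTAT='tcp        0      0  *.80                   *.*                    LISTEN
tcp        0      0  *.443                  *.*                    LISTEN
tcp        0      0  *.31341                *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN'

# Print the distinct local ports of every LISTEN line, one per line, sorted.
# The local address is column 4 ("*.80" or "10.0.0.5.22"); the port is the
# part after the last dot, which split() on "." isolates as the last element.
listening_ports() {
    printf '%s\n' "$1" \
        | awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }' \
        | sort -n | uniq
}

# Print every listening port that is not in EXPECTED_PORTS.
# Returns 0 when all listeners are expected, 1 when at least one is not.
unexpected_listeners() {
    found=0
    for port in $(listening_ports "$1"); do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;                       # allowlisted, nothing to say
            *) echo "unexpected listener on port $port"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone run against the constructed sample. On a live host, feed the
# real listing instead:  unexpected_listeners "$(netstat -an)"
if unexpected_listeners "$SAMPLE_NETSTAT"; then
    echo "all listeners are on the allowlist"
else
    echo "review the ports above (compare with the expected service set)"
fi
```

Run on a schedule or from an integrity-check job, a non-zero return is the trigger to look at what process owns the port (on FreeBSD, `sockstat -4l` shows the owning process) rather than a verdict by itself; a legitimately added service produces the same alert until the allowlist is updated.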