From: Brian Seklecki
To: Aflatoon Aflatooni
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD 6.3 installation hacked
Date: Tue, 22 Sep 2009 08:51:42 -0400
Organization: Collaborative Fusion, Inc.

On Tue, 2009-09-22 at 05:01 -0700, Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
>
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [M

According to Apache.org, there were vulns in 2.0.6x before 2.0.63.

However, when you do your forensic analysis, you'll want to focus on code installed on your webserver that runs with the posix user 'www''s permissions.

~BAS
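Added example, not part of the original message or of any FreeBSD or Apache tooling: one way to start the triage the reply points to is to list what under the document root is owned by, or writable by, the `www` account, and which of those entries changed recently. The function names, the command-line argument, the 7-day window and the use of only the account's primary group are assumptions made for illustration.

```python
import os
import stat

def writable_by(st, uid, gids):
    """Classic owner/group/other write check for one uid (ignores ACLs)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def triage(root, web_uid, web_gids, cutoff):
    """Map path -> list of reasons the path deserves a closer look."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # entry vanished or is unreadable
            is_link = stat.S_ISLNK(st.st_mode)
            reasons = []
            if st.st_uid == web_uid:
                reasons.append("owned-by-web-user")
            # Symlink mode bits carry no meaning, so skip the write check.
            if not is_link and writable_by(st, web_uid, web_gids):
                reasons.append("writable-by-web-user")
            # ctime (inode change time) is used because mtime can be reset
            # by anyone who is able to write the file.
            if reasons and st.st_ctime >= cutoff:
                reasons.append("changed-since-cutoff")
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    import pwd, sys, time
    pw = pwd.getpwnam("www")                 # the account named in the reply
    root = sys.argv[1]                       # document root (assumed argument)
    cutoff = time.time() - 7 * 86400         # assumed window: the last 7 days
    hits = triage(root, pw.pw_uid, {pw.pw_gid}, cutoff)
    for path, reasons in sorted(hits.items()):
        print(path, ",".join(reasons))
```

Run it against a read-only mount or an image of the disk where possible, so that the inspection itself does not alter timestamps on the evidence.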