Date: Tue, 22 Sep 2009 05:55:35 -0700 (PDT) From: Aflatoon Aflatooni <aaflatooni@yahoo.com> To: Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br> Cc: freebsd-questions@freebsd.org Subject: Re: FreeBSD 6.3 installation hacked Message-ID: <477617.55755.qm@web56208.mail.re3.yahoo.com> In-Reply-To: <4AB8C839.3000905@fcdl-sc.org.br> References: <196554.24096.qm@web56207.mail.re3.yahoo.com> <4AB8C839.3000905@fcdl-sc.org.br>
I found a script in the /tmp directory which could have been uploaded using php or Java.
How would they execute the code in the /tmp directory? I couldn't figure it out.

Thanks

----- Original Message ----
From: Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>
To: Aflatoon Aflatooni <aaflatooni@yahoo.com>
Cc: freebsd-questions@freebsd.org
Sent: Tuesday, September 22, 2009 8:51:05 AM
Subject: Re: FreeBSD 6.3 installation hacked

Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt                                    11 kB   56 kBps
> ...

It does not look like they entered using any apache bug.
Probably you had a world writable directory and they managed to access it by ftp (or any other way) and sent a file containing commands to it.
Once it is there, they've 'called' the file using apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

--
Leandro Quibem Magnabosco.
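The question "how would they execute the code in /tmp" is largely answered by the shape of the error log itself: every line httpd writes on its own begins with a bracketed timestamp and level, while the stderr of any process the web server spawns (a CGI, or PHP's shell-execution functions) lands in error_log with no prefix at all. The bare "wget: not found" and "Can't open perl script" lines are therefore shell and perl output from commands httpd ran, which is exactly the "called the file using apache" scenario Leandro describes. The script below is an added example, not code from the thread or from FreeBSD; it separates the two kinds of lines and summarises what the stray ones reveal. The sample log is constructed from the lines quoted above plus two ordinary Apache entries, and the list of download tools to flag is an assumption, not an official catalogue.

```python
import re

# Constructed sample error_log: the lines quoted in the thread plus two ordinary
# Apache entries. The client address is a documentation IP, not a real host.
SAMPLE_ERROR_LOG = """\
[Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
wget: not found
Can't open perl script "/tmp/shit.pl": No such file or directory
wget: not found
Can't open perl script "zuo.txt": No such file or directory
curl: not found
Can't open perl script "zuo.txt": No such file or directory
lwp-download: not found
Can't open perl script "zuo.txt": No such file or directory
lynx: not found
Can't open perl script "zuo.txt": No such file or directory
zuo.txt                                    11 kB   56 kBps
[Mon Sep 21 02:05:00 2009] [error] [client 192.0.2.10] File does not exist: /usr/local/www/favicon.ico
"""

# Lines httpd writes itself: "[Day Mon DD hh:mm:ss YYYY] [level] ...".
APACHE_LINE = re.compile(r"^\[\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\] \[(\w+)\]")
# Shell output when a command is missing from PATH.
NOT_FOUND = re.compile(r"^(\S+): not found$")
# Assumed list of fetch tools worth flagging when a shell probes for them.
DOWNLOADERS = {"wget", "curl", "fetch", "lwp-download", "lynx", "links", "GET"}
# perl's message when asked to run a script that is not there.
PERL_OPEN = re.compile(r'^Can\'t open perl script "([^"]+)"')
# Transfer progress line of a download tool ("name  NN kB  NN kBps").
PROGRESS = re.compile(r"^(\S+)\s+\d+ kB\s+\d+ kBps$")
# Directories that are world-writable by default.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify(line):
    """Return (origin, kind, detail).

    origin is 'apache' for lines httpd wrote; 'stray' for anything else, which in
    error_log means stderr of a child process. kind names the summary bucket."""
    m = APACHE_LINE.match(line)
    if m:
        return ("apache", m.group(1), None)
    m = NOT_FOUND.match(line)
    if m:
        tool = m.group(1)
        kind = "downloader_probes" if tool in DOWNLOADERS else "missing_commands"
        return ("stray", kind, tool)
    m = PERL_OPEN.match(line)
    if m:
        path = m.group(1)
        kind = "scripts_in_tmp" if path.startswith(WRITABLE_DIRS) else "other_scripts"
        return ("stray", kind, path)
    m = PROGRESS.match(line)
    if m:
        return ("stray", "downloads", m.group(1))
    return ("stray", "unclassified", line)


def analyze(text):
    """Summarise an error_log: how many lines came from child processes and what
    those lines show (download-tool probes, perl scripts run from /tmp, downloads)."""
    summary = {
        "apache_lines": 0,
        "stray_lines": 0,
        "downloader_probes": [],
        "missing_commands": [],
        "scripts_in_tmp": [],
        "other_scripts": [],
        "downloads": [],
        "unclassified": [],
    }
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        origin, kind, detail = classify(line)
        if origin == "apache":
            summary["apache_lines"] += 1
            continue
        summary["stray_lines"] += 1
        summary[kind].append(detail)
    # Any downloader probe or script launch in stderr means httpd, or something it
    # spawned (PHP exec-style functions, a CGI), ran shell commands.
    summary["execution_suspected"] = bool(
        summary["downloader_probes"] or summary["scripts_in_tmp"] or summary["other_scripts"]
    )
    return summary


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ERROR_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real error_log by reading the file into `analyze()`. A non-zero `stray_lines` count on a server that runs no CGI and no shell-executing PHP is itself the alarm; the buckets then tell you whether the child process was hunting for a download tool or launching a script from a world-writable directory, which points at the web application (and its upload paths and `exec`-style calls) rather than at httpd.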
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?477617.55755.qm>