From: Aflatoon Aflatooni
To: Leandro Quibem Magnabosco
Cc: freebsd-questions@freebsd.org
Date: Tue, 22 Sep 2009 05:55:35 -0700 (PDT)
Subject: Re: FreeBSD 6.3 installation hacked
Message-ID: <477617.55755.qm@web56208.mail.re3.yahoo.com>
In-Reply-To: <4AB8C839.3000905@fcdl-sc.org.br>

I found a script in the /tmp directory which could have been uploaded using PHP or Java.
How would they execute the code in the /tmp directory? I couldn't figure it out.

Thanks

----- Original Message ----
From: Leandro Quibem Magnabosco
To: Aflatoon Aflatooni
Cc: freebsd-questions@freebsd.org
Sent: Tuesday, September 22, 2009 8:51:05 AM
Subject: Re: FreeBSD 6.3 installation hacked

Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt                                            11 kB  56 kBps
> ...

It does not look like they entered using any Apache bug.
Probably you had a world-writable directory and they managed to access it by ftp (or any other way) and sent a file containing commands to it.
Once it is there, they've 'called' the file using Apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

--
Leandro Quibem Magnabosco.
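As an added example (not code from either poster), a small detector for the pattern discussed in this thread: output in Apache's error_log that Apache itself did not write, such as "X: not found" from a shell trying one download tool after another, and perl failing to open a script under /tmp. The sample log is constructed from the excerpt quoted above; the set of downloader names and the regular expressions are my assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, modelled on the error-log excerpt quoted in the thread.
SAMPLE_LOG = """\
[Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
wget: not found
Can't open perl script "/tmp/shit.pl": No such file or directory
curl: not found
Can't open perl script "zuo.txt": No such file or directory
zuo.txt                         11 kB  56 kBps
"""

# Apache 2.0 error_log entries start with "[timestamp] [level]". Anything else
# came from the stdout/stderr of a child process, e.g. a shell spawned by a
# web script, and deserves a look.
APACHE_ENTRY = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}\] \[\w+\]")
# Download tools such scripts typically try in turn (assumed list);
# "name: not found" is /bin/sh's message when the binary is missing.
DOWNLOADERS = {"wget", "curl", "lwp-download", "lynx", "fetch", "ftp"}
NOT_FOUND = re.compile(r"^(\S+): not found$")
PERL_OPEN = re.compile(r'''^Can't open perl script "([^"]+)"''')
TMP_PATH = re.compile(r"/(?:var/)?tmp/\S+")

@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str

def scan_error_log(text: str) -> list[Finding]:
    """Return every non-Apache line with a classification of why it is suspicious."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or APACHE_ENTRY.match(line):
            continue  # blank, or a normal Apache entry
        m = NOT_FOUND.match(line)
        if m and m.group(1) in DOWNLOADERS:
            findings.append(Finding(n, "downloader-probe", m.group(1)))
            continue
        m = PERL_OPEN.match(line)
        if m:
            findings.append(Finding(n, "perl-script-exec", m.group(1)))
            continue
        kind = "tmp-path" if TMP_PATH.search(line) else "foreign-output"
        findings.append(Finding(n, kind, line.strip()))
    return findings

def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. to alert when any non-Apache output appears."""
    return {k: sum(1 for f in findings if f.kind == k) for k in {f.kind for f in findings}}
```

Running `scan_error_log` over a real error_log with rotation-aware tailing gives a cheap early warning: a healthy Apache 2.0 error_log should produce no findings at all.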