From owner-freebsd-stable@FreeBSD.ORG  Thu Dec 10 00:53:06 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C900D1065670
	for <freebsd-stable@freebsd.org>; Thu, 10 Dec 2009 00:53:06 +0000 (UTC)
	(envelope-from squirrel@mail.isot.com)
Received: from mail.isot.com (mail.isot.com [66.187.86.1])
	by mx1.freebsd.org (Postfix) with ESMTP id 8E6F18FC0A
	for <freebsd-stable@freebsd.org>; Thu, 10 Dec 2009 00:53:06 +0000 (UTC)
Received: from localhost ([127.0.0.1])
	by mail.isot.com (ISOT) with SMTP id RMY49917
	for <freebsd-stable@freebsd.org>; Wed, 09 Dec 2009 18:40:17 -0600
Date: Wed, 09 Dec 2009 18:40:17 -0600
From: Squirrel <squirrel@mail.isot.com>
To: "FreeBSD-STABLE Mailing List" <freebsd-stable@freebsd.org>
Message-ID: <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com>
X-Mailer: ISOT Web Mail 5.6.7
X-Originating-IP: 66.187.95.74
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Subject: Hacked - FreeBSD 7.1-Release
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: squirrel@isot.com
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 00:53:06 -0000

My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of couple of my websites.  The index.php had the following info:

"Hacked By Top
First Warning That's Bug From Your Servers
Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
Sorry Admin And Don't Worry Just I Change Index
ALTBTA
For Contact : l_9@hotmail.com
Best Wishes"

Of course, I sent him email, just in case it's valid, asking how he did it or how should I patch things up.  But haven't got a reply yet.  I've looked at all the log files, particularly auth.log, although there were thousands of login attempts to SSH and FTP, but none succeeded.  And I don't know where else to look, please help.

I'm using FreeBSD 7.1-Release with below daemons

Apache 2.2.11
ProFTP 1.32
OpenSSH 5.1
Webmin 1.480
MySQL 5.0.67
BIND 9.6.0