From owner-freebsd-stable@FreeBSD.ORG Thu Dec 10 01:18:37 2009 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3FAE8106566B for ; Thu, 10 Dec 2009 01:18:37 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2]) by mx1.freebsd.org (Postfix) with ESMTP id DD51B8FC0A for ; Thu, 10 Dec 2009 01:18:36 +0000 (UTC) Received: from localhost (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id 42960A577B5; Thu, 10 Dec 2009 09:18:35 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by localhost (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with ESMTP id rpadsiCZIEqf; Thu, 10 Dec 2009 09:18:20 +0800 (CST) Received: from delta.delphij.net (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 64AFBA577B0; Thu, 10 Dec 2009 09:18:17 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=OiD9iKt1aJ0C58D6PN3Knamk5KmuTav9ANGzRB/Hm7CxVDioPfEQptjbL2bowilwT UaAJLPwKwSujusp9vq96Q== Message-ID: <4B204C55.5050900@delphij.net> Date: Wed, 09 Dec 2009 17:18:13 -0800 From: Xin LI Organization: The Geek China Organization User-Agent: Thunderbird 2.0.0.23 (X11/20091130) MIME-Version: 1.0 To: squirrel@isot.com References: In-Reply-To: X-Enigmail-Version: 0.95.7 OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: FreeBSD-STABLE Mailing List Subject: Re: Hacked - FreeBSD 7.1-Release X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Dec 2009 01:18:37 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Squirrel wrote: > My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of couple of my websites. The index.php had the following info: > > "Hacked By Top > First Warning That's Bug From Your Servers > Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again > Sorry Admin And Don't Worry Just I Change Index > ALTBTA > For Contact : l_9@hotmail.com > Best Wishes" > > Of course, I sent him email, just in case it's valid, asking how he did it or how should I patch things up. But haven't got a reply yet. I've looked at all the log files, particularly auth.log, although there were thousands of login attempts to SSH and FTP, but none succeeded. And I don't know where else to look, please help. > > I'm using FreeBSD 7.1-Release with below daemons > > Apache 2.2.11 > ProFTP 1.32 > OpenSSH 5.1 > Webmin 1.480 > MySQL 5.0.67 > BIND 9.6.0 It could be tricky to figure out how the attacker gets in. I'd be curious what PHP application are you using right now? Do you have properly set the permissions (i.e. files are either executable, or writable, but not both; www user can't write on where code can be executed, etc), and there is no vulnerability in your web application? By the way, if you use ports you can install ports-mgmt/portaudit and use 'portaudit -Fda' to check if there is known vulnerability with your installed packages, just a hint. Cheers, - -- Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.13 (FreeBSD) iEYEARECAAYFAksgTFUACgkQi+vbBBjt66DA5gCeKX9oPnuBJOEznAA6WOxozpTz hZMAoI2CRuXM6o/t9JuKffPli6Uk7uQ/ =rOnr -----END PGP SIGNATURE-----