Date: Wed, 09 Dec 2009 23:08:25 -0600
From: Squirrel
Reply-To: squirrel@isot.com
To: "Chuck Swiger"
Cc: FreeBSD-STABLE Mailing List
Message-ID: <70b530187d5c4ef4336260f6fdf72193@mail.isot.com>
Subject: Re: Hacked - FreeBSD 7.1-Release

I've just finished the rtld patch. Now in the process of regenerating all the keys and certs. Next I will look into PHP.

But as far as the rtld vulnerability goes, doesn't it require at least a local user account? Looking at all the authentication, there wasn't any authenticated session during the time frame. So I'm leaning more towards PHP 5.2.9, and checking all my ports.

Thanks for the info.

-----Original message-----
From: Chuck Swiger cswiger@mac.com
Date: Wed, 09 Dec 2009 20:12:08 -0600
To: squirrel@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release

> On Dec 9, 2009, at 4:40 PM, Squirrel wrote:
> > My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of a couple of my websites. The index.php had the following info:
> >
> > "Hacked By Top
> > First Warning That's Bug From Your Servers
> > Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> > Sorry Admin And Don't Worry Just I Change Index
> > ALTBTA
> > For Contact : l_9@hotmail.com
> > Best Wishes"
>
> While it's unfortunate that your machine was hacked, and it would be nice to assume that no other changes were made, you need to completely rebuild this box, regenerate SSH keys, SSL certs, etc. before you can trust anything it talks to.
>
> > Of course, I sent him email, just in case it's valid, asking how he did it or how I should patch things up. But I haven't got a reply yet. I've looked at all the log files, particularly auth.log; although there were thousands of login attempts to SSH and FTP, none succeeded. And I don't know where else to look, please help.
> >
> > I'm using FreeBSD 7.1-Release with the daemons below:
> >
> > Apache 2.2.11
> > ProFTP 1.32
> > OpenSSH 5.1
> > Webmin 1.480
> > MySQL 5.0.67
> > BIND 9.6.0
>
> You're down-rev on Apache and BIND, for the very least. And, the fact that you mentioned index.php suggests that you're running a lot more than just a basic Apache webserver; PHP is a likely candidate for security vulnerabilities by itself, and if you haven't patched for FreeBSD-SA-09:16.rtld, any local exploit will yield root.
>
> Installing /usr/ports/ports-mgmt/portaudit can be helpful....
>
> Regards,
> --
> -Chuck
>
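The reasoning in the reply above (a local root exploit like SA-09:16.rtld needs a local account, so check auth.log for any authenticated session in the window when index.php was modified) can be made mechanical. The following is an added example, not part of the thread; it parses sshd lines in FreeBSD's auth.log format, and the log lines, hostname, year and defacement window are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth.log lines (FreeBSD syslog format: no year field).
SAMPLE_AUTH_LOG = """\
Dec  9 15:58:01 web sshd[4410]: Invalid user admin from 203.0.113.7
Dec  9 15:58:03 web sshd[4410]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Dec  9 15:58:07 web sshd[4412]: Failed password for root from 203.0.113.7 port 41030 ssh2
Dec  9 16:05:19 web sshd[4520]: Accepted publickey for squirrel from 192.0.2.55 port 50212 ssh2
Dec  9 17:31:02 web sshd[4603]: Failed password for root from 203.0.113.8 port 33010 ssh2
Dec 10 02:14:55 web sshd[4880]: Accepted password for backup from 192.0.2.60 port 51000 ssh2
"""

# Matches sshd "Accepted <method> for <user> from <src>" and
# "Failed <method> for [invalid user] <user> from <src>" records.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_sshd_events(log_text, year):
    """Return (timestamp, event, user, src) tuples; year is supplied because syslog omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd noise ("Invalid user ...") is not an auth decision
        stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def sessions_in_window(events, start, end):
    """Successful logins inside [start, end]; empty means no local session existed then."""
    return [e for e in events if e[1] == "Accepted" and start <= e[0] <= end]


def failed_by_source(events):
    """Count of failed attempts per source address (the brute-force background noise)."""
    return Counter(e[3] for e in events if e[1] == "Failed")


if __name__ == "__main__":
    ev = parse_sshd_events(SAMPLE_AUTH_LOG, 2009)
    # Constructed defacement window: mtime of the changed index.php plus some slack.
    window = (datetime(2009, 12, 9, 16, 30), datetime(2009, 12, 9, 17, 45))
    print("authenticated sessions in window:", sessions_in_window(ev, *window))
    print("failed attempts by source:", failed_by_source(ev))
```

An empty result for the window supports the "no local account was used" reading; a non-empty one names the account and source to investigate first.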