From owner-freebsd-stable@FreeBSD.ORG Thu Dec 10 05:11:52 2009
Date: Wed, 09 Dec 2009 23:11:52 -0600
From: Squirrel
To: d@delphij.net
Cc: FreeBSD-STABLE Mailing List
Subject: Re: Hacked - FreeBSD 7.1-Release

Taking your advice and checking all ports for problems. Thanks.

-----Original message-----
From: Xin LI delphij@delphij.net
Date: Wed, 09 Dec 2009 20:18:13 -0600
To: squirrel@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Squirrel wrote:
> > My server was hacked, and the hacker was nice enough not to cause damage except changing the index.php of a couple of my websites. The index.php had the following info:
> >
> > "Hacked By Top
> > First Warning That's Bug From Your Servers
> > Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> > Sorry Admin And Don't Worry Just I Change Index
> > ALTBTA
> > For Contact : l_9@hotmail.com
> > Best Wishes"
> >
> > Of course, I sent him an email, just in case it's valid, asking how he did it or how I should patch things up, but I haven't got a reply yet. I've looked at all the log files, particularly auth.log; there were thousands of login attempts to SSH and FTP, but none succeeded. I don't know where else to look, please help.
> >
> > I'm using FreeBSD 7.1-Release with the daemons below:
> >
> > Apache 2.2.11
> > ProFTP 1.32
> > OpenSSH 5.1
> > Webmin 1.480
> > MySQL 5.0.67
> > BIND 9.6.0
>
> It could be tricky to figure out how the attacker got in. I'd be
> curious what PHP application you are using right now. Have you
> properly set the permissions (i.e. files are either executable or
> writable, but not both; the www user can't write where code can be
> executed, etc.), and is there no vulnerability in your web application?
>
> By the way, if you use ports you can install ports-mgmt/portaudit and
> use 'portaudit -Fda' to check if there is a known vulnerability in your
> installed packages, just a hint.
>
> Cheers,
> - --
> Xin LI http://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.13 (FreeBSD)
>
> iEYEARECAAYFAksgTFUACgkQi+vbBBjt66DA5gCeKX9oPnuBJOEznAA6WOxozpTz
> hZMAoI2CRuXM6o/t9JuKffPli6Uk7uQ/
> =rOnr
> -----END PGP SIGNATURE-----
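One way to run the permission checks Xin LI suggests, as an added example that is not part of the thread: a POSIX sh function (the name audit_webroot, the argument layout and the default web account name "www" are assumptions of mine) that reports files that are both group- or world-writable and executable, everything the web server account can write, and writable directories that directly hold PHP code, which is where a rewritten index.php would run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed interface: audit_webroot ROOT [WEBUSER];
# WEBUSER defaults to "www", the account Apache runs as on a FreeBSD ports install.
audit_webroot() {
    root="$1"
    webuser="${2:-www}"
    if ! id "$webuser" >/dev/null 2>&1; then
        echo "no such user: $webuser" >&2
        return 2
    fi
    # Check 1: files writable by group or world that are also executable by anyone.
    # Owner write on a root-owned 0755 script is normal, so it is not flagged here.
    find "$root" -type f \
        \( -perm -0020 -o -perm -0002 \) \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
        sed 's|^|WRITABLE+EXEC: |'
    # Check 2: anything the web server account could write: owned by it with the
    # owner write bit set, or world-writable (its group's write bit is not checked).
    find "$root" \( \( -user "$webuser" -perm -0200 \) -o -perm -0002 \) -print |
        sed 's|^|WEBUSER-WRITABLE: |'
    # Check 3: directories the web account can write that directly contain PHP
    # files, i.e. places where a dropped or rewritten index.php would be served.
    find "$root" -type d \( \( -user "$webuser" -perm -0200 \) -o -perm -0002 \) -print |
    while IFS= read -r d; do
        if find "$d" -maxdepth 1 -type f -name '*.php' | grep -q .; then
            echo "CODE-IN-WRITABLE-DIR: $d"
        fi
    done
}

# Usage: sh audit_webroot.sh /usr/local/www/apache22/data www
if [ $# -gt 0 ]; then
    audit_webroot "$@"
fi
```

Any line of output is a finding to look at; an empty run means none of the three patterns exist under the given root.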