Date: Wed, 09 Dec 2009 23:11:52 -0600
From: Squirrel <squirrel@mail.isot.com>
To: d@delphij.net
Cc: FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject: Re: Hacked - FreeBSD 7.1-Release
Message-ID: <62e6c0845bd249dcc07bdc4ae48bf41e@mail.isot.com>

Taking your advice and checking all ports for problems. Thanks.

-----Original message-----
From: Xin LI delphij@delphij.net
Date: Wed, 09 Dec 2009 20:18:13 -0600
To: squirrel@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Squirrel wrote:
> > My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of couple of my websites. The index.php had the following info:
> >
> > "Hacked By Top
> > First Warning That's Bug From Your Servers
> > Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> > Sorry Admin And Don't Worry Just I Change Index
> > ALTBTA
> > For Contact : l_9@hotmail.com
> > Best Wishes"
> >
> > Of course, I sent him email, just in case it's valid, asking how he did it or how should I patch things up. But haven't got a reply yet. I've looked at all the log files, particularly auth.log, although there were thousands of login attempts to SSH and FTP, but none succeeded. And I don't know where else to look, please help.
> >
> > I'm using FreeBSD 7.1-Release with below daemons
> >
> > Apache 2.2.11
> > ProFTP 1.32
> > OpenSSH 5.1
> > Webmin 1.480
> > MySQL 5.0.67
> > BIND 9.6.0
>
> It could be tricky to figure out how the attacker gets in. I'd be
> curious what PHP application are you using right now? Do you have
> properly set the permissions (i.e. files are either executable, or
> writable, but not both; www user can't write on where code can be
> executed, etc), and there is no vulnerability in your web application?
>
> By the way, if you use ports you can install ports-mgmt/portaudit and
> use 'portaudit -Fda' to check if there is known vulnerability with your
> installed packages, just a hint.
>
> Cheers,
> - --
> Xin LI <delphij@delphij.net> http://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.13 (FreeBSD)
>
> iEYEARECAAYFAksgTFUACgkQi+vbBBjt66DA5gCeKX9oPnuBJOEznAA6WOxozpTz
> hZMAoI2CRuXM6o/t9JuKffPli6Uk7uQ/
> =rOnr
> -----END PGP SIGNATURE-----
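
The permission rule in the quoted reply (no file both writable and executable, nothing writable by the www user where code is executed) can be checked with find. This is an added example, not part of the original thread; the function name, output tags and the docroot and account arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for the permission
# problems named in the quoted reply. Function name and tags are assumptions.
# Usage: sh audit_webroot.sh /path/to/docroot www

# audit_webroot ROOT WEBUSER
# Prints "TAG<TAB>path" per finding, sorted; returns 1 if anything was found.
# WEBUSER may be a login name or a numeric uid (find -user accepts both).
audit_webroot() {
    root=$1
    webuser=$2
    findings=$(
        # Writable by every local account, the web server's included.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD-WRITABLE\t%s\n' {} \;
        # Files where one class (owner, group or other) has write AND execute.
        find "$root" -type f \
            \( -perm -0300 -o -perm -0030 -o -perm -0003 \) \
            -exec printf 'WRITE+EXEC\t%s\n' {} \;
        # Owned by the web server account and owner-writable: code dropped or
        # changed here through a PHP bug is served on the next request.
        find "$root" \( -type f -o -type d \) -user "$webuser" -perm -0200 \
            -exec printf 'WEBUSER-WRITABLE\t%s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sort
    return 1
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Directories are exempt from the write-and-execute check because the execute bit on a directory only grants traversal. The check reads mode bits and ownership only, so ACLs and group membership of the web server account need a separate look.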