Date: Wed, 09 Dec 2009 23:08:25 -0600 From: Squirrel <squirrel@mail.isot.com> To: "Chuck Swiger" <cswiger@mac.com> Cc: FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org> Subject: Re: Hacked - FreeBSD 7.1-Release Message-ID: <70b530187d5c4ef4336260f6fdf72193@mail.isot.com>
next in thread | raw e-mail | index | archive | help
I've just finished the rtld patch. Now in process of regenerating all the keys and certs. Next will look into php. But far as rtld vulnerability, doesn't it require at least a local user account? Looking at all the authentication, there wasn't any authenticated session during the time frame. So I'm leaning more towards php 5.2.9, and checking all my ports. Thanks for info. -----Original message----- From: Chuck Swiger cswiger@mac.com Date: Wed, 09 Dec 2009 20:12:08 -0600 To: squirrel@isot.com Subject: Re: Hacked - FreeBSD 7.1-Release > On Dec 9, 2009, at 4:40 PM, Squirrel wrote: > > My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of couple of my websites. The index.php had the following info: > > > > "Hacked By Top > > First Warning That's Bug From Your Servers > > Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again > > Sorry Admin And Don't Worry Just I Change Index > > ALTBTA > > For Contact : l_9@hotmail.com > > Best Wishes" > > While it's unfortunate that your machine was hacked, and it would be nice to assume that no other changes were made, you need to completely rebuild this box, regenerate SSH keys, SSL certs, etc before you can trust anything it talks to. > > > Of course, I sent him email, just in case it's valid, asking how he did it or how should I patch things up. But haven't got a reply yet. I've looked at all the log files, particularly auth.log, although there were thousands of login attempts to SSH and FTP, but none succeeded. And I don't know where else to look, please help. > > > > I'm using FreeBSD 7.1-Release with below daemons > > > > Apache 2.2.11 > > ProFTP 1.32 > > OpenSSH 5.1 > > Webmin 1.480 > > MySQL 5.0.67 > > BIND 9.6.0 > > > You're down-rev on Apache and BIND, for the very least. And, the fact that you mentioned index.php suggests that you're running a lot more than just a basic Apache webserver; PHP is a likely candidate for security vulnerabilities by itself, and if you haven't patched for FreeBSD-SA-09:16.rtld, any local exploit will yield root. > > Installing /usr/ports/ports-mgmt/portaudit can be helpful.... > > Regards, > -- > -Chuck >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?70b530187d5c4ef4336260f6fdf72193>