From owner-freebsd-questions@FreeBSD.ORG Tue Sep 22 12:51:08 2009
Message-ID: <4AB8C839.3000905@fcdl-sc.org.br>
Date: Tue, 22 Sep 2009 09:51:05 -0300
From: Leandro Quibem Magnabosco
Organization: FCDL/SC
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
To: Aflatoon Aflatooni
Cc: freebsd-questions@freebsd.org
References: <196554.24096.qm@web56207.mail.re3.yahoo.com>
In-Reply-To: <196554.24096.qm@web56207.mail.re3.yahoo.com>
Subject: Re: FreeBSD 6.3 installation hacked
List-Id: User questions

Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
>
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt 11 kB 56 kBps
> ...

It does not look like they entered using any Apache bug. Probably you had a world-writable directory and they managed to access it by ftp (or any other way) and sent a file containing commands to it. Once it was there, they 'called' the file using Apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

-- 
Leandro Quibem Magnabosco.
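The reply above makes two points a responder can check mechanically: the error log contains lines that Apache itself never writes (stderr from a child process such as a shell, `wget` or `perl`, which lands in the error log without the `[date] [level]` prefix), and the likely entry point was a world-writable directory. The following Python script is an added example written for this thread, not code from either poster or from FreeBSD. The log lines it parses are a constructed sample modelled on the quoted log, and the directory tree it scans is built in a temporary directory; on a real host you would point `world_writable_dirs()` at the Apache DocumentRoot and any upload or ftp directories.

```python
import os
import re
import shutil
import stat
import tempfile

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_ERROR_LOG = """\
[Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
wget: not found
Can't open perl script "/tmp/shit.pl": No such file or directory
curl: not found
Can't open perl script "zuo.txt": No such file or directory
[Mon Sep 21 02:05:00 2009] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/favicon.ico
"""

# A normal Apache 2.0 error-log record starts with "[Day Mon DD HH:MM:SS YYYY] [level]".
APACHE_LINE = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]"
)
# "<tool>: not found" is the shell complaining that a download tool is absent.
DOWNLOADER = re.compile(r"^(wget|curl|lwp-download|lynx|fetch|ftp): not found")
# perl reporting the script it was asked to run.
PERL_SCRIPT = re.compile(r'Can\'t open perl script "([^"]+)"')


def find_stray_output(log_text):
    """Return (line_no, line) for every non-empty line that is not an Apache record.

    Anything a CGI/PHP child writes to stderr ends up here verbatim, so these
    lines are the first thing to pull out when triaging a compromised web host.
    """
    stray = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line and not APACHE_LINE.match(line):
            stray.append((n, line))
    return stray


def summarize(log_text):
    """Collect the download tools and perl scripts referenced by stray lines."""
    tools, scripts = set(), set()
    for _, line in find_stray_output(log_text):
        m = DOWNLOADER.match(line)
        if m:
            tools.add(m.group(1))
        m = PERL_SCRIPT.search(line)
        if m:
            scripts.add(m.group(1))
    return {"tools": sorted(tools), "scripts": sorted(scripts)}


def world_writable_dirs(root):
    """Directories under root (root included) that are o+w and lack the sticky bit.

    A sticky, world-writable directory (like /tmp) is expected; a plain 0777
    directory under a web root is the kind of drop point the reply describes.
    """
    hits = []
    for dirpath, _, _ in os.walk(root):
        try:
            mode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            hits.append(dirpath)
    return sorted(hits)


def demo_world_writable():
    """Build a constructed tree in a temp dir and return offending dirs relative to it."""
    root = tempfile.mkdtemp()
    # Constructed layout: one bad upload dir, one sticky tmp dir, two normal dirs.
    layout = {
        "htdocs": 0o755,
        "htdocs/uploads": 0o777,
        "htdocs/images": 0o755,
        "tmp": 0o1777,
    }
    try:
        for rel in layout:
            os.makedirs(os.path.join(root, rel), exist_ok=True)
        for rel, mode in layout.items():
            os.chmod(os.path.join(root, rel), mode)
        return [os.path.relpath(p, root) for p in world_writable_dirs(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for n, line in find_stray_output(SAMPLE_ERROR_LOG):
        print(f"stray line {n}: {line}")
    print(summarize(SAMPLE_ERROR_LOG))
    print("world-writable, non-sticky:", demo_world_writable())
```

Running it against the sample prints the four stray lines, the tools the dropped script tried in turn (`curl`, `wget`) and the script names it wanted (`/tmp/shit.pl`, `zuo.txt`), and flags only `htdocs/uploads` in the constructed tree, since the sticky `tmp` directory is excluded on purpose.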