From owner-freebsd-questions@FreeBSD.ORG Tue Sep 22 12:58:20 2009
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3F7F4106568B
	for ; Tue, 22 Sep 2009 12:58:20 +0000 (UTC)
	(envelope-from leandro.magnabosco@fcdl-sc.org.br)
Received: from mail.cdl-sc.org.br (mail.cdl-sc.org.br [189.39.224.30])
	by mx1.freebsd.org (Postfix) with ESMTP id F0A908FC24
	for ; Tue, 22 Sep 2009 12:58:19 +0000 (UTC)
Received: from [127.0.0.1] (unknown [192.168.200.189])
	by mail.cdl-sc.org.br (Postfix) with ESMTP id 210D3636EE;
	Tue, 22 Sep 2009 09:58:22 -0300 (BRT)
Message-ID: <4AB8C9EB.2050107@fcdl-sc.org.br>
Date: Tue, 22 Sep 2009 09:58:19 -0300
From: Leandro Quibem Magnabosco
Organization: FCDL/SC
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Aflatoon Aflatooni , freebsd-questions@freebsd.org
References: <196554.24096.qm@web56207.mail.re3.yahoo.com> <4AB8C839.3000905@fcdl-sc.org.br> <684860.58563.qm@web56202.mail.re3.yahoo.com>
In-Reply-To: <684860.58563.qm@web56202.mail.re3.yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc:
Subject: Re: FreeBSD 6.3 installation hacked
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 22 Sep 2009 12:58:20 -0000

Aflatoon Aflatooni wrote:
> I found a script in /tmp directory which could have been uploaded using php or Java.
> How would they execute the code in /tmp directory?
>
> Thanks
>
>
You can execute files from scripts or from Apache itself when they are scripts.
There are several programming/scripting languages that are accessible by web and those are the ones that an intruder will have to use to exploit some scenario like yours.

Take some time to read this doc:
http://www.dataloss.net/papers/how.defaced.apache.org.txt
It is pretty interesting as, unfortunately, it suits the same scenario you, unintentionally, created for the hackers.

Cheers,
--
Leandro Quibem Magnabosco.