From: "Daniel A."
Date: Fri, 19 May 2006 12:42:42 +0200
To: Don O'Neil
Cc: users@httpd.apache.org, freebsd-questions@freebsd.org
Subject: Re: Hacked Web Site

Don O'Neil wrote:
> A customer of mine recently had their web site hacked and the index file
> defaced by Milli-Harekat...
>
> http://www.zone-h.org/en/search/what=Milli-Harekat.Org/
>
> Does anyone know the exploit used for this and where to find out about
> fixing it? I have a feeling it's a brute force attack of some sort, but I
> can't find anything.

Hi Don,

Please look in your auth.log (usually in /var/log) to check for recent failed log attempts, and your httpd-*.log (usually /var/log unless specified otherwise in your httpd.conf files).

If you find something suspicious, please paste the relevant lines. I suggest *not* attaching the entire log files, as they may contain sensitive data in the form of IP addresses and valid usernames.
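
One way to follow the advice above when sharing auth.log excerpts, as an added example that is not part of the original message: keep only failed SSH logins and replace each username and IPv4 address with a stable pseudonym, so repeated attempts from one source stay visible. It assumes OpenSSH's "Failed password for ... from ..." syslog wording; the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: pull failed SSH logins out of auth.log and pseudonymise
# usernames and IPv4 addresses before the lines are posted to a list.

# Constructed sample lines in OpenSSH syslog format (documentation IP ranges).
sample_auth_log() {
    cat <<'EOF'
May 19 03:12:01 www sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May 19 03:12:04 www sshd[4121]: Failed password for root from 203.0.113.7 port 40125 ssh2
May 19 03:15:40 www sshd[4188]: Accepted publickey for don from 198.51.100.23 port 51515 ssh2
May 19 03:20:11 www sshd[4203]: Failed password for don from 192.0.2.44 port 33211 ssh2
May 19 03:20:15 www sshd[4203]: Failed password for invalid user admin from 192.0.2.44 port 33214 ssh2
EOF
}

# Reads auth.log text on stdin, writes redacted failed-login lines on stdout.
redact_auth() {
    awk '
    /Failed password for/ {
        # Locate "password for"; the username follows, optionally after
        # the words "invalid user".
        for (i = 1; i < NF; i++)
            if ($i == "password" && $(i + 1) == "for") break
        u = i + 2
        if ($u == "invalid" && $(u + 1) == "user") u += 2
        a = u + 2
        # Fail closed: a line that does not parse is dropped, never printed raw.
        if ($(u + 1) != "from" || $a !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            skipped++
            next
        }
        # Same name or address always maps to the same pseudonym.
        if (!($u in user)) user[$u] = "USER-" (++nu)
        if (!($a in addr)) addr[$a] = "IP-" (++na)
        $u = user[$u]
        $a = addr[$a]
        print
    }
    END { if (skipped) print skipped " unparsed line(s) withheld" > "/dev/stderr" }'
}

sample_auth_log | redact_auth
```

On a real host the input would be `redact_auth < /var/log/auth.log`; the hostname and port fields are left untouched, so review the output before posting.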