Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 22 Sep 2009 09:51:05 -0300
From:      Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>
To:        Aflatoon Aflatooni <aaflatooni@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD 6.3 installation hacked
Message-ID:  <4AB8C839.3000905@fcdl-sc.org.br>
In-Reply-To: <196554.24096.qm@web56207.mail.re3.yahoo.com>
References:  <196554.24096.qm@web56207.mail.re3.yahoo.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Aflatoon Aflatooni escreveu:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61. 
>
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt                                                 11 kB   56 kBps
> ...

It does not look they entered using any apache bug.
Probably you had a world writable directory and they managed to access 
it by ftp (or any other way) and sent a file containing commands to it.
Once it is there, they've 'called' the file using apache to execute 
whatever was in there (probably binding a shell to some port) in order 
to get access to the box.

--
Leandro Quibem Magnabosco.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4AB8C839.3000905>