Date:      Tue, 22 Sep 2009 05:55:35 -0700 (PDT)
From:      Aflatoon Aflatooni <aaflatooni@yahoo.com>
To:        Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: FreeBSD 6.3 installation hacked
Message-ID:  <477617.55755.qm@web56208.mail.re3.yahoo.com>
In-Reply-To: <4AB8C839.3000905@fcdl-sc.org.br>
References:  <196554.24096.qm@web56207.mail.re3.yahoo.com> <4AB8C839.3000905@fcdl-sc.org.br>

I found a script in the /tmp directory which could have been uploaded using PHP or Java.
How would they execute the code in the /tmp directory? I couldn't figure it out.

Thanks

----- Original Message ----
From: Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>
To: Aflatoon Aflatooni <aaflatooni@yahoo.com>
Cc: freebsd-questions@freebsd.org
Sent: Tuesday, September 22, 2009 8:51:05 AM
Subject: Re: FreeBSD 6.3 installation hacked

Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt                                                      11 kB  56 kBps
> ...

It does not look like they entered using any Apache bug.
Probably you had a world-writable directory and they managed to access it by ftp (or any other way) and sent a file containing commands to it.
Once it is there, they've 'called' the file using Apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

--
Leandro Quibem Magnabosco.
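The lines in the quoted error log that carry no Apache timestamp prefix are stderr from a child process of httpd (the shell's "not found" messages, perl complaining about a missing file, a downloader's progress meter), which is what makes Leandro's explanation plausible. As an added detection example that is not part of this thread, the script below separates Apache's own entries from such foreign lines and collects the file names perl was asked to run; the sample log is constructed to mirror the thread and /tmp/dropped.pl is a placeholder name.

```python
import re
from typing import List, Optional, Tuple

# Apache 2.0 writes its own entries as "[Day Mon DD HH:MM:SS YYYY] [level] ...".
# Anything else in error_log is stderr from a child process (CGI, PHP exec(), a
# shell started by a dropped script), which is exactly what the thread's log shows.
APACHE_ENTRY = re.compile(r"^\[\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\] \[\w+\]")

# Traces a dropped script leaves behind when it tries to fetch a second stage.
SUSPICIOUS = (
    (re.compile(r"^(wget|curl|fetch|lynx|lwp-download): not found"), "download tool probed"),
    (re.compile(r"^Can't open perl script \"([^\"]+)\""), "perl invoked on a file"),
    (re.compile(r"\b\d+ kB\s+\d+ kBps$"), "download progress line"),
)

def classify(line: str) -> Optional[str]:
    """Reason the line is foreign to Apache's own format, or None if it is Apache's."""
    if not line.strip() or APACHE_ENTRY.match(line):
        return None
    for pattern, reason in SUSPICIOUS:
        if pattern.search(line):
            return reason
    return "unexplained non-Apache line"

def triage(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, reason, text) for every line Apache itself did not write."""
    return [(n, r, l) for n, l in enumerate(lines, 1) if (r := classify(l))]

def referenced_scripts(lines: List[str]) -> List[str]:
    """Files perl was told to run: check them on disk, in /tmp and in the web root."""
    found: List[str] = []
    for line in lines:
        match = SUSPICIOUS[1][0].match(line)
        if match and match.group(1) not in found:
            found.append(match.group(1))
    return found

# Constructed sample modelled on the thread; /tmp/dropped.pl is a placeholder name.
SAMPLE_LOG = """\
[Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
wget: not found
Can't open perl script "/tmp/dropped.pl": No such file or directory
curl: not found
Can't open perl script "zuo.txt": No such file or directory
zuo.txt                11 kB  56 kBps
[Mon Sep 21 02:05:00 2009] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""
```

Running triage(SAMPLE_LOG.splitlines()) flags lines 3 to 7 of the sample and referenced_scripts() returns the two file names, which is the list to compare against the files actually present in /tmp and in any world-writable directory under the web root.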