From owner-freebsd-questions@FreeBSD.ORG  Tue Sep 22 12:55:36 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A7393106566C
	for <freebsd-questions@freebsd.org>;
	Tue, 22 Sep 2009 12:55:36 +0000 (UTC)
	(envelope-from aaflatooni@yahoo.com)
Received: from web56208.mail.re3.yahoo.com (web56208.mail.re3.yahoo.com
	[216.252.110.217])
	by mx1.freebsd.org (Postfix) with SMTP id 604D28FC08
	for <freebsd-questions@freebsd.org>;
	Tue, 22 Sep 2009 12:55:36 +0000 (UTC)
Received: (qmail 56646 invoked by uid 60001); 22 Sep 2009 12:55:35 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
	t=1253624135; bh=Mb4S44qbbYHLEtQgT1LQXKNMVfQakkujLCeKt/O/2iQ=;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=tB05BYeK9OMSdlnUNerQXQeAhXq4QfSU40naOLTP7d8IzqvCqHIuw+TXVt0231BQv2kJw4f9Kk1ewQd2gKJuMAcWFxj9QLQpWS4DZT/3Rg9ImsKNm1TD/A3KxXelg04sXjPeqIuPzQZla6sCyJXqcQR4J486y0gSVtIUVNmhjYM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	b=U6Fl6zMRl2rVFvG2ihkaxgY32+6jXwuK+2h5zZTtguNzcQ5dVhkDPK3J+Oj8Cabniqb69MjjrSEpXPlkoRsXIvVf5jRdfIt9AeM92WliJRMvDxLgkF7gDm30AnvK/3QuiSrULgIA3PC/Z6Jc/KsT50WPJ0jpszRzWwn+b9l9IcQ=;
Message-ID: <477617.55755.qm@web56208.mail.re3.yahoo.com>
X-YMail-OSG: OBgaOk8VM1ldLBqdPEMwaAuci_D08XtyFJHwextyn5EtHWpl5q2YOKpgTljNFkEl8JkzYb7Hh1E1jj3TfaR5elikrjw_pEcfX936ezKTyaR3tu5dn0bBOrruxk8OE3QORr9kHa84_dcXtQ6b15PdN_VqVWzaXmt3x.OMnoarnMTYdAzuFNLoHd.rbEbHlL4Abnw6_6q6HKR7fcFbLWQyJwylintLpDNdGoHCgjyEW.H_ioAb8xM5VY8IApM9yi6sTkNYlUZFleUDVVGg37CEAJ2XTafGj1Q39LB0Fbehn2kR2QtyFzrFZsHqAi8GYSoHfmFLgBKKV6qMC92Dl2rNNzNR7jTAIv1.SfiyG6Y8GmMnbWaQwCE-
Received: from [142.166.2.134] by web56208.mail.re3.yahoo.com via HTTP;
	Tue, 22 Sep 2009 05:55:35 PDT
X-Mailer: YahooMailRC/157.18 YahooMailWebService/0.7.347.2
References: <196554.24096.qm@web56207.mail.re3.yahoo.com>
	<4AB8C839.3000905@fcdl-sc.org.br>
Date: Tue, 22 Sep 2009 05:55:35 -0700 (PDT)
From: Aflatoon Aflatooni <aaflatooni@yahoo.com>
To: Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>
In-Reply-To: <4AB8C839.3000905@fcdl-sc.org.br>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD 6.3 installation hacked
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2009 12:55:36 -0000

I found a script in /tmp directory which could have been uploaded using php=
 or Java.=0AHow would they execute the code in /tmp directory? I couldn't f=
igure it out.=0A=0AThanks=0A=0A=0A=0A=0A----- Original Message ----=0AFrom:=
 Leandro Quibem Magnabosco <leandro.magnabosco@fcdl-sc.org.br>=0ATo: Aflato=
on Aflatooni <aaflatooni@yahoo.com>=0ACc: freebsd-questions@freebsd.org=0AS=
ent: Tuesday, September 22, 2009 8:51:05 AM=0ASubject: Re: FreeBSD 6.3 inst=
allation hacked=0A=0AAflatoon Aflatooni escreveu:=0A> My server installatio=
n of FreeBSD 6.3 is hacked and I am trying to find out how they managed to =
get into my Apache 2.0.61. =0A> This is what I see in my http error log:=0A=
> =0A> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down=0A=
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod=
_jk/1.2.25 configured -- resuming normal operations=0A> wget: not found=0A>=
 Can't open perl script "/tmp/shit.pl": No such file or directory=0A> wget:=
 not found=0A> Can't open perl script "zuo.txt": No such file or directory=
=0A> curl: not found=0A> Can't open perl script "zuo.txt": No such file or =
directory=0A> lwp-download: not found=0A> Can't open perl script "zuo.txt":=
 No such file or directory=0A> lynx: not found=0A> Can't open perl script "=
zuo.txt": No such file or directory=0A> zuo.txt=A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 11 kB=
=A0 56 kBps=0A> ...=0A=0AIt does not look they entered using any apache bug=
.=0AProbably you had a world writable directory and they managed to access =
it by ftp (or any other way) and sent a file containing commands to it.=0AO=
nce it is there, they've 'called' the file using apache to execute whatever=
 was in there (probably binding a shell to some port) in order to get acces=
s to the box.=0A=0A--=0ALeandro Quibem Magnabosco.=0A=0A=0A=0A