Date: Thu, 10 Dec 2009 00:51:36 -0800
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: freebsd-stable@freebsd.org
Subject: Re: Hacked - FreeBSD 7.1-Release
Message-ID: <20091210085136.GA6280@icarus.home.lan>
In-Reply-To: <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com>
References: <bd52e0bd614fbaffcf8c9ff9da35286e@mail.isot.com>
On Wed, Dec 09, 2009 at 06:40:17PM -0600, Squirrel wrote:
> My server was hacked, and the hacker was nice enough to not cause damage
> except changing index.php of a couple of my websites. The index.php had the
> following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> Sorry Admin And Don't Worry Just I Change Index
> ALTBTA
> For Contact : l_9@hotmail.com
> Best Wishes"
>
> Of course, I sent him email, just in case it's valid, asking how he did it
> or how I should patch things up. But I haven't got a reply yet. I've looked
> at all the log files, particularly auth.log: there were thousands of login
> attempts on SSH and FTP, but none succeeded. And I don't know where else to
> look, please help.
>
> I'm using FreeBSD 7.1-Release with the below daemons
>
> Apache 2.2.11
> ProFTP 1.32
> OpenSSH 5.1
> Webmin 1.480
> MySQL 5.0.67
> BIND 9.6.0

1) Immediately disable all forms of network connectivity from the Internet
to this box. Do it physically if possible, otherwise cross your fingers
(that nothing low-level got tinkered with) and use pf.

2) Format the box + reinstall OS. Don't bother trying to "fix up what may
have been changed", nor simply rebuilding world/kernel + rebooting. There
is absolutely no guarantee the individual did not backdoor something,
including libraries or even replace kernel modules. Don't risk it:
reinstall the entire OS and rebuild from scratch, or restore necessary
(non-OS) pieces from backups (assuming you know absolutely 100% for sure
when the person "hacked the box" -- chances are it could've been hacked
long before the person told you and your backups contain the same
backdoors).

Don't have backups? Use this situation as justification for 'em. :-)

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
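The original poster reports that auth.log shows thousands of SSH and FTP attempts and no successes. The following is an added example, not part of this thread, of the check worth running on that log before trusting that conclusion: list every accepted sshd login and every su to root, and count failures per source so that a brute-force run ending in a success stands out. The log lines are constructed for the demo; the patterns match the OpenSSH and su message formats on FreeBSD, while ProFTPD's own log format is not covered. Shell only, so it can run from a rescue shell:

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): triage of a FreeBSD
# auth.log copy. Uses only awk/sort/uniq so it works from a rescue shell.
# The log content below is constructed for the demonstration.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec  9 03:12:44 web1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 44312 ssh2
Dec  9 03:12:47 web1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 44312 ssh2
Dec  9 03:12:51 web1 sshd[1236]: Failed password for root from 198.51.100.7 port 44320 ssh2
Dec  9 03:13:02 web1 sshd[1238]: Failed password for root from 192.0.2.77 port 60001 ssh2
Dec  9 03:40:19 web1 sshd[1250]: Accepted password for www from 198.51.100.7 port 44999 ssh2
Dec  9 04:01:02 web1 sshd[1300]: Accepted publickey for jdc from 203.0.113.10 port 51022 ssh2
Dec  9 04:02:30 web1 su: jdc to root on /dev/pts/0
Dec  9 04:10:11 web1 su: BAD SU www to root on /dev/pts/1
EOF

# Every successful SSH login as "method user source". Any line here that
# the admin cannot explain is the lead to follow.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        # ... Accepted <method> for <user> from <ip> port <n> ssh2
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted") { m = $(i+1); u = $(i+3); s = $(i+5) }
        print m, u, s
    }' "$1"
}

# Failed SSH logins counted per source address, busiest first.
ssh_failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed / {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break }
    }' "$1" | sort | uniq -c | sort -rn
}

# Sources that failed repeatedly and then got in: the brute-force-then-
# success signature that "none succeeded" would have missed.
brute_force_then_success() {
    accepted=$(ssh_accepted "$1" | awk '{print $3}' | sort -u)
    for ip in $accepted; do
        n=$(ssh_failed_by_source "$1" | awk -v ip="$ip" '$2 == ip {print $1}')
        if [ -n "$n" ]; then echo "$ip succeeded after $n failures"; fi
    done
}

# su events: each "to root" line is a privilege escalation to review.
# FreeBSD su logs "user to root on tty" on success and "BAD SU ..." on failure.
su_to_root() {
    awk '/ su: / && / to root on / {
        ok = ($0 ~ /BAD SU/) ? "FAILED" : "ok"
        for (i = 1; i <= NF; i++) if ($i == "to" && $(i+1) == "root") u = $(i-1)
        print ok, u, $NF
    }' "$1"
}

echo "== successful SSH logins (method user source) =="
ssh_accepted "$SAMPLE_LOG"
echo "== failed SSH logins per source =="
ssh_failed_by_source "$SAMPLE_LOG"
echo "== sources that failed, then succeeded =="
brute_force_then_success "$SAMPLE_LOG"
echo "== su to root =="
su_to_root "$SAMPLE_LOG"
```

Run this against a copy of the log taken off the box, not the live file, and treat an empty result as weak evidence: a defaced index.php usually points at the web tier, so the Apache access log around the file's modification time (POSTs, odd query strings, uploads) and the PHP application itself deserve more attention than sshd, and an attacker who reached root could have edited auth.log anyway.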
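For step 1 of the reply, when the cable cannot be pulled, here is an added example (mine, not from Jeremy's mail) of a minimal pf ruleset that drops everything except SSH from one trusted admin host so evidence can still be collected. It goes a little further than the reply's wording by blocking outbound traffic as well, so a backdoor cannot phone home. The address 203.0.113.10, interface em0 and the ruleset path are placeholders:

```shell
#!/bin/sh
# Added example, not from the thread: emergency pf lockdown for an
# Internet-facing FreeBSD box that is believed compromised. Admin host,
# interface and file path are assumptions; replace them for your network.

# Emit the ruleset for the given admin host and Internet-facing interface.
emergency_ruleset() {
    admin_host="$1"
    ext_if="$2"
    cat <<EOF
# emergency lockdown, generated $(date -u +%Y-%m-%dT%H:%MZ)
ext_if = "$ext_if"
admin_host = "$admin_host"

set block-policy drop
set skip on lo0

# default deny both ways: nothing reaches the box, nothing leaves it
block log all

# the one exception: SSH from the admin host, stateful so replies flow
pass in quick on \$ext_if proto tcp from \$admin_host to (\$ext_if) port 22 \\
    flags S/SA keep state
EOF
}

# Write the ruleset, syntax-check it, then enable pf with it as the only
# loaded ruleset. Do this from the console if at all possible: a typo in
# the admin address locks you out of the box.
lockdown() {
    file="${3:-/etc/pf.emergency.conf}"
    emergency_ruleset "$1" "$2" > "$file" || return 1
    pfctl -nf "$file" || return 1      # parse only, load nothing
    pfctl -ef "$file"                  # enable pf and load the ruleset
}

# Usage (not executed here): lockdown 203.0.113.10 em0
emergency_ruleset 203.0.113.10 em0
```

With `block-policy drop` the box simply stops answering, which is the point; the logged blocks (`block log all`) show up on pflog0 and are a useful record of who keeps knocking. As the reply notes, this only helps if the kernel itself is still trustworthy: a rootkit that hooks the network stack can bypass pf, which is why physical isolation comes first and a reinstall follows regardless.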