I found a script in /tmp directory which could have been uploaded using php or Java. How would they execute the code in /tmp directory? I couldn't figure it out.
Thanks

----- Original Message -----
From: Leandro Quibem Magnabosco <leandro.magnabo...@fcdl-sc.org.br>
To: Aflatoon Aflatooni <aaflato...@yahoo.com>
Cc: freebsd-questions@freebsd.org
Sent: Tuesday, September 22, 2009 8:51:05 AM
Subject: Re: FreeBSD 6.3 installation hacked

Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out
> how they managed to get into my Apache 2.0.61.
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt 11 kB 56 kBps
> ...

It does not look like they entered using any Apache bug. Probably you had a world-writable directory and they managed to access it by FTP (or any other way) and sent a file containing commands to it. Once it was there, they 'called' the file using Apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

--
Leandro Quibem Magnabosco.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
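As an added example, not code from either poster: a small Python check that flags the error-log pattern quoted above (download helpers reported "not found" and perl run on a file under /tmp or a bare filename, both messages a spawned shell leaves in httpd's error log) and lists world-writable directories, the precondition Leandro describes. The sample log lines are constructed from the quoted ones; the `fetch` entry is FreeBSD's own downloader and is my addition.

```python
import os
import re
import stat
# Constructed sample, mirroring the lines quoted in the thread above.
SAMPLE_ERROR_LOG = """\
[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
wget: not found
Can't open perl script "/tmp/shit.pl": No such file or directory
curl: not found
Can't open perl script "zuo.txt": No such file or directory
lwp-download: not found
lynx: not found
"""

# Downloaders a dropper tries in turn (fetch is FreeBSD's own, added here).
# "<tool>: not found" in the *httpd* error log is a shell's message, not
# Apache's: a child process was spawned under the web server's user.
DOWNLOADERS = ("wget", "curl", "lwp-download", "lynx", "fetch")
FETCH_RE = re.compile(r"^(%s): not found" % "|".join(map(re.escape, DOWNLOADERS)))
PERL_RE = re.compile(r'^Can\'t open perl script "([^"]+)"')
DROP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

def scan_error_log(text):
    """Return (line_number, reason) for stray non-Apache lines in the error log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FETCH_RE.match(line)
        if m:
            findings.append((n, "shell under httpd tried to run " + m.group(1)))
            continue
        m = PERL_RE.match(line)
        if m:
            script = m.group(1)
            where = "scratch dir" if script.startswith(DROP_DIRS) else "cwd of httpd child"
            findings.append((n, "perl invoked on %s (%s)" % (script, where)))
    return findings

def world_writable_dirs(root):
    """Directories under root that any local user (httpd included) can write to."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            try:
                mode = os.lstat(p).st_mode
            except OSError:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                hits.append(p)
    return sorted(hits)
```

Run `world_writable_dirs` against the document root and any upload directories; a hit there, combined with these log lines, matches the scenario in the reply.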