I've just finished the rtld patch. Now in process of regenerating all the keys and certs. Next will look into php. But far as rtld vulnerability, doesn't it require at least a local user account? Looking at all the authentication, there wasn't any authenticated session during the time frame. So I'm leaning more towards php 5.2.9, and checking all my ports.
Thanks for info. -----Original message----- From: Chuck Swiger cswi...@mac.com Date: Wed, 09 Dec 2009 20:12:08 -0600 To: squir...@isot.com Subject: Re: Hacked - FreeBSD 7.1-Release > On Dec 9, 2009, at 4:40 PM, Squirrel wrote: > > My server was hacked, and the hacker was nice enough to not cause damage > > except changing index.php of couple of my websites. The index.php had the > > following info: > > > > "Hacked By Top > > First Warning That's Bug From Your Servers > > Next Time You Must Be Careful And Fixed Your Site Before Coming Another > > Hacker And Hacked You Again > > Sorry Admin And Don't Worry Just I Change Index > > ALTBTA > > For Contact : l...@hotmail.com > > Best Wishes" > > While it's unfortunate that your machine was hacked, and it would be nice to > assume that no other changes were made, you need to completely rebuild this > box, regenerate SSH keys, SSL certs, etc before you can trust anything it > talks to. > > > Of course, I sent him email, just in case it's valid, asking how he did it > > or how should I patch things up. But haven't got a reply yet. I've looked > > at all the log files, particularly auth.log, although there were thousands > > of login attempts to SSH and FTP, but none succeeded. And I don't know > > where else to look, please help. > > > > I'm using FreeBSD 7.1-Release with below daemons > > > > Apache 2.2.11 > > ProFTP 1.32 > > OpenSSH 5.1 > > Webmin 1.480 > > MySQL 5.0.67 > > BIND 9.6.0 > > > You're down-rev on Apache and BIND, for the very least. And, the fact that > you mentioned index.php suggests that you're running a lot more than just a > basic Apache webserver; PHP is a likely candidate for security > vulnerabilities by itself, and if you haven't patched for > FreeBSD-SA-09:16.rtld, any local exploit will yield root. > > Installing /usr/ports/ports-mgmt/portaudit can be helpful.... > > Regards, > -- > -Chuck > _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
