On Wed, Dec 09, 2009 at 06:40:17PM -0600, Squirrel wrote:
> My server was hacked, and the hacker was nice enough to not cause damage
> except changing index.php of a couple of my websites. The index.php had the
> following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Must Be Careful And Fixed Your Site Before Coming Another
> Hacker And Hacked You Again
> Sorry Admin And Don't Worry Just I Change Index
> ALTBTA
> For Contact : l...@hotmail.com
> Best Wishes"
>
> Of course, I sent him email, just in case it's valid, asking how he did it or
> how I should patch things up. But I haven't got a reply yet. I've looked at
> all the log files, particularly auth.log; although there were thousands of
> login attempts to SSH and FTP, none succeeded. And I don't know where
> else to look, please help.
>
> I'm using FreeBSD 7.1-RELEASE with the daemons below:
>
> Apache 2.2.11
> ProFTP 1.32
> OpenSSH 5.1
> Webmin 1.480
> MySQL 5.0.67
> BIND 9.6.0
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
1) Immediately disable all forms of network connectivity from the Internet
to this box. Do it physically if possible, otherwise cross your fingers
(that nothing low-level got tinkered with) and use pf.

2) Format the box + reinstall OS. Don't bother trying to "fix up what may
have been changed", nor simply rebuilding world/kernel + rebooting. There
is absolutely no guarantee the individual did not backdoor something,
including libraries or even replace kernel modules. Don't risk it:
reinstall the entire OS and rebuild from scratch, or restore necessary
(non-OS) pieces from backups (assuming you know absolutely 100% for sure
when the person "hacked the box" -- chances are it could've been hacked
long before the person told you and your backups contain the same
backdoors).

Don't have backups? Use this situation as justification for 'em. :-)

-- 
| Jeremy Chadwick                                   j...@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
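As an added illustration of step 1 above (this is not part of Jeremy's message or of the FreeBSD project), here is a minimal emergency pf.conf that cuts a compromised host off from the Internet while it waits to be rebuilt, leaving only SSH from one trusted admin workstation. The interface name `em0` and the admin address `192.0.2.10` are assumptions; substitute your own. Because the rules run on the compromised box itself, they are only as trustworthy as its kernel, which is exactly the "cross your fingers" caveat above; unplugging the cable is the stronger control.

```pf
# Added example, not from the thread: emergency isolation ruleset.
ext_if     = "em0"          # assumed external interface
admin_host = "192.0.2.10"   # assumed trusted admin workstation (placeholder)

set block-policy drop       # drop silently rather than sending RST/ICMP
set skip on lo0             # leave loopback alone for local daemons

# Default deny in BOTH directions: the box can neither be reached from the
# Internet nor "phone home" to wherever a backdoor might want to connect.
# Everything blocked is logged to pflog0 so you can see what is still
# trying to talk to (or from) the host.
block log all

# The one exception: SSH from the trusted admin host. "keep state" lets
# the replies out without opening any other outbound path.
pass in quick on $ext_if proto tcp from $admin_host to ($ext_if) port 22 \
    flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and `pfctl -e`, then watch the dropped traffic with `tcpdump -n -e -ttt -i pflog0`; outbound connection attempts that show up there after the web and mail daemons are stopped are worth noting before the reinstall, since they hint at what the intruder left behind. Verify the admin host's SSH session before walking away, as the default deny will also lock out anyone else.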