Re: FreeBSD 6.3 installation hacked
Aflatoon Aflatooni wrote:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script /tmp/shit.pl: No such file or directory
> wget: not found
> Can't open perl script zuo.txt: No such file or directory
> curl: not found
> Can't open perl script zuo.txt: No such file or directory
> lwp-download: not found
> Can't open perl script zuo.txt: No such file or directory
> lynx: not found
> Can't open perl script zuo.txt: No such file or directory
> zuo.txt 11 kB 56 kBps ...

It does not look like they entered using any apache bug.

Probably you had a world writable directory and they managed to access it by ftp (or any other way) and sent a file containing commands to it. Once it is there, they've 'called' the file using apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

--
Leandro Quibem Magnabosco.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
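The error-log excerpt in the message above can be triaged mechanically. This is an added example, not part of the original thread: it flags the unprefixed lines that commands run by a web-server child left in the Apache error log, using the excerpt itself (line breaks restored, trailing ellipsis dropped) as input. The rule names and the extra tool names `fetch` and `ftp` are assumptions.

```python
import re

# Apache's own messages start "[timestamp] [level]"; the other lines in the
# excerpt are unprefixed output from commands run by a web-server child.
APACHE_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\]")
PERL_FAIL = re.compile(r"^Can't open perl script (?P<path>\S+): ")
# Rule names are hypothetical; fetch and ftp are added beyond the excerpt.
RULES = [
    ("download-tool-missing",
     re.compile(r"^(wget|curl|fetch|ftp|lwp-download|lynx): not found$")),
    ("perl-script-open-failed", PERL_FAIL),
    ("transfer-progress", re.compile(r"^\S+\s.*\bkBps\b")),  # heuristic
]
# The excerpt from the message above, with line breaks restored.
SAMPLE_LOG = """\
[Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
wget: not found
Can't open perl script /tmp/shit.pl: No such file or directory
wget: not found
Can't open perl script zuo.txt: No such file or directory
curl: not found
Can't open perl script zuo.txt: No such file or directory
lwp-download: not found
Can't open perl script zuo.txt: No such file or directory
lynx: not found
Can't open perl script zuo.txt: No such file or directory
zuo.txt 11 kB 56 kBps
"""

def scan(log_text):
    """Return (line_no, last_apache_timestamp, rule, text) per flagged line."""
    findings, last_ts = [], None
    for line_no, line in enumerate(log_text.splitlines(), 1):
        stamped = APACHE_LINE.match(line)
        if stamped:
            last_ts = stamped.group("ts")  # time context for what follows
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((line_no, last_ts, rule, line))
                break
    return findings

def script_paths(findings):
    """Distinct script names Perl was asked to run, for follow-up on disk."""
    return sorted({PERL_FAIL.match(text).group("path")
                   for _, _, rule, text in findings
                   if rule == "perl-script-open-failed"})
```

On the excerpt, `scan(SAMPLE_LOG)` reports eleven lines, all after the 02:00:14 restart notice, and `script_paths()` returns the two names to look for on disk.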
Re: FreeBSD 6.3 installation hacked
Aflatoon Aflatooni wrote:
> I found a script in /tmp directory which could have been uploaded using php or Java.
> How would they execute the code in /tmp directory?
> Thanks

You can execute files from scripts or from apache itself when they are scripts.

There are several programming/scripting languages that are accessible by web and those are the ones that an intruder will have to use to exploit some scenario like yours.

Take some time to read this doc:
http://www.dataloss.net/papers/how.defaced.apache.org.txt

It is pretty interesting as, unfortunately, it suits the same scenario you, unintentionally, created for the hackers.

Cheers,
--
Leandro Quibem Magnabosco.
Re: /tmp sticky bit differences on FreeBSD 8
Artis Caune wrote:
> 2009/9/16 Matthew Seaman m.sea...@infracaninophile.co.uk:
>>> On FreeBSD 6,7 files are created with wheel group, but on 8 - with `gid`.
>>
>> It seems that ZFS uses SysV group semantics (new files get the 1ary group of the user unless the directory is set to SGID). UFS filesystems on 8.x still behave in the expected BSD way (new files get the same group as the directory unless the user is not a member of that group, when they get the users' 1ary group).
>>
>> There's a thread 'ZFS Group ownership' on this topic in freebsd-hack...@... at the moment.
>
> hmm, I use ZFS on FreeBSD 7, but still get wheel group and not egid.

Maybe you did a chmod g+s dir...
Check that, maybe it has something to do with what's happening to you.

Otherwise, it might be something implemented only on v7.

Leandro Magnabosco.
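The two group-assignment rules discussed in this thread, and the `chmod g+s` case, can be told apart by observation. This is an added example, not part of the original thread: `probe()` creates a scratch file in a directory and reports which rule the resulting group is consistent with. The function names and labels are hypothetical.

```python
import os
import stat
import tempfile


def classify(dir_gid, dir_mode, file_gid, egid):
    """Name the group-assignment rule an observation is consistent with."""
    if dir_gid == egid:
        return "inconclusive"        # both rules yield the same group
    if file_gid == dir_gid:
        if dir_mode & stat.S_ISGID:
            return "setgid-inherit"  # g+s directory: both rules inherit
        return "bsd"                 # group taken from the directory
    if file_gid == egid:
        return "sysv"                # group taken from the creating process
    return "unexpected"


def probe(directory):
    """Create a scratch file in `directory` and classify the group it got."""
    d = os.stat(directory)
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        file_gid = os.fstat(fd).st_gid
    finally:
        os.close(fd)
        os.unlink(path)
    return classify(d.st_gid, d.st_mode, file_gid, os.getegid())


if __name__ == "__main__":
    print(probe("/tmp"))
```

Run it as an unprivileged user whose primary group differs from the directory's group; otherwise the result is "inconclusive".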
First Traffic not graphing, Now nothing graphs anymore.
Hello guys,

I have a running cacti on a mid to large environment running on a FreeBSD 7.1.
Cacti's version is 0.8.7e and rrdtool is 1.2.23.

First I was using 0.8.7d version of cacti but traffic was not graphing and I read somewhere on the net that this was corrected on 0.7.8e. Then I decided to upgrade to 0.8.7e.
But since I upgraded, Cacti stopped graphing.

You know when you look too much at the same thing and it makes you incapable of coming up with new solutions? That is how I feel right now.
I've been trying to figure this out for a while now, but I'm probably making a huge noob mistake and I feel blinded for some reason. That is why I need your help.

The DEBUG log is available for those who think they can help:
http://www.pastebin.org/3373

Thank you in advance,
--
Leandro Quibem Magnabosco.
leandr...@gmail.com
Re: First Traffic not graphing, Now nothing graphs anymore.
My main problem will always be getting traffic to graph.
I was able to solve the problem of the other ones not graphing by re-indexing everything, but it is still not graphing the traffic on some interfaces.
The other graphics of the same machines are working pretty good, but those two interfaces are the only thing I did not manage to get to work.

Here is a verbose run of it:
http://www.pastebin.org/3414

The addresses were altered for security reasons.

Thank you.

2009/7/21 Richard Mahlerwein mahle...@yahoo.com
> --- On Tue, 7/21/09, Leandro Quibem Magnabosco leandr...@gmail.com wrote:
>
> From: Leandro Quibem Magnabosco leandr...@gmail.com
> Subject: First Traffic not graphing, Now nothing graphs anymore.
> To: freebsd-questions@freebsd.org
> Date: Tuesday, July 21, 2009, 7:56 AM
>
>> Hello guys,
>>
>> I have a running cacti on a mid to large environment running on a FreeBSD 7.1.
>> Cacti's version is 0.8.7e and rrdtool is 1.2.23.
>>
>> First I was using 0.8.7d version of cacti but traffic was not graphing and I read somewhere on the net that this was corrected on 0.7.8e. Then I decided to upgrade to 0.8.7e.
>> But since I upgraded, Cacti stopped graphing.
>>
>> You know when you look too much at the same thing and it makes you incapable of coming up with new solutions? That is how I feel right now.
>> I've been trying to figure this out for a while now, but I'm probably making a huge noob mistake and I feel blinded for some reason. That is why I need your help.
>>
>> The DEBUG log is available for those who think they can help:
>> http://www.pastebin.org/3373
>>
>> Thank you in advance,
>> --
>> Leandro Quibem Magnabosco.
>> leandr...@gmail.com
>
> Well, it *seems* you're recording data OK so it seems it's only a cosmetic problem with Cacti (e.g. your data is still being collected). Confirm this by checking an rrd:
>
> # cd /usr/local/share/cacti/rra/
> # /usr/local/bin/rrdtool dump lan_server_2_hdd_free_74.rrd |grep 2009-07-21
>
> You should see a bunch of non-zero and non-NaN numbers in there covering the data it has collected today.
> Feel free to check a few others, as well, like svn-scsc21_hdd_free_587.rrd.
>
> Usually, my biggest problem with upgrading cacti is losing permissions on some or another directory. Often it's that the user apache runs under php can't access the rra folder.
>
> What *specific* problem are you having from cacti? Do you see where the graphs should be but they're broken images? Do you see graphs with titles but the data is all zero?
>
> -Rich

--
Leandro Quibem Magnabosco.
leandr...@gmail.com