newbie with www user security problem

Stijn Hoop stijn at win.tue.nl
Thu Aug 11 13:46:59 GMT 2005


On Thu, Aug 11, 2005 at 09:32:22AM -0400, Ken Hawkins wrote:
> we have been hacked by a spammer

[snip]

> X-AntiAbuse: Board servername - srforum.prosoundweb.com

Ouch. You appear to be running a phpBB installation from 2002 (version
2.0.6).  That's asking for trouble. A lot of exploits have been found
in phpBB since that time, see

http://www.phpbb.com/support/documents.php?mode=changelog

and

http://www.vuxml.org/freebsd/pkg-phpbb.html

There are lots of automated scripts running on already compromised
machines that scan other machines for these vulnerabilities. Assuming
that is how the spammer got in, there is no telling what he has done
after that.

You must assume that your machine has been fully compromised.  The
only way to know for sure that your machine is clean again is to build
a new machine from scratch and transfer all your _non-executable_ data
to it.

You _might_ be able to get away with identifying any and all
processes, removing suspicious data from /tmp, /var/tmp and any other
OS place, changing passwords on _all_ accounts (but especially
sensitive ones like root, your own and www). But you might not find
the one backdoor that the spammer left and then you're back to square
one again.

It's your choice.

To prevent this from happening, perform regular port updates and make
sure to subscribe to the announcement list of high-profile publicly
accessible software that you run.

Good luck.

--Stijn

-- 
A "No" uttered from deepest conviction is better and greater than a
"Yes" merely uttered to please, or what is worse, to avoid trouble.
		-- Mahatma Gandhi
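
The checks the reply describes (suspicious files in /tmp and /var/tmp, and separating non-executable data before moving it to a rebuilt machine) can be started with a read-only listing like the following. This is an added example, not part of the original message; the function names are hypothetical, and the heuristics (ELF magic, "#!" line, PHP open tag, execute bit) are assumptions about what to flag, not a complete backdoor check.

```sh
#!/bin/sh
# Added example, not from the original message. Read-only: nothing is deleted.
# classify and list_executable are hypothetical helper names.

# classify FILE -> prints elf | script | php | execbit | data
classify() {
    f=$1
    # First four bytes as hex; ELF binaries start with 7f 45 4c 46.
    magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf; return ;;
        2321*)    echo script; return ;;   # "#!" interpreter line
    esac
    # PHP open tag anywhere in the file, e.g. code inside an uploaded image.
    if grep -aqF '<?php' "$f" 2>/dev/null; then echo php; return; fi
    # Execute bit set on otherwise unremarkable content.
    if [ -x "$f" ]; then echo execbit; return; fi
    echo data
}

# list_executable DIR... -> "KIND<TAB>PATH" per regular file that is not data.
# Paths containing newlines are not handled.
list_executable() {
    find "$@" -xdev -type f 2>/dev/null | while IFS= read -r path; do
        kind=$(classify "$path")
        [ "$kind" = data ] || printf '%s\t%s\n' "$kind" "$path"
    done
}

# "--scan" with no directories checks the two temp locations named in the reply.
if [ "${1:-}" = "--scan" ]; then
    shift
    [ $# -gt 0 ] || set -- /tmp /var/tmp
    list_executable "$@"
fi
```

Anything it lists from a data directory (uploads, avatars, attachments) should be reviewed rather than copied to the new machine.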