Hacked - FreeBSD 7.1-Release
cswiger at mac.com
Thu Dec 10 01:12:33 UTC 2009
On Dec 9, 2009, at 4:40 PM, Squirrel wrote:
> My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of couple of my websites. The index.php had the following info:
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> Sorry Admin And Don't Worry Just I Change Index
> For Contact : l_9 at hotmail.com
> Best Wishes"
While it's unfortunate that your machine was hacked, and it would be nice to assume that no other changes were made, you need to completely rebuild this box, regenerate SSH keys, SSL certs, etc before you can trust anything it talks to.
> Of course, I sent him email, just in case it's valid, asking how he did it or how should I patch things up. But haven't got a reply yet. I've looked at all the log files, particularly auth.log, although there were thousands of login attempts to SSH and FTP, but none succeeded. And I don't know where else to look, please help.
> I'm using FreeBSD 7.1-Release with below daemons
> Apache 2.2.11
> ProFTP 1.32
> OpenSSH 5.1
> Webmin 1.480
> MySQL 5.0.67
> BIND 9.6.0
You're down-rev on Apache and BIND, for the very least. And, the fact that you mentioned index.php suggests that you're running a lot more than just a basic Apache webserver; PHP is a likely candidate for security vulnerabilities by itself, and if you haven't patched for FreeBSD-SA-09:16.rtld, any local exploit will yield root.
Installing /usr/ports/ports-mgmt/portaudit can be helpful....
More information about the freebsd-stable