FreeBSD 6.3 installation hacked
Leandro Quibem Magnabosco
leandro.magnabosco at fcdl-sc.org.br
Tue Sep 22 12:51:08 UTC 2009
Aflatoon Aflatooni escreveu:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
>
> This is what I see in my http error log:
>
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt 11 kB 56 kBps
> ...
It does not look they entered using any apache bug.
Probably you had a world writable directory and they managed to access
it by ftp (or any other way) and sent a file containing commands to it.
Once it is there, they've 'called' the file using apache to execute
whatever was in there (probably binding a shell to some port) in order
to get access to the box.
--
Leandro Quibem Magnabosco.
More information about the freebsd-questions
mailing list