FreeBSD 6.3 installation hacked

[Aflatoon Aflatooni]

I found a script in /tmp directory which could have been uploaded using php or Java.
How would they execute the code in /tmp directory? I couldn't figure it out.

Thanks




----- Original Message ----
From: Leandro Quibem Magnabosco <leandro.magnabosco at fcdl-sc.org.br>
To: Aflatoon Aflatooni <aaflatooni at yahoo.com>
Cc: freebsd-questions at freebsd.org
Sent: Tuesday, September 22, 2009 8:51:05 AM
Subject: Re: FreeBSD 6.3 installation hacked

Aflatoon Aflatooni escreveu:
> My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61. 
> This is what I see in my http error log:
> 
> [Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
> [Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
> wget: not found
> Can't open perl script "/tmp/shit.pl": No such file or directory
> wget: not found
> Can't open perl script "zuo.txt": No such file or directory
> curl: not found
> Can't open perl script "zuo.txt": No such file or directory
> lwp-download: not found
> Can't open perl script "zuo.txt": No such file or directory
> lynx: not found
> Can't open perl script "zuo.txt": No such file or directory
> zuo.txt                                                11 kB  56 kBps
> ...

It does not look they entered using any apache bug.
Probably you had a world writable directory and they managed to access it by ftp (or any other way) and sent a file containing commands to it.
Once it is there, they've 'called' the file using apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

--
Leandro Quibem Magnabosco.