has my 10.1-RELEASE system been compromised
Joseph Mingrone
jrm at ftfl.ca
Wed Feb 25 21:52:22 UTC 2015

Walter Hop <freebsd at spam.lifeforms.nl> writes:
> If this traffic is originating from your system, and you were running
> PHP, I’d say it’s probably most likely that some PHP
> script/application on your host was compromised. Were you running
> stuff like phpMyAdmin, Wordpress or Drupal that might not have been
> updated too often?

I was running almost nothing with php except
<TITLE><?php echo $_SERVER['HTTP_HOST']?></TITLE>
on one page. I was recently testing out mediawiki. IIRC I installed it
via the port, but uninstalled it almost immediately. I saw today that
there was still a mediawiki directory left over with a timestamp of
2014-12-30 and one php file, LocalSettings.php.

> Often in such a compromise, the attacker leaves traces in the
> filesystem, like executable scripts or temp files. Try to look for new
> files which are owned by the webserver or fastcgi process, see if you
> find some surprises.
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don’t find anything, look back a little further.
> Hopefully you will find a clue in this way.

# touch -t 201412250000 foo
# find / -user www -newer foo
turned up a few directories under /var/tmp/nginx, but they were all
empty. The timestamps were the same as the mediawiki directory.
Nothing interesting turned up in the output when I uninstalled the php
or spawn-fcgi packages.
Thanks,
Joseph
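One way to package the touch/find sweep Walter suggests, together with the empty-directory triage it led to in this reply, as an added example written for this thread rather than code posted by either participant. It assumes POSIX sh with the find(1) -user/-newer and touch(1) -t options used above, and takes a root directory so it can be tried on a constructed sample tree before sweeping /.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the touch/find sweep in a
# function that takes a root directory, an owner and a reference timestamp,
# then classifies the hits so empty directories and executables stand out.
# Assumes POSIX sh with find(1) -user/-newer and touch(1) -t (FreeBSD base).

# find_recent_owned ROOT OWNER YYYYMMDDhhmm
#   Prints paths under ROOT owned by OWNER with an mtime newer than the
#   reference stamp. The reference file lives in $TMPDIR, outside ROOT,
#   so it never shows up in its own results. -xdev stays on one filesystem;
#   drop it to cross mount points.
find_recent_owned() {
    root=$1; owner=$2; stamp=$3
    ref=$(mktemp "${TMPDIR:-/tmp}/refstamp.XXXXXX") || return 1
    touch -t "$stamp" "$ref" || { rm -f "$ref"; return 1; }
    rc=0
    find "$root" -xdev -user "$owner" -newer "$ref" 2>/dev/null || rc=$?
    rm -f "$ref"
    return "$rc"
}

# triage_hits
#   Reads paths on stdin and tags each one: EMPTYDIR (like the leftover
#   /var/tmp/nginx entries in the thread), DIR, EXEC (executable file) or
#   FILE, so the hits can be sorted into "look here first" buckets.
triage_hits() {
    while IFS= read -r p; do
        if [ -d "$p" ]; then
            if [ -z "$(ls -A "$p")" ]; then echo "EMPTYDIR $p"
            else echo "DIR $p"; fi
        elif [ -x "$p" ]; then echo "EXEC $p"
        else echo "FILE $p"
        fi
    done
}

# Example sweep, equivalent to the two commands in the reply above but
# restricted to /var/tmp (constructed invocation; adjust owner and root):
# find_recent_owned /var/tmp www 201412250000 | triage_hits
```

Run it as root when sweeping the whole system, since find(1) silently skips directories it cannot read and the function discards stderr.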