Hacked - FreeBSD 7.1-Release

Xin LI delphij at delphij.net
Thu Dec 10 01:18:37 UTC 2009


Squirrel wrote:
> My server was hacked, and the hacker was nice enough not to cause damage except changing the index.php of a couple of my websites.  The index.php had the following info:
> 
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> Sorry Admin And Don't Worry Just I Change Index
> ALTBTA
> For Contact : l_9 at hotmail.com
> Best Wishes"
> 
> Of course, I sent him an email, just in case it's valid, asking how he did it or how I should patch things up.  But I haven't got a reply yet.  I've looked at all the log files, particularly auth.log; although there were thousands of login attempts to SSH and FTP, none succeeded.  And I don't know where else to look, please help.
> 
> I'm using FreeBSD 7.1-Release with below daemons
> 
> Apache 2.2.11
> ProFTP 1.32
> OpenSSH 5.1
> Webmin 1.480
> MySQL 5.0.67
> BIND 9.6.0

It could be tricky to figure out how the attacker got in.  I'd be
curious what PHP application you are using right now.  Have you
properly set the permissions (i.e. files are either executable or
writable, but not both; the www user can't write where code can be
executed, etc.), and is there no vulnerability in your web application?

By the way, if you use ports you can install ports-mgmt/portaudit and
use 'portaudit -Fda' to check if there are known vulnerabilities in your
installed packages, just a hint.

Cheers,
- --
Xin LI <delphij at delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!	       Live free or die
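The two permission rules from the reply above (no file both writable and executable; the www user cannot write where code is served) can be checked with find. This is an added example, not part of the original message; the function names and the www:www default account are assumptions, so pass the account your Apache actually runs as.

```shell
#!/bin/sh
# Added example: audit a web document root against the two permission
# rules in the reply. Function names and the www:www default are
# assumptions, not taken from the original message.

# Rule 1: regular files that carry both a write bit and an execute bit
# (for owner, group or other).
writable_and_executable() {
    find "$1" -type f \
        \( -perm -200 -o -perm -020 -o -perm -002 \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Rule 2: files and directories the web server account can write to,
# either as owner, through its primary group, or because they are
# world-writable. Supplementary groups and ACLs are not considered.
web_writable() {
    dir=$1 user=$2 group=$3
    find "$dir" \( -type f -o -type d \) \
        \( \( -user "$user" -perm -200 \) \
           -o \( -group "$group" -perm -020 \) \
           -o -perm -002 \) -print
}

# Usage: sh audit.sh /path/to/docroot [web_user] [web_group]
if [ "$#" -ge 1 ]; then
    echo "== writable and executable =="
    writable_and_executable "$1"
    echo "== writable by web account =="
    web_writable "$1" "${2:-www}" "${3:-www}"
fi
```

Any path printed under either heading is a place where a flaw in a PHP application could be turned into a modified index.php, so both lists should be empty apart from deliberate upload or cache directories that serve no code.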


More information about the freebsd-stable mailing list