Hacked - FreeBSD 7.1-Release

[ocean]

Squirrel wrote:
> My server was hacked, and the hacker was nice enough to not cause
> damage except changing index.php of couple of my websites.  The
> index.php had the following info:
> 
> "Hacked By Top First Warning That's Bug From Your Servers Next Time
> You Must Be Careful And Fixed Your Site Before Coming Another Hacker
> And Hacked You Again Sorry Admin And Don't Worry Just I Change Index 
> ALTBTA For Contact : l_9 at hotmail.com Best Wishes"

i won't be sure he has changed only indexes, it's a good rule to check carefully every other file or revert to a backup precedent to the hacking.

> 
> Of course, I sent him email, just in case it's valid, asking how he
> did it or how should I patch things up.  But haven't got a reply yet.
> I've looked at all the log files, particularly auth.log, although
> there were thousands of login attempts to SSH and FTP, but none
> succeeded.  And I don't know where else to look, please help.
> 
> I'm using FreeBSD 7.1-Release with below daemons
> 
> Apache 2.2.11 ProFTP 1.32 OpenSSH 5.1 Webmin 1.480 MySQL 5.0.67 BIND
> 9.6.0
> 

most likely could be some kind of remote code execution or SQLi executed in the context of some php scripts, you should audit php code of your web interface and of the websites you host.
also consider the strenght of your passwords, lots of login attempts to ssh/ftp may mean a he has tried a bruteforce (or a dictionary attack maybe). you should also check webmin logs, there are a few bruteforcer  for webmin out there, (*hint*) consider the lenght of your average password if it's more than 7-8 characters aplhanumeric with simbols most likely this isn't the case.

check (if you have them) logs of urls requested and mysql errors, the answer could be find here probably.

regards
ocean