Aflatoon Aflatooni wrote:
My server installation of FreeBSD 6.3 is hacked and I am trying to find out how they managed to get into my Apache 2.0.61.
This is what I see in my http error log:

[Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down
[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 mod_jk/1.2.25 configured -- resuming normal operations
wget: not found
Can't open perl script "/tmp/shit.pl": No such file or directory
wget: not found
Can't open perl script "zuo.txt": No such file or directory
curl: not found
Can't open perl script "zuo.txt": No such file or directory
lwp-download: not found
Can't open perl script "zuo.txt": No such file or directory
lynx: not found
Can't open perl script "zuo.txt": No such file or directory
zuo.txt                                                 11 kB   56 kBps
...

It does not look like they entered using any Apache bug.
Probably you had a world-writable directory and they managed to access it by FTP (or any other way) and sent a file containing commands to it. Once it is there, they've 'called' the file using Apache to execute whatever was in there (probably binding a shell to some port) in order to get access to the box.

--
Leandro Quibem Magnabosco.
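
The quoted log mixes Apache's own bracketed entries with bare lines such as `wget: not found`; lines without the `[timestamp] [level]` prefix are consistent with stderr from commands run by a process under Apache. As an added example (not part of the original thread), this Python sketch flags such lines for triage; the function name `find_child_stderr` and the signature labels are assumptions, and the sample is taken from the log quoted above with the wrapped line rejoined.

```python
import re

# Apache 2.0 error_log entries begin "[Day Mon DD HH:MM:SS YYYY] [level]".
APACHE_PREFIX = re.compile(
    r"^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] \[\w+\]")

# Labels are hypothetical; patterns cover the unprefixed lines seen in the quoted log.
SIGNATURES = [
    ("missing-tool", re.compile(r"^([\w.-]+): not found$")),
    ("perl-missing-script", re.compile(r"^Can't open perl script \"([^\"]+)\"")),
    ("transfer-progress", re.compile(r"^(\S+)\s+\d+ \w?B\s+\d+ \w?Bps")),
]

def find_child_stderr(lines):
    """Return (line_number, kind, detail) for every line Apache did not write itself."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or APACHE_PREFIX.match(line):
            continue  # blank, or a normal Apache entry
        kind, detail = "unprefixed", line  # unknown output still deserves a look
        for name, rx in SIGNATURES:
            m = rx.match(line)
            if m:
                kind, detail = name, m.group(1)
                break
        findings.append((lineno, kind, detail))
    return findings

# Sample lines from the log quoted in this thread (wrapped line rejoined).
SAMPLE = [
    "[Mon Sep 21 02:00:01 2009] [notice] caught SIGTERM, shutting down",
    "[Mon Sep 21 02:00:14 2009] [notice] Apache/2.0.61 (FreeBSD) PHP/5.2.5 "
    "mod_jk/1.2.25 configured -- resuming normal operations",
    "wget: not found",
    "Can't open perl script \"/tmp/shit.pl\": No such file or directory",
    "curl: not found",
    "Can't open perl script \"zuo.txt\": No such file or directory",
    "zuo.txt                                                 11 kB   56 kBps",
]

if __name__ == "__main__":
    for lineno, kind, detail in find_child_stderr(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

The file names it reports (here `/tmp/shit.pl` and `zuo.txt`) are what to search for on disk and in the access log around the same timestamps.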