Walter Hop <free...@spam.lifeforms.nl> writes:

> If this traffic is originating from your system, and you were running
> PHP, I’d say it’s probably most likely that some PHP
> script/application on your host was compromised. Were you running
> stuff like phpMyAdmin, Wordpress or Drupal that might not have been
> updated too often?

I was running almost nothing with php except `<TITLE><?php echo $_SERVER['HTTP_HOST']?></TITLE>` on one page. I was recently testing out mediawiki. IIRC I installed it via the port, but uninstalled it almost immediately. I saw today that there was still a mediawiki directory left over with a timestamp of 2014-12-30 and one php file, LocalSettings.php.

> Often in such a compromise, the attacker leaves traces in the
> filesystem, like executable scripts or temp files. Try to look for new
> files which are owned by the webserver or fastcgi process, see if you
> find some surprises.
>
> Example:
> # touch -t 201501010000 foo
> # find / -user www -newer foo
>
> If you don’t find anything, look back a little further.
> Hopefully you will find a clue in this way.

# touch -t 201412250000 foo
# find / -user www -newer foo

turned up a few directories under /var/tmp/nginx, but they were all empty. The timestamps were the same as the mediawiki directory. Nothing interesting turned up in the output when I uninstalled the php or spawn-fcgi packages.

Thanks,
Joseph
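A variation on the check Walter suggests, added here as an example and not taken from the thread: the `-newer foo` test only looks at mtime, which touch(1) can backdate to match the surrounding files, whereas ctime is set by the kernel on every inode change and cannot be rewritten that way, so widening the search to `-ctime` still surfaces a file whose mtime was made to look old. It assumes only POSIX find with `-mtime`/`-ctime`; the `-user www` filter is kept in a separate function because the demo cannot chown without root, and all file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Generalises `find -user www -newer foo`
# to a day count and widens it from mtime to ctime. All paths are constructed.

# modified_within ROOT DAYS: the thread's check, mtime only.
modified_within() {
    find "$1" -type f -mtime "-$2" | sort
}

# changed_within ROOT DAYS: same search, also matching files whose inode
# changed recently. A backdated mtime does not hide a file from -ctime.
changed_within() {
    find "$1" -type f \( -mtime "-$2" -o -ctime "-$2" \) | sort
}

# changed_within_owned ROOT DAYS USER: adds the owner filter from the thread
# (e.g. www). Not used by the demo, since chown to www needs root.
changed_within_owned() {
    find "$1" -type f -user "$3" \( -mtime "-$2" -o -ctime "-$2" \) | sort
}

# make_demo: build a throwaway web root holding two freshly written files,
# one of them with its mtime backdated to 2014-12-30 (the same stamp the
# leftover mediawiki directory carried). Prints the root directory.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/www"
    printf 'constructed sample\n' > "$root/www/dropped.php"
    printf 'constructed sample\n' > "$root/www/backdated.php"
    touch -t 201412300000 "$root/www/backdated.php"   # mtime lies, ctime does not
    printf '%s\n' "$root"
}

demo=$(make_demo)
echo "mtime within 7 days:";          modified_within "$demo" 7
echo "mtime or ctime within 7 days:"; changed_within "$demo" 7
rm -rf "$demo"
```

Against the demo tree the mtime-only search lists just dropped.php, while the widened search lists both files.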