On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
>
> It seems to be a php issue. I
> searched through all php files that "include" or "fopen" something ...
> whew there are way too many.
>
> Any ideas ?

If you have pristine logfiles for apache you might want to look for suspicious parameters passed to requests recently. Perhaps `ftp` or `wget` commands were used to upload the DOS / forking program upon your box?

I'm sure a competent attacker would have either nuked the logs or used POSTs for any control - but if you have some code running on that box which is using fopen, etc, the initial attempt might have been recorded.

Failing that you could look at installing mod_security to record all future GET/POST arguments and payloads. I found it fairly simple to backport to stable, and could probably dig out packages if that would be useful.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
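
The log review suggested in the message above, sketched as an added example that is not part of the original thread. It assumes Apache common/combined log format; the two match rules, the function name `scan` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Assumed rules: the download tools named in the thread, and a remote URL
# passed as a parameter value (something a PHP include/fopen could fetch).
SUSPICIOUS = [
    ("download-tool", re.compile(r"\b(wget|ftp)\s", re.I)),
    ("remote-url", re.compile(r"^(https?|ftp)://", re.I)),
]

# Constructed sample lines (documentation addresses, placeholder host name).
SAMPLE = [
    '198.51.100.7 - - [31/Aug/2004:21:14:02 +0200] '
    '"GET /index.php?page=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [31/Aug/2004:22:01:47 +0200] '
    '"GET /index.php?page=http://example.invalid/x.txt HTTP/1.0" 200 312',
    '203.0.113.9 - - [31/Aug/2004:22:02:10 +0200] '
    '"GET /index.php?page=news&cmd=wget%20http://example.invalid/a HTTP/1.0" 200 98',
]

def scan(lines):
    """Return (host, time, method, param, value, rule) per suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        host, when, method, target, _status = m.groups()
        # parse_qsl percent-decodes values, so %20 and '+' both become a space
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            for rule, pattern in SUSPICIOUS:
                if pattern.search(value):
                    hits.append((host, when, method, name, value, rule))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(" | ".join(hit))
```

Only the request line is logged, so this sees GET arguments and nothing sent in a POST body, which is the gap the mod_security suggestion covers.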