On Fri, Mar 17, 2006 at 11:01:53AM +0100, Mark Prins wrote:
> [EMAIL PROTECTED] wrote on :
>
> > On Wed, Mar 15, 2006 at 12:31:06PM +0000, Gaby vanhegan wrote:
>
> >> 1. How do I find out their attack vector? I have had a nessus scan
> >> performed on the machine, but it did not present any security (I can
> >> supply on request). I've checked the security releases in
> >> security.html and there are no pertinent ones for httpd. Snort has
> >> provided little useful information (I can provide access to the
> >> snort logs if required).
>
> Your access log only shows the request errors (404, 408); this makes it
> useless for finding the entry point (which would be logged with 2xx)
> assuming it's httpd.
> The error log looks kinda scary...
> (btw, rotating the logs makes them easier to manage)
>
> >> 2. If I can't stop them getting in, is there any way to observe what
> >> they're doing, or how they're doing it, so I can get a pointer to
> >> the hole.
> >>
>
> >> I've run out of ideas here. Can you help?
> >
> > php is old, and best avoided as a matter of general principle. There
> > have been several security bugs found and fixed since 4.3.8.
>
> my bets are on php

Or, to be fair to the PHP developers, one of the numerous buggy apps written in PHP.

Joachim
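Added example, not part of the original thread: a triage pass over an Apache access log that lists successful (2xx) requests to PHP scripts from clients that also generated 4xx errors, since the thread notes that the entry point would be logged with 2xx rather than 404/408. The log lines, the function names and the `min_errors` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2006:03:10:01 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 208
192.0.2.10 - - [15/Mar/2006:03:10:02 +0000] "GET /forum/index.php HTTP/1.0" 404 212
192.0.2.10 - - [15/Mar/2006:03:10:04 +0000] "POST /gallery/view.php?id=7 HTTP/1.0" 200 512
198.51.100.7 - - [15/Mar/2006:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 4096
198.51.100.7 - - [15/Mar/2006:09:00:01 +0000] "GET /style.css HTTP/1.1" 200 900
203.0.113.5 - - [15/Mar/2006:11:00:00 +0000] "GET / HTTP/1.1" 408 -
this line is truncated garbage
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["path"] = d["target"].split("?", 1)[0]  # drop the query string
            yield d

def php_hits_from_probing_clients(log_text, min_errors=2):
    """Return 2xx requests to .php scripts made by clients that also
    produced at least min_errors 4xx responses (heuristic threshold)."""
    entries = list(parse(log_text))
    errors = defaultdict(int)
    for e in entries:
        if 400 <= e["status"] < 500:
            errors[e["host"]] += 1
    return [
        (e["host"], e["time"], e["method"], e["target"], e["status"])
        for e in entries
        if 200 <= e["status"] < 300
        and e["path"].lower().endswith(".php")
        and errors[e["host"]] >= min_errors
    ]

if __name__ == "__main__":
    for hit in php_hits_from_probing_clients(SAMPLE_LOG):
        print(*hit)
```

The output is a shortlist of scripts to review first, not proof of compromise; a default access log does not record POST bodies, so the matching error-log entries and the script source still have to be read.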