On Fri, Mar 17, 2006 at 11:01:53AM +0100, Mark Prins wrote:
> [EMAIL PROTECTED] wrote on :
>
> > On Wed, Mar 15, 2006 at 12:31:06PM +0000, Gaby vanhegan wrote:
>
> >> 1. How do I find out their attack vector? I have had a nessus scan
> >> performed on the machine, but it did not present any security (I can
> >> supply on request). I've checked the security releases in
> >> security.html and there are no pertinent ones for httpd. Snort has
> >> provided little useful information (I can provide access to the
> >> snort logs if required).
>
> Your access log only shows the request errors (404, 408); this makes it
> useless for finding the entry point (which would be logged with 2xx),
> assuming it's httpd.
> The error log looks kinda scary...
> BTW, rotating the logs makes them easier to manage.
>
> >> 2. If I can't stop them getting in, is there any way to observe what
> >> they're doing, or how they're doing it, so I can get a pointer to
> >> the hole.
> >>
>
> >> i've run out of ideas here. Can you help?
> >
> > PHP is old, and best avoided as a matter of general principle. There
> > have been several security bugs found and fixed since 4.3.8.
>
> My bets are on PHP.
Or, to be fair to the PHP developers, one of the numerous buggy apps
written in PHP.
Joachim
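The point made in the quoted reply is that the 404/408 lines in the access log only show who was probing; the actual entry point into a PHP application will be a request that succeeded and was logged with a 2xx status. The script below is an added example (written for this page, not code from anyone in the thread) of how to work an Apache combined-format access log along those lines: it lists 2xx requests to .php scripts that carry request patterns typical of PHP application abuse, and it correlates IPs that generated 404s with the 2xx requests from the same IP. The log lines are constructed samples, and the suspicious-request patterns (remote-URL parameters, quote-then-OR fragments, directory traversal, POSTs to PHP scripts) are the editor's heuristics, not anything the thread identifies about this machine.

```python
import re

# Constructed sample lines in Apache "combined" format (not from the original thread).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2006:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Mar/2006:09:12:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.77 - - [15/Mar/2006:09:13:10 +0000] "GET /scanner/x.php HTTP/1.0" 404 211 "-" "-"
192.0.2.77 - - [15/Mar/2006:09:13:12 +0000] "GET /admin/index.php?page=http://198.51.100.9/c.txt? HTTP/1.0" 200 512 "-" "-"
192.0.2.77 - - [15/Mar/2006:09:13:40 +0000] "POST /upload.php HTTP/1.0" 200 88 "-" "-"
198.51.100.23 - - [15/Mar/2006:09:14:00 +0000] "GET /index.php?id=1%27%20or%201=1 HTTP/1.1" 200 4400 "-" "-"
10.0.0.5 - - [15/Mar/2006:09:15:00 +0000] "-" 408 - "-" "-"
"""

# Common/combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic request patterns (editor's assumptions for illustration, not from the thread).
SUSPICIOUS = [
    ("remote include", re.compile(r'=(https?|ftp)://', re.I)),
    ("sql-ish", re.compile(r"(%27|')\s*(%20|\+| )*(or|and|union)", re.I)),
    ("traversal", re.compile(r'(\.\./|%2e%2e%2f)', re.I)),
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req").split(" ")
    method, path = (req[0], req[1]) if len(req) >= 2 else (req[0], "")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": method,
        "path": path,
        "status": int(m.group("status")),
    }


def candidate_entries(log_text):
    """Return 2xx requests to PHP scripts that look like application abuse.

    Only successful (2xx) requests are considered, since a request that actually
    hit a working script is where the entry point would show up; 404/408 lines
    are skipped entirely.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (200 <= rec["status"] < 300):
            continue
        script = rec["path"].split("?", 1)[0]
        if not script.lower().endswith(".php"):
            continue
        tags = [name for name, rx in SUSPICIOUS if rx.search(rec["path"])]
        if tags or rec["method"] == "POST":
            rec["tags"] = tags or ["post-to-php"]
            hits.append(rec)
    return hits


def scanners_then_success(log_text):
    """Map each IP that produced at least one 404 (probing) to its 2xx request paths.

    The 404s identify who was scanning; the 2xx lines from the same address are
    the ones worth reading for the actual entry point.
    """
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = by_ip.setdefault(rec["ip"], {"404": 0, "2xx": []})
        if rec["status"] == 404:
            d["404"] += 1
        elif 200 <= rec["status"] < 300:
            d["2xx"].append(rec["path"])
    return {ip: d["2xx"] for ip, d in by_ip.items() if d["404"] and d["2xx"]}


if __name__ == "__main__":
    for h in candidate_entries(SAMPLE_LOG):
        print(f'{h["ip"]} {h["ts"]} {h["method"]} {h["path"]} -> {",".join(h["tags"])}')
    for ip, paths in scanners_then_success(SAMPLE_LOG).items():
        print(f"{ip} probed (404) and then succeeded on: {paths}")
```

Run it against a real log with `candidate_entries(open("access_log").read())`; the patterns are deliberately loose, so treat the output as a reading list rather than a verdict, and widen the .php filter if the application uses other handlers.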