the problem is:
1) it's probably not run by a PHP script (since it wouldn't open a new process for it)
2) I grepped all the domain logs for the IP or hostname (when they use host) and didn't find anything
3) I checked all ports bound by apache to check if the exploiter isn't running a shell and executing the commands through it... nothing found
so... how can these commands be executed by apache?
which other ways can they make apache execute things?!
Originally posted by JTY: They are likely being executed by a PHP script. The PHP script is spawning off a shell instance to do its bidding. As well, if the exploit is done via POST, not much will show up in the logs.
I'd suggest installing mod_security, and tuning it to fit your needs. It'll really cut down on this sort of thing.
mod_security is already installed, but I have no idea how they're doing this
as far as I checked, they tried to bind the shell, but didn't get it (/tmp has "no exec")
any ideas on how to find out if it was by POST?!
You need to tighten your mod_security rules a bit to include 'wget', 'curl', etc.
when you see something like the above line, do the following
there is much helpful info in this directory, like the command used, and also FD (file descriptors), which will contain all the files used by this command, and surely from all this info you will know the buggy script that is causing this.
Hope this helps.
knowledge is Power , Spread it.
www.e-tutankhamun.com [email protected]
AIM:AhmedFouad0 , yahooID:xor2004
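As an added example that is not part of this thread, the following script does the /proc inspection the reply above describes: it finds a wget or curl process whose parent is the web server and prints its command line, working directory and open file descriptors, the last of which usually lead straight to the script or file being used. The PROC_ROOT override and the httpd/apache parent-name match are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: find a process such as wget or curl
# whose parent is the web server and print its command line, cwd and open fds.
# PROC_ROOT (assumed override) lets the functions run on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Command line of a pid, NUL separators turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" 2>/dev/null | sed 's/ $//'
}

# Parent pid of a pid, taken from the PPid: line of /proc/<pid>/status.
proc_ppid() {
    awk '/^PPid:/ { print $2 }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# Report one pid: its command, the parent's command, cwd and fd targets.
inspect_pid() {
    pid=$1
    ppid=$(proc_ppid "$pid")
    echo "pid $pid cmd: $(proc_cmdline "$pid")"
    echo "  parent $ppid cmd: $(proc_cmdline "$ppid")"
    echo "  cwd: $(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null)"
    for fd in "$PROC_ROOT/$pid"/fd/*; do
        [ -e "$fd" ] || [ -L "$fd" ] || continue
        echo "  fd $(basename "$fd") -> $(readlink "$fd" 2>/dev/null)"
    done
}

# Print the pids whose command line matches a glob (e.g. '*wget*') and whose
# parent's command line names the web server (assumed: httpd or apache).
find_spawned_by_httpd() {
    pattern=$1
    for d in "$PROC_ROOT"/[0-9]*; do
        pid=$(basename "$d")
        [ -r "$d/cmdline" ] || continue
        case "$(proc_cmdline "$pid")" in
            $pattern) ;;
            *) continue ;;
        esac
        case "$(proc_cmdline "$(proc_ppid "$pid")")" in
            *httpd*|*apache*) echo "$pid" ;;
        esac
    done
}

# Scan for the fetch tools seen in the thread and report on each hit.
for pid in $(find_spawned_by_httpd '*wget*') $(find_spawned_by_httpd '*curl*'); do
    inspect_pid "$pid"
done
```

Run it as root (or as the apache user) while the rogue process is alive; the fd targets and cwd are what identify the script the PHP code ran from.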