The culprit turned out to be some guy who, instead of creating links to his web-pages, decided to include them.
This happened in the form of http://domain/index.php?p=/bla/data.html
Of course, "p" could be overwritten and some guy was loading a php-mailer from various geocities and yahoo pages, which our server dutifully parsed... We could only shake our heads in disbelief. This had cost us countless hours of (until now) fruitless work.

One relatively easy way to prevent this type of problem is to disallow your web server from making outgoing connections to port 80 TCP (i.e. do not allow it to request things). If you want to be really anal, simply disallow any outgoing connection attempts for TCP SYN; this will prevent all sorts of naughtiness from your webserver. Plus, when you do see blocked outgoing connections, you will know something is up and can correlate it with web logs/etc.

-Kurt Seifried
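
The correlation suggested above, as an added example that is not part of the original message: it matches blocked outgoing connections against web requests whose query parameter carries a URL. It assumes Apache common-log access lines, iptables-style LOG lines with a hypothetical `EGRESS-DROP` prefix, and both logs in the same timezone; all sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed, abbreviated sample lines (not taken from the thread).
ACCESS_LOG = '''\
203.0.113.9 - - [12/Mar/2003:03:14:05 +0000] "GET /index.php?p=/bla/data.html HTTP/1.0" 200 5120
198.51.100.7 - - [12/Mar/2003:03:14:06 +0000] "GET /index.php?p=http://remote.example/m.txt HTTP/1.0" 200 312
203.0.113.9 - - [12/Mar/2003:04:00:00 +0000] "GET /index.php?p=/bla/other.html HTTP/1.0" 200 4096
'''
FIREWALL_LOG = '''\
Mar 12 03:14:07 web1 kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.80 PROTO=TCP SPT=40112 DPT=80 SYN
'''

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# "EGRESS-DROP" is an assumed log prefix chosen for the blocking rule.
DROP_RE = re.compile(r'^(\w{3}\s+\d+ [\d:]+) .*EGRESS-DROP.*DST=(\S+).*DPT=(\d+)')

def remote_param_requests(access_log):
    """Return (time, client, target) for requests with a URL-valued parameter."""
    found = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, ts, _method, target = m.groups()
        when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
        values = [v for _k, v in parse_qsl(urlsplit(target).query)]
        if any(re.match(r'(?i)^(https?|ftp)://', v) for v in values):
            found.append((when, client, target))
    return found

def blocked_egress(firewall_log, year):
    """Return (time, destination, port); syslog lines carry no year."""
    found = []
    for line in firewall_log.splitlines():
        m = DROP_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            found.append((when, m.group(2), int(m.group(3))))
    return found

def correlate(access_log, firewall_log, year, window=timedelta(seconds=5)):
    """Pair each blocked connection with suspicious requests just before it."""
    requests = remote_param_requests(access_log)
    return [(client, target, dst, port)
            for when, dst, port in blocked_egress(firewall_log, year)
            for rwhen, client, target in requests
            if timedelta(0) <= when - rwhen <= window]
```
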
