Stefan,
I would be interested in information about your case.  We had an old node with 
some outdated CGI stuff (including mapserv) that was compromised a few weeks 
back, via what appeared to be a CGI issue.  We had php in the cgi-bin directory 
(5.2.13) as well as mapserver 5.6.3.  As good fortune had it, I was in the 
process of migrating stuff from the directories on this old node to a new node 
at the exact same time as the intruder's entry, and managed to capture a few 
lines from the log before the intruder wiped the logs clean on exit.  

It was a very odd experience: I found a file named perl-cgi in the cgi-bin 
directory as I was listing the cgi-bin contents to verify the mapserv location. 
I did a quick grep of the logs for the file and found the call to that program 
with a password argument, and copied it to email our sysadmin guy. By the time 
that I shut down httpd and returned to scouring the logs, the logs had been 
wiped.  In other words, I was lucky enough to be watching it go down in real 
time.

Anyhow, we can discuss this off-list if it is not verified that mapserv may 
have been involved - or on list if there are any others who have had a similar 
experience in recent times.

/r/b
_______________________________________________
mapserver-users mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/mapserver-users
