Hi,

On Thu, 20 Apr 2006, Marcel Mourguiart wrote:
> On 4/20/06, jdd <[EMAIL PROTECTED]> wrote:
>> Marcel Mourguiart wrote:
>>
>>> Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.).
>>> My connection has been stopped because MY server is making DDoS attacks.
>>>
>>> Then I read this:
>>> http://blogs.zdnet.com/threatchaos/?p=310
>>>
>>> Is there a patch, link or whatever you can give me to resolve the problem?
>>>
>>> Sorry if this is not the appropriate list, I'm just desperate.
>>
>> The best way should be to update your PHP version with YOU,
>> or if this is not sufficient directly from the PHP site.
>>
>> I'm sure this bug is already fixed.
>
> I have everything updated with YOU.
>
> Carl: I'll subscribe to "suse-security" and I'm aware this is not a
> SUSE-specific bug or a Linux one, it is probably a PHP bug, which makes
> the problem just harder to resolve.
>
> Anyway, if somebody knows the specific problem with PHP or has a
> clue, I'll be happy to hear it.

I am watching for "PHP invaders" with this cron job:

php-server1:1 21:39:34 ~ # cat bin/hack-detect
#!/bin/bash
# Snapshot all wwwrun processes and all wwwrun-owned files in the
# web-writable areas, diff against the previous snapshot and mail
# the difference. Detection only; nothing is blocked.

export HOST=php-server1
export DATE=`date +%y%m%d.%H%M`
# Private copies of the tools, so a rootkit that replaces the
# system binaries does not also blind the detector.
export B=/home/detector/bin

SF=/home/detector/find.wwwrun
M="[EMAIL PROTECTED]"
S="${HOST} hack-detect ${DATE}"
rm -f "${SF}.old" "${SF}.dif"
# First run: there is no previous snapshot yet, start from an empty one.
if [ -f "${SF}" ]; then mv "${SF}" "${SF}.old"; else : > "${SF}.old"; fi
echo "=== Processes:" >"${SF}"
# Everything running as wwwrun except the Apache workers themselves.
${B}/pstree -p wwwrun | grep -v '^httpd2-prefork' | sort -u >>"${SF}"
echo "=== Files:" >>"${SF}"
# Regular files owned by wwwrun in the directories it may write to;
# PHP session files come and go and would only produce noise.
for i in /tmp /var/lib/wwwrun /var/tmp
do
  ${B}/find "$i" -type f -user wwwrun | grep -v '^/tmp/sess_' | sort >>"${SF}"
done
# Keep only the added/removed lines, drop the diff headers.
${B}/diff -U 0 "${SF}.old" "${SF}" | grep -v '^--- \|^+++ \|^@@ ' >"${SF}.dif"
if [ -s "${SF}.dif" ]; then
  mail -s "${S}" "${M}" <"${SF}.dif" &
fi
php-server1:1 21:39:41 ~ #

It is simply monitoring all areas which are writable by the user wwwrun
and all wwwrun processes.

The invoked binaries reside in an exclusive place, so no rootkit will overwrite them.

It does not protect in any way; it only alarms.

Cheers -e
--
Eberhard Moenkeberg ([EMAIL PROTECTED], [EMAIL PROTECTED])

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
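The same snapshot-and-diff idea as hack-detect, as an added example (editor's code, not the script from the mail above and not part of the thread). It records size and SHA-256 for every file, so a PHP script overwritten in place (same path, new contents) is reported and not only new or deleted paths, skips sess_* files in every watched directory rather than only under /tmp, and classifies the wwwrun process list instead of dumping it. The names WATCH_USER, STATE_DIR, snapshot_files, report_changes, flag_procs and run_check are this example's own choices, and the "--run" entry point assumes a mail command reachable from cron.

```shell
#!/bin/sh
# Added example (editor's code, not the hack-detect script from the mail).
# Snapshot the web-server user's writable areas and processes, report what
# changed since the last run. Names and paths below are this example's own.

WATCH_USER="${WATCH_USER:-wwwrun}"            # empty string = no owner filter
STATE_DIR="${STATE_DIR:-/var/lib/hack-detect}"

file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot_files DIR...: one line per file, "path<TAB>size<TAB>sha256".
# PHP session files (sess_*) are skipped in every directory.
snapshot_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        if [ -n "$WATCH_USER" ]; then
            find "$d" -type f -user "$WATCH_USER" ! -name 'sess_*' -print
        else
            find "$d" -type f ! -name 'sess_*' -print
        fi
    done | sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$(file_hash "$f")"
    done
}

# report_changes OLD NEW: "+ path" added, "- path" removed, "! path" contents
# changed. Keyed on FILENAME rather than NR==FNR so that an empty OLD (first
# run) does not make awk treat every NEW line as old.
report_changes() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $3; next }
        { new[$1] = $3 }
        END {
            for (p in new) if (!(p in old)) print "+ " p
            for (p in old) if (!(p in new)) print "- " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "! " p
        }' "$1" "$2" | sort
}

# flag_procs: reads "user comm args" lines (ps -u USER -o user=,comm=,args=)
# on stdin. Apache workers are dropped; interpreters and downloaders running
# as the web user are marked "!", anything else "?" for a human to look at.
flag_procs() {
    awk '
        $2 ~ /^httpd/ { next }
        $2 ~ /^(sh|bash|dash|perl|python[0-9.]*|wget|curl|nc|ncat)$/ { print "! " $0; next }
        { print "? " $0 }'
}

# run_check DIR...: rotate the previous snapshot, take a new one, print the
# file changes. On the first run every file is reported as "+" (the baseline).
run_check() {
    cur="$STATE_DIR/files.cur"
    prev="$STATE_DIR/files.prev"
    mkdir -p "$STATE_DIR"
    if [ -f "$cur" ]; then mv -f "$cur" "$prev"; fi
    [ -f "$prev" ] || : > "$prev"
    snapshot_files "$@" > "$cur"
    report_changes "$prev" "$cur"
}

# Cron entry point: sh hack-detect2.sh --run /tmp /var/tmp /var/lib/wwwrun
# Mails the report only when it is non-empty, as hack-detect does.
if [ "${1:-}" = "--run" ]; then
    shift
    { run_check "$@"; ps -u "$WATCH_USER" -o user=,comm=,args= | flag_procs; } > "$STATE_DIR/report"
    [ -s "$STATE_DIR/report" ] && mail -s "$(hostname) hack-detect" root < "$STATE_DIR/report"
fi
```

Like the original it only alarms. The state directory is the weak spot: an attacker who gets past wwwrun to root can edit files.prev to hide a change, so keep it (and the copies of find, awk and ps) somewhere the web user cannot write, or ship the snapshot off the host.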