On 11/01/12 22:37, Luisa Ester Navarro wrote:
Hehe, this is where they say, RTFS, or as Jeron suggested, see if you can correlate something in the logs.

If apache is still running and you happen to have mod_info, it's useful as it at least gives you the paths being processed. Often the "child script" will hold up the processing and you can then spot the script in use in the mod_info data; in other cases, it's a wild goose chase. mpm_user also helps to narrow things down in case of vhost setups (ISP ... find the offending user - disable the vhost - that usually gets the offender's attention, and when you tell him/her that his code is bust and they need to audit their code they usually end up paying me for my time to do it, which usually just involves pointing to one of the latest joomla/wordpress/flavor of the month CMS exploits).

With respect to the logs, often you'll find URIs in the get parameters, so perhaps you can try grepping your logs for a regex, something like grep -E "\?.*http://" and see if that shows anything.

I'm afraid there are no real shortcuts. Good luck.

JK
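The log check suggested in the message above, as an added example that is not part of the original message: it parses only the request target, so a Referer URL does not trigger a hit and percent-encoded or mixed-case values are still caught, then counts hits per script. The sample lines, host names and function names are constructed for illustration, and the Apache "combined" log format is assumed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jan/2012:22:01:07 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2012:22:01:09 +0000] "GET /components/gallery.php?cfg=http://files.example.net/a.txt? HTTP/1.1" 200 312 "-" "libwww-perl/5.8"
198.51.100.7 - - [11/Jan/2012:22:01:12 +0000] "GET /components/gallery.php?cfg=hTTp%3A%2F%2Ffiles.example.net%2Fa.txt HTTP/1.1" 200 312 "-" "libwww-perl/5.8"
203.0.113.4 - - [11/Jan/2012:22:02:30 +0000] "GET /login.php?return=/account HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0"
""".splitlines()

# client, method, request target and status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
URL_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def naive_grep(lines):
    """The grep from the message, applied to whole lines, for comparison."""
    return [l for l in lines if re.search(r'\?.*http://', l)]

def find_url_params(lines):
    """Return (client, path, param, value, status) for each query parameter
    whose decoded value starts with a URL scheme."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded values
            if URL_VALUE_RE.match(value):
                hits.append((client, parts.path, name, value, int(status)))
    return hits

def scripts_by_hits(hits):
    """Scripts receiving URL-valued parameters, most frequent first."""
    return Counter(path for _, path, _, _, _ in hits).most_common()

if __name__ == "__main__":
    for hit in find_url_params(SAMPLE_LOG):
        print(hit)
    print(scripts_by_hits(find_url_params(SAMPLE_LOG)))
```

On the sample, the plain grep matches the login request because of its Referer header and misses the percent-encoded request, while the parser reports both gallery.php requests and nothing else.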