Ok, so my intuition that somewhere I should find a corresponding entry in an access log for one of the websites is correct, presumably somewhere near the time of the timestamp from the error log.
So, this goes more into PHP than Apache but would presumably suggest either a script allowing an upload or a query string that was exploited or the like.
Thanks very much.

Jim.

On Sat, 28 Jan 2006, Joshua Slive wrote:

> On 1/28/06, James R. Hay <jrhay@xxxxxxxxxx> wrote:
>> The entries below were found in the Apache error log while investigating
>> an apparent exploit. Thus far I have not found any corresponding access
>> log entry and I am wondering if this is an indication that the intruder
>> gained a shell?
>
> Close enough. It is the stderr from a broken script someplace, most
> likely indicating that you have a compromised php script on your system.
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

James R. Hay    jrhay@xxxxxxxxxx
Hay-Net Networks
P.O. Box 46051
Pointe Claire, QC H9R 5R4
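
The correlation discussed in this thread (matching script stderr in the error log to access-log requests near the same time), as an added example that is not part of the original messages. It assumes the stray stderr lines carry no timestamp of their own, so each is bracketed by the nearest timestamped error-log lines; the log contents, addresses, paths and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread); both are in server local time.
ERROR_LOG = """\
[Sat Jan 28 03:14:02 2006] [error] [client 192.0.2.10] File does not exist: /var/www/site/favicon.ico
sh: example-command: command not found
[Sat Jan 28 03:14:09 2006] [notice] caught SIGTERM, shutting down
"""
ACCESS_LOG = """\
192.0.2.10 - - [28/Jan/2006:03:14:02 -0500] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.7 - - [28/Jan/2006:03:14:05 -0500] "GET /gallery/view.php?page=about HTTP/1.1" 200 512
203.0.113.5 - - [28/Jan/2006:04:30:00 -0500] "GET /index.html HTTP/1.1" 200 1024
"""

ERR_TS = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\]")
ACC = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def stray_windows(error_lines, slack=timedelta(seconds=60)):
    """Yield (line, start, end) for each error-log line that has no Apache
    timestamp, using the nearest timestamped neighbours as the time window."""
    stamps = [(i, datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"))
              for i, ln in enumerate(error_lines) if (m := ERR_TS.match(ln))]
    for i, line in enumerate(error_lines):
        if ERR_TS.match(line) or not line.strip():
            continue
        before = [t for j, t in stamps if j < i]
        after = [t for j, t in stamps if j > i]
        if not before and not after:
            continue  # nothing to anchor the line to
        start = (before[-1] if before else after[0]) - slack
        end = (after[0] if after else before[-1]) + slack
        yield line, start, end

def candidates(access_lines, start, end):
    """Requests inside the window; PHP requests with a query string or POST sort first."""
    hits = []
    for ln in access_lines:
        m = ACC.match(ln)
        if not m:
            continue
        # The UTC offset is dropped: the error log records local time only.
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        method, url = m.group(3), m.group(4)
        if start <= ts <= end:
            suspicious = ".php" in url and (method == "POST" or "?" in url)
            hits.append((not suspicious, ts, m.group(1), method, url))
    return [h[1:] for h in sorted(hits)]
```

Run it across the access logs of every virtual host, since all of them may write to the same error log.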