>Chris Robertson wrote:
>>
>> Where's the posix api and dl-functionality report? Any specific
>> keywords to narrow it down?
>
>disable_*** in php.ini?

I thought you meant a vulnerability/exploit report...

>> I actually started with PHP as my most likely culprit but in digging in
>> one of the servers that was compromised doesn't have any php web pages,
>> i.e. the module is loaded but not in use.
>
>well, is it possible it crossed process boundaries to other processes also
>running as user 'wwwrun'?

Apache is the only thing running as that user. Regardless, there were commands issued with root privs so whatever happened needed to have gotten back to kernel space to elevate privileges.

>Whoops. Don't tell us you started httpd as wwwrun? That means you don't

Nope, standard start scripts.

Thanks for the feedback.

Chris

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.