Re: apache / exe process taking 99 % cpu
On Wed, Sep 01, 2004 at 12:25:19AM +0200, Timo Veith wrote:
> I seems to be a php issue. I
> searched through all php files that "include" or "fopen" something ...
> whew there are way too many.
> Any ideas ?
If you have pristine logfiles for apache you might want to look for
suspicious parameters passed to requests recently. Perhaps `ftp`
or `wget` commands were used to upload the DOS / forking program
upon your box?
I'm sure a competant attacker would have either nuked the logs or
used POST's for any control - but if you have some code running
on that box which is using fopen, etc, the initial attempt might
have been recorded.
Failing that you could look at installing mod_security to record
all future GET/POST arguments and payloads. I found it fairly
simple to backport to stable, and could probably dig out packages
if that would be useful.
# The Debian Security Audit Project.