Re: wget, apache and spam

To: debian-user@lists.debian.org
Subject: Re: wget, apache and spam
From: sethurf <sethurf@free.fr>
Date: Tue, 13 Apr 2010 19:31:06 +0200
Message-id: <[🔎] 4BC4AA5A.7000506@free.fr>
In-reply-to: <[🔎] 4BC444A6.3060802@debian.org>
References: <[🔎] 4BC370A3.4010907@free.fr> <[🔎] 4BC444A6.3060802@debian.org>

Jon Dowland wrote:
> sethurf wrote:
>   
>> Would you have any solution for me ? I don't know what to do... Maybe
>> there is a big big bug/fault in a hosted file for a hosted website.
>>     
>
> Yes, one of the sites you are hosting has a problem which is allowing a
> third party to run arbitrary commands on your server as the apache user.
>
> It will be a site which has access to scripting functionality: either
> via ExecCGI or a scripting language such as PHP if enabled.
>
> Check the log lines for the time around when the wget lines appear in
> your error log. That may help to narrow down which script or site is
> being exploited.
>
>
>   

Thanks for your quick answer.

Indeed, all hosted websites use PHP and suexec (for execCGI) is enables
and not installed.

I did take a look in apache's log but nothing seems strange during the
"wget" using. (before and after). Is it possible that the problem comes
from an exploited form on a website or for mysql (I do not know how...)
?  Is there a way or a software to find from where files are put in /tmp ?

Reply to:

Follow-Ups:
- Re: wget, apache and spam
  - From: sethurf <sethurf@free.fr>

References:
- wget, apache and spam
  - From: sethurf <sethurf@free.fr>
- Re: wget, apache and spam
  - From: Jon Dowland <jmtd@debian.org>

Prev by Date: Re: Boot / LVM best practices
Next by Date: system-test upgrade
Previous by thread: Re: wget, apache and spam
Next by thread: Re: wget, apache and spam
Index(es):
- Date
- Thread