Security Incidents mailing list archives

RE: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)


From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Sat, 10 Jul 2004 22:42:51 +1200

Nathan, 

-----Original Message-----
From: nathan c. dickerson [mailto:nathan () pro net] 
Sent: Saturday, 10 July 2004 6:16 a.m.
To: incidents () securityfocus com
Subject: Interesting webserver intrusion (apache 1.3.31, 
mod_ssl 2.8.18, php 4.3.7) 

Greetings,


If I could get the full GET and POST request data, I could perform 
searches for interesting execution strings. Does anyone have any 
suggestions on this?

Whole thing sounds pretty interesting. Regarding post GET and POST requests,
there's (obviously) no way to get them.
But, in order to get those logs in the future, you can install mod_security
module for Apache (http://www.modsecurity.org).
Besides all the nice features that mod_security offers, one pretty
interesting one is audit logging - it will log full details of every request
(including POST requests), which will allow you to analyze them later.

If you have that many sites hosted on a machine (120?), my wild guess would
be that they're getting in through one of the buggy PHP scripts - I saw far
too many sites compromised because of bad PHP scripts.

In any case, it would be interesting to see more information about this.

Hope this helps. Cheers,

Bojan Zdrnja
CISSP
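
An added example, not part of the original thread: one way to search audit logs of the kind recommended above for suspicious strings in request lines and POST bodies. It assumes the serial audit log layout of ModSecurity 2.x (sections delimited by `--<id>-<letter>--`), which is newer than the release current when this message was written; the patterns, host names and log entries are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")  # e.g. --7be01d33-C--
# Illustrative patterns (assumption); tune to what your own applications never send.
SUSPICIOUS = re.compile(r"(?i)\b(?:wget|curl|uname|passthru|system)\b|/bin/sh|=(?:https?|ftp)://")
# Constructed sample, trimmed: A = log header, B = request headers, C = request body.
SAMPLE_LOG = """\
--4f2a9c1e-A--
[10/Jul/2004:06:01:12 +0000] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 40112 198.51.100.5 80
--4f2a9c1e-B--
GET /index.php?page=news HTTP/1.1
--4f2a9c1e-Z--
--7be01d33-A--
[10/Jul/2004:06:03:40 +0000] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.77 40990 198.51.100.5 80
--7be01d33-B--
POST /gallery/view.php HTTP/1.1
--7be01d33-C--
dir=%2Ftmp&cmd=uname+-a
--7be01d33-Z--
"""

def parse_entries(text):
    """Return one {section_letter: text} dict per complete A..Z transaction."""
    entries, current, letter = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            letter = m.group(2)
            if letter == "A":
                current = {}                  # new transaction
            if current is not None and letter == "Z":
                entries.append({k: "\n".join(v).strip() for k, v in current.items()})
                current = None
            elif current is not None:         # None here means the log began mid-entry
                current[letter] = []
        elif current is not None:
            current[letter].append(line)
    return entries

def find_suspicious(entries):
    """Return (client_ip, request_line, match) for hits in the decoded request line or body."""
    hits = []
    for e in entries:
        request_line = e.get("B", "").split("\n", 1)[0]
        client_ip = (e["A"].split()[3:4] or ["?"])[0]   # A: [date tz] id src_ip src_port ...
        for text in (request_line, e.get("C", "")):
            m = SUSPICIOUS.search(unquote_plus(text))   # decode %xx and '+' before matching
            if m:
                hits.append((client_ip, request_line, m.group(0)))
    return hits
```

On the constructed sample only the POST entry is flagged; the match is found in the URL-decoded body, which an ordinary access log would not have recorded.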

