nanog mailing list archives

Re: Security Guidance


From: "Aaron L. Meehan" <aaron () coinet com>
Date: Wed, 24 Feb 2010 10:04:02 -0800

On Tue, Feb 23, 2010 at 02:55:40PM -0600, Chris Adams wrote:
> Once upon a time, Matt Sprague <msprague () readytechs com> said:
>> The user could also be running the command inline somehow or deleting
>> the file when they log off.  Check who was logged onto the server at
>> the time of the attack to narrow down your search.  I like the
>> split-the-users idea, though it could be several iterations to narrow
>> down the culprit.
>
> We've also seen this with spammers.  They'll upload a PHP via a
> compromised account, connect to it via HTTP, and then delete it from the
> filesystem.  The PHP continues to run, Apache doesn't log anything
> (because it only logs at the end of a request), and the admin is left
> scratching his head to figure out where the problem is.

I've never used it myself, but Apache's mod_log_forensic is documented
to write two log entries for each request, one before and one after.

Aaron
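
Added example, not part of the original message: with mod_log_forensic enabled (its `ForensicLog` directive), each request writes a `+id|request|headers` line when it starts and a `-id` line when it finishes, so a request that is still running shows up as a start line with no matching end line. The sketch below lists those unmatched entries; the sample log, IDs and host names are constructed.

```python
"""Find requests that mod_log_forensic saw start but never saw finish."""
import sys

# Constructed sample in mod_log_forensic format: "+id|request|Header:value|..."
# is written when a request begins, "-id" when it completes.
SAMPLE_LOG = """\
+aaa111|GET /index.html HTTP/1.1|Host:www.example.com|User-Agent:curl/7.19
-aaa111
+bbb222|GET /~user1/x.php HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/4.0
+ccc333|POST /contact.php HTTP/1.1|Host:www.example.com|Content-Length:42
-ccc333
"""


def unfinished_requests(lines):
    """Return {forensic_id: start entry} for every id with no '-' line."""
    pending = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("+"):
            fields = line[1:].split("|")
            fid = fields[0]
            request = fields[1] if len(fields) > 1 else ""
            # Remaining fields are "Header:value"; split on the first colon.
            headers = dict(f.split(":", 1) for f in fields[2:] if ":" in f)
            pending[fid] = {"request": request, "headers": headers}
        elif line.startswith("-"):
            # Request completed: it will also appear in the normal access log.
            pending.pop(line[1:], None)
    return pending


if __name__ == "__main__":
    # Pass the forensic log path as an argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            open_reqs = unfinished_requests(fh)
    else:
        open_reqs = unfinished_requests(SAMPLE_LOG.splitlines())
    for fid, entry in open_reqs.items():
        host = entry["headers"].get("Host", "-")
        print(f"{fid}  {host}  {entry['request']}")
```

On a live server, entries for requests currently in flight will also be listed, so the ones worth chasing are those that stay unmatched across repeated runs.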

