On Wed, Apr 02, 2008 at 10:50:59AM -0700, Dennis Peterson wrote:
> Arthur Sherman wrote:
> >> I use scripts now to monitor user space for new php code.
> > Could you share these scripts?
>
> On a Solaris system you can use the built-in aset tool, and for any
> Unix/Linux system you can use trip-wire or Cfengine.

Or in plain old sh:

  touch /tmp/lastscan.tmp
  find /path/to/documentroot -newer /tmp/lastscan -name \*.php
  mv /tmp/lastscan.tmp /tmp/lastscan

Bootstrapping this so it won't give an error on the first run is left as
an exercise to the reader (you could just ignore the error).

On a related note: I recently saw a php exploit finder, which could search
php source for possibly exploitable code. It was basically a collection of
regular expressions, written in php itself, version 0.01, but it looked
interesting. Sorry, no URL, you'll have to google it.

(how far away from viruses are we yet?)

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclaimer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!
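
The sh approach from the message above with the first-run case handled, as an added example that is not part of the original message. The function name scan_new_php, its two arguments and the private state directory (used here instead of /tmp) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report PHP files created or modified since the previous run.
# scan_new_php DOCROOT STATEDIR   (hypothetical helper, not from the thread)
#   DOCROOT  - directory tree to scan
#   STATEDIR - directory writable only by the scanning user; holds the marker
scan_new_php() {
    docroot=$1
    statedir=$2
    marker=$statedir/lastscan
    pending=$statedir/lastscan.tmp

    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 2; }

    # Keep the markers out of world-writable /tmp so another local user
    # cannot pre-create or symlink them.
    mkdir -p "$statedir" && chmod 700 "$statedir" || return 2

    # Stamp the start time first: files written while find is running are
    # newer than this stamp, so the next run will still report them.
    touch "$pending" || return 2

    if [ -f "$marker" ]; then
        find "$docroot" -type f -name '*.php' -newer "$marker" -print
    else
        # First run: no baseline exists yet, so list every PHP file once.
        find "$docroot" -type f -name '*.php' -print
    fi
    status=$?

    # Advance the baseline only if the scan finished cleanly; otherwise the
    # old marker stays and the same window is rescanned next time.
    [ "$status" -eq 0 ] && mv "$pending" "$marker"
    return "$status"
}
```

Call it from cron as, for example, scan_new_php /path/to/documentroot /var/lib/phpscan and mail any output to the administrator; -newer compares modification times, so a file uploaded with a preserved old mtime will not be listed.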