Jon Dowland wrote on Mon, 21 Aug 2006 at 19:05 +0100:
> On Mon, Aug 21, 2006 at 06:44:00PM +0200, David Siroky wrote:
> > Attackers deleted all access.log and error.log files
> > (which I had among the web files)
>
> I assume by "among the web files" you mean you'd adjusted
> permissions on the logging directory so the apache user
> could write to them: by default, with apache2/debian, the
> www-data user cannot write to /var/log/apache2, and tampered
> logs would indicate a root-level exploit.
>
> > I know that there is a security issue in mod_rewrite but I
> > don't use it. Maybe PHP is unsafe. It is a mystery to me.
>
> If you are correct and no root-level permissions were
> obtained, it is quite likely to be a badly written web
> application, rather than a vulnerability in apache2 or php
> itself.

I finally found the hole. It was a badly written application (fortunately not by me :-). The server has the PHP directive "allow_url_fopen on" and the application was passing one parameter directly into include(...) without checking. The parameter was used to include an enemy script. Now I can sleep again :-)
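
Added example, not part of the original message and not the application's own code: the unchecked include() pattern the post describes, next to a hardened loader that treats the request value only as a key into a fixed map. The `page` parameter, the `PAGES` map and the `pages/` directory are hypothetical names chosen for illustration.

```php
<?php
// Added example: hypothetical page loader, not the application from the thread.

// Pattern described in the post (shown as a comment only):
//   include($_GET['page']);
// With URL wrappers enabled for include(), the value may be a URL, so the
// server fetches and executes whatever script the request names.

// Hardened form: the request value is only a lookup key into a fixed map,
// so no request-supplied string ever reaches include().
const PAGES = [                 // hypothetical page keys and file names
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;            // unknown key: nothing is included
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // realpath() returns false when the file does not exist; additionally
    // require the resolved path to stay inside the base directory, which
    // guards against a symlinked or mistyped map entry.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Reject array-valued parameters (?page[]=x) before using the value as a key.
$key  = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($key, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;
```

From PHP 5.2.0 onward, URL-based include() is controlled by the separate `allow_url_include` directive, which is off by default; the allowlist is still needed because it also blocks inclusion of unintended local files.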