On Tue, Feb 23, 2010 at 02:55:40PM -0600, Chris Adams wrote:
> Once upon a time, Matt Sprague <mspra...@readytechs.com> said:
> > The user could also be running the command inline somehow or deleting
> > the file when they log off. Check who was logged onto the server at
> > the time of the attack to narrow down your search. I like the split
> > the users idea, though it could be several iterations to narrow down
> > the culprit.
>
> We've also seen this with spammers. They'll upload a PHP via a
> compromised account, connect to it via HTTP, and then delete it from the
> filesystem. The PHP continues to run, Apache doesn't log anything
> (because it only logs at the end of a request), and the admin is left
> scratching his head to figure out where the problem is.

I've never used it myself, but Apache's mod_log_forensic is documented to write two log entries for each request, one before and one after.
Aaron
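As an added example (not part of the thread, and not Apache's own tooling): a small Python script that pairs mod_log_forensic's "+id" start entries with its "-id" completion entries, so a request that started but never finished, like the deleted-but-still-running PHP script described above, stands out. The log lines and request IDs below are constructed sample data.

```python
"""Find requests that mod_log_forensic saw start but never saw finish.

mod_log_forensic writes '+<id>|<request line>|<Header>:<value>|...' when a
request begins and a bare '-<id>' when it completes, so an id with a '+'
line and no matching '-' line is still running (or its worker died).
"""
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote

# Constructed sample log: two requests complete, the POST to the PHP file does not.
SAMPLE_FORENSIC_LOG = """\
+Xa1BcQoAAQEAAF4zAB8AAAAB|GET /index.html HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/5.0
-Xa1BcQoAAQEAAF4zAB8AAAAB
+Xa1BcgoAAQEAAF4zAB8AAAAC|POST /uploads/tmp_9f3a.php HTTP/1.1|Host:www.example.com%3a8080|User-Agent:curl/7.68.0
+Xa1BcwoAAQEAAF4zAB8AAAAD|GET /about.html HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/5.0
-Xa1BcwoAAQEAAF4zAB8AAAAD
"""


def parse_forensic_log(text: str) -> Tuple[Dict[str, dict], Set[str]]:
    """Return (started, finished): started maps id -> request info, finished holds ids with a '-' line."""
    started: Dict[str, dict] = {}
    finished: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+"):
            fields = line[1:].split("|")
            req_id = fields[0]
            request_line = fields[1] if len(fields) > 1 else ""
            headers: Dict[str, str] = {}
            for field in fields[2:]:
                name, _, value = field.partition(":")
                # the module %xx-escapes ':' and '|' inside values (e.g. 'localhost%3a8080')
                headers[name] = unquote(value)
            started[req_id] = {"request": request_line, "headers": headers}
        elif line.startswith("-"):
            finished.add(line[1:])
    return started, finished


def unfinished_requests(text: str) -> List[dict]:
    """Requests logged as started but never logged as completed, in log order."""
    started, finished = parse_forensic_log(text)
    return [dict(id=rid, **info) for rid, info in started.items() if rid not in finished]


if __name__ == "__main__":
    for r in unfinished_requests(SAMPLE_FORENSIC_LOG):
        print(f"{r['id']} {r['request']} Host={r['headers'].get('Host')}")
```

Point it at a real forensic log (enabled with the ForensicLog directive) and an entry that stays unpaired while the server is busy is a request worth looking at on the process side.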