Rich Wales:
>
> > I would suggest that you fix the exploited script. Look for time
> > stamps that appear in both web server logging and Postfix logging.
>
> Thanks, Wietse. That would obviously be the best approach, if it
> worked, but I tried it and (so far at least) haven't been able to find
> any matching entries.
>
> I did find some generally suspicious things in my web server logs --
> including lots of clients looking for the following item:
>
> /nette.micro?callback=shell_exec&cmd=ifconfig
Well here is, an idea:
Extract time stamps for NON-ERROR web server responses, and
correlate those time stamnps with activity in Postfix logs.
I prefer to spend my brain cycles on other things than to kook up
schemes that could perhaps slow down a hypothetical exploit.
Wietse
