On 11/01/12 22:37, Luisa Ester Navarro wrote:
------------------------------------------------------------------------
J.
Thanks Jeron:
Any idea how to start researching which is the leaky script?
Cheers
Luisa
Hehe, this is where they say, RTFS, or as Jeron suggested, see if you
can correlate something in the logs. If apache is still running and you
happen to have mod_info, it's useful as it at least gives you the paths
being processed, often the "child script" will hold up the processing
and you can then spot the script in use in the mod_info data, in other
cases, it's a wild goose chase.
mpm_user also helps to narrow things down in case of vhost setups (ISP
... find the offending user - disable the vhost - that usually gets the
offender's attention, and when you tell him/her that his code is bust and
they need to audit their code they usually end up paying me for my time
to do it, which usually just involves pointing to one of the latest
joomla/wordpress/flavor of the month CMS exploits).
With respect to the logs, often you'll find URIs in the GET parameters,
so perhaps you can try grepping your logs for a regex, something like
"grep -E '\?.*http://'" and see if that shows anything.
I'm afraid there are no real shortcuts.
Good luck.
JK
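
Added example, not part of the original message: a shell sketch that generalizes the grep suggested above so it also catches percent-encoded URLs and ranks the script paths that received them. It assumes Apache common/combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumes Apache common/combined log format: the request line
# ("METHOD URI PROTOCOL") is the first double-quoted field.

# rank_url_params LOGFILE (hypothetical helper name)
# Prints "count path" for every script path that received a query string
# containing a URL, plain (http://) or percent-encoded (http%3A%2F%2F),
# most-hit path first. A hit is a lead to audit, not proof of a flaw:
# legitimate redirect or proxy parameters match as well.
rank_url_params() {
    awk -F'"' '
    {
        n = split($2, req, " ")
        if (n < 2) next                  # malformed request line
        uri = req[2]
        q = index(uri, "?")
        if (q == 0) next                 # no query string
        path  = substr(uri, 1, q - 1)
        query = tolower(substr(uri, q + 1))
        if (query ~ /(https?|ftp)(:|%3a)(\/|%2f)(\/|%2f)/)
            hits[path]++
    }
    END { for (p in hits) printf "%d %s\n", hits[p], p }
    ' "$1" | sort -k1,1nr -k2,2
}

# write_sample_log FILE (hypothetical): constructed sample lines.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [11/Jan/2012:21:02:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
198.51.100.7 - - [11/Jan/2012:21:03:40 +0000] "GET /gallery/view.php?inc=http://example.net/a.txt? HTTP/1.1" 200 312
198.51.100.7 - - [11/Jan/2012:21:03:44 +0000] "GET /gallery/view.php?inc=HTTP%3A%2F%2Fexample.net%2Fa.txt HTTP/1.1" 200 312
203.0.113.5 - - [11/Jan/2012:21:05:02 +0000] "GET /redirect.php?to=https://example.com/ HTTP/1.1" 302 0
192.0.2.10 - - [11/Jan/2012:21:06:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
rank_url_params "$sample"
rm -f "$sample"
```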