[122964] in North American Network Operators' Group


Re: Security Guidance

daemon@ATHENA.MIT.EDU (Aaron L. Meehan)
Wed Feb 24 13:04:26 2010

Date: Wed, 24 Feb 2010 10:04:02 -0800
From: "Aaron L. Meehan" <aaron@coinet.com>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <20100223205540.GD1305778@hiwaay.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Feb 23, 2010 at 02:55:40PM -0600, Chris Adams wrote:
> Once upon a time, Matt Sprague <msprague@readytechs.com> said:
> > The user could also be running the command inline somehow or deleting
> > the file when they log off.   Check who was logged onto the server at
> > the time of the attack to narrow down your search.  I like the split
> > the users idea, though it could be several iterations to narrow down
> > the culprit. 
> 
> We've also seen this with spammers.  They'll upload a PHP via a
> compromised account, connect to it via HTTP, and then delete it from the
> filesystem.  The PHP continues to run, Apache doesn't log anything
> (because it only logs at the end of a request), and the admin is left
> scratching his head to figure out where the problem is.
 
I've never used it myself, but Apache's mod_log_forensic is documented
to write two log entries for each request, one before and one after.

Aaron
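Added example, not code from the thread or from the Apache project: a small Python check over the two-entry format that mod_log_forensic documents (a `+<id>|<request line>|<header>|...` line when a request starts, a bare `-<id>` line when it finishes, with `|`, `:`, `%` and non-printables escaped as `%xx`), which reports requests that started but never logged completion, the case that never reaches the ordinary access log. The log lines, IDs and paths are constructed; the httpd source tree also ships a check_forensic script for the same purpose.

```python
import re
from collections import OrderedDict

# Constructed sample of a mod_log_forensic log (IDs and paths are made up).
# Each request is logged twice: "+<id>|..." when it begins, "-<id>" when it
# completes. A "+" with no matching "-" is a request that never finished.
SAMPLE_LOG = """\
+yQtJf8CoAB4AAFNXBIEAAAAA|GET /index.html HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/5.0
-yQtJf8CoAB4AAFNXBIEAAAAA
+yQtJf8CoAB4AAFNXBIEAAAAB|POST /uploads/tmp.php HTTP/1.1|Host:www.example.com%3a8080|User-Agent:curl/7.19
+yQtJf8CoAB4AAFNXBIEAAAAC|GET /about.html HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/5.0
-yQtJf8CoAB4AAFNXBIEAAAAC
"""


def unescape(field):
    """Undo the %xx escaping mod_log_forensic applies to '|', ':', '%' and non-printables."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_forensic_log(text):
    """Return (started, finished): started maps id -> (request line, header list);
    finished is the set of ids that logged a closing '-' entry."""
    started = OrderedDict()
    finished = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "+":
            fields = [unescape(f) for f in line[1:].split("|")]
            started[fields[0]] = (fields[1], fields[2:])
        elif line[0] == "-":
            finished.add(line[1:])
    return started, finished


def unfinished_requests(text):
    """Requests that began but never completed, as (id, request line, Host header value)."""
    started, finished = parse_forensic_log(text)
    result = []
    for req_id, (request_line, headers) in started.items():
        if req_id in finished:
            continue
        # Header names never contain ':', so split name from value on the first one.
        host = next((h.split(":", 1)[1] for h in headers if h.startswith("Host:")), "")
        result.append((req_id, request_line, host))
    return result


if __name__ == "__main__":
    for req_id, request_line, host in unfinished_requests(SAMPLE_LOG):
        print(f"unfinished {req_id}: {request_line} (Host: {host})")
```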

