How can I find out what script is being exploited?
Posted by disgust, 04-12-2010, 02:35 PM |
We're being continually exploited. All server software is up to date so it must be a PHP script, but how can I find out which one is responsible?
|
Posted by JulesR, 04-12-2010, 05:29 PM |
How long is a piece of string?
Do you have mod_security installed?
|
Posted by ServerSitters_Paul, 04-12-2010, 06:31 PM |
If the script is being used to send email, I would start by checking out the mail headers. Hopefully the X-Mailer is set and you can see exactly what script is being used. If not, and the process is running for a while, then I would run top and look for the php/apache process ID. Run:
lsof -p $pid
If you're lucky it will return information on the process like the file location.
is it a 32-bit or 64-bit strand?
|
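Added example, not part of any post in this thread: one way to reduce the `lsof -p $pid` output suggested above to the entries that point at a script (working directory, open .php files, files under /tmp, outbound SMTP connections). The function names and the sample lsof output, including its paths, PID and addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example. lsof_clues, scan_web_pids and sample_lsof are hypothetical names.

# Reduce `lsof -n -P -p PID` output on stdin to the entries that hint at a script.
# PHP often closes the .php file once it has been read, so the cwd entry is
# frequently the most useful clue.
lsof_clues() {
    awk '
        NR == 1 && $1 == "COMMAND" { next }                  # header row
        $4 == "cwd" { print "cwd  " $9; next }               # working directory
        $5 == "REG" && $9 ~ /\.(php|phtml)$/ { print "file " $9; next }
        $5 == "REG" && $9 ~ /^\/tmp\//       { print "tmpf " $9; next }
        $8 == "TCP" && $9 ~ /->[^ ]*:(25|465|587)$/ { print "smtp " $9 }
    '
}

# Live use: run the filter over every Apache/PHP process. Run as root to see
# other users' processes. The process-name pattern is an assumption; adjust it.
scan_web_pids() {
    for pid in $(pgrep -f 'httpd|apache2|php'); do
        echo "== PID $pid: $(ps -o args= -p "$pid")"
        lsof -n -P -p "$pid" 2>/dev/null | lsof_clues
    done
}

# Constructed sample of lsof output, so the filter can be tried offline.
sample_lsof() {
cat <<'EOF'
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd   4321 nobody  cwd    DIR    8,1     4096 131073 /home/exampleuser/public_html/gallery/uploads
httpd   4321 nobody  txt    REG    8,1   354816 262145 /usr/sbin/httpd
httpd   4321 nobody    3r   REG    8,1     2210 131099 /home/exampleuser/public_html/gallery/uploads/img.php
httpd   4321 nobody    4u   REG    8,1        0  12345 /tmp/sess_0123abcd
httpd   4321 nobody    5u  IPv4  99887      0t0    TCP 192.0.2.10:45678->198.51.100.25:25 (ESTABLISHED)
httpd   4321 nobody    6u  IPv4  99888      0t0    TCP 192.0.2.10:80->203.0.113.7:51000 (ESTABLISHED)
EOF
}

if [ "${1:-}" = "--live" ]; then
    scan_web_pids
else
    sample_lsof | lsof_clues
fi
```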
Posted by Jedito, 04-12-2010, 07:30 PM |
What do you mean? Your site? Or the server? Exactly what are you facing? Are you running PHP under the user name (suphp/fastcgi/etc)?
|
Posted by izumi777, 04-12-2010, 08:23 PM |
Install mod_security2 and mod_evasive.
It will help to protect your script from being exploited.
|
Posted by JulesR, 04-12-2010, 08:24 PM |
mod_evasive does nothing for script security.
|
Posted by LeaTrueman, 04-13-2010, 06:13 AM |
Hello,
Check the process list:
pstree -apu
top -c
Check /tmp for any vulnerable scripts. Run chkrootkit, rkhunter on the server.
|
Posted by ah-quinn, 04-13-2010, 08:28 PM |
It may be possible to run a packet capture and search for the POST data that sends the email. In the free software Wireshark there is a search expression you can build that just searches the contents of the packet, similar to grep, and finds matching packets. You could look for the destination email, or ongoing HTTP connections to .php pages that might match what you're looking for.
|
Posted by boxer, 04-13-2010, 09:21 PM |
Sorry for this question, but I tried the lsof command
then
+
is that right?
|