madopal
« Reply #15 on: November 27, 2007, 11:28:33 pm »
I'm running OSSEC, which is how I found out about the probes in the first place. It's got logging, checksumming, the works. It seems like it's very similar to Tripwire. I'll check if I can run both.
The bigger thing that bothers me is that this seems to be a common Apache config on Fedora (at least). I'm trying to suss out how the vulnerability got there. The timing of the attack (day after Thanksgiving) coupled with the frequency (once every 25 minutes) shows that whoever did this is patient, clever, and trying their hardest not to be seen. Not the usual behaviors for spammers. Also, since you have to hack Apache to see what data was being sent with a POST, I have no idea what was being sent.
I'm sufficiently protected on the Apache side now, but I'm going to look into more sophisticated log analysis. All my other ports are (and have been) secure. If I hadn't been paranoid up to this point, I'd never have seen it.
I'll keep trying to poke at Apache/Fedora folk to find out why a blind POST to the webroot would allow this. It's not like they were using a php/cgi that was lying around. This is a default capability in Apache that seems to be enabled quite a bit.
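One way to start the kind of log analysis the post mentions, as an added example that is not part of the original thread: scan Apache combined-format access logs and flag clients whose POSTs to the webroot recur at a near-constant interval, the "once every 25 minutes" pattern described above. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in Apache "combined" log format (not from the post):
# one client POSTing to "/" roughly every 25 minutes, mixed with ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Nov/2007:00:05:12 -0500] "POST / HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.2 - - [23/Nov/2007:00:09:40 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Nov/2007:00:30:13 -0500] "POST / HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Nov/2007:00:55:11 -0500] "POST / HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.2 - - [23/Nov/2007:01:02:03 -0500] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Nov/2007:01:20:14 -0500] "POST / HTTP/1.1" 200 312 "-" "Mozilla/4.0"
"""

# Matches the fixed leading fields of a combined-format line; request body is never logged.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_combined(text):
    """Yield (ip, timestamp, method, path) for each parsable access-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("method"), m.group("path")

def find_periodic_root_posts(text, min_hits=3, max_jitter=0.1):
    """Return {ip: mean_interval_seconds} for clients whose POSTs to "/"
    arrive at a near-constant interval (relative std-dev <= max_jitter)."""
    times = {}
    for ip, ts, method, path in parse_combined(text):
        if method == "POST" and path == "/":
            times.setdefault(ip, []).append(ts)
    findings = {}
    for ip, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[ip] = avg
    return findings

if __name__ == "__main__":
    for ip, secs in find_periodic_root_posts(SAMPLE_LOG).items():
        print(f"{ip}: POST / every ~{secs / 60:.1f} min")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; tune min_hits and max_jitter to the site's normal traffic before acting on a hit.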