Hi,

On Thu, 20 Apr 2006, Marcel Mourguiart wrote:

> On 4/20/06, jdd wrote:
> > Marcel Mourguiart wrote:
> > > Hi, I have a web server with SUSE 10 (php, apache, postnuke, etc). My connection has been stopped because MY server is making DDoS attacks.
> > > Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
> > > Is there a patch, link or whatever you can give me to resolve the problem??
> > > Sorry if this is not the appropriate list, I'm just desperate.
> >
> > The best way should be to update your php version with YOU, or, if this is not sufficient, directly from the php site.
> > I'm sure this bug is already fixed.
>
> I have everything updated with YOU.
>
> Carl: I'll subscribe to "suse-security" and I'm aware this is not a SUSE-specific bug or a Linux one; it's probably a PHP bug, which makes the problem just harder to resolve.
> Anyway, if somebody knows the specific problem with PHP or has a clue, I'll be happy to hear.
I am watching for "PHP invaders" with this cron job:

php-server1:1 21:39:34 ~ # cat bin/hack-detect
#!/bin/bash
# Snapshot every process running as wwwrun and every file wwwrun owns in
# the directories it can write to, then mail the difference to the
# previous snapshot.
export HOST=php-server1
export DATE=$(date +%y%m%d.%H%M)
export B=/home/detector/bin              # private copies of pstree, find, diff
SF=/home/detector/find.wwwrun            # snapshot file
M="em@kki.org"                           # alert recipient
S="${HOST} hack-detect ${DATE}"          # mail subject

# Rotate the previous snapshot; on the very first run start from an empty
# baseline so that everything present is reported once.
rm -f "${SF}.old" "${SF}.dif"
touch "${SF}"
mv "${SF}" "${SF}.old"

# All wwwrun processes that are not the expected Apache workers.
echo "=== Prozesse:" >"${SF}"
${B}/pstree -p wwwrun | grep -v ^httpd2-prefork | sort -u >>"${SF}"

# All regular files owned by wwwrun in its writable areas, ignoring the
# constantly changing PHP session files.
echo "=== Dateien:" >>"${SF}"
for i in /tmp /var/lib/wwwrun /var/tmp
do
    ${B}/find $i -type f -user wwwrun | grep -v ^/tmp/sess_ | sort >>"${SF}"
done

# Keep only the added/removed lines, without the diff header noise.
${B}/diff -U 0 "${SF}.old" "${SF}" | grep -v "^--- \|^+++ \|^@@ " >"${SF}.dif"

# Mail only when something changed.
if [ -s "${SF}.dif" ]; then
    mail -s "${S}" ${M} <"${SF}.dif" &
fi
php-server1:1 21:39:41 ~ #

It is simply monitoring all areas which are writable by the user wwwrun and all wwwrun processes. The invoked binaries reside in an exclusive place, so no root kit will overwrite them. It does in no way protect, it only alarms.

Cheers
-e
--
Eberhard Moenkeberg (emoenke@gwdg.de, em@kki.org)
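The same snapshot-and-diff idea, generalised a little, as an added example that is not the script from the post above: snapshotting and comparison are separate functions so each can be checked on its own, the first run yields a reviewable baseline instead of an error, and mail goes out only on change. WATCH_USER, WATCH_DIRS, STATE_DIR, MAIL_TO, DAEMON_NAME and the exclusion pattern are assumed defaults chosen for illustration, not values from the post.

```shell
#!/bin/sh
# Added example, not the script from the post: a snapshot-and-diff watcher for
# a service account, split into small functions so each piece can be checked
# on its own. Defaults below are assumptions for illustration; override them
# through the environment.
set -u

WATCH_USER="${WATCH_USER:-wwwrun}"                        # assumed Apache user
WATCH_DIRS="${WATCH_DIRS:-/tmp /var/tmp /var/lib/wwwrun}" # assumed writable areas
STATE_DIR="${STATE_DIR:-/var/lib/hack-detect}"            # assumed; keep root-owned, mode 0700
MAIL_TO="${MAIL_TO:-root}"                                # assumed alert recipient
DAEMON_NAME="${DAEMON_NAME:-httpd2-prefork}"              # the one process name we expect
EXCLUDE_RE="${EXCLUDE_RE:-/sess_[A-Za-z0-9]*\$}"          # PHP session files churn constantly

# Regular files owned by user $1 beneath the directories $2..., one per line,
# sorted, with paths matching EXCLUDE_RE dropped. Missing directories are skipped.
snapshot_files() {
    user="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -type f -user "$user" 2>/dev/null
    done | grep -Ev "$EXCLUDE_RE" | sort -u
}

# Distinct command names running as user $1, minus the expected daemon, so a
# shell, interpreter or bot started by the web server shows up as a new line.
snapshot_procs() {
    ps -u "$1" -o comm= 2>/dev/null | grep -vx "$DAEMON_NAME" | sort -u
}

# Lines only in the new snapshot $2 / only in the old snapshot $1 (both sorted).
snapshot_added()   { comm -13 "$1" "$2"; }
snapshot_removed() { comm -23 "$1" "$2"; }

# Print "+ line" for additions and "- line" for removals between old ($1) and
# new ($2). Returns 1 and prints nothing when the snapshots are identical, so
# the caller can alert only on change.
snapshot_report() {
    added=$(snapshot_added "$1" "$2")
    removed=$(snapshot_removed "$1" "$2")
    [ -z "$added" ] && [ -z "$removed" ] && return 1
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 0
}

# One cron run: rotate the previous snapshots, take fresh ones, mail any diff.
# On the very first run the old snapshot is empty, so everything present is
# reported once and can be reviewed as the baseline.
run_once() {
    mkdir -p "$STATE_DIR"
    for kind in files procs; do
        cur="$STATE_DIR/$kind"
        if [ -f "$cur" ]; then mv -f "$cur" "$cur.old"; else : > "$cur.old"; fi
        case $kind in
            files) snapshot_files "$WATCH_USER" $WATCH_DIRS > "$cur" ;;  # unquoted on purpose: split on spaces
            procs) snapshot_procs "$WATCH_USER" > "$cur" ;;
        esac
        if snapshot_report "$cur.old" "$cur" > "$cur.dif"; then
            mail -s "$(hostname) hack-detect $kind $(date +%y%m%d.%H%M)" "$MAIL_TO" < "$cur.dif"
        fi
    done
}

# Only act when invoked as "hack-detect run"; sourcing the file just defines
# the functions and touches neither the state directory nor the mailer.
if [ "${1:-}" = run ]; then
    run_once
fi
```

Run it from cron as root (`hack-detect run`), with the state directory and the script itself outside anything the web account can write; like the original it only alarms, and the first mail after installation is the baseline to review rather than an intrusion.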