On Tue, Feb 23, 2010 at 02:55:40PM -0600, Chris Adams wrote:
Once upon a time, Matt Sprague <msprague@readytechs.com> said:
The user could also be running the command inline somehow or deleting the file when they log off. Check who was logged onto the server at the time of the attack to narrow down your search. I like the split the users idea, though it could be several iterations to narrow down the culprit.
We've also seen this with spammers. They'll upload a PHP via a compromised account, connect to it via HTTP, and then delete it from the filesystem. The PHP continues to run, Apache doesn't log anything (because it only logs at the end of a request), and the admin is left scratching his head to figure out where the problem is.
I've never used it myself, but Apache's mod_log_forensic is documented to write two log entries for each request, one before and one after. Aaron