[CentOS] Strange Apache log entry

Gordon Messmer yinyang at eburg.com
Sun Aug 22 22:17:42 UTC 2010


On 08/22/2010 03:05 PM, Gilbert Sebenste wrote:
> Thanks. They got a 404 error with me, obviously...but I wanted to make
> sure it was nothing more than that.

No, they didn't.  That's why you were warned that it was a potentially 
successful probe.

The exploit requires that you are running php and have a script that 
includes a file referenced by the global variable "g" (or maybe the http 
request varible "g").  You should check the files that appear at the 
URLs indicated in your logs.  If any of those files are php, then you 
should further check those to see if they might include files based on 
the "g" variable.  If so, you may have been compromised.



More information about the CentOS mailing list