Dan Eskildsen <danes@image.dk> wrote:
> I don't have a FTP server running. If they are using wget how can I stop
> that?

Blocking the referrer, but that can be faked, if they uses a block of
specific ip addresses block those addresses in the firewall.

> After getting the files uploaded they are able to execute them running as
> user wwwrun

How? If they upload the files in /tmp, apache shouldn't be able to run
them in there, unless you have a really badly configured apache.

> How could I carry out an examination to find out how they are getting
> in and so that I can plug the hole?

Examining very carefully the log files, what they do and what they call.

> No.

Yes, otherwise they wouldn't be able to upload stuff.

Davide

--
| There are three possibilities: Pioneer's solar panel has turned away
| from the sun; there's a large meteor blocking transmission; or someone
| loaded Star Trek 3.2 into our video processor.
|